If your enterprise does business in North America, Europe, South America, the UK, China, or Singapore, you likely have some new data privacy compliance considerations this year. New regulations, rules, and guidance on data privacy are going into force around the globe in 2021. On top of that, Brexit and the invalidation of Privacy Shield have raised a lot of questions about data transfers between the EU, the UK, and the US.
We’ll hold a two-hour deep-dive conversation on the global data privacy landscape with data privacy compliance experts later this month (sign up now to attend for free), but in the meantime, here’s a primer on the data privacy considerations you’ll face this year.
GDPR enforcement
We’ll start with the obvious. Though GDPR has applied since May 2018, nearly three years ago, EU regulators made clear over the last twelve months that they’re done playing around. GDPR fines in 2020 reached a new high, so NOW is the time to shore up any weak spots in how you collect, secure, and transfer personal data. Just how high can fines go? Under the regulation, the upper tier of fines is the greater of €20 million or four percent of your company’s total worldwide annual turnover for the preceding financial year, and a fine can be imposed for any infringement, not only a data breach. Not playing around, indeed.
UK GDPR and EU-UK data transfers
Now that the Brexit transition period has ended, the UK has its own version of GDPR, called “UK GDPR,” which carries the EU regulation into domestic law alongside the Data Protection Act 2018. For now, the EU-UK Trade and Cooperation Agreement provides a bridge period under which data flows from the EU to the UK “will not be considered as transfers to a third country”; the bridge runs for up to four months from January 1, 2021, extendable to June 30, 2021 at the latest. Unless the European Commission adopts an adequacy decision for the UK before then, businesses should be prepared to put a transfer mechanism such as standard contractual clauses in place for EU-to-UK transfers in the second half of the year. Transfers in the other direction are unaffected, because the UK has recognised the EEA as providing adequate protection.
Schrems II and DPIA
In the wake of Schrems II invalidating Privacy Shield, is it time for a data protection impact assessment (DPIA)? It may be beneficial, even if you’re concerned about what it will reveal. Strictly speaking, the ruling imposes a different assessment: an exporter relying on standard contractual clauses must verify, case by case, whether the law of the destination country undermines the protection the clauses promise, and must add supplementary measures where it does (for example, strong encryption with keys held only by the exporter in the EEA). That exercise is commonly called a transfer impact assessment, and the EDPB’s Recommendations 01/2020 describe how to carry it out. It could also be argued that, after Schrems II, any transfer of personal data outside the European Economic Area, including to the UK once the bridge period ends, is a high-risk processing activity, which would make a DPIA under Article 35 mandatory. Either way, the first step is the same: inventory every flow of personal data out of the EEA and the legal mechanism each one relies on.
California: CCPA and CPRA
As the United States begins to catch up to Europe, individual states are enacting their own data privacy laws, starting with California. The California Consumer Privacy Act (CCPA) has been enforceable since July 1, 2020. It applies to any for-profit business that does business in California and meets at least one of three thresholds: annual gross revenues over $25 million; annually buying, receiving, selling, or sharing the personal information of 50,000 or more California consumers, households, or devices; or deriving at least half of its annual revenue from selling consumers’ personal information.
Another privacy law, the California Privacy Rights Act (CPRA), was approved by California voters last November as Proposition 24 and goes into effect on January 1, 2023. Most of its provisions apply to personal information collected on or after January 1, 2022 (the look-back period), so the clock is ticking. It amends and expands the CCPA, creating a new subcategory of personal information (sensitive personal information, which consumers can ask a business to limit its use of) and establishing a new privacy regulator, the California Privacy Protection Agency, which takes over rulemaking and administrative enforcement from the Attorney General.
China’s DSL and PDPL
Last year, China released drafts of its Data Security Law (DSL) and Personal Information Protection Law (PIPL, also translated as the Personal Data Protection Law, PDPL). These laws, combined with the Cybersecurity Law in force since 2017, set out China’s approach to data protection for foreign companies operating in China or serving Chinese consumers. Seen as China’s response to GDPR, the PIPL draft contains many of the same provisions as its European counterpart (a required legal basis for processing, individual rights, breach notification, and extraterritorial reach over processing of Chinese residents’ data from abroad), while the DSL classifies data by its importance to national security and regulates its export. Two points to keep in mind: both were still drafts at the time of writing and may change before adoption, and the cross-border transfer rules are stricter than GDPR’s, with domestic storage or a government security assessment required for some categories of data.
Brazil’s LGPD
Also getting in on the data privacy action is Brazil, with the Brazilian General Data Protection Law (LGPD, Lei Geral de Proteção de Dados). Due to COVID-19, a delay of the effective date to May 2021 was proposed, but Brazil’s Congress rejected it and the law took effect in September 2020, so it is already past time to comply for organizations within Brazil, as well as those that process the data of individuals in Brazil. Administrative sanctions, which were deferred separately, become enforceable on August 1, 2021. Requirements are similar to GDPR’s, with one notable difference: every controller must appoint a data protection officer (encarregado) to liaise with the Autoridade Nacional de Proteção de Dados (ANPD), Brazil’s national data protection authority, whereas GDPR requires a DPO only in specific circumstances.
Singapore’s PDPA
Amendments to Singapore’s Personal Data Protection Act of 2012 took effect this week, with the first phase of the Personal Data Protection (Amendment) Act 2020 commencing on February 1, 2021, marking the most significant changes to this regulation since it entered into force. The updates include mandatory notification of data breaches that meet the notification threshold to the Personal Data Protection Commission and to affected individuals; new offences for individuals who egregiously mishandle personal data (such as unauthorised disclosure or re-identification of anonymised data), punishable by a fine of up to S$5,000, up to two years in prison, or both; and a new framework for consent, including deemed consent by notification and a legitimate-interests exception. Later this year, Singapore is also expected to bring into force increased financial penalties for organizations, of up to 10% of annual turnover in Singapore for organisations with turnover above S$10 million.
Attend our free deep-dive forum on data privacy in 2021
Looking to get more details on all of the above, straight from the experts? At our next global forum on February 23, we’ll hear from a panel including data privacy experts, compliance practitioners, and consultants who will guide your attention to where it’s most needed. Sign up today to attend for free.