Is the GDPR becoming the gold standard for data protection?
GDPR: protecting your data worldwide
Every day, more and more information is created, captured and stored by interconnected, digital systems across the globe. In response to this explosion of online data, the European Union introduced the General Data Protection Regulation (GDPR). Designed to protect consumer data, prevent security breaches and control data processing, GDPR harmonizes laws across Europe to create an EU standard applicable to all businesses and public organizations.
Regulations sans frontières
While GDPR’s intended target is data managed by European businesses, the regulation’s extra-territorial reach has given it impact beyond EU borders. Since GDPR applies to any organization handling or processing European citizens’ data, multinational companies, foreign business partners and subsidiaries are subject to the same standards as their European counterparts. Failure to comply with GDPR requirements can lead to hefty financial penalties, and data breaches can cost companies even more in consumer trust and lost business.
The result is that some highly international businesses located outside the EU are choosing to comply with GDPR as a default position. It is costly and inefficient for businesses to have a stringent data policy for one region and a relaxed policy for all other regions. And with countries around the world introducing data protection legislation in the spirit of GDPR, it makes sense to get prepared now.
The influence of GDPR on regulation outside the EU
Since GDPR came into force on May 25, 2018, countries worldwide have been adopting a similar approach to data protection. Although some countries already had comprehensive data protection policies, many have been making changes to help businesses achieve compliance. Over the past year, a range of countries and businesses have been adapting to GDPR, using the EU regulation as the measure of their data protection policies.
The United States
The United States, birthplace of Big Tech giants including Google, Amazon, Facebook and Apple, is acutely aware of the need for comprehensive data protection. In the wake of several security breaches at major tech companies, which exposed the personal information of millions, public interest in enhancing data protection rights has increased.
As a result, several US states have taken steps to increase consumers’ data privacy, with certain states (including California, home to Silicon Valley) passing legislation that mirrors GDPR protections. States like Virginia, Arizona and South Dakota have tightened regulations surrounding breach notification laws, while Vermont passed significant legislation to regulate data brokers.1
Brazil
In August 2018, Brazil approved the General Data Protection Law (LGPD), a bill that comprehensively regulates data protection requirements. Heavily based on GDPR, the LGPD provides protections for consent, data processing, credit protection, data breach notification and more.2 However, the LGPD deviates slightly from GDPR in terms of scope and structure, and the new legislation will not come into force until 2020. While the LGPD has a good chance of winning Brazil an adequacy agreement with the EU, Brazilian companies will still have to comply with GDPR requirements in the intervening year.
United Arab Emirates
The UAE is one of the EU’s most important trading partners in the Middle East, so GDPR’s impact on businesses in the country is significant. The country has federal and local laws that provide guidance on data privacy, while several UAE free zones, including Abu Dhabi Global Market (ADGM) and Dubai International Financial Centre (DIFC), already have measures in place to enhance data protection.3
However, general compliance among businesses is patchy. When GDPR came into force in May 2018, less than 35% of Emirati organizations were compliant4, and six months later, many UAE businesses were still struggling to comply5. Although awareness of the need for data protection is growing, many organizations still lack the means to protect their users’ data.
Singapore
Before GDPR was passed, Singapore was already home to rigorous data protection laws. The Personal Data Protection Act (PDPA) of 2012 governs the collection, use and disclosure of individuals’ data, ensuring users’ rights to correct, erase, limit and protect their information. While the PDPA is a strong approach to data protection, it does not entirely meet GDPR requirements.6 In the wake of GDPR, businesses still have changes to make to achieve full compliance, but the gap for companies in Singapore remains much smaller than that of many neighboring countries.
Japan
Due to its already rigorous data protection laws, Japan was able to adopt an adequacy agreement with the EU, which effectively exempts it from GDPR compliance. This agreement acknowledges that Japan’s laws offer an equivalent level of data protection to that required by GDPR, and establishes rules to cover any differences between the two data protection systems. Additionally, the adequacy agreement includes a complaint-handling mechanism and provides for access to private data for criminal law enforcement and national security purposes.7
The agreement came into force in January 2019 and will be evaluated for efficacy in 2021. After that, it will be reassessed every four years to ensure the agreement remains functional and data protections are properly respected.
The benefits of certification: Bureau Veritas’ Data Protection Certification Scheme
For companies wishing to become GDPR compliant or seeking guidance with the process, Bureau Veritas provides a wealth of expertise. Our Data Protection Certification Scheme offers independent assurance of compliance with GDPR requirements for businesses around the world. Certification to this voluntary scheme requires implementation and certification to the Bureau Veritas Technical Standard, which is based on ISO 17065’s product and service certification mechanism, a standard contained in GDPR. Our Technical Standard allows you to ensure comprehensive data protection processes, prevent potential security breaches, safeguard customer privacy and protect critical data assets. Through auditing and certification, you can ensure compliance with GDPR and help prepare for equivalent regulations outside the EU.
The future of data protection
Data protection is likely to increase in importance as advanced technology and connected devices further permeate our lives – from smartphones and connected cars to autonomous ships and remotely monitored oil platforms. GDPR has set the standard for data protection, and upcoming regulations are likely to use it as a starting point for their own laws. To future-proof themselves, organizations worldwide need a thorough understanding of GDPR and the ability to work within its framework.
1 Serrato, Jeewon Kim et al., “US States Pass Data Protection Laws on the Heels of GDPR”, Dataprotectionreport.com, July 9, 2018.
2 Bioni, Bruno et al., “GDPR Matchup: Brazil’s General Data Protection Law”, IAPP, October 4, 2018.
3 “GDPR Compliance in the UAE: 96% of leaders think the public will see it in a positive light”, Acorn Strategy, May 30, 2018.
4 Cherrayil, Naushad K., “Many UAE firms will miss General Data Protection Regulation Deadline”, Gulf News, May 17, 2018.
5 “If hit by data breach, UAE firms not compliant with GDPR would face fines of $23m”, Gulf Business, November 8, 2018.
6 “EU GDPR”, Personal Data Protection Commission of Singapore, July 20, 2018.
7 “European Commission has adopted adequacy decision on Japan”, European Commission, January 23, 2019.