Data laws: navigating the legal landscape

Data legislation affects every company that processes personal data – something that few modern companies can stray from. A company is subject to data legislation both at a national and international level. While some data legislation occurs at a regional level, there are national data laws that only apply to the individual country. In addition, there are various areas in which data legislation can be in contact with a company; while some legislation concerns the company’s handling of personal data, others concern the company’s cyber security, IT equipment, data breaches, etc. Here is an overview of the most central data legislation:

GDPR
GDPR (General Data Protection Regulation) is a comprehensive data protection regulation that applies to any company that processes personal data about EU citizens, regardless of where in the world they are based. The regulation sets out clear guidelines for how personal data is collected, stored, processed and shared, and it gives individuals strong rights to control their own data.

UK GDPR
Following the UK’s withdrawal from the EU, the country has still retained a version of the GDPR in its national legislation in the form of the UK-GDPR. This data regulation is very similar to the EU version, but there are minor adjustments to align with the UK’s own legislation.

CCPA
The CCPA (California Consumer Privacy Act) is legislation that gives consumers in California increased rights and control over their personal information. It gives consumers the right to know what data is being collected about them, the right to refuse the sale of their data and the right to demand the erasure of their data, as well as a number of other data rights.

CPRA
The CPRA (California Privacy Rights Act) is a relatively new law that was passed in California and is an update to the CCPA (California Consumer Privacy Act). The CPRA expands and strengthens protections for consumers’ personal information and introduces new requirements for businesses operating in California.

PIPL
PIPL (Personal Information Protection Law) is China’s response to GDPR and aims to strengthen the protection of personal data in the country. Like the GDPR, this law imposes strict requirements on companies that collect and process personal data and contains comprehensive rules on consent, data security and enforcement.

NIS2
NIS2 (Network and Information Security Directive) is a European law that focuses on improving cyber security in sectors critical to the functioning of society, such as energy, transport, banking and healthcare. It requires operators of essential services and digital service providers to adopt appropriate security measures to protect their networks and information systems.

ISO 27001
ISO 27001 is an international standard for information security management systems that sets out the requirements for establishing, implementing, maintaining and continuously improving a company’s information security management system. Adherence to this standard helps organisations ensure the confidentiality, integrity and availability of their information.

ISO 9001
ISO 9001 is an international standard for quality management systems that focuses on ensuring that organisations provide high-quality products and services that meet customer needs and expectations. Although not specifically aimed at data security, a well-functioning quality management system plays a vital role in ensuring that data is processed and protected in a responsible manner.

As a company, it is important to be aware of the data laws that applies to you. By complying with these laws and implementing appropriate security measures, you can lay the foundation for protecting personal information, promoting trust and security in the digital world. To help protect data, we at Safe Online create IT tools that are developed in accordance with national as well as international data laws: