Skip to main content

A guide to data legislation

In a world where data has become an invaluable resource, it is critical for a business to understand the laws and regulations that govern how data is handled and protected. But data laws is a complicated area that requires legal guidance to navigate. This blog aims to provide an overview of the key laws and standards that apply to your business.

Did you know that organisations that do not comply with regulations like GDPR face significantly higher costs when data breaches occur? (

An overview of data laws

Data legislation affects every company that processes personal data – something that few modern companies can stray from. A company is subject to data legislation both at a national and international level. While some data legislation occurs at a regional level, there are national data laws that only apply to the individual country. In addition, there are various areas in which data legislation can be in contact with a company; while some legislation concerns the company’s handling of personal data, others concern the company’s cyber security, IT equipment, data breaches, etc. Here is an overview of the most central data legislation:

GDPR (General Data Protection Regulation) is a comprehensive data protection regulation that applies to any company that processes personal data about EU citizens, regardless of where in the world they are based. The regulation sets out clear guidelines for how personal data is collected, stored, processed and shared, and it gives individuals strong rights to control their own data.

Following the UK’s withdrawal from the EU, the country has still retained a version of the GDPR in its national legislation in the form of the UK-GDPR. This data regulation is very similar to the EU version, but there are minor adjustments to align with the UK’s own legislation.

The CCPA (California Consumer Privacy Act) is legislation that gives consumers in California increased rights and control over their personal information. It gives consumers the right to know what data is being collected about them, the right to refuse the sale of their data and the right to demand the erasure of their data, as well as a number of other data rights.

The CPRA (California Privacy Rights Act) is a relatively new law that was passed in California and is an update to the CCPA (California Consumer Privacy Act). The CPRA expands and strengthens protections for consumers’ personal information and introduces new requirements for businesses operating in California.

PIPL (Personal Information Protection Law) is China’s response to GDPR and aims to strengthen the protection of personal data in the country. Like the GDPR, this law imposes strict requirements on companies that collect and process personal data and contains comprehensive rules on consent, data security and enforcement.

NIS2 (Network and Information Security Directive) is a European law that focuses on improving cyber security in sectors critical to the functioning of society, such as energy, transport, banking and healthcare. It requires operators of essential services and digital service providers to adopt appropriate security measures to protect their networks and information systems.

ISO 27001
ISO 27001 is an international standard for information security management systems that sets out the requirements for establishing, implementing, maintaining and continuously improving a company’s information security management system. Adherence to this standard helps organisations ensure the confidentiality, integrity and availability of their information.

ISO 9001
ISO 9001 is an international standard for quality management systems that focuses on ensuring that organisations provide high-quality products and services that meet customer needs and expectations. Although not specifically aimed at data security, a well-functioning quality management system plays a vital role in ensuring that data is processed and protected in a responsible manner.

Get our Newsletter!

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

Read more about data legislation

Start your GDPR cleanup where it is needed the most

Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

Looking for help navigating data laws?

As a company, it is important to be aware of the data laws that applies to you. By complying with these laws and implementing appropriate security measures, you can lay the foundation for protecting personal information, promoting trust and security in the digital world. To help protect data, we at Safe Online create IT tools that are developed in accordance with national as well as international data laws:

DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →


How to handle sensitive personal data


How to find personal data with datamapping tool


How to prepare for a data audit