Short answer: There are several major data protection laws worldwide – including the UK GDPR (UK), GDPR (EU), CCPA (California), LGPD (Brazil), POPIA (South Africa), and PDPA (Singapore). While they differ in scope and detail, they all aim to give individuals more control over their personal data and require businesses to handle data with transparency, consent, and care.
A guide to data legislation
In a world where data has become an invaluable resource, it is critical for a business to understand the laws and regulations that govern how data is handled and protected. But data law is a complicated area that requires legal guidance to navigate. This blog aims to provide an overview of the key laws and standards that apply to your business.
Did you know that GDPR violations can result in fines of up to 20 million euros or 4% of the company's global annual turnover, whichever is higher?
- European Commission
An overview of data laws
Data legislation affects every company that processes personal data, which is something few modern companies can avoid. A company is subject to data legislation at both a national and an international level: some legislation is regional, while national data laws apply only within the individual country. Data legislation can also touch a company in several different areas; some legislation concerns the company’s handling of personal data, while other legislation concerns the company’s cyber security, IT equipment, data breaches, etc. Here is an overview of the most central data legislation:
GDPR
GDPR (General Data Protection Regulation) is a comprehensive data protection regulation that applies to any company that processes personal data about EU citizens, regardless of where in the world they are based. The regulation sets out clear guidelines for how personal data is collected, stored, processed and shared, and it gives individuals strong rights to control their own data.
UK GDPR
Following the UK’s withdrawal from the EU, the country has retained a version of the GDPR in its national legislation in the form of the UK GDPR. This regulation is very similar to the EU version, with minor adjustments to align it with the UK’s own legislation. In addition, the new DUAA serves as a supplement to the UK GDPR.
CCPA
The CCPA (California Consumer Privacy Act) is legislation that gives consumers in California increased rights and control over their personal information. It gives consumers the right to know what data is being collected about them, the right to refuse the sale of their data and the right to demand the erasure of their data, as well as a number of other data rights.
CPRA
The CPRA (California Privacy Rights Act) is a relatively new law that was passed in California and is an update to the CCPA (California Consumer Privacy Act). The CPRA expands and strengthens protections for consumers’ personal information and introduces new requirements for businesses operating in California.
PIPL
PIPL (Personal Information Protection Law) is China’s response to GDPR and aims to strengthen the protection of personal data in the country. Like the GDPR, this law imposes strict requirements on companies that collect and process personal data and contains comprehensive rules on consent, data security and enforcement.
NIS2
NIS2 (Network and Information Security Directive) is a European law that focuses on improving cyber security in sectors critical to the functioning of society, such as energy, transport, banking and healthcare. It requires operators of essential services and digital service providers to adopt appropriate security measures to protect their networks and information systems.
ISO 27001
ISO 27001 is an international standard for information security management systems (ISMS) that sets out the requirements for establishing, implementing, maintaining and continuously improving an ISMS. Adherence to this standard helps organisations ensure the confidentiality, integrity and availability of their information.
ISO 9001
ISO 9001 is an international standard for quality management systems that focuses on ensuring that organisations provide high-quality products and services that meet customer needs and expectations. Although not specifically aimed at data security, a well-functioning quality management system plays a vital role in ensuring that data is processed and protected in a responsible manner.
What data protection laws apply to your company?
If you’re a UK-based company, the UK GDPR is your primary data protection law. But it doesn’t stop there. If you collect or process personal data from individuals in the EU, you’ll also need to comply with the EU GDPR. Have customers or users in the US, Brazil, or South Africa? Local laws like CCPA, LGPD or POPIA might apply too.
It’s not about where you are – it’s about where the data subjects are. So, if your business operates internationally or holds data from individuals outside the UK, chances are multiple regulations affect you.
The smart move? Map out where your data comes from and ensure your policies, tools, and processes meet the highest applicable standard.
FAQ on data protection laws
How do we know which laws apply to our business?
It depends on where your customers and users are located. If you primarily operate in the UK, the UK GDPR and the Data Protection Act 2018 are the most relevant. If you have an international presence, you should check the local data protection laws in those regions.
Which data protection laws apply to businesses in the UK?
Companies in the UK must comply with the UK GDPR and the Data Protection Act 2018. Additionally, the Privacy and Electronic Communications Regulations (PECR) are relevant for businesses involved in marketing, cookies, and online tracking.
Does GDPR only apply to businesses in the EU?
No. GDPR applies to any business that processes personal data of individuals in the EU, regardless of where the company is based. For example, if you sell to EU customers from the UK or the US, you still need to comply with EU GDPR.
What happens if we don’t comply with GDPR?
Failure to comply can result in significant fines – up to £17.5 million or 4% of your global turnover. Additionally, non-compliance can damage your company’s reputation and lead to a loss of customer trust.
Do we need to comply with other data laws if we have customers outside the UK?
Yes. If you have customers in the US, the CCPA (California Consumer Privacy Act) may apply. If you operate in China, you must comply with the PIPL (Personal Information Protection Law). Other countries have their own regulations, so it’s essential to assess compliance based on your business footprint.
Looking for help navigating data laws?
As a company, it is important to be aware of the data laws that apply to you. By complying with these laws and implementing appropriate security measures, you lay the foundation for protecting personal information and promoting trust and security in the digital world. To help protect data, we at Safe Online create IT tools that are developed in accordance with national as well as international data laws:
DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily
Sebastian Allerelli
Founder & COO at Safe Online
Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.