As Europe adapts to evolving data protection regulations, organizations are under greater pressure to stay compliant while ensuring secure data collaboration and identity protection. With recent regulatory changes adding new layers of responsibility for data privacy, companies across the EMEA (Europe, Middle East and Africa) region are finding that compliance now requires robust, multidimensional solutions that extend beyond data protection policies alone.
In this article, we’ll outline the key updates in data privacy laws and offer insights into practical compliance measures, from secure collaboration to identity management.
Data Privacy: The New Standard in EMEA Compliance
Over the past few years, data privacy has become a top priority for companies in EMEA, especially in light of legislative shifts across Europe. These changes include updates to the General Data Protection Regulation (GDPR) and national data privacy laws, often requiring a more stringent approach to handling sensitive information.
Recent amendments address the security and transparency of data use, placing an increased burden on organizations to not only protect but also document how they manage personal information.
Below are some of the changes in the last 12 months in Europe:
- European Union: The Data Act went into force in January 2024, designed to foster data sharing and clarify data rights across sectors, particularly for non-personal data generated by IoT devices. Its goal is to increase data accessibility while maintaining safeguards for user and business data. The Artificial Intelligence Act is also progressing, with a risk-based framework to regulate AI development and use, aiming to protect users and foster AI transparency.
- United Kingdom: The Data Protection and Digital Information (DPDI) Bill continues to evolve as a UK-GDPR alternative. It seeks to reduce compliance burdens on businesses, simplify rules and enable more flexibility with data transfers. The Online Safety Bill also introduces new requirements for platforms to handle harmful content, with OFCOM as the regulator overseeing enforcement.
- Switzerland: A revamped Federal Act on Data Protection (FADP) came into effect on September 1, 2023, aligning Switzerland’s standards more closely with GDPR, including updates to data transfer requirements and data subject rights.
International Laws Affecting Multinational Businesses
For businesses operating across borders, these regulations introduce additional complexity. Ensuring data privacy compliance in one country might not fully cover another, as national laws in certain regions now demand higher standards than even the GDPR. Businesses are now tasked with both preventing data breaches and meticulously tracking the processing and sharing of data to ensure transparency and legal compliance.
Here are some national laws that EMEA businesses should take note of if they operate in these countries:
- China’s Personal Information Protection Law (PIPL): The PIPL includes strict requirements for cross-border data transfers, data localization and a unique enforcement mechanism tied to other cybersecurity regulations. This law requires additional steps, including governmental security assessments, for international data transfers. You can find detailed discussions on these provisions from the International Association of Privacy Professionals (IAPP).
- California Privacy Rights Act (CPRA): The CPRA extends consumer rights in ways not covered by GDPR, such as the right to correct personal information and restrict the use of “sensitive” data. It also mandates the creation of a dedicated enforcement agency, the California Privacy Protection Agency (CPPA). For an in-depth look at CPRA’s provisions, check out sources like Cornell Tech’s report on data privacy laws and the IAPP’s coverage.
- Brazil’s LGPD: The LGPD includes stringent requirements for handling sensitive data and data subject consent that sometimes go beyond GDPR. Enforcement is conducted by Brazil’s National Data Protection Authority (ANPD), which has significant authority over compliance, including the power to impose fines based on violation severity. For more about LGPD specifics, you can refer to resources from IAPP.
- Japan’s Act on Protection of Personal Information (APPI): Japan’s APPI has reciprocity with the GDPR, yet has introduced recent updates that tighten data handling requirements, especially for companies operating internationally. The APPI sets high standards for data transfers and requires diligence for data breach notifications and data sharing. More information is available via the IAPP’s report on APPI updates.
Key Elements of a Compliance-Driven Privacy Strategy
Despite the differences in privacy regulations globally, there are several common technical controls that most of them expect organizations to implement for privacy protection. Adopting these components allows you to build a privacy-first culture.
- Data Encryption: Encrypting personal data both in transit and at rest to protect it from unauthorised access
- Access Controls: Implementing strict access controls to ensure that only authorized personnel can access personal data
- Data Integrity and Confidentiality: Ensuring the ongoing integrity, availability and confidentiality of personal data
- Incident Response Plans: Having plans in place to respond to data breaches and other security incidents promptly
- Data Minimisation: Collecting and processing only the data that is necessary for the specified purpose
- Regular Audits and Monitoring: Conducting regular audits and continuous monitoring to detect and address vulnerabilities
- Data Subject Rights: Implementing mechanisms to facilitate data subject rights, such as access, correction and deletion of personal data
For data encryption, access controls and data integrity and confidentiality, organizations could look to adopt controls from an established cybersecurity framework. The table below maps each control to NIST CSF, CIS Controls and ACSC ISM identifiers. Control identifiers change between framework versions (for example NIST CSF 1.1 and 2.0, or CIS Controls v7 and v8), so verify the mapping against the version your organization has adopted.
| Control | NIST | CIS | ACSC ISM |
| --- | --- | --- | --- |
| Data Encryption | Protect (PR.DS-1) | Control 13.1: Encrypt sensitive data | ISM-1080: Use an ASD-Approved Cryptographic Algorithm (AACA) or high-assurance cryptographic algorithm when encrypting media. ISM-0457: Use cryptographic equipment or software that has completed a Common Criteria evaluation against a Protection Profile for encrypting media containing OFFICIAL: Sensitive or PROTECTED data. ISM-0469: Use an ASD-Approved Cryptographic Protocol (AACP) or high-assurance cryptographic protocol to protect data communicated over network infrastructure. |
| Access Controls | Protect (PR.AC-1) | Control 5.1: Establish secure configurations | ISM-0459: Implement full disk encryption, or partial encryption where access controls only allow writing to the encrypted partition. ISM-0462: Handle IT equipment or media according to its original sensitivity or classification when a user authenticates to the encryption functionality. ISM-0507: Develop, implement and maintain cryptographic key management processes and procedures. |
| Data Integrity and Confidentiality | Protect (PR.DS-6); Protect (PR.DS-2) | Control 10.1: Implement secure backups; Control 14.1: Protect data in transit | ISM-0465: Use cryptographic equipment or software that has completed a Common Criteria evaluation against a Protection Profile to protect OFFICIAL: Sensitive or PROTECTED data when communicated over insufficiently secure networks. ISM-0467: Use High Assurance Cryptographic Equipment (HACE) to protect SECRET and TOP SECRET data when communicated over insufficiently secure networks. ISM-0455: Ensure cryptographic equipment and software provide a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure. |
Adaptation to Emerging Data Privacy Laws: A Proactive Approach
One of the major challenges in this rapidly changing landscape is staying ahead of emerging laws. In some EMEA countries, data privacy regulations are stricter than the overarching GDPR, creating a web of obligations that companies must navigate. As regulations continue to evolve, organizations need to remain proactive by conducting frequent audits, training employees and investing in scalable compliance tools.
Businesses should aim to develop a compliance framework that can adapt as new regulations are introduced. By staying informed of regulatory updates and integrating compliance into everyday operations, organizations can avoid penalties and establish themselves as trusted custodians of data.
You can stay abreast of regulatory shifts by subscribing to newsletters and alerts from legislative authorities, law firms and regulatory bodies. Below are some resources you can subscribe to depending on where your business operates.
Looking Ahead: Building Trust in the Data Privacy Era
Data privacy has shifted from being a compliance requirement to a core component of business strategy, especially in the EMEA region. With stricter regulations on the horizon, decision-makers are encouraged to view privacy as an opportunity to build trust with clients, employees and stakeholders.
Through robust identity management, secure collaboration and transparent documentation, companies can create a secure environment for data, staying compliant with regional laws and protecting their reputations.
Additionally, exploring certification against ISO standards allows organizations to align with regulatory requirements and demonstrate their commitment to quality, safety and efficiency.
ISO 27701 certification helps organizations stay up to date with global privacy regulations and obligations by providing a structured framework for managing personal data and demonstrating compliance with various privacy laws. This certification extends ISO/IEC 27001 and ISO/IEC 27002 standards to include privacy-specific requirements, creating a comprehensive Privacy Information Management System (PIMS).
By achieving ISO 27701 certification, organizations can systematically identify, assess and mitigate privacy risks, ensuring they adhere to regulations like GDPR, CCPA and others. Additionally, the certification promotes continuous improvement, helping organizations adapt to evolving privacy laws and best practices.
As regulatory landscapes continue to shift, companies that commit to a privacy-first approach will be better positioned to respond to future requirements. By prioritising data security and compliance today, organizations can safeguard their operations and foster trust in a privacy-conscious world.
If you need assistance with your compliance, Insentra is here to help. Contact us today to start a conversation.