In October 2020, the UK Information Commissioner’s Office (ICO) hit British Airways with a $26 million fine, because they had not implemented sufficient security measures. As a result, their system was compromised by hackers, who managed to get passengers’ personal information, including names, addresses, payment information, and log-in details.
The GDPR set an example for non-EU countries to strengthen their own data protection regulations, and privacy laws have become more relevant since it took effect. In a digital world, it is becoming more important to ensure that personal data is protected, processed and used for the correct purpose.
The California Consumer Privacy Act (CCPA) went into effect on January 1st, 2020 and was created to give CA residents—individuals who reside in California, even if they are temporarily outside of the state—more control over the personal information that businesses collect about them.
CCPA is similar to GDPR, except that it only applies to businesses that collect the personal information of California residents. If you’d like to know more about the CCPA, you can find the whole article about it here.
South Africa’s Protection of Personal Information Act (POPIA Act) is the latest major data privacy law in the world to be modeled closely after the EU’s GDPR (and the ePrivacy Directive). It empowers its citizens with enforceable rights over their personal information, establishes 8 minimum requirements for data processing (e.g. introducing consent as a required legal basis), and creates a broad definition of personal information for comprehensive end-user protection.
POPIA took effect on July 1, 2020.
POPIA enforcement began on July 1, 2021.
POPIA applies to any company or organization processing personal information in South Africa that is domiciled in the country, or that is not domiciled there but makes use of automated or non-automated means of processing in the country.
The Act applies to any person or organization who keeps any type of records relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently.
The organization does not need to comply if it is domiciled and processes data outside of South Africa. In this respect, POPIA is not like the GDPR and the Kenyan Data Protection Act, which require you to comply if your organization processes the personal information of data subjects in the territory. POPIA focuses on the location of processing rather than the location of the data subject.
The Kenya Data Protection Act (DPA) came into force on 25th November 2019 and is now the primary statute on data protection in Kenya. According to the DPA, the data controller and processor are required to ensure that all personal data is processed lawfully, fairly and in a transparent manner.
The Act covers the processing of personal data of data subjects located in Kenya and applies to data controllers and processors established or resident in or outside Kenya. The DPA is largely modeled on the GDPR.