In the US, each state has its own regulations regarding the protection of personally identifiable information (PII). For instance, states like California and Massachusetts are considered stricter than others. Many companies use the strictest regulation to govern their overall country-wide policies. There are also industry-specific privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA).
Similar to GDPR in many ways, South Korea’s Personal Information Protection Act, enacted in 2011, requires that “data subjects” give explicit consent to organizations before their data is collected and used. Consent is also required before sharing that information with a third party.
The Personal Data Protection Act of 2012 requires organizations to gain consent from individuals before collecting data. They need to specifically notify the individual of the purposes for which the data will be used, and the data may only be used in ways that are reasonable for the organization.
Even before GDPR, European privacy regulations were considered stricter than those of many other geographies. That doesn't mean companies should focus solely on GDPR; they should also consider the regulations of other regions. Companies will need to get consent from users before collecting and using data. They will also need to protect the data collected, as many countries have cybersecurity and data protection laws. Because data sharing is covered by most of these regulations, organizations will want clear policies on how their business partners should comply. It would be ironic to comply with so many regulations only to be put at risk by partners who themselves are not compliant.