Beyond GDPR: Privacy Regulations Across the Globe

Blog | 14 March 2019

As of May 25, 2018, companies have had to make sure they comply with the General Data Protection Regulation. Any company working with European consumers is now familiar with the new privacy requirements. Many companies have actually had to opt out of working with Europeans because they aren’t compliant.

After months of anticipation, it might be tempting to breathe a sigh of relief now that GDPR is now live. However, the major effort to protect European consumers’ privacy shouldn’t overshadow the important privacy regulations of other regions. You will want to identify similarities and differences and build privacy policies that meet the strictest of requirements.

United States

In the US, each state has its own regulations regarding the protection of personally identifiable information (PII). For instance, states like California and Massachusetts are considered stricter than others. Many companies use the strictest regulation to govern their overall country-wide policies. There are also industry-specific privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA.)  

South Korea

Similar to GDPR in many ways, South Korea’s Personal Information Protection Act, enacted in 2011, requires that “data subjects” give explicit consent to organizations before their data is collected and used. Consent is also required before sharing that information with a third party.  


The Personal Data Protection Act of 2012 requires organizations to gain consent from individuals before collecting data. They need to specifically notify the individual of the purposes for which the data will be used, and for the data to be used in ways that are reasonable for the organization.   Even before GDPR, European privacy regulations were considered stricter than many other geographies. That doesn’t mean companies should solely focus on GDPR. They should also consider regulations of other regions. Companies will need to get consent from users before collecting and using data. They will also need to protect the data collected, as many countries have cybersecurity and data protection laws. Because sharing data is part of most of these regulations, organizations will want to have clear policies on how their business partners should comply. It would be ironic to comply with so many regulations only to be put at risk by partners who themselves are not compliant.

Why not connect with us?