Global Data Compliance Update: Key Changes in 2023

In the fast-paced digital landscape, businesses must keep up with the latest data compliance regulations. As we approach the end of 2023, significant changes in data protection laws are reshaping how organisations manage sensitive information. From the well-known General Data Protection Regulation (GDPR) to newer laws like the California Privacy Rights Act (CPRA), compliance requirements are evolving.

This article offers practical insights into these evolving data protection regulations. Dive into the details of amended laws, grasp their implications, and gain the knowledge to navigate the altered regulatory environment. 

Country Specific Updates

Jamaica: Data Protection Act (DPA) - November 30, 2023

The DPA was originally introduced in December 2021, with the government giving organisations two years to comply. This law came into effect in November 2023 and expands the scope of the data protection laws throughout Jamaica, introducing several new requirements for organisations, including: 

• Consent must be obtained from individuals before information processing or collecting of personal data.
• Individuals must be able to access the data held on them.
• Organisations must delete personal data at the request of the individual.
• Appropriate security measures to protect sensitive information must be implemented.
• Data breaches must be reported to the Office of the Information Commissioner (OIC) within 72 hours.
• Data protection impact assessments (DPIAs) must be conducted before sensitive personal data is processed or high-risk data processing activities are engaged.

The DPA will have an impact on any organisation that processes or stores the personal data of individuals located in Jamaica. 

Switzerland: Federal Act on Data Protection (FADP) - September 1, 2023

The FADP is a comprehensive piece of legislation designed to protect individuals' privacy. Based on GDPR, this is one of the most stringent data protection laws in the world. The FADP imposes a number of obligations on organisations, such as:

• Organisations must obtain consent from individuals before collecting or processing personal data.
• Individuals must have access to their personal data and be able to request deletion of said personal data.
• Data breaches must be reported to the Federal Data Protection Commissioner within 72 hours. 
• A Data Protection Officer (DPO) must be appointed if the organisation process large amounts of sensitive data or engages in high-risk data processing activities.

United States 

Several new data compliance laws will be passed throughout America by the end of 2023. These laws regulate the collection, use and disclosure of personal data; these laws include:

1. The Virginia Consumer Data Protection Act (VCDPA) - January 1, 2023
2. The Colorado Privacy Act (CPA) - July 1, 2023
3. The Utah Consumer Privacy Act (UCPA) - December 31, 2023

These laws give individuals a number of new rights over their personal data, including the right to access, correct, and delete their personal data and the right to opt out of targeted advertising and data sales.

These regulations appear to be inspired by the California Consumer Privacy Act, which took effect on January 1, 2020. Many of the amendments observed in the three mentioned laws align with those introduced by the California Consumer Privacy Act.

Singapore: Personal Data Protection Act - July 18, 2023

The Personal Data Protection Commission (PDPC) of Singapore published updated or advisory guidelines for using personal data in relation to Artificial intelligence (AI) in July 2023. These guidelines are intended to ensure organisations continue to remain compliant with the PDPA when utilising these future technologies.

These guidelines cover a number of topics, including:

• Transparency: Organisations should be transparent about how AI processes personal data.
• Fairness: They should ensure that their AI systems are fair and unbiased.
• Accountability: Organisations should be accountable for the decisions made by their AI systems.

While not legally binding, these guidelines provide useful instructions for organisations on remaining compliant with PDPA when using AI/ML technologies now and in the future.

India: The Digital Personal Data Protection Act (DPDP) - November 30, 2023

This law, based on GDPR, is a comprehensive data protection law regulating digital personal data processing throughout India. This act also included some unique features, such as:

•  Data trustees must obtain consent from individuals before collecting or processing sensitive personal data.
• This act establishes a Data Protection Authority (DPA) to enforce the law. The DPA can impose penalties on organisations found violating the law.

South Korea: The South Korean Personal Information Protection Act (PIPA) - September 15, 2023

While the original law was passed in 2022, amendments to this piece of legislation came into effect in March of 2023. These amendments require organisations to do the following:

• Organisations must obtain explicit consent for the processing of sensitive personal data.
• There is a requirement to provide individuals with a copy of their personal data in a portable format.
• Individuals must be notified of automated decision-making conducted on their information.
• Data breaches must be reported to the Personal Information Protection Commission (PIPC) within 72 hours. 

Australia: Privacy Amendment Act - November 30, 2023

This amendment was brought into force to update the rather simplistic Australian Privacy Act of 1998 and includes many changes to the original law to become more relevant in this digital age. These changes include:

• Expanded scope to include offshore entities that collect, use or disclose personal information of Australian residents.]
• Increased penalties for serious or repeated data breaches. These penalties have risen from A$2.22 million to A$50 million.
• Updated consent obligations requiring explicit consent outside of limited use cases.
• Organisations must now take reasonable steps to ensure that de-identified information remains de-identified.
• DPIAs must be carried out before engaging in high-risk data processing activities.

The Path Forward: Strategic Compliance and Innovation

As you can see, the evolving landscape of global data compliance demands vigilant attention from businesses worldwide. The regulatory updates in 2023 underscore the growing emphasis on safeguarding individuals' privacy rights. Navigating these complexities requires advanced solutions.

Vaultree's Fully Functional Data In Use Encryption (FFDUE™) represents a key solution in this environment. FFDUE™ not only assures compliance with the evolving laws but also enables organisations to leverage their data assets securely and efficiently. This technology is a game-changer, allowing businesses to meet regulatory demands while driving innovation and securing a competitive edge.

If you would like to learn more about Vaultree’s innovative FFDUE™, please click here to request a free demo.