Data protection and privacy have continued to climb the corporate agenda over the past 12-18 months. The coronavirus (COVID-19) pandemic has sparked a mass migration of employees to remote working and opened up new attack vectors for malicious actors intent on accessing valuable personal information. Potential data breaches raise the financial and reputational risks that businesses face.



Proskauer Rose LLP

“In the US, there is no single comprehensive law or regulatory agency addressing cyber security, data protection or privacy. Instead, companies must navigate a patchwork of federal, state, local and sector-specific privacy and data protection laws, regulations and guidance, and engage with regulators from various federal agencies and state attorneys general. The combination of the passage of state privacy laws in California, Virginia and Colorado and the recent highly sophisticated cyber security attacks impacting companies has increased companies’ awareness and focus of their privacy and data protection responsibilities.”



McMillan LLP

“In our experience, Canadian companies are typically aware that there are laws governing their collection, use and disclosure of personal information, including requirements to implement appropriate safeguards to protect personal information. With that said, businesses are sometimes surprised by the broad application of Canadian privacy laws. Companies can also be under the misapprehension that their compliance with the European Union’s (EU’s) General Data Protection Regulation (GDPR) means that they are likely compliant with other international privacy laws.”



Arochi & Lindner Mexico

“In Mexico, personal data is a human right, and its protection is enshrined within a broad and robust legal framework. In the case of companies, the obligations they have toward personal data holders are established in the General Data Protection Law for the Public Sector, which has been in force since 2010. Due to the current and increased exposure of private personal information, data protection and corresponding enforcement activities have become stronger and gained ground; thus, although we have a long way to go, the business world has been pushed to focus on, accelerate its efforts toward and invest resources into personal data protection, to operate in accordance with the local legal framework.”




“The Cayman Islands Data Protection Act (DPA) came into force in September 2019. The Office of the Ombudsman, which is the Cayman Islands supervisory authority for data protection related matters, has issued a Guide for Data Controllers, which aims to explain how the Ombudsman will interpret certain provisions of the DPA. The Ombudsman also has a clear and informative website. Parties must have a strong understanding of their data protection duties. This requires them to regularly review and prepare privacy notices, data protection policies and data processing terms, as well as conduct training and assess and report on data breaches.”




“In the UK, companies are trying very hard to understand their duties, although some gaps of understanding remain. Many larger organisations have developed a sophisticated understanding of their data protection obligations. The UK’s data protection authority, the Information Commissioner’s Office (ICO), provides a wealth of information on its website that is easy to read and is highly informative.”



De Gaulle Fleurance & Associés

“Since May 2018, when the European Union’s (EU’s) General Data Protection Regulation (GDPR) became compulsory, French companies have gained a better understanding of their duties thanks to the efforts of the French Data Protection Authority (CNIL), new EU guidelines, experts involved in creating a compliance culture, the threat of a serious sanctions and the increasing risk of cyber attacks. In larger organisations, data protection officers (DPOs) have become more professionally trained and procedures have been put in place around a variety of topics, such as conducting privacy impact assessments or letting individuals exercise their data rights.”



Ashurst LLP

“In recent years, and particularly since the General Data Protection Regulation (GDPR) came into force in 2018, corporate awareness of the increasingly complex and challenging data protection compliance environment has increased in Germany. However, even with privacy compliance generally moving more to the centre of corporates’ focus, the level of actual compliance remains mixed. We frequently see small and medium-sized enterprises (SMEs) with massive privacy issues even in their core procedures and business activities.”



Lakshmikumaran & Sridharan

“Data protection duties and obligations stem from data privacy legislation, however there is currently no specific data privacy legislation in India. Data privacy is governed in a very limited sense under the Information Technology Act, 2000 (ITA) and the accompanying Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 (SPD Rules). The ITA and the SPD Rules provide a very basic framework in relation to personal data, which is certainly not on a par with more advanced legal frameworks, such as the European Union’s (EU’s) General Data Protection Regulation (GDPR).”



S.U.Khan Associates Corporate & Legal Consultants

“Pakistan is currently developing a law on personal data protection. A draft of the proposed law issued by the Ministry of Information Technology & Telecommunication (MoITT) has passed the consultation stage and will now be presented before the legislature. There is currently no law governing personal data protection in the country; as such, the only companies that properly understand their data protection duties are those that have been exposed to or are subject to any foreign laws governing data protection, such as multinational companies which have offices in Pakistan and which are subject to the European Union’s (EU’s) General Data Protection Regulation (GDPR), or Pakistani companies that deal with overseas stakeholders and so must comply with the personal data protection laws of other jurisdictions.”




“Over the past few years, and particularly since June 2017 when the Cyber Security Law of the People’s Republic of China (PRC) took effect, raising companies’ awareness of the new regulatory regime on data protection and enforcement against non-compliant operations were the two main areas of focus for regulators. On 29 April 2021, the National People’s Congress published the second Draft Personal Data Protection Law for public consultation. Once passed, this legislation will be the first designated personal data protection law in China.”