It was 5 or so years ago that one of the Outsourced DPO’s favourite clients raised a support case enquiring about data protection in Russia. One of their customers had asked them to provide a data collection service in Russia and they needed to know more about the Russian rules. The Outsourced DPO therefore noted with interest a couple of weeks ago that the fines had dramatically increased for not complying with the Russian data localization law, which requires physically locating data processing activities and facilities (e.g. servers) within the Russian Federation for processing the personal data of Russian citizens – now approximately £75,000 for one-off violations and £225,000 for repeated offences.
Last week it was announced that revised privacy legislation is being introduced for consideration in the state of Virginia in the USA. The proposed Virginia Privacy Act has some similarities to the new California Consumer Privacy Act (CCPA), such as notice requirements, and affords data subjects rights similar to those set out in the GDPR. However, it only applies to certain entities, with thresholds on things like data volumes and turnover, and would require data controllers to perform and document a privacy risk assessment for every processing activity they undertake.
The Outsourced DPO isn’t sure how relevant the proposed Virginia Privacy Act and CCPA are to UK-based organisations, but keeping track of the ever-evolving privacy law across the globe is a challenge. That’s one of the benefits of contracting out some or all data protection compliance management responsibilities to specialists who not only live and breathe this – they also relish the opportunity of getting stuck into some technical reading as they wend their merry way along the beautiful Esk Valley.