GDPR gets all the attention, but global companies face privacy regulations across dozens of jurisdictions. Brazil's LGPD, China's PIPL, South Africa's POPIA, and Singapore's PDPA each have distinct requirements that affect data enrichment operations. Many of these laws have extraterritorial reach—they apply if you're processing data about residents, regardless of where your company is based.
This guide covers the major global privacy regulations beyond GDPR and how they specifically impact data enrichment activities.
The Global Privacy Landscape
Privacy regulation has proliferated rapidly. As of 2026, over 140 countries have comprehensive data protection laws (according to IAPP). The trend toward GDPR-style regulation continues, but important differences exist:
Key Regulatory Patterns
- GDPR-influenced: Many laws (LGPD, UK GDPR, POPIA) closely follow GDPR structure
- Consent-heavy: Some jurisdictions (China, much of Asia) emphasize consent more than GDPR
- Data localization: Several countries require data to remain within borders (China, Russia, Indonesia)
- Sector-specific: Some have distinct rules for different industries (healthcare, financial)
- Enforcement maturity: Laws exist but enforcement varies dramatically by jurisdiction
Extraterritorial Application
Most modern privacy laws apply to foreign companies that:
- Offer goods or services to residents in the jurisdiction
- Monitor behavior of residents in the jurisdiction
- Process personal data of residents (regardless of where processing occurs)
For data enrichment, if you're enriching records about people in a jurisdiction, that jurisdiction's law likely applies.
Americas: Beyond the United States
Brazil: LGPD (Lei Geral de Proteção de Dados)
Brazil's LGPD is South America's most significant privacy law, modeled closely on GDPR.
LGPD Key Requirements
- Legal basis required: 10 bases including consent, legitimate interest, contract
- DPO mandatory: All organizations processing personal data must appoint one
- Data subject rights: Access, correction, deletion, portability, opt-out
- Cross-border transfers: Adequacy, SCCs, or specific consent required
- Penalties: Up to 2% of Brazilian revenue, capped at R$50 million per violation
For data enrichment, LGPD's legitimate interest basis works similarly to GDPR—you can enrich B2B data without consent if the interest is legitimate, necessary, and balanced against data subject rights. However, Brazil's ANPD (national authority) has been more prescriptive about legitimate interest assessments than some EU DPAs.
Argentina: PDPA
Argentina's Personal Data Protection Act predates GDPR but has been updated. Argentina has an EU adequacy decision, making data transfers relatively straightforward.
- Consent emphasis: More consent-dependent than GDPR for many processing activities
- Registry requirement: Databases containing personal data must be registered
- Financial data: Extra protections for financial information
- Cross-border: EU adequacy simplifies transfers
Canada: PIPEDA and Provincial Laws
Canada's federal PIPEDA applies to commercial activities, but provinces can have substantially similar laws:
- Quebec: Law 25 (effective 2023-2025) adds GDPR-like requirements including privacy impact assessments
- British Columbia/Alberta: Provincial private sector privacy acts
- Federal reform: Bill C-27 proposes significant updates to PIPEDA
For enrichment, PIPEDA allows processing for purposes a reasonable person would consider appropriate, but Quebec's new law requires more explicit consent frameworks.
Mexico: LFPDPPP
Mexico's Federal Law on Protection of Personal Data Held by Private Parties:
- Privacy notice: Detailed notice requirements before collecting data
- Consent tiers: Different consent requirements for different data types
- ARCO rights: Access, Rectification, Cancellation, Opposition
- Financial data: Heightened protections
Asia-Pacific: Complex and Varied
China: PIPL (Personal Information Protection Law)
China's PIPL, effective November 2021, is one of the world's strictest privacy laws with significant implications for data enrichment.
PIPL Critical Requirements
- Separate consent: Required for cross-border transfers, sensitive data, public disclosure
- Data localization: CIIOs (Critical Information Infrastructure Operators) must store data locally
- Security assessment: Required for transfers involving 1M+ individuals
- Standard contracts: CAC-published clauses required for cross-border transfers
- Local representative: Required for organizations with no China presence
PIPL significantly restricts data enrichment involving Chinese residents. Key considerations:
- Consent requirements: More emphasis on consent than legitimate interest
- Transfer restrictions: Getting data out of China for enrichment is heavily regulated
- Government access: Authorities have broad data access rights
- Data minimization: Strong emphasis on collecting only necessary data
Japan: APPI (Act on Protection of Personal Information)
Japan's APPI, significantly amended in 2022, has EU adequacy status:
- Opt-out system: Allows third-party data provision with opt-out for non-sensitive data
- Pseudonymized data: Specific rules enable analytics on pseudonymized data
- Cross-border: Adequacy with EU; other transfers require consent or equivalent protection
- Cookies: 2022 amendments regulate cookies as personal information in some cases
Japan's opt-out mechanism for third-party transfers is unique and can support B2B data enrichment when properly implemented.
South Korea: PIPA
South Korea's Personal Information Protection Act, amended in 2023:
- Consent emphasis: Strong consent requirements, especially for sensitive data
- Pseudonymization: Well-developed framework for pseudonymized data use
- Data combination: Specific rules for combining datasets
- Cross-border: EU adequacy status achieved in 2024
Singapore: PDPA
Singapore's Personal Data Protection Act is business-friendly while providing protection:
| Aspect | PDPA Approach | Enrichment Impact |
|---|---|---|
| Legal basis | Consent, legitimate interest, business improvement | Legitimate interest supports B2B enrichment |
| Consent exceptions | Broad business purposes exception | Publicly available data easier to use |
| Cross-border | Comparable protection standard | Transfers relatively flexible |
| Do Not Call | Separate DNC registry for marketing | Check before outbound marketing |
India: DPDP Act
India's Digital Personal Data Protection Act (2023) is the country's first comprehensive privacy law:
- Consent-centric: Notice and consent are the primary legal basis
- Legitimate use: Limited exceptions for specified legitimate uses
- Cross-border: Transfers allowed except to blacklisted countries
- Data localization: Government can mandate for certain data types
- Significant data fiduciary: Extra obligations for large processors
India's approach is consent-heavy, which may complicate B2B data enrichment operations.
Thailand: PDPA
Thailand's Personal Data Protection Act closely follows GDPR:
- GDPR structure: Six legal bases including legitimate interest
- Cross-border: Adequacy or appropriate safeguards required
- DPO: Required for large-scale processing or sensitive data
- Penalties: Administrative fines up to THB 5 million
Indonesia: PDP Law
Indonesia's Personal Data Protection Law (2022):
- Data localization: Strategic sectors may require local storage
- Consent requirements: Explicit consent emphasis
- Cross-border: Requires comparable protection or binding rules
- Criminal penalties: Includes criminal sanctions for violations
Australia: Privacy Act
Australia's Privacy Act with Australian Privacy Principles (APPs):
- APPs framework: 13 principles governing data handling
- Cross-border: Reasonable steps to ensure overseas compliance
- Reform pending: Significant amendments expected from Privacy Act Review
- Spam Act: Separate marketing consent requirements
Europe: Beyond GDPR
UK GDPR
Post-Brexit, the UK has its own GDPR version:
- Substantial similarity: Largely mirrors EU GDPR
- EU adequacy: UK has EU adequacy (until June 2025, renewable)
- ICO guidance: Sometimes differs from EU interpretations
- Proposed reforms: Data Protection and Digital Information Bill may diverge from EU approach
Switzerland: nFADP
Switzerland's revised Federal Act on Data Protection (effective September 2023):
- GDPR alignment: Closely aligned with GDPR
- No registration: Unlike the old law, no database registration required
- Criminal penalties: Individual criminal liability for certain violations
- Cross-border: Adequacy list similar to EU
Middle East and Africa
South Africa: POPIA
South Africa's Protection of Personal Information Act:
POPIA Key Features
- GDPR-influenced: Similar structure with conditions for lawful processing
- Legitimate interest: Available as a processing ground
- Cross-border: Adequacy, consent, or contract required
- Direct marketing: Opt-in required for electronic direct marketing
- Information Officer: Must be registered with regulator
UAE: Federal Data Protection Law
The UAE's federal data protection law and DIFC/ADGM regulations:
- Federal law: Applies outside financial free zones
- DIFC: Dubai International Financial Centre has its own GDPR-like law
- ADGM: Abu Dhabi Global Market has separate data protection regulations
- Consent focus: Strong emphasis on consent for processing
Saudi Arabia: PDPL
Saudi Arabia's Personal Data Protection Law:
- Consent-based: Consent is the primary legal basis
- Data localization: Sensitive data must be stored locally (with exceptions)
- Cross-border: Requires adequate protection determination
- Enforcement: SDAIA oversees compliance
Nigeria: NDPR
Nigeria's Data Protection Regulation:
- Consent emphasis: Consent required for most processing
- Data protection audit: Annual audit required for data controllers
- Local storage: Government data must be stored locally
- Cross-border: Adequate protection required
Cross-Border Data Transfer Mechanisms
Getting enriched data across borders requires understanding transfer mechanisms:
Adequacy Decisions
Some jurisdictions have mutual recognition:
| From | Adequate Destinations | Notes |
|---|---|---|
| EU | UK, Japan, South Korea, Argentina, Canada (commercial), others | US requires Data Privacy Framework |
| UK | EU/EEA, many EU-adequate countries | Adequacy bridge maintained |
| Japan | EU (mutual) | Supplementary rules apply |
| South Korea | EU (mutual, 2024) | New adequacy status |
Standard Contractual Clauses
Most jurisdictions accept some form of contractual safeguards:
- EU SCCs: Widely used; some non-EU countries accept them
- UK IDTA: UK's international data transfer agreement
- China SCC: CAC-published standard contract for outbound transfers
- ASEAN MCCs: Model contractual clauses for ASEAN transfers
Data Localization Requirements
Some jurisdictions restrict data from leaving the country:
- China: CIIOs must localize; others need security assessment for large transfers
- Russia: Personal data of Russian citizens must be stored locally
- Indonesia: Public sector data must remain local
- Vietnam: Certain data categories require local storage
Practical Compliance Strategy
Managing compliance across multiple jurisdictions requires a systematic approach:
Layered Compliance Framework
- Baseline layer: Implement GDPR-level protections globally as a minimum standard
- Regional layer: Add requirements for major regions (APAC, LATAM, MENA)
- Country layer: Address specific requirements for high-priority markets
- Exception handling: Processes for markets with unusual requirements
Data Inventory Requirements
Maintain records of:
- Data origins: Where personal data comes from (which jurisdictions)
- Processing locations: Where data is stored and processed
- Data flows: How data moves between jurisdictions
- Vendor locations: Where enrichment providers process data
- Legal bases: Documented basis for each jurisdiction
Consent Management
For jurisdictions requiring consent:
- Granular collection: Capture consent for specific purposes
- Jurisdiction tracking: Record which law applies to each consent
- Withdrawal mechanism: Enable easy consent withdrawal
- Audit trail: Maintain evidence of consent
Vendor Due Diligence
For data enrichment vendors:
- Processing locations: Know where the vendor processes data
- Subprocessors: Understand downstream data flows
- Contractual coverage: Ensure DPAs cover relevant jurisdictions
- Certifications: ISO 27001, SOC 2, jurisdiction-specific certifications
Jurisdiction-Specific Enrichment Guidance
High-Restriction Jurisdictions
Where extra caution is needed:
| Jurisdiction | Key Restriction | Enrichment Approach |
|---|---|---|
| China | Cross-border transfer limits | Use local vendors; security assessment for transfers |
| Russia | Data localization | Store and process locally; limited enrichment options |
| India | Consent requirements | Ensure proper consent for B2C; watch for localization rules |
| Indonesia | Sector-specific localization | Assess sector applicability; use local processing |
Moderate Jurisdictions
GDPR-like but with variations:
- Brazil: Legitimate interest works; document DPIA; mind transfer mechanisms
- South Africa: Similar to GDPR; register Information Officer
- Thailand: GDPR approach works; ensure adequate transfer basis
- UAE: Consent-focused; free zone rules differ from federal
Business-Friendly Jurisdictions
Relatively straightforward for enrichment:
- Singapore: Business improvement exceptions; pragmatic enforcement
- Japan: Opt-out mechanism for third-party provision
- UK: GDPR familiar; possible future flexibility
- Canada: Reasonable purposes standard (except Quebec)
Staying Current
Privacy law changes rapidly. Key monitoring strategies:
Regulatory Tracking
- DPA announcements: Follow data protection authorities in key markets
- IAPP resources: International Association of Privacy Professionals tracking
- Law firm alerts: International privacy practice newsletters
- Vendor updates: Data enrichment vendors should flag regulatory changes
Periodic Review
- Annual assessment: Review compliance posture for each jurisdiction
- Market entry: Full compliance review when entering new markets
- Major law changes: Update processes when significant amendments pass
- Enforcement trends: Adjust risk assessment based on enforcement patterns
Frequently Asked Questions
How does Brazil's LGPD affect data enrichment?
Brazil's LGPD (Lei Geral de Proteção de Dados) requires a legal basis for processing personal data, with legitimate interest being most relevant for B2B enrichment. LGPD requires data protection impact assessments for high-risk processing, appointment of a DPO for any organization processing personal data, and specific consent requirements for sensitive data. Cross-border transfers require adequacy decisions or standard contractual clauses.
What are the key requirements of China's PIPL for data enrichment?
China's PIPL (Personal Information Protection Law) imposes strict requirements: separate consent for cross-border data transfers, security assessments for transferring data of more than 1 million individuals, data localization requirements for critical information infrastructure operators, and mandatory contractual clauses for overseas transfers. PIPL's extraterritorial reach applies to organizations outside China processing Chinese residents' data.
How do Southeast Asian privacy laws differ from GDPR?
Southeast Asian laws vary significantly: Singapore's PDPA allows consent-based and legitimate interest processing similar to GDPR but with different breach notification thresholds. Thailand's PDPA closely mirrors GDPR. Malaysia's PDPA requires registration for commercial data processors. Indonesia's PDP Law requires data localization for certain sectors. Most lack the comprehensive enforcement infrastructure seen in Europe.
What is the best approach to multi-jurisdictional data compliance?
The recommended approach is layered compliance: establish a GDPR-level baseline for all personal data processing, then add jurisdiction-specific requirements where needed. Maintain a data inventory tracking where data originates and flows, implement consent management that can capture jurisdiction-specific requirements, and use data localization where required. Work with local counsel in key markets for nuanced interpretation.
About the Author
Rome Thorndike is the founder of Verum, where he helps B2B companies clean, enrich, and maintain their CRM data. With over 10 years of experience in data at Microsoft, Databricks, and Salesforce, Rome has seen firsthand how data quality impacts revenue operations.