Data Privacy Compliance Beyond GDPR: CCPA, LGPD, POPIA and Global Frameworks
Complete guide to global data privacy compliance: GDPR, CCPA, LGPD, POPIA, PIPL, DPDPA. Comparison of key laws, penalties, individual rights and document handling obligations.

Data privacy regulation is no longer a European concern. As of January 2026, 137 countries have enacted national data protection legislation, according to the UN Conference on Trade and Development (UNCTAD). For UK businesses that process personal data of Brazilian customers, South African counterparties, Californian consumers or Chinese users, compliance with the UK GDPR and the Data Protection Act 2018 is only the starting point.
This guide compares the eight most significant data privacy frameworks, maps their areas of convergence and divergence, and provides a practical compliance structure for organisations operating across multiple jurisdictions.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.
Comparison Table: GDPR, CCPA, LGPD, POPIA and PIPL
The five major data privacy laws share structural similarities but differ substantially on territorial scope, individual rights, maximum penalties and enforcement authority.
| Law | Jurisdiction | In Force | Territorial Scope | Key Rights | Maximum Penalties | Enforcement Authority |
|---|---|---|---|---|---|---|
| UK GDPR + DPA 2018 | United Kingdom | 31 Jan 2020 (Brexit transition) | Any organisation processing personal data of UK residents, regardless of location | Access, rectification, erasure, portability, objection, restriction | GBP 17.5 million or 4% of global turnover | ICO (Information Commissioner's Office) |
| EU GDPR (Reg. 2016/679) | European Union | 25 May 2018 | Any organisation processing data of EU residents, regardless of establishment | Access, rectification, erasure, portability, objection, restriction | EUR 20 million or 4% of global turnover | National DPAs (coordinated by EDPB) |
| CCPA/CPRA (Cal. Civ. Code § 1798.100) | California, USA | Jan 2020, amended Jan 2023 (CPRA) | CA businesses > USD 25M revenue, or > 100,000 consumers, or > 50% revenue from data sales | Know, delete, opt-out of sale, correct, non-discrimination | Up to USD 7,500 per intentional violation | California Privacy Protection Agency (CPPA) |
| LGPD (Lei 13.709/2018) | Brazil | Sept 2020, enforcement from Aug 2021 | Any organisation processing data of individuals in Brazil, or data collected in Brazil | Access, correction, anonymisation, portability, erasure, information on sharing | 2% of Brazil revenue, capped at BRL 50 million per infraction | ANPD (Autoridade Nacional de Proteção de Dados) |
| POPIA (Act 4 of 2013) | South Africa | 1 July 2021 | Any organisation processing personal information of data subjects in South Africa | Notification, access, correction, erasure, objection | Up to ZAR 10 million + up to 10 years imprisonment | Information Regulator (South Africa) |
| PIPL (China) | China | 1 November 2021 | Organisations processing data of individuals in China, including foreign companies | Know, copy, correct, delete, refuse automated decision-making | Up to CNY 50 million or 5% of China revenue | CAC (Cyberspace Administration of China) |
These penalties are not theoretical. In 2023, Meta was fined EUR 1.2 billion by the Irish DPC for unlawful transfers of EU personal data to the United States (source: EDPB binding decision, May 2023), and the Brazilian ANPD issued its first formal sanctions decisions in late 2023. CheckFile's platform has processed over 2.4 million documents across 32 jurisdictions, maintaining a 99.2% audit compliance rate, which reflects the importance of privacy-compliant document processing infrastructure.
UK GDPR and Data Protection Act 2018: The UK Framework Post-Brexit
Since the UK's exit from the European Union, the UK GDPR (the EU GDPR as retained and amended in UK law) operates independently alongside the Data Protection Act 2018. The ICO is the supervisory authority and can impose fines up to GBP 17.5 million or 4% of global annual turnover for serious infringements.
The UK GDPR mirrors the EU GDPR in structure: six lawful bases for processing (Article 6), enhanced protections for special category data (Article 9), data subject rights including the right to erasure (Article 17) and portability (Article 20), and a mandatory 72-hour breach notification requirement (Article 33). However, the UK has begun to diverge from the EU framework through the Data Protection and Digital Information (DPDI) Act, enacted in 2025, which introduced targeted modifications to accountability requirements for smaller organisations and introduced a new framework for recognised legitimate interests.
For FCA-regulated firms, data retention obligations intersect with the Money Laundering Regulations 2017 (MLR 2017). Regulation 40 of the MLR 2017 requires that customer due diligence records be retained for five years after the end of the business relationship. This creates a direct tension with the UK GDPR storage limitation principle (Article 5(1)(e)), resolved by the lawful basis of legal obligation (Article 6(1)(c)), which overrides the right to erasure for the mandatory retention period.
The UK adequacy decision granted by the EU Commission in 2021 and renewed in 2025 means that transfers from EU member states to the UK do not require additional safeguards. Transfers in the opposite direction, from UK organisations to EU-based processors, are governed by the UK GDPR's own transfer rules, under which the UK has independently recognised the EEA as adequate.
For a detailed breakdown of GDPR obligations applied to document management, see our GDPR document management compliance guide.
CCPA/CPRA: The California Law and Its International Reach
The California Consumer Privacy Act (CCPA), effective January 2020, was substantially strengthened by the California Privacy Rights Act (CPRA) in January 2023. It applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue exceeding USD 25 million, processing the personal information of 100,000 or more consumers or households per year, or deriving 50% or more of annual revenue from selling consumers' personal information.
The CPRA created a new category of "sensitive personal information" (Cal. Civ. Code § 1798.121), including social security numbers, financial account credentials, precise geolocation data, racial or ethnic origin, health data, biometric information, and private communications. Consumers have the right to limit use of sensitive personal information to what is necessary to perform the requested service.
Unlike the GDPR's opt-in model for special category data, the CCPA/CPRA operates on an opt-out basis for the sale or sharing of personal information. Businesses must display a "Do Not Sell or Share My Personal Information" link under section 1798.135 of the California Civil Code. The California Privacy Protection Agency (CPPA) enforces these requirements and can issue fines of up to USD 7,500 per intentional violation, with no cap on the number of violations.
UK businesses with California operations, US subsidiaries, or significant California consumer bases must map data flows against both UK GDPR and CCPA/CPRA requirements. A well-maintained Records of Processing Activities (ROPA) under UK GDPR Article 30 provides the data inventory foundation needed to meet CCPA/CPRA transparency obligations.
LGPD: Brazil's Data Protection Law
The Lei Geral de Proteção de Dados Pessoais (LGPD, Lei 13.709/2018) came into force in September 2020, with enforcement authority exercised by the ANPD from August 2021. It applies to any processing of personal data carried out in Brazil, targeting individuals located in Brazil, or where the data was collected in Brazil, regardless of where the processing organisation is established.
The LGPD defines ten legal bases for processing personal data (Article 7), including consent, legal obligation, legitimate interest, and contract performance. Consent under Article 8 must be "free, informed, prior and unambiguous". This closely mirrors the GDPR's consent standard. The ANPD can impose fines up to 2% of the organisation's revenue in Brazil, capped at BRL 50 million per infraction.
International data transfers under the LGPD (Articles 33 to 36) require either an ANPD adequacy decision, standard contractual clauses, binding corporate rules, or specific data subject consent. As of March 2026, no bilateral adequacy decision exists between the EU/UK and Brazil, meaning UK organisations transferring data to or from Brazil must rely on standard contractual clauses or other approved mechanisms.
UK businesses operating in Latin America, particularly in financial services, insurance or technology, should note that the LGPD's data subject rights (access, correction, portability, deletion, information on sharing) are substantively equivalent to GDPR rights and can be serviced from the same dataset through a coordinated response procedure.
POPIA: South Africa's Data Protection Act
The Protection of Personal Information Act (POPIA, Act 4 of 2013) became fully enforceable on 1 July 2021. The Information Regulator exercises supervisory authority. Penalties reach up to ZAR 10 million, and section 107 of POPIA provides for criminal sanctions including imprisonment of up to 10 years for the most serious violations.
POPIA introduces eight "conditions for lawful processing" (sections 11 to 25), broadly equivalent to the GDPR's principles: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. Organisations processing personal information in South Africa must appoint a registered Information Officer with the Regulator.
POPIA affords enhanced protection to special personal information (sections 26 to 32), including health data, religious and philosophical beliefs, biometric information, political opinions, trade union membership, and children's personal information. Processing such data without an explicit exemption or consent is prohibited.
For UK businesses with South African operations, or those processing data of South African residents, POPIA compliance runs in parallel with UK GDPR obligations. The data subject rights under POPIA's section 24 (right to correction and deletion) and section 11 (withdrawal of consent) must be operationally supported regardless of where the organisation is headquartered.
PIPL, DPDPA, EU GDPR and APPI: Other Major Frameworks
China - PIPL (effective 1 November 2021)
The Personal Information Protection Law applies to any processing of personal information of individuals within China, including by foreign organisations. It requires separate consent for each processing purpose, mandates Personal Information Protection Impact Assessments (PIPIAs) for high-risk processing activities, and subjects cross-border transfers to CAC security assessments or standard contracts. Penalties reach CNY 50 million or 5% of China annual revenue.
India - DPDPA 2023 (notified 11 August 2023)
The Digital Personal Data Protection Act 2023 was notified in August 2023. Implementing rules were still being finalised in Q1 2026. The Act provides for penalties up to INR 250 crore (approximately GBP 24 million) for the most serious violations and applies to the digital processing of personal data of individuals in India. UK businesses with Indian operations or Indian user bases should monitor rule notifications closely.
EU GDPR (Regulation 2016/679)
The EU GDPR remains the most comprehensive and influential data privacy regulation globally. It applies extraterritorially under Article 3 to any organisation that targets EU residents, regardless of establishment. The European Data Protection Board (EDPB) coordinates enforcement across national supervisory authorities. For UK organisations with EU operations or EU customer bases, both UK GDPR and EU GDPR obligations apply simultaneously; the Data Privacy Framework adequacy decision (July 2023) applies to US-EU transfers, not UK-EU transfers.
Japan - APPI (amended, effective April 2022)
The Act on the Protection of Personal Information was revised with effect from April 2022, introducing stricter breach notification requirements (within 72 hours of discovery for significant breaches), enhanced individual rights, and tighter controls on third-party data transfers. The Personal Information Protection Commission (PPC) can impose criminal penalties up to JPY 100 million on legal entities. Japan holds an EU adequacy decision and the UK has also recognised Japan as adequate under the UK GDPR.
Convergences and Divergences: What Actually Differs Across Jurisdictions
Despite substantial differences, the major data privacy laws converge on five core principles: lawfulness of processing, data minimisation, transparency to data subjects, security of personal data, and restrictions on international transfers.
The three most operationally significant divergences are as follows.
First, the consent model. The GDPR and LGPD require affirmative opt-in for special category or sensitive data, and consent must be freely given, specific, informed and unambiguous. The CCPA/CPRA operates on opt-out for data sale and sharing. The PIPL requires separate consent for each processing purpose. These differences require jurisdiction-specific consent flows in onboarding and document collection processes.
Second, territorial scope and triggers. The UK GDPR applies when an organisation established in the UK processes personal data, or when a non-UK organisation targets UK residents. The LGPD applies when data of Brazilian residents is processed anywhere in the world. The CCPA applies to for-profit businesses meeting revenue or volume thresholds. Understanding which law applies to which data subject relationship is the threshold question before any compliance programme can be designed.
Third, data localisation. The PIPL, under Article 38, subjects cross-border transfers to a CAC security assessment for operators of critical information infrastructure and for large-scale transfers, effectively requiring some data to remain in China. No equivalent mandatory localisation obligation exists under the UK GDPR, EU GDPR, LGPD or POPIA, although some EU member states have introduced sector-specific restrictions.
Managing these divergences requires precise mapping of document flows. The CheckFile platform, which has delivered an 83% processing time reduction for enterprise clients, enables organisations to automate document compliance checks while generating audit trails that satisfy the accountability requirements of regulators in each jurisdiction.
For organisations structuring their document verification approach across multiple jurisdictions, see our document verification guide.
KYC, AML and Data Privacy: Managing the Overlap
The intersection of anti-money laundering (AML) obligations and data privacy regulation creates significant operational tension. AML law, including the UK Money Laundering Regulations 2017 (MLR 2017) and the EU's Fifth and Sixth Anti-Money Laundering Directives, requires customer due diligence records to be retained for five years after the end of the business relationship. Data privacy law requires that personal data be deleted once it is no longer necessary for its original purpose.
This tension is resolved through the lawful basis of legal obligation. Under Article 6(1)(c) of the UK GDPR and EU GDPR, processing that is necessary to comply with a legal obligation does not require separate consent, and Article 17(3)(b) exempts it from the right to erasure. The five-year AML retention obligation therefore overrides any data subject deletion request for the same period. Beyond five years, however, the AML lawful basis expires and the data must be deleted.
The same principle applies under the LGPD (Article 16, retention for legal obligations), POPIA (section 14, destruction of records after purpose is fulfilled), and the PIPL (Article 19, retention limited to the shortest period necessary). The key is documenting the legal basis for extended retention in the organisation's data processing records, a requirement under all five major frameworks.
For a detailed breakdown of KYC document obligations, see our complete KYC guide for businesses. For guidance on the AMLD6 compliance framework, see our AMLD6 compliance guide for obliged entities.
Building a Multi-Jurisdictional Data Privacy Programme
An effective compliance programme for organisations subject to multiple data privacy regulations rests on four operational pillars.
Data mapping and document flow inventory. Identify what personal data is collected, from which data subjects (UK, EU, Brazilian, Californian), through which channel, stored where, and transferred to whom. This inventory is the common foundation for the ROPA obligation under Article 30 of the UK GDPR, LGPD mapping requirements, and CCPA/CPRA transparency obligations. The same document collection event (a passport scan, a bank statement, a proof of address) carries different obligations depending on the data subject's residence.
Unified retention policy. Define retention periods that satisfy the most demanding obligation in each applicable jurisdiction. In practice, this means aligning on the longest legally mandated retention period and scheduling deletion at expiry. A document processing platform that timestamps every collection event and automates deletion scheduling, such as the CheckFile secure processing environment, reduces the manual overhead of multi-jurisdictional retention management.
Documented transfer mechanisms. For every data flow to a third country, identify and record the applicable transfer mechanism: adequacy decision, standard contractual clauses (SCCs adopted by the EU Commission in June 2021 under Decision 2021/914/EU), binding corporate rules, or a recognised derogation. The Schrems II judgment (CJEU, 16 July 2020, C-311/18) established the requirement to conduct a Transfer Impact Assessment (TIA) before relying on SCCs, documenting whether the destination country's law undermines the protection those clauses provide.
Audit-ready evidence. Every major data privacy regulator (the ICO, CNIL, ANPD, Information Regulator, CPPA) expects organisations to demonstrate compliance rather than merely assert it. A document verification platform that logs consent records, processing events, retention decisions and deletion confirmations provides the evidence base for regulatory examination across jurisdictions. CheckFile's enterprise clients report a 99.2% audit compliance rate across 85+ enterprise deployments.
For organisations conducting a structured review of their current compliance posture, our compliance audit checklist provides a practical framework mapped to the major regulatory requirements.
FAQ: Global Data Privacy Compliance
Does the UK GDPR apply to a UK business that processes only data of Brazilian customers?
The UK GDPR applies when a UK-established organisation processes personal data. Separately, the LGPD applies because the individuals are located in Brazil. A UK organisation processing data of Brazilian residents in connection with services offered to those individuals is subject to both frameworks simultaneously, and must satisfy the obligations of each independently. There is no mutual recognition between the two laws.
Can data subject rights under multiple laws be handled through a single process?
A single data subject request process can be designed to satisfy rights under multiple frameworks, provided the response timelines and scope of each law are observed. The UK GDPR requires a response within one calendar month (Article 12). The LGPD requires a response within 15 days (Article 19). The CCPA/CPRA requires a response within 45 calendar days (with a 45-day extension available). A unified intake process that automatically applies the most stringent deadline will satisfy all three.
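As an added example (not CheckFile's code or that of any platform mentioned on this page), the following Python models the erasure-request decision described in the KYC/AML section together with the most-stringent-deadline rule from this answer: the reply deadline is the shortest of the applicable frameworks, and an erasure request is refused while the five-year MLR 2017 retention duty runs. The framework labels, the rendering of "one calendar month" as 30 days, the record fields and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Response deadlines from the guide: UK GDPR one calendar month (assumed
# here as 30 days), LGPD 15 days, CCPA/CPRA 45 days. Labels are assumed.
RESPONSE_DEADLINE_DAYS = {"UK_GDPR": 30, "LGPD": 15, "CCPA": 45}
# MLR 2017 reg. 40: CDD records kept 5 years after the relationship ends.
AML_RETENTION_YEARS = 5

@dataclass(frozen=True)
class CddRecord:
    """One customer due diligence record (constructed, hypothetical)."""
    record_id: str
    jurisdictions: frozenset          # subset of RESPONSE_DEADLINE_DAYS keys
    aml_obliged: bool                 # held by an MLR 2017 obliged entity
    relationship_end: Optional[date]  # None while the relationship is active

@dataclass(frozen=True)
class ErasureDecision:
    erase_now: bool
    scheduled_deletion: Optional[date]  # when the data must be destroyed
    respond_by: date                    # reply deadline to the data subject
    basis: str                          # wording to record in the audit trail

def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 Feb anniversary falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def response_deadline(jurisdictions, received: date) -> date:
    """Most stringent reply deadline across every applicable framework."""
    days = min(RESPONSE_DEADLINE_DAYS[j] for j in jurisdictions)
    return received + timedelta(days=days)

def aml_hold_until(record: CddRecord) -> Optional[date]:
    """End of the mandatory AML retention window, or None if no hold."""
    if not record.aml_obliged or record.relationship_end is None:
        return None
    return add_years(record.relationship_end, AML_RETENTION_YEARS)

def evaluate_erasure(record: CddRecord, received: date) -> ErasureDecision:
    """Decide an erasure request: honour it, or refuse under a legal hold."""
    respond_by = response_deadline(record.jurisdictions, received)
    if record.aml_obliged and record.relationship_end is None:
        # Retention clock has not started: the relationship is still open.
        return ErasureDecision(False, None, respond_by,
                               "Art 6(1)(c) legal obligation; relationship active")
    hold_until = aml_hold_until(record)
    if hold_until is not None and hold_until > received:
        # Art 17(3)(b): erasure does not apply while the MLR 2017 duty runs.
        return ErasureDecision(False, hold_until, respond_by,
                               "Art 17(3)(b) exemption; delete at AML expiry")
    # No legal hold, or it has lapsed: the AML lawful basis has expired.
    return ErasureDecision(True, received, respond_by, "no legal hold; erase")
```

The `basis` string is what the audit trail described under "Audit-ready evidence" would record alongside the decision, so a later regulator review can see why a deletion request was deferred rather than honoured.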
When is a Data Protection Impact Assessment (DPIA) mandatory?
Under Article 35 of the UK GDPR and EU GDPR, a DPIA is required before any processing likely to result in high risk to data subjects, including large-scale processing of special category data, systematic surveillance, or automated decision-making with significant effects. The LGPD (Article 38), PIPL (Article 55) and India's DPDPA all contain equivalent requirements. A completed DPIA is also a primary document requested by regulators during supervisory review.
What is the difference between a Data Protection Officer (DPO) and an Information Officer under POPIA?
Both roles have equivalent responsibilities: serving as the point of contact between the organisation and the supervisory authority, advising on data protection obligations, and monitoring compliance. Under the UK GDPR and EU GDPR (Article 37), a DPO is mandatory for public authorities, organisations conducting large-scale systematic monitoring, or large-scale processing of special category data. Under POPIA (section 55), every responsible party must register an Information Officer with the Information Regulator, regardless of processing scale. The LGPD requires designation of an "encarregado" for all data controllers.
How should cross-border transfers be managed when no adequacy decision exists?
When no adequacy decision covers a destination country, the standard contractual clauses (SCCs) adopted by the EU Commission (Decision 2021/914/EU) or the UK's International Data Transfer Agreement (IDTA) must be executed with the data importer, supplemented by a Transfer Impact Assessment documenting the legal environment in the destination country. As of March 2026, no adequacy decisions cover Brazil, China, India, or most of Africa; organisations transferring personal data to these destinations must rely on SCCs or BCRs and maintain documented TIAs for each transfer relationship.