As we enter 2026, organisations around the world are facing one of the most consequential periods for data protection, privacy, cybersecurity and technology governance in recent years. A number of significant laws took effect on 1 January 2026, with further frameworks following in the early months ahead. Together, these developments mark a clear shift as regulators are no longer focused solely on intent or documentation, but on operational maturity, accountability, and demonstrable compliance. 

From U.S. state privacy laws to major Asia-Pacific data protection regimes and cybersecurity frameworks with broader oversight powers, businesses that process personal data across jurisdictions will need to prioritise cross-border compliance planning and governance readiness.

This blog provides a snapshot of key laws now in force or imminently effective and explores what they mean for organisations operating globally.

United States 

As of 1 January 2026, several new U.S. state privacy laws have entered into force, further expanding an already complex patchwork of consumer data protection obligations. 

Kentucky Consumer Data Protection Act (KCDPA) 

Kentucky’s amended Consumer Data Protection Act is now effective. The law applies to organisations that process personal data of Kentucky residents and meet defined processing or revenue thresholds. Amendments clarify exemptions for certain regulated data sets, such as HIPAA-covered health information, while refining requirements around data protection impact assessments and profiling activities. 

Rhode Island Data Transparency and Privacy Protection Act 

Rhode Island’s new privacy law also took effect on 1 January 2026. It introduces strong transparency and disclosure obligations, familiar consumer rights (including access, correction, deletion and opt-out), and enforcement provisions that may apply without a cure period. This increases regulatory risk for organisations that have not updated notices, rights workflows, or governance documentation. 

Indiana Consumer Data Protection Act (CDPA) 

Indiana’s CDPA is now in force, aligning broadly with the Virginia-style privacy framework seen in other states. Organisations subject to the law must ensure appropriate governance measures are in place to support consumer rights, consent requirements for sensitive data, and accountability obligations. 

California’s New CCPA Regulations and ADMT Rules 

The updated California Consumer Privacy Act (CCPA) regulations also took effect on 1 January 2026 under the California Privacy Protection Agency (CPPA). These amendments introduce multi-phase requirements for risk assessments, cybersecurity audits, and Automated Decision-Making Technology (ADMT), which covers systems that use computation to replace or substantially replace human decision-making in significant decisions.

Illinois Workplace AI Law 

Illinois' amendments to the Human Rights Act, which regulate the use of AI and generative AI in employment contexts, also took effect on 1 January 2026. Under the new rules:

  • Employers may not use AI tools that (even unintentionally) result in discrimination against employees or applicants based on protected characteristics such as race, age, sex or disability. 

  • Employers must notify employees and job applicants when AI is used in employment decision processes including hiring, promotion, discharge or other terms of employment. 

  • Using zip codes as a proxy for protected class attributes in AI systems is explicitly prohibited. 

Vietnam 

Vietnam Personal Data Protection Law (PDPL)  

Vietnam’s long-anticipated Personal Data Protection Law entered into force on 1 January 2026, replacing earlier decree-level rules with a comprehensive statutory framework. The PDPL introduces clear obligations around lawful processing, consent, transparency, data minimisation, security safeguards, and cross-border data transfers. 

The law also places strict limitations on the buying and selling of personal data and introduces fines that, in certain cases, may be linked to annual revenue — signalling a more assertive enforcement posture. 

Vietnam AI Law — effective 1 March 2026 

Looking ahead to March, Vietnam’s new AI law will add a further regulatory layer. While distinct from data protection legislation, it intersects directly with privacy and governance obligations, particularly where AI systems rely on personal data or automated decision-making. 

China 

Amendments to China’s Cybersecurity Law took effect on 1 January 2026, strengthening alignment with the Personal Information Protection Law (PIPL) and reinforcing obligations for network operators and critical information infrastructure. 

The amendments expand regulatory oversight, refine security obligations, and tighten expectations around data handling and cross-border transfers. For many organisations, this will require renewed attention to infrastructure classification, data flow mapping, and regulatory engagement. 

China’s regulatory direction continues to emphasise data sovereignty, national security, and risk management, with compliance expectations extending well beyond technical controls. 

Oman 

Oman’s Personal Data Protection Law remains subject to an extended grace period, which now runs until 5 February 2026. While this provides limited additional time, it is clear that full enforcement is imminent. 

Organisations operating in or engaging with Oman should already be finalising compliance measures, including lawful processing frameworks, consent mechanisms, data subject rights procedures, and security controls. 

2026 is about more than “go-live” dates 

While some laws are fully in force as of January, others are entering phased implementation periods that will introduce additional obligations across 2026 and beyond. 

A key example is the EU Artificial Intelligence Act, which entered into force in 2024 but is being implemented progressively. Throughout 2026, organisations will face new obligations tied to AI governance, including requirements around risk classification, transparency, documentation, human oversight, and accountability for high-risk AI systems. 

The California ADMT and cybersecurity audit timelines are another example where compliance obligations stretch across multiple years, with governance, documentation and operational readiness required now, and reporting deadlines in 2028 and beyond. 

This phased approach reflects a broader regulatory strategy seen globally: laws establish the framework early, while practical compliance expectations escalate over time. For organisations, this means that compliance is not a single deadline but an ongoing process that must evolve alongside regulatory guidance and enforcement priorities.

How the DPO function can support compliance readiness in 2026 

A well-positioned Data Protection Officer (DPO) function helps organisations interpret overlapping laws, assess applicability across jurisdictions, and translate legal requirements into practical controls. This includes advising on lawful bases, consent models, transparency obligations, data subject rights handling, and cross-border transfer mechanisms. 

The DPO function also supports risk-based governance, guiding data protection impact assessments, advising on AI-related risks, and ensuring that privacy considerations are embedded into technology design, vendor management, and operational decision-making. 

Equally important, the DPO acts as a bridge between internal teams and regulators, helping organisations demonstrate accountability, respond to regulatory enquiries, and evidence compliance in a credible and structured way. 

As enforcement expectations rise and phased obligations come into effect, organisations with strong DPO oversight are better positioned to adapt, prioritise, and maintain compliance over time. 

What organisations should be doing now 

The start of 2026 marks a defining moment for data protection and digital governance globally. With multiple laws now in force and others advancing through phased implementation, organisations must demonstrate not just awareness, but active compliance readiness. 

Organisations should be: 

  • Reassessing which laws now apply to their operations, customers and employees 

  • Validating that consent, transparency and rights-handling processes work in practice 

  • Reviewing cross-border data flows and transfer justifications 

  • Aligning privacy, cybersecurity and AI governance frameworks 

  • Ensuring DPO or equivalent oversight is independent, empowered and properly resourced 

At HewardMills, we act as an external, independent DPO for organisations navigating increasingly complex and phased data protection, privacy, cybersecurity and AI regulatory requirements. Operating as an extension of your organisation, we provide objective oversight, practical regulatory insight, and ongoing support to help translate evolving legal obligations into operationally effective governance.  

We help organisations strengthen accountability frameworks, manage risk proactively, and engage confidently with regulators. Whether you are looking to enhance compliance readiness, mature your governance model, or reduce regulatory exposure in this new phase of digital regulation, we’re ready to support you as a trusted external DPO.