In 2016, the European Union adopted the General Data Protection Regulation (GDPR), a landmark law that set out to reshape the way personal data is handled in the digital age. Since coming into force in 2018, it has become a global benchmark for data privacy regulation. 

At its core, the GDPR was created in response to a growing awareness that personal data, once confined to government records or local systems, was now being collected, shared, and monetised at an unprecedented scale. As digital services became central to everyday life, so did the risks of surveillance, manipulation, and exploitation. Harmonised regulation across Europe became necessary, not just for internal consistency, but to safeguard fundamental rights across a digital single market. 

 The GDPR established a clear message: personal data belongs to individuals, not to companies or governments. Citizens were given enforceable rights over their information, such as the right to access, rectify, or delete their data, while organisations were held accountable for how they collected, processed, and protected it. 

A Regulatory Export: The Brussels Effect 

Over time, GDPR’s influence has extended well beyond the EU. It is now recognised as a regulatory success and a powerful example of what is known as the Brussels Effect. 

However, in our work, we prefer the term “global benchmark” over “standard.” For our audiences, mixing regulatory and technical terminology can cause confusion. But examining the relationship between regulations like GDPR and standards remains essential. It helps illustrate why non-EU countries should pay attention, not just to legal compliance, but to interoperability, data governance best practices, and trust in digital services. 

InDiCo-Global’s Mission 

As InDiCo-Global, we focus on building bridges between European regulatory approaches and local policy environments in emerging markets. Our work is rooted in collaboration, particularly through Capacity Building initiatives delivered via Open Calls for micro-projects across strategic partner regions. 

Ultimately, our goal is to create long-term impact by supporting legal, technical, and institutional alignment on data privacy and governance. This includes helping stakeholders engage with evolving challenges around AI, machine-generated data, digital identity, and privacy-by-design technologies. 

From Narrow to Broad GDPR 

In InDiCo-Global, we categorise our work around GDPR into two broad areas: 

• Narrow GDPR applies to regions that currently lack privacy legislation. In these settings, InDiCo-Global supports local stakeholders in adopting and adapting GDPR principles. 
• Broad GDPR refers to contexts where privacy laws exist, but new questions are emerging—around AI-generated data, synthetic data, digital identity, and secure storage solutions like digital wallets. In these cases, InDiCo-Global collaborates with partners to co-create frameworks that align with the spirit of GDPR, and that may, in turn, influence future European standards. 

The following country insights are drawn directly from projects and engagements funded through the first InDiCo-Global Open Call. These on-the-ground experiences reflect how Narrow and Broad GDPR are taking shape in specific national contexts. 

Latin America: An Evolving Landscape 

Through our Open Call, we have engaged numerous stakeholders in Latin America. Many of these countries are undergoing a digital transformation, but without the foundational legal infrastructure to protect personal data. The GDPR provides a valuable reference model for building such frameworks: from defining data subject rights to setting enforcement mechanisms and establishing independent regulatory bodies. 

In this article, we focus on three countries: Guatemala, Bolivia, and Chile. 

Guatemala (Contributor: Julio Herrera Toledo, Director Ejecutivo, Red Ciudadana) 

Guatemala currently has no dedicated data protection law comparable to the GDPR. While there are sectoral rules, for example, in consumer protection and financial services, there is no unified legal framework, and no independent data protection authority. 

The Enhancing Digital Government in Guatemala through European Standards project aims to align Guatemala’s digital governance with European standards in open data, interoperability, and accessibility. By fostering international cooperation and knowledge exchange, this project lays the groundwork for stronger data governance across the region. 

Bolivia (Contributor: Nicole Angel Sánchez Rojas, Data Protection Specialist, Fundación Internet Bolivia)  

Bolivia is actively pursuing digital government and AI strategies, but it still lacks a basic personal data protection law. This absence is significant, as modern technologies rely heavily on processing large volumes of personal data. 

The Fostering Data Protection and Responsible AI Compliance in Bolivia project promotes the voluntary adoption of GDPR-aligned practices, especially by small businesses, universities, and civic organisations. It provides practical tools and awareness-building programmes designed to strengthen responsible data governance from the ground up. 

Though draft legislation exists, it remains stalled due to political polarisation and misinformation. In the meantime, weak oversight has led to routine data breaches and informal data sales. 

Despite these challenges, interest is growing. Civil society, academia, and parts of the private sector are taking proactive steps—offering a foundation for future legal reform. 

Chile (Contributor: Christian Robert Yepsen Marambio, Pontificia Universidad Católica de Chile)  

Chile’s original data protection law, Law 19.628 (1999), was outdated and lacked enforcement strength. A major amendment was passed in 2024, following years of debate and drawing heavily on GDPR principles. The new law will enter into force in 2026, with clear provisions on consent, legal grounds for data use, cross-border transfers, and the creation of a national data protection agency. 

In parallel, Chile has modernised its regulatory landscape with new legislation on Fintech and Cybersecurity. However, challenges remain, particularly in promoting standardisation beyond expert communities. 

As GDPR continues to serve as a guiding framework, InDiCo-Global will remain focused on supporting data governance initiatives that are locally grounded and globally connected. 

→ Stay tuned for updates from our upcoming Open Calls and join us as we explore the next phase of digital cooperation.