October 31, 2016
To help security and risk professionals navigate the complex landscape of privacy laws around the world, Forrester created a data privacy heat map that highlights the data protection guidelines and practices for 54 different countries. Earlier today, we published the 2016 version to the tool, as well as a free version with access to only the U.K. and U.S. ratings. We have updated the map every year since it’s initial publication in order to keep pace with the constantly-evolving landscape of global data privacy laws.
As we roll out the 2016 update and reflect back on the past 5 years of annual assessments, three high-level trends emerge:
- Countries continue moving toward the EU standard for data protection. New legislation outside of the EU often follows the EU’s lead by adopting provisions similar to those in the existing Directive 95/46/EC regulation. The slow global convergence toward the requirements outlined in the regulation continued through 2016. For example, Argentina and Japan strengthened pre-existing policies, while Nigeria passed its first comprehensive cybercrime legislation. Japan also established an independent regulatory body (“Privacy Protection Commission”) that oversees privacy issues—a requirement of both the current Directive and the superseding European General Data Protection Regulation (GDPR).
- The GDPR has already begun to raise the legislative tide within the EU and abroad. The General Data Protection Regulation (GDPR) is the most significant recent data privacy legislation to affect businesses across the globe. The regulation imposes a higher standard of personal data protection, with significant penalties for noncompliance for companies across the European Union (EU). It also applies to foreign companies that offer services or products to EU residents or collect their data. While the regulation is yet to be enforced, it has already had an effect outside of the EU. For example, in March 2016, South Korea enacted stiff penalties for data privacy violations by telecommunications and online service providers in a fashion similar to the upcoming GDPR (up to 3% of total global revenue in South Korea, 4% for the GDPR).
- Attempts to strengthen surveillance undermine data protection laws. While some countries are reluctant to expose their citizens’ data in any way, many others seek more access. For example, Finland is drafting legislation that would give its military and domestic security forces broad access to civilian web communications to gather intelligence. Even countries with a strong and long-standing privacy protection footprint, like Germany and the Netherlands, passed or are about to pass regulations that considerably increase government’s surveillance powers. Meanwhile, criticism prompted India to withdraw a law in late 2015 that would have forced companies to store all encrypted electronic communication in plaintext for 90 days. The balance between security intelligence and personal privacy continues to pit governments against citizens.
In a world where privacy has become a competitive differentiator for multi-national organizations, businesses must increasingly work with their general counsels and chief privacy officers to understand global data privacy requirements, implementing controls that protect personal data accordingly. Aside from keeping the Data Privacy Heatmap up-to-date, Forrester also provides strategic consulting services to help organizations navigate data security and privacy issues at every step of the information lifecycle.
To hear more about the Data Privacy Heatmap tool, read our privacy-related research, find out more about our privacy consulting services, or discuss privacy issues in general, click here or reach out to our Data Privacy Heatmap authors on Twitter: @ChrisShermanFR, @eiannopollo, @heidishey.