Security and risk leaders consistently rank compliance with global privacy regulations as one of their top three challenges. To help them, Forrester periodically updates our map of global privacy rights and regulations. We released our 2019 version today. This year, we included 61 countries, adding Kuwait, the Philippines, Qatar, Saudi Arabia, Sri Lanka, the United Arab Emirates, and Vietnam.
- One year post-implementation, Europe is still working out the particulars of the GDPR. While GDPR became directly applicable law in all member states of the European Union upon its implementation in May 2018, there are over 50 areas in which member states are permitted to legislate differently than GDPR in their domestic data protection laws. Several countries are still finalizing their guidance. However, there have already been over €56 million in fines levied since GDPR implementation. Other jurisdictions seeking to implement their own privacy regulations will be able to learn from the process thus far in the EU.
- Including consumer privacy in national law is becoming more and more prevalent around the world. Although GDPR is just one year old, many nations have been inspired by its scope and depth when drafting their own privacy bills. It seems that every week news breaks that another jurisdiction is implementing personal data guidelines. The California Consumer Privacy Act (CCPA) and the Brazilian General Data Protection Law (LGPD) have been signed and will come into effect in 2020. Other states are following the example of California; New York recently passed a stringent privacy bill. Countries such as India are drafting their versions as well.
- The volatility of the Brexit debate has given data residency new relevance. Although the UK has already adopted a bill that translates GDPR standards and requirements into national legislation, the uncertainty around Brexit increases complexity around businesses’ data residency policies. Organizations that transfer or process European citizens’ data in the UK must prepare now. Depending on their risk appetite and specific business needs, firms may even consider relocating British data centers to Europe.
As business is increasingly multinational, firms must keep up to date on the privacy climate for each nation they conduct business in. For more information on these concerns, among others, please use our map tool and read the corresponding report.
(Written with Elsa Pikulik, senior research associate at Forrester)