By Chris Sherman
To help businesses navigate the complex landscape of privacy laws around the world, Forrester created a data privacy heat map that highlights the data protection guidelines and practices in 54 different countries. We have updated the data privacy heat map annually for the last five years, keeping pace with the constantly evolving landscape of global data privacy laws.
We recently rolled out the 2016 update and reflected back on the past five years of annual assessments. Here are the three high-level trends that emerged:
- Countries are continuing to move toward the European standard for data protection. New legislation outside of the EU often follows the EU's lead by adopting provisions similar to those in the existing Data Protection Directive (95/46/EC). The slow global convergence toward the requirements outlined in that directive continued through 2016. For example, Argentina and Japan strengthened pre-existing policies, while Nigeria passed its first comprehensive cybercrime legislation. Japan also established an independent regulatory body ("Privacy Protection Commission") that oversees privacy issues -- a requirement of both the current Directive and the superseding European General Data Protection Regulation (GDPR).
- The General Data Protection Regulation (GDPR) has already started raising the legislative tide within the EU and abroad. The GDPR is the most significant recent data privacy legislation to affect businesses across the globe. The regulation imposes a higher standard of personal data protection, with significant penalties for noncompliance, on companies across the European Union (EU). It also applies to foreign companies that offer services or products to EU residents or collect their data. While the regulation has yet to take effect, it has already had an effect outside of the EU. For example, in March 2016, South Korea enacted stiff penalties for data privacy violations by telecommunications and online service providers in a fashion similar to the upcoming GDPR (up to 3 percent of total global revenue in South Korea, 4 percent for the GDPR).
- Attempts to strengthen surveillance undermine data protection laws. While some countries are reluctant to expose their citizens' data in any way, many others seek more access. For example, Finland is drafting legislation that would give its military and domestic security forces broad access to civilian web communications to gather intelligence. Even countries with a strong and long-standing privacy protection footprint, like Germany and the Netherlands, have passed or are about to pass regulations that considerably increase their governments' surveillance powers. Meanwhile, criticism prompted India to withdraw a law in late 2015 that would have forced companies to store all encrypted electronic communication in plaintext for 90 days. The balance between security intelligence and personal privacy continues to pit governments against citizens.
In a world where privacy has become a competitive differentiator for multinational organizations, businesses must increasingly work with their general counsels and chief privacy officers to understand global data privacy requirements and implement controls that protect personal data accordingly. Businesses should also be aware of the restrictions that come with these privacy requirements, so that security teams can adjust their practices to meet them.
Chris Sherman is a senior analyst at Forrester, serving security and risk professionals. Follow Chris on Twitter: @ChrisShermanFR.