Compliance strategy is just the start of your privacy program

Privacy regulations vary from country to country and often conflict with each other. For a global organization, navigating the patchwork of privacy regulations in countries around the world to develop appropriate privacy policies can be daunting.

At one end of the spectrum, Forrester places countries such as China, Thailand and Paraguay that lack many of the foundational regulations found in most other countries. On the other end are those “Most restricted” European countries with a deep commitment to protecting individuals’ right to data privacy, ensuring that governments and private entities alike do not abuse personal data. Between these two groups lies a highly disparate set of approaches taken by governments toward data privacy protection.

We recently released our 2017 privacy heat map, which evaluates the privacy laws, practices, and regulatory enforcement of 54 countries. We rated each country in seven categories and gave each an overall rating, ranging from “Most restricted” to “Effectively no restrictions.” The new research highlights trends, including that:

European regulators are introducing many other changes beyond GDPR

The General Data Protection Regulation (GDPR) is the most significant data privacy legislation to affect businesses across the globe. While firms around the world are getting ready to comply with the new requirements, the EU parliament is updating the ePrivacy Directive (also known as the Cookie Directive) which it aims to enforce in conjunction with GDPR). At the national level, Switzerland adopted the Swiss-US privacy shield, France and Germany passed new bills in preparation for GDPR, and we expect many others to follow suit, including Ireland. Great uncertainty also remains about the UK, where a new set of national privacy rules will replace GDPR as a result of Brexit.

Countries continue moving toward the EU standard, but local agreements emerge

The slow global convergence toward the EU requirements continued in 2017. For example, Argentina and Japan strengthened existing policies, while Nigeria passed its first comprehensive cybercrime legislation. Japan also established an independent regulatory body (“Privacy Protection Commission”) that oversees privacy issues. In a somewhat different direction in 2016, 11 countries, including Japan and Australia, signed the Trans-Pacific Partnership (TPP) which will compel each member country to allow cross-border transfer of information by electronic means for business purposes. Additionally, it will prevent member countries from requiring covered companies to use or locate computing facilities within their own geographical boundary as a condition for conducting business.

Government surveillance decisions heavily influence countries’ privacy regimes

In recent years, even countries historically committed to privacy protection, such as Germany and France, have also introduced legislation that expanded government surveillance. This trend is due to continue: Poland has just passed legislation that expands government access to digital data and loosens restrictions on police monitoring. Finland and the Netherlands are also due to finalize new surveillance bills, and the UK government has plans to allow for increased surveillance powers. Meanwhile, Brazil passed a bill that triggered concerns over government-sanctioned censorship, and India’s unique citizen identification program and Central Monitoring System (CMS) make the proposition of comprehensive government surveillance very real.

Fines remain the most common – but are not only – type of penalty

The increasing severity of financial penalties from EU GDPR are meant to add teeth to the regulation. While fines remain the most common type of penalty for initial violations for data protection and privacy regulations, there can be differences between fines imposed on the company versus those imposed on private persons (typically an executive). Some countries also take additional measures, particularly for breaching regulator recommendations and corrective orders. Japan and Malaysia can include criminal penalties for your company’s executives and possible jail time (up to six months of imprisonment in Japan). Longer periods of imprisonment are possible in areas like Finland, France, Greece, Hong Kong and India.

Data residency requirements are causing data centers to sprout

Countries such as Germany, France and Canada, where privacy regulations and clients’ preferences make it difficult to export personal data to other jurisdictions, have seen their number of data center facilities multiply in recent years. A similar result occurred in Ireland and the UK, where a supposedly more business-friendly enforcement of EU standards led companies to open numerous new data centers. Japan and Hong Kong now also offer a large number of data center options, and Hong Kong is currently evaluating whether to adopt more stringent residency requirements.

While compliance with privacy regulation is the foundation of a solid corporate privacy strategy, a country’s privacy regime is based on more than just regulatory requirements. It includes the impact of government surveillance on citizen’s privacy and the strength of regulatory enforcement. And perhaps most importantly, privacy programs need to consider the expectations of customers, prospects, employees and other stakeholders with whom your company hopes to establish and maintain trust.

You must not only ask what you can do with personal information, but also what you should do. “Can” addresses what is legal and in alignment with privacy regulations. “Should” addresses considerations such as ethical concerns, customer expectations, and alignment with your company’s mission and values. Just because you can, does not mean you should.