Privacy regulations vary from country to country and often conflict with each other. For a global organization, navigating the patchwork of privacy regulations in countries around the world to develop appropriate privacy policies can be daunting.

At one end of the spectrum, Forrester places countries such as China, Thailand and Paraguay that lack many of the foundational regulations found in most other countries. At the other end are the "Most restricted" European countries with a deep commitment to protecting individuals' right to data privacy, ensuring that governments and private entities alike do not abuse personal data. Between these two groups lies a highly disparate set of approaches taken by governments toward data privacy protection.

We recently released our 2017 privacy heat map, which evaluates the privacy laws, practices, and regulatory enforcement of 54 countries. We rated each country in seven categories and gave each an overall rating, ranging from "Most restricted" to "Effectively no restrictions." The new research highlights several trends, including the following.

European regulators are introducing many other changes beyond GDPR

The General Data Protection Regulation (GDPR) is the most significant data privacy legislation to affect businesses across the globe. While firms around the world are getting ready to comply with the new requirements, the EU parliament is updating the ePrivacy Directive (also known as the Cookie Directive), which it aims to enforce in conjunction with GDPR. At the national level, Switzerland adopted the Swiss-US Privacy Shield, France and Germany passed new bills in preparation for GDPR, and we expect many others to follow suit, including Ireland. Great uncertainty also remains about the UK, where a new set of national privacy rules will replace GDPR as a result of Brexit.

Countries continue moving toward the EU standard, but local agreements emerge

The slow global convergence toward the EU requirements continued in 2017. For example, Argentina and Japan strengthened existing policies, while Nigeria passed its first comprehensive cybercrime legislation. Japan also established an independent regulatory body (the "Privacy Protection Commission") that oversees privacy issues. In a somewhat different direction, in 2016, 11 countries, including Japan and Australia, signed the Trans-Pacific Partnership (TPP), which will compel each member country to allow cross-border transfer of information by electronic means for business purposes. Additionally, it will prevent member countries from requiring covered companies to use or locate computing facilities within their own geographical boundaries as a condition for conducting business.

Government surveillance decisions heavily influence countries' privacy regimes

In recent years, even countries historically committed to privacy protection, such as Germany and France, have introduced legislation that expanded government surveillance. This trend is set to continue: Poland has just passed legislation that expands government access to digital data and loosens restrictions on police monitoring. Finland and the Netherlands are also due to finalize new surveillance bills, and the UK government plans to allow for increased surveillance powers. Meanwhile, Brazil passed a bill that triggered concerns over government-sanctioned censorship, and India's unique citizen identification program and Central Monitoring System (CMS) make the prospect of comprehensive government surveillance very real.

Fines remain the most common, but not the only, type of penalty

The increasing severity of financial penalties under the EU's GDPR is meant to add teeth to the regulation. While fines remain the most common type of penalty for initial violations of data protection and privacy regulations, there can be differences between fines imposed on the company and those imposed on private persons (typically an executive). Some countries also take additional measures, particularly for breaching regulator recommendations and corrective orders. Japan and Malaysia can impose criminal penalties on your company's executives, including possible jail time (up to six months of imprisonment in Japan). Longer periods of imprisonment are possible in jurisdictions such as Finland, France, Greece, Hong Kong and India.

Data residency requirements are causing data centers to sprout

Countries such as Germany, France and Canada, where privacy regulations and clients' preferences make it difficult to export personal data to other jurisdictions, have seen their number of data center facilities multiply in recent years. A similar result occurred in Ireland and the UK, where a supposedly more business-friendly enforcement of EU standards led companies to open numerous new data centers. Japan and Hong Kong now also offer a large number of data center options, and Hong Kong is currently evaluating whether to adopt more stringent residency requirements.

While compliance with privacy regulation is the foundation of a solid corporate privacy strategy, a country's privacy regime is based on more than just regulatory requirements. It includes the impact of government surveillance on citizens' privacy and the strength of regulatory enforcement. And perhaps most importantly, privacy programs need to consider the expectations of customers, prospects, employees and other stakeholders with whom your company hopes to establish and maintain trust.

You must ask not only what you can do with personal information, but also what you should do. "Can" addresses what is legal and in alignment with privacy regulations. "Should" addresses considerations such as ethical concerns, customer expectations, and alignment with your company's mission and values. Just because you can does not mean you should.