In recent years, we have seen an unprecedented expansion in data privacy and security regulations globally as regulators seek to catch up to technology. Some jurisdictions focus on notions of privacy as a fundamental right, while others are geared toward fairness or consumer protection. As a result, these divergent global data privacy and security regulations can be challenging to apply and interpret.
Companies must now take data privacy and security laws more seriously than ever. Beyond developing solutions that consider the likelihood and severity of risk, they also need to consider business necessity and the interests of consumers, employees and other individuals.
Our new resource, A Short Guide to Global Data Privacy and Security Regulation and Enforcement, gives a snapshot of key recent and imminent changes to data privacy and security regulation and shares anticipated enforcement priorities. It also looks at the rise of data security breach notification requirements and highlights trends to watch over the next few months.
Our research, surveying 52 countries, reveals a number of interesting findings:
- Despite differences in regulatory approach to data privacy and security regulation, there is a clear trend toward omnibus data privacy and security laws. Out of 52 countries surveyed, the US and Saudi Arabia are the only ones that do not have omnibus data privacy and security laws in place. Forty-two of 52 countries surveyed have sector-specific requirements.
- Many countries with long-established data privacy laws are in the process of making changes to these laws: 41 of 52 countries surveyed anticipate changes in the next 12 months.
- Data privacy and security regulators are becoming more aggressive and tougher on businesses with poor data protection practices, and are aligning themselves with counterparts around the globe. We expect higher penalties to apply to noncompliance moving forward.
- While regulators are stepping up enforcement, they will focus their efforts on more pressing aspects such as data security and incident response practices, online consent practices and transparency requirements, excessive collection and processing of online personal data, and data residency requirements, among others.
- Jurisdictions will continue to adopt more expansive data breach notification requirements. Our data shows that 41 of 52 countries surveyed already require the notification of personal data security breaches.