Guest post from Researcher Chris Sherman.

Data privacy laws are the champions of citizens' rights in the digital age. However, multinational organizations often find these laws challenging to navigate given the complex framework of global legal requirements. To help our clients address these challenges, Forrester developed a research and planning tool called the Data Privacy Heat Map (try the demo version here). Leveraging in-depth analyses of the privacy legislation of 54 countries around the world, this product is aimed at helping our clients better strategize their own global privacy and data protection approaches.

Using the tool, one can quickly determine how various countries stack up against one another in terms of their data privacy standards. Each country has been rated across seven key criteria, covering the breadth of law, EU adequacy, data transfer limitations, government surveillance activities, and so on. Leveraging this data, our clients will be able to establish their own data privacy "high watermarks," ensuring compliance in all locales in which their organization operates. One such application is in the use of cloud computing. Since the cloud is borderless, jurisdiction-based privacy laws are often a mismatch when applied to clouds. When considering outsourcing to a cloud service, companies should consult Forrester's Privacy Heat Map to determine, for example, whether their data will be at risk of residing in a country with questionable government surveillance practices.

While developing the Privacy Heat Map, a number of interesting trends surfaced. Most prominent was the difference between how the US treats data privacy compared with the European Union (EU). While the EU has developed an overarching data privacy framework based on the principle that privacy is a fundamental right, the United States has taken a largely sector-based approach to its laws. This difference greatly impacts the collection, use, and disclosure of customer and employee data for companies that operate on both sides of the Atlantic. It can also lead to friction between entities that engage in cross-border data transfers[i], as well as between branches of the same company separated by geographic borders.

It is also clear that many countries are undergoing shifts in their privacy legislation, with a trend towards adoption of the EU's legislative standards. There also remain countries whose privacy standards are inadequate, and others that do not properly implement the standards they have. For example, 6 out of the 54 countries do not regulate government surveillance at all, which can lead to rampant and uncontrolled surveillance activities. Additionally, countries like China and Singapore simply have not established privacy regulations sufficient to protect personal data residing within their borders.

Because information is a powerful business asset, it is imperative that modern businesses have the know-how to operate in this increasingly global economy. Forrester sees the Privacy Heat Map as a valuable source of information for our clients and is committed to updating the map on an ongoing basis. As we publish new data privacy research (for example, on common questions about EU privacy laws and on establishing your own data privacy framework within your organization), it too will be accessible directly from the heat map. Forrester also provides strategic consulting services to help organizations navigate data security and privacy issues at every step of the information lifecycle. To hear more about the Forrester Privacy Heat Map tool, read our privacy-related research, find out more about our privacy consulting services, or discuss privacy issues in general, visit www.forrester.com/rb/srm or join the conversation on Twitter (@ChrisShermanFR, @ChenxiWang, @XMLGrrl).


[i] The Dutch government has publicly excluded US-based cloud companies from bidding on Dutch government contracts. http://www.zdnet.com/blog/btl/dutch-government-to-ban-us-providers-over-patriot-act-concerns/58342