As data flows between countries with disparate data protection laws, firms need to ensure the safety of their customer and employee data through regulatory compliance and due diligence. However, multinational organizations often find global data privacy laws exceedingly challenging. To help our clients address these challenges, Forrester developed a research and planning tool called the Data Privacy Heat Map (try the demo version here). Originally published in 2010, the tool leverages in-depth analyses of the privacy-related laws and cultures of 54 countries around the world, helping our clients better strategize their own global privacy and data protection approaches.

Regulation in the data privacy arena is far from static. In the year since we last updated the heat map, we have seen many changes to how countries around the world view and enforce data privacy. Forrester has tracked and rated each of these 54 countries across seven different metrics directly within the tool. Among them, seven countries had their ratings change over the past year. Some of the most significant changes corporations are concerned with involve:

  • New national omnibus data privacy laws spanning private and/or public industry. Data privacy regulation, when looked at globally, forms a spectrum of maturity ranging from spotty industry- or situation-specific laws all the way to omnibus frameworks. As you might expect, responsible corporations prefer to engage in business practices where the data privacy laws are clearly defined and transparent. For instance, countries such as Brazil and China are in the process of moving towards potential omnibus laws which will replace a multitude of sectoral and situation-based laws. Other countries, such as Colombia and Singapore, have recently passed far-reaching omnibus laws, also replacing a patchwork of prior sectoral laws.
  • Adequacy findings published by the EU’s Article 29 Working Party. Corporations either based in the EU or wishing to conduct business there must comply with the standards put forth through the EU’s strict Data Protection Directive whenever data is transferred outside its borders. This can be an arduous process, especially when model clauses or Binding Corporate Rules come into play. Fortunately, this process can be greatly simplified whenever data is transferred from the EU to a country which the Article 29 Working Party deems to have an “adequate” level of data protection measures. Organizations and governments alike benefit greatly whenever a country has been granted adequacy status. Currently, 13 “third party” countries have been given this coveted status — in 2012 alone, Uruguay, Israel, and New Zealand were added to this list. This allows an organization to transfer data between the EU and those countries deemed adequate without fear of reprisal.
  • Excessive government surveillance. Corporations worry that placing data within the borders of a state with high levels of governmental surveillance could place their customer data and intellectual property at risk. While China and Singapore have passed a significant number of new data privacy laws during the past year, both have long histories of unregulated governmental surveillance practices. Corporations working within the borders of Mexico also worry about a 2012 Mexican law that gives the government unrestricted access to mobile geolocation data provided by the carriers. Within the EU, Sweden passed a new 2012 data retention law in line with the EU Data Retention Directive, giving the Swedish government broad surveillance capabilities.

Because information is a powerful business asset, modern businesses need to have the know-how to operate in this increasingly global economy. Forrester sees this Data Privacy Heat Map as a valuable source of information for our clients and is committed to updating the map on an ongoing basis. Forrester also provides strategic consulting services to help organizations navigate data security and privacy issues at every step of the information lifecycle. To hear more about the Data Privacy Heat Map tool, read our privacy-related research, find out more about our privacy consulting services, or discuss privacy issues in general, visit or reach out to us (@ChrisShermanFR and @xmlgrrl) on Twitter.