Gartner predicts that by the end of 2024, 75% of the world’s population will be regulated by modern data privacy laws, up from 25% in 2022. This monumental change represents a drawn-out effort by regulatory bodies attempting to bring data protection to their citizens. As the meteoric rise of digital devices and data-driven technologies accumulates, the need for data privacy regulations and protections is paramount. In our three-part blog series, Demystifying Data Privacy, we’ll deep dive into key areas:
- Part 1: Why the regulations exist, what their differences are, and how to approach them.
- Part 2: Understand what it takes to deliver privacy at the enterprise level and the different types of privacy tools in the market.
- Part 3: Understand why data privacy compliance can be difficult and what it takes across the organization to make it easier.
In this post (Part 1), let’s explore and understand the framework for why Europe and the United States have different approaches to privacy and the benefits of each approach. We’ll also look at the core principles that apply to all privacy laws and how organizations can approach privacy using these core principles (regardless of region). Plus, we’ll explore a consistent framework to use as a guide in the evolving data privacy landscape.
Why do Europe and the United States Approach Data Privacy Differently?
Privacy protection has its origin in the laws of Europe and the United States. However, Europe and the United States have inherently different approaches to data privacy arising from the history of each region. The United States has strong sectoral privacy laws, such as those regulating health and finance, and state laws that address the privacy of residents of those states. The European Union (“EU”) has broader, more comprehensive laws (the “GDPR”) that are designed to ensure privacy protection for the individual and facilitate the free flow of personal data between member states.
For example, the GDPR requires an entity to have a legal basis for processing personal data. Marketers can generally rely on legitimate interest as the legal basis for processing personal data. Using legitimate interest requires a balance of interest test:
- Purpose test: Are you pursuing a legitimate interest
- Necessity test: Is the processing necessary for that purpose
- Balancing test: The legitimate interest cannot impinge upon the data subject’s fundamental rights and freedoms
Conversely, the United States generally does not require any balancing tests for marketing purposes. The United States takes an “opt-out” approach, meaning a marketer can process personal data for marketing purposes freely but individuals must be allowed to opt out of that choice. On the other hand, Europe’s approach is “opt-in”, meaning requests are to be expressed to businesses clearly, intelligibly, and in an easily accessible manner. For an individual, this approach provides much-needed protection and control.
Despite these differences, for businesses collecting and handling customer data, one thing remains the same: it is complex. The various data protection laws create a complicated web of global privacy requirements that are fragmented and overwhelming when working toward compliance.
Why Do Different Data Privacy Approaches Lead to Challenges?
As of March 2023, 162 countries have enacted data privacy laws. In the United States, multiple states have passed state-level data privacy laws such as the CCPA (California Consumer Privacy Act) enacted by California in 2018, as amended by the CPRA (California Privacy Rights Act) in 2020.
The most globally recognized and enforced data privacy law is the GDPR. Additionally, it serves as a reference model for many regions, including Japan (APPI), Nigeria (NDPR), Brazil (LGPD), and Canada (PIPEDA). However, every region has specific requirements and nuances that make country-specific laws unique. To add to the complexity, the laws usually evolve and get amended after they are enacted. Part of the evolution of the laws comes from decisions made by the supervisory authorities, the state attorneys general, or case law such as the ECJ ruling, or how data is transferred across jurisdictions as we can see from the Schrems cases.
By now, you can begin to understand this fractured landscape and the challenges it presents. Frequent regulatory changes make it challenging for marketing, product, and technology teams to stay updated, leading them to rely on their privacy and legal teams for compliance guidance in data-related initiatives. One unfortunate outcome of this approach is that key requirements for compliance usually surface after the work has been done. The hope is to have clarity about what data will be collected, how it will be used, and ensure that is reflected in the design and data flow. But that is rarely the case. Reviews with the privacy team often lead to rework, frustration, and the feeling that privacy can be a blocker. Organizations with mature privacy practices avoid this situation by using privacy-by-design principles and ensuring that training, assessments, and audits are happening from the start, preventing last-minute emergencies and delays.
To promote cross-company understanding, knowing the foundation of the laws can be helpful. Authorities are legitimately trying to build a world where the individual’s right to privacy is respected and honored, rather than focusing on fining businesses for data privacy mistakes.
As businesses rely more and more on collecting and using personal information, questions arise about impacts on privacy like, “Do I have to deal with this information? How will it be used? Who will access it? How will it be secured?” We are proposing that if an organization understands and follows basic privacy principles, the fear and confusion associated with compliance will be eliminated. Enter the seven principles of GDPR.
What Are The 7 Principles of GDPR and Why Are They Important?
Let’s explore the core tenets of GDPR, also referred to as the seven principles of GDPR. They are a set of guiding principles that address the various security and privacy concerns and form the structure that organizations need to implement as they work toward compliance. These principles are crucial as they are the foundation for privacy laws and regulations, serving as a reference for multiple regions and sharing commonalities with global data-related laws and regulations. Understanding these principles, helps teams prepare for compliance and responsible data practices, regardless of the region where they are based.
The seven principles of GDPR include:
- Lawfulness, Fairness, and Transparency: Organizations must have a valid reason, or a legal basis, for collecting and processing personal data. They should clearly let individuals know what they’re doing with their data. This principle aims to ensure that people are aware of, understand, and agree to the use of their information, promoting trust and fairness in the handling of personal data. It is about being upfront and laying all the cards on the table.
- Purpose Limitation: Organizations should only collect and use personal information for a specified, explicit, and legitimate purpose. They can’t use the data for something else that wasn’t explained to the person when collecting it. It’s about staying focused on why the data is needed.
- Data Minimization: Organizations should only collect the personal information that is necessary for the purpose they have explained to the individual. Unnecessary details that serve no purpose to data subjects (customers) or businesses should be completely avoided. In simple terms, don’t gather more data than is needed for the task at hand.
- Accuracy: This principle emphasizes that organizations should ensure their personal data is correct and up-to-date. The organization acts as the data controller and/or processor, taking “reasonable measures” to ensure that it stays that way. It’s like keeping a list of names and addresses accurate so everything stays in order.
- Storage Limitation: Organizations should not be keeping personal data for longer than it’s needed for the original purpose. Once the personal data is no longer necessary, it should be deleted or anonymized. Think of it as cleaning up and organizing files when they are not needed any longer.
- Integrity and Confidentiality (Security): This principle focuses on keeping personal data safe and secure. Integrity is about making sure that personal data is correct and cannot be manipulated by others (organizations should opt to protect their systems against hackers). Confidentiality is about making sure that only the people who should have access to the personal data are processing it. It’s like setting up a firewall, file encryption, and 2FA for a laptop.
- Accountability: Accountability involves the organization taking responsibility for implementing and adhering to data processing principles while documenting their compliance efforts. They need to keep records of what they’re doing with personal data. If there’s a risk to data privacy, they should assess and address it (with the required audit trail) and prove responsibility. It’s like having a documented plan to assume responsibility if personal information is compromised.
These seven principles inform all processing activity and business practices. Organizations must understand the principles, and apply them at the beginning of their compliance journey and to their business holistically.
How The 7 Principles Support Privacy Compliance
The seven principles of GDPR collectively support privacy compliance by establishing a robust framework for the fair, lawful, and responsible handling of personal data. They ensure that organizations are transparent in their data processing activities, fostering customer trust and empowering individuals to make informed decisions about sharing their data.
Additionally, these principles guide organizations to adopt a privacy-centric approach throughout the data lifecycle. By emphasizing purpose limitation and data minimization, not only is the individual’s privacy respected, but the risk of loss of data, or unauthorized access or misuse is also reduced.
The principles of accuracy and storage limitation further contribute to maintaining data quality and relevance, while the security principle (integrity and confidentiality) ensures that appropriate measures are in place to protect against data breaches.
Finally, the accountability principle reinforces the importance of organizations taking responsibility for their data processing activities, fostering a culture of continuous compliance and adaptability to evolving privacy standards. Together, these principles create a comprehensive framework that prioritizes privacy and data protection.
What Comes Next for Data Privacy Regulations?
Compliance implementation varies based on your company’s privacy teams and regional laws, but using the seven principles as a framework for evaluating data initiatives ensures fair and ethical data management. These principles not only establish the foundation for compliance goals but also streamline collaboration between marketing and legal or privacy teams, easing overall compliance efforts.
Privacy laws will continue to evolve, and this framework helps create a path toward sustainable privacy. By ingraining fair information principles, your organization can take a proactive stance. Ethical data handling earns customer trust and it is the foundation of business success. It is critical to make principles like these central to your privacy program now and in the future.
This blog post is the first in a series of posts providing frameworks and tools to assist in the data privacy journey. For more resources on data privacy, explore Part 2 and Part 3 of our series, “Demystifying Data Privacy”. Additionally, you can explore our e-book, In Data We Trust.