Gartner predicts that by the end of 2024, 75% of the world’s population will be regulated by modern data privacy laws, up from 25% in 2022. This monumental change represents a drawn-out effort by regulatory bodies to bring data protection to their citizens. With the meteoric rise of digital devices and data-driven technologies, the need for data privacy regulations and protections is paramount. In our three-part blog series, Demystifying Data Privacy, we’ll take a deep dive into key areas:
In this post (Part 1), let’s explore and understand the framework for why Europe and the United States have different approaches to privacy and the benefits of each approach. We’ll also look at the core principles that apply to all privacy laws and how organizations can approach privacy using these core principles (regardless of region). Plus, we’ll explore a consistent framework to use as a guide in the evolving data privacy landscape.
Privacy protection has its origin in the laws of Europe and the United States. However, Europe and the United States have inherently different approaches to data privacy arising from the history of each region. The United States has strong sectoral privacy laws, such as those regulating health and finance, and state laws that address the privacy of residents of those states. The European Union (“EU”) has broader, more comprehensive laws (the “GDPR”) that are designed to ensure privacy protection for the individual and facilitate the free flow of personal data between member states.
For example, the GDPR requires an entity to have a legal basis for processing personal data. Marketers can generally rely on legitimate interest as the legal basis for processing personal data. Using legitimate interest requires a balance of interest test:
Conversely, the United States generally does not require any balancing tests for marketing purposes. The United States takes an “opt-out” approach, meaning a marketer can process personal data for marketing purposes freely but individuals must be allowed to opt out of that choice. On the other hand, Europe’s approach is “opt-in”, meaning requests are to be expressed to businesses clearly, intelligibly, and in an easily accessible manner. For an individual, this approach provides much-needed protection and control.
Despite these differences, for businesses collecting and handling customer data, one thing remains the same: it is complex. The various data protection laws create a complicated web of global privacy requirements that are fragmented and overwhelming when working toward compliance.
As of March 2023, 162 countries have enacted data privacy laws. In the United States, multiple states have passed state-level data privacy laws such as the CCPA (California Consumer Privacy Act) enacted by California in 2018, as amended by the CPRA (California Privacy Rights Act) in 2020.
The most globally recognized and enforced data privacy law is the GDPR. Additionally, it serves as a reference model for many regions, including Japan (APPI), Nigeria (NDPR), Brazil (LGPD), and Canada (PIPEDA). However, every region has specific requirements and nuances that make country-specific laws unique. To add to the complexity, the laws usually evolve and get amended after they are enacted. Part of that evolution comes from decisions made by supervisory authorities and state attorneys general, from case law such as the ECJ ruling, and from how data is transferred across jurisdictions, as we can see from the Schrems cases.
By now, you can begin to understand this fractured landscape and the challenges it presents. Frequent regulatory changes make it challenging for marketing, product, and technology teams to stay updated, leading them to rely on their privacy and legal teams for compliance guidance in data-related initiatives. One unfortunate outcome of this approach is that key requirements for compliance usually surface after the work has been done. The hope is to have clarity about what data will be collected and how it will be used, and to ensure that this is reflected in the design and data flow. But that is rarely the case. Reviews with the privacy team often lead to rework, frustration, and the feeling that privacy can be a blocker. Organizations with mature privacy practices avoid this situation by using privacy-by-design principles and ensuring that training, assessments, and audits happen from the start, preventing last-minute emergencies and delays.
To promote cross-company understanding, knowing the foundation of the laws can be helpful. Authorities are legitimately trying to build a world where the individual’s right to privacy is respected and honored, rather than focusing on fining businesses for data privacy mistakes.
As businesses rely more and more on collecting and using personal information, questions arise about impacts on privacy like, “Do I have to deal with this information? How will it be used? Who will access it? How will it be secured?” We are proposing that if an organization understands and follows basic privacy principles, the fear and confusion associated with compliance will be eliminated. Enter the seven principles of GDPR.
Let’s explore the core tenets of GDPR, also referred to as the seven principles of GDPR. They are a set of guiding principles that address the various security and privacy concerns and form the structure that organizations need to implement as they work toward compliance. These principles are crucial as they are the foundation for privacy laws and regulations, serving as a reference for multiple regions and sharing commonalities with global data-related laws and regulations. Understanding these principles helps teams prepare for compliance and responsible data practices, regardless of the region where they are based.
The seven principles of GDPR include:
These seven principles inform all processing activity and business practices. Organizations must understand the principles, and apply them at the beginning of their compliance journey and to their business holistically.
The seven principles of GDPR collectively support privacy compliance by establishing a robust framework for the fair, lawful, and responsible handling of personal data. They ensure that organizations are transparent in their data processing activities, fostering customer trust and empowering individuals to make informed decisions about sharing their data.
Additionally, these principles guide organizations to adopt a privacy-centric approach throughout the data lifecycle. By emphasizing purpose limitation and data minimization, not only is the individual’s privacy respected, but the risk of data loss, unauthorized access, or misuse is also reduced.
The principles of accuracy and storage limitation further contribute to maintaining data quality and relevance, while the security principle (integrity and confidentiality) ensures that appropriate measures are in place to protect against data breaches.
Finally, the accountability principle reinforces the importance of organizations taking responsibility for their data processing activities, fostering a culture of continuous compliance and adaptability to evolving privacy standards. Together, these principles create a comprehensive framework that prioritizes privacy and data protection.
Compliance implementation varies based on your company’s privacy teams and regional laws, but using the seven principles as a framework for evaluating data initiatives ensures fair and ethical data management. These principles not only establish the foundation for compliance goals but also streamline collaboration between marketing and legal or privacy teams, easing overall compliance efforts.
Privacy laws will continue to evolve, and this framework helps create a path toward sustainable privacy. By ingraining fair information principles, your organization can take a proactive stance. Ethical data handling earns customer trust and it is the foundation of business success. It is critical to make principles like these central to your privacy program now and in the future.
This blog post is the first in a series of posts providing frameworks and tools to assist in the data privacy journey. For more resources on data privacy, explore Part 2 and Part 3 of our series, “Demystifying Data Privacy”. Additionally, you can explore our e-book, In Data We Trust.