International data privacy laws: a universal challenge
As more countries across the globe implement data protection and privacy laws, domestic and multinational companies are finding it harder to keep pace. From GDPR to state-by-state regulations in the United States, compliance can increasingly feel like a moving target while local elections, vendor sprawl, and AI ratchet up the complexity.
The shift toward digital identity in the EU and the UK adds another wrinkle as governments push trusted digital ID frameworks, even though they’re still working out legislation to protect them. It’s no wonder users are skeptical.
Even after six years of GDPR implementation, enforcement remains inconsistent—literally all over the map.
In our recent Global Cyber Policy Radar, NCC Group analyzed data collated by OneTrust to reveal that global regulators have issued over 2,700 fines related to data privacy, totaling 6.6B EUR since 2020. Of the penalties levied to date, only 14 of the fines have been in the UK, while Spain has racked up 842. Despite this high number, Spanish penalties have totaled less than 80M EUR. By contrast, Ireland has levied only 20 monetary penalties, yet with the largest ever against Meta (1.2B EUR), its sum far exceeds the rest of the world—more than the US and China combined.
According to the EU’s Report on the General Data Protection Regulation, supervisory authorities have different priorities and tactics. For example:
- The public sector is the biggest area of enforcement, although penalties rarely result from it. By contrast, social media, tech, and e-commerce don’t even rank in the top 10 for enforcement activity, but when they are targeted, the fine is significant.
- Outside of the US and the EU, a few nations and regions have become ones to watch: Kenya, Japan, and Hong Kong are among those have stepped up enforcement.
- AI is becoming a keen area of focus globally, and the EU has rolled out the AI Act, the first comprehensive AI law of its kind. Elsewhere, online services and apps accessed by or targeted to children are the subject of several new regulations.
- Some countries are subtly going after AdTech/cookie compliance by contacting companies for data handling verification. Others are more aggressive, using tools to trawl websites looking for non-compliance.
- There’s been a shift toward quick hits: authorities have accelerated decision-making to enable wider enforcement, providing a faster settlement instead of dragging out investigations for months or years.
While GDPR has become the de facto standard for data privacy, the evolving political landscape may bring even more changes.
In the UK, the newly elected government replaced the previous DPDI bill with a new Digital Information and Smart Data Bill, quietly dropping some UK GDPR reforms.
The US remains a tangle of state laws (19 out of 50 have their own unique statutes) while federal legislation aiming to harmonize state laws has only recently been introduced to Congress – but it remains to be seen whether the law will pass.
In Australia, reforms to the long-standing Privacy Act will see enhanced regulator powers, new requirements for automated decision-making, and a new Children’s Online Privacy Code.
This leaves organizations even more confused, wondering how they can keep up with compliance. Having a solid governance program in place is the first step and experience is the key.
I’ve worked with many organizations across every sector to help them achieve and maintain compliance by staying abreast of changes in legislation and up to date on the latest data privacy and strategic management strategies. Based on that depth of knowledge, here are some best practices to help you navigate the ever-changing regulatory minefield:
6 Essential steps for an effective data privacy and protection compliance framework
1. Understand scope
For the most part, what’s considered personal data is relatively standard across the globe, and companies that serve customers, have a presence, have equipment, or use vendors in a given country are subject to local provisions. However, there are some unique nuances. In Saudi Arabia, for example, the Personal Data Privacy Law includes data that indicates that one or both of the individual’s parents are unknown, and the Philippines law covers educational background.
2. Assess data flows
Understanding where, how, and to whom your data reaches is essential. Developing a Record of Processing Activities (RoPA) is a requirement for GDPR compliance, but having this inventory can also aid in subject access requests and data breach investigations.
3. Update policies and processes
Many new and proposed regulations require changes in operating procedures, so it’s better to implement these now and avoid the scramble ahead of compliance deadlines. For example, the US Protecting American’s Data from Foreign Adversaries Act (PADFA) applies specific restrictions on data brokers associated with or located in foreign adversary countries, including individuals domiciled in a designated country (which of course could change) or entities in which foreign individuals have a 20% or more direct or indirect ownership stake.
4. Address data retention and deletion
We’ve seen more subject access requests in the last 12 months than in previous years. Where it was previously quite rare, this acceleration has left many organizations struggling because, while they had documented procedures, they didn’t have to actually do anything regarding data retention and removal. Updates to the ISO27001 standard are driving the shift, and in many companies, it’s cultural—getting executives onboard with what data can and should be deleted and convincing them to stop using email as a data repository, can be a challenge. Data flow auditing can help streamline this process.
5. Emphasize training and awareness
Staff need to be well-informed about legislative updates so they can understand how protocols impact compliance. Routine changes in system configuration, vendor updates, and simple procedure modifications can inadvertently result in violations. Building compliance checkpoints into the change management process can prevent “accidental” enforcement action.
6. Approach AI as a wildcard
The EU is cracking down on data protection related to AI with new regulatory guidance from the EDPB and the AI Act legislation, the latter of which covers a broad scope throughout the supply chain, including developers of AI systems and models, deployers of those systems, and authorized representatives. In addition to financial penalties, which are higher than GDPR (7% of annual global turnover compared to 4% for GDPR), providers can be forced to remove non-compliant AI systems from the market.
Meanwhile, some US states are also passing AI-specific data privacy legislation. This new oversight will require companies to increase AI literacy, develop ethical guidelines and governance structures, and prioritize collaboration between AI officers and privacy teams.
Getting the basics right is essential for organizations in scope for any regulatory oversight. You need full visibility of what data you have, where it is, how it flows, who has access, and how to restrict access or delete it upon request.
Executive Principal Consultant, NCC Group
Paul leads the NCC Group Privacy Practice and is the outsourced DPO for several clients among various industries. His vast experience allows him to support clients across a range of data privacy services, including privacy research, gap analysis, and remediation.
Preparing for data privacy regulation with NCC Group
NCC Group has been at the forefront of data privacy and protection compliance since the beginning.
Having worked with hundreds of organizations across every sector, we know the risks, pain points, and challenges to plan for. Even better, we know how to solve them with proven best-practice guidance and tailored solutions. Our ability to leverage learnings from one industry across others is a strategic advantage that’s unmatched in the industry.
As new regulations emerge, don’t go it alone. Our compliance team can help you create a roadmap, break the workload into manageable steps, and prioritize concerns so you can focus on the highest risks and implement a pragmatic remediation plan.
Stay ahead of the game.
Start a conversation with one of our compliance consultants to better understand the ins and outs of data privacy and protection for your organization.