Data Privacy Landscape
Table of contents
- What is data privacy?
- Challenges faced by individuals and organizations.
- Timeline of data privacy laws
- Data Subjects and their PI elements in data privacy
- Sensitive or non-sensitive PI elements across data privacy laws
- What is a pre-DPIA assessment in data privacy?
- Typical questions asked during pre-DPIA.
- What does data transfer mean?
- What is a DPIA assessment?
- Typical DPIA questions broken down by category.
- Software tools that can help with data privacy.
- Conclusion
- Resources
Data privacy has become a growing concern for individuals and organizations around the world. With the increasing amount of personal data being collected and shared online, governments and regulators have been taking action to protect individuals’ privacy rights. As a result, there is now a complex and evolving data privacy landscape that varies by region and country. This article explores the current state of the data privacy landscape in the world, including key laws and regulations, notable trends, and challenges faced by individuals and organizations. Understanding the data privacy landscape is essential for staying compliant, protecting personal data, and building trust with customers and stakeholders.

What is data privacy?
Data privacy refers to the protection of an individual’s personal information or data from unauthorized access, use, disclosure, or destruction. It involves controlling how personal information is collected, used, shared, and stored by organizations or individuals. Data privacy is a fundamental right, and it is essential to ensure that individuals have control over their personal information.
Data privacy includes various aspects, such as data security, data protection, data confidentiality, and data anonymity. It is governed by laws, regulations, and standards that aim to protect individuals’ privacy rights, such as the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
In summary, data privacy is about giving individuals control over their personal data and protecting their privacy rights. It is crucial to ensure that individuals’ personal information is collected and processed in a transparent, fair, and lawful manner.
Challenges faced by individuals and organizations.
Organizations and individuals face a range of challenges related to data privacy laws. These include complexity and compliance costs, data breaches and cyberattacks, cross-border data transfers, obtaining valid consent, incorporating privacy by design principles, and adapting to emerging technologies. These challenges require significant resources and attention to ensure compliance with data privacy laws and protect personal data.
Challenge | Description |
Complexity | Data privacy laws can be complex and difficult to navigate, with varying requirements and standards across different jurisdictions. This can be especially challenging for organizations operating in multiple countries. |
Compliance | Compliance with data privacy laws can be costly and time-consuming, requiring significant resources for data management, security, and reporting. Non-compliance can lead to fines, lawsuits, and reputational damage. |
Data breaches | Data breaches and cyberattacks pose a significant risk to personal data, and can result in identity theft, financial loss, and other harms to individuals. Organizations must take measures to prevent data breaches and respond effectively when they occur. |
Cross-border data transfers | Transferring personal data across borders can be challenging due to data privacy laws and restrictions on data exports. Organizations must ensure that they have appropriate legal mechanisms and safeguards in place for cross-border data transfers. |
Consent | Obtaining valid consent for the collection, use, and sharing of personal data can be challenging, especially in situations where individuals may not fully understand the implications of their consent. Organizations must ensure that consent is freely given, specific, informed, and unambiguous. |
Privacy by design | Incorporating privacy by design principles into products and services can be challenging, especially for organizations with legacy systems or complex data ecosystems. Privacy by design involves considering privacy risks and safeguards throughout the entire product or service lifecycle. |
Emerging technologies | Emerging technologies such as artificial intelligence, biometrics, and the Internet of Things present new privacy risks and challenges for individuals and organizations. Data privacy laws must keep pace with technological advancements to ensure that individuals’ privacy rights are protected. |
Timeline of data privacy laws
In recent years, data privacy has become a crucial concern for individuals, businesses, and governments worldwide. As a result, many countries have enacted data privacy laws to protect individuals’ personal information and regulate how organizations collect, use, and share such data. These laws vary by continent and country, but they generally aim to promote transparency, accountability, and individuals’ rights to privacy. In Europe, the General Data Protection Regulation (GDPR) has set the global standard for data privacy, while the United States has a patchwork of data privacy laws at the state level. In Asia, countries such as Japan and South Korea have comprehensive data privacy laws, while others, such as China and India, are in the process of developing or have developed their own. Meanwhile, in Latin America, countries such as Brazil and Argentina have enacted data privacy laws, while others, such as Mexico and Chile, are considering similar legislation. This section provides an overview of enacted data privacy laws across continents.
Continent | Country | Data Protection Law | Acronym | Year Enacted |
Africa | Algeria | Law No. 18-07 of 25 February 2018 on the Protection of Personal Data | — | 2018 |
Africa | Egypt | Personal Data Protection Law | — | 2020 |
Africa | Ghana | Data Protection Act, 2012 | — | 2012 |
Africa | Kenya | Data Protection Act, 2019 | — | 2019 |
Africa | Mauritius | Data Protection Act, 2017 | — | 2017 |
Africa | Morocco | Law No. 09-08 on the Protection of Individuals with respect to the Processing of Personal Data | — | 2009 |
Africa | Nigeria | Nigeria Data Protection Regulation, 2019 | — | 2019 |
Africa | South Africa | Protection of Personal Information Act, 2013 | POPIA | 2013 |
Asia | China | Personal Information Protection Law | PIPL | 2020 |
Asia | Hong Kong | Personal Data (Privacy) Ordinance | PDPO | 1995 |
Asia | India | Personal Data Protection Bill, 2019 | — | Not yet enacted |
Asia | Indonesia | Law No. 11 of 2008 on Electronic Information and Transactions | — | 2008 |
Asia | Japan | Act on the Protection of Personal Information | APPI | 2005 |
Asia | Malaysia | Personal Data Protection Act, 2012 | PDPA | 2010 |
Asia | Philippines | Data Privacy Act of 2012 | DPA | 2012 |
Asia | Singapore | Personal Data Protection Act, 2012 | PDPA | 2012 |
Asia | South Korea | Personal Information Protection Act | PIPA | 2011 |
Asia | Taiwan | Personal Data Protection Act | PDPA | 2010 |
Asia | Thailand | Personal Data Protection Act, 2019 | PDPA | 2019 |
Europe | Austria | Data Protection Act, 2018 | DSG | 2018 |
Europe | Belgium | General Data Protection Regulation | GDPR | 2018 |
Europe | Croatia | Personal Data Protection Act | PDPA | 2018 |
Europe | Cyprus | General Data Protection Regulation | GDPR | 2018 |
Europe | Czech Republic | Personal Data Protection Act | PDPA | 2000 |
Europe | Denmark | Data Protection Act, 2018 | DPA | 2018 |
Europe | Estonia | General Data Protection Regulation | GDPR | 2018 |
Europe | Finland | Data Protection Act, 2018 | DPA | 2018 |
Europe | France | General Data Protection Regulation | GDPR | 2018 |
Europe | Germany | General Data Protection Regulation | GDPR | 2018 |
Europe | Greece | General Data Protection Regulation | GDPR | 2018 |
Europe | Hungary | Data Protection Act, 2018 | DPA | 2018 |
Europe | Iceland | Act on Data Protection and the Processing of Personal Data | — | 2018 |
Europe | Ireland | Data Protection Act, 2018 | DPA | 2018 |
Europe | Italy | General Data Protection Regulation | GDPR | 2018 |
Europe | Latvia | General Data Protection Regulation | GDPR | 2018 |
Europe | Liechtenstein | Data Protection Act | — | 2018 |
Europe | Lithuania | General Data Protection Regulation | GDPR | 2018 |
Data Subjects and their PI elements in data privacy
Some examples of data subjects and the type of personally identifiable (PI) elements that an organization may collect:
Data Subject | Type of PI Elements |
Customer | Name, address, email, phone number, payment information, purchase history |
Employee | Name, address, email, phone number, Social Security number, bank account information, employment history |
Patient | Name, address, phone number, email, date of birth, health information, medical history |
Student | Name, address, email, phone number, date of birth, educational records, transcripts |
Website visitor | IP address, cookies, browsing history, location data |
Social media user | Name, profile information, photos and videos, location data, contact lists |
Job applicant | Name, address, email, phone number, resume, employment history, education history |
Note that this is not an exhaustive list and the specific types of PI elements collected may vary depending on the organization and context. Additionally, sensitive PI elements such as health information, biometric data, and government-issued identification numbers may require additional protections under data privacy laws.
Sensitive or non-sensitive PI elements across data privacy laws
The classification of personally identifiable (PI) elements as sensitive or non-sensitive varies by data privacy law. Data privacy laws such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) classify certain types of PI as sensitive or non-sensitive and provide different levels of protection and requirements for each. For example, sensitive PI elements may include health information, biometric data, sexual orientation, and religious beliefs, while non-sensitive PI elements may include name, address, and contact information. These laws may require additional consent or notice before collecting, using, or sharing sensitive PI elements, and may impose stricter requirements for securing and deleting such data. Therefore, it is important for organizations to be aware of the different classifications and requirements for sensitive and non-sensitive PI elements under relevant data privacy laws to ensure compliance and protect individuals’ privacy rights. Here are some scenarios of PI elements across applicable regions or countries.
Data Privacy Law Acronym | Sensitive PI Elements | Non-Sensitive PI Elements | Applicable Countries |
GDPR | Racial or ethnic origin, Political opinions, Religious or philosophical beliefs, Trade union membership, Genetic data, Biometric data for the purpose of uniquely identifying a natural person, Health data, Sex life or sexual orientation | Name, Address, Email address, IP address, Telephone number, Location data, Online identifier | European Union |
CCPA | Social security number, Driver’s license number, Passport number, Financial account number, Credit or debit card number, Geolocation data, Biometric information, Health information, Information revealing a consumer’s racial or ethnic origin, Sexual orientation, Religion or religious beliefs, Political affiliation or beliefs | Name, Address, Email address, IP address, Telephone number, Employment-related information, Education-related information, Commercial information | California, United States |
LGPD | Racial or ethnic origin, Religious belief, Political opinion, Health information, Sex life information | Name, Address, Email address, Telephone number, IP address, Geolocation data, Online identifiers | Brazil |
PDPA (Singapore) | Racial or ethnic origin, Political opinion, Religious or philosophical beliefs, Trade union membership, Health data, Biometric data | Name, Address, Email address, Telephone number, IP address, Geolocation data, Online identifiers | Singapore |
PIPA (South Korea) | Race or ethnicity, Birthplace, Political opinions, Criminal record, Health information, Sex life information | Name, Address, Email address, Telephone number, IP address, Geolocation data, Online identifiers | South Korea |
PIPL (China) | Race, ethnicity, religious belief, personal biological characteristics, medical and health information, financial information | Name, address, telephone number, email address, IP address, device identifier, account number, online identifier, education, and work information | China |
PDPA (Malaysia) | Race, religion, political affiliation, health information, sexual orientation, criminal records | Name, address, telephone number, email address, IP address, device identifier, account number, online identifier, employment information | Malaysia |
DPA (UK) | Race or ethnicity, Political opinions, Religious or philosophical beliefs, Trade union membership, Biometric data, Health data, Sex life or sexual orientation | Name, Address, Email address, Telephone number, IP address, Geolocation data, Online identifiers | United Kingdom |
PIPEDA (Canada) | Medical or health information, social insurance number, Driver’s license number, Financial information, Biometric information | Name, Address, Email address, Telephone number, IP address, Geolocation data, Online identifiers | Canada |
DPA (Austria) | Racial or ethnic origin, Political opinions, Religious or philosophical beliefs, Trade union membership, Genetic data, Biometric data, Health data, Sex life or sexual orientation | Name, Address, Email address, Telephone number, IP address, Geolocation data, Online identifiers | Austria |
DPA (Denmark) | Race, ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning sex life or sexual orientation | Name, Address, Email address, Telephone number, IP address, Geolocation data, Online identifiers | Denmark |
POPIA (South Africa) | Race or ethnic origin, Political opinions, Religious or philosophical beliefs, Trade union membership, Health data, Biometric data, Criminal behaviour | Name, Address, Email address, Telephone number, IP address, Geolocation data, Online identifiers | South Africa |
What is a pre-DPIA assessment in data privacy?
A pre-DPIA (Data Protection Impact Assessment) assessment is a preliminary evaluation that organizations can conduct to determine whether a DPIA is necessary for a particular processing activity involving personal data. A DPIA is a tool used to identify, assess, and mitigate privacy risks associated with the processing of personal data, and is required under certain data privacy laws, such as the GDPR (General Data Protection Regulation).
The purpose of a pre-DPIA assessment is to help organizations identify processing activities that may require a DPIA, so that they can allocate resources appropriately and ensure compliance with legal requirements. A pre-DPIA assessment typically involves a high-level analysis of the processing activity, focusing on factors such as the nature of the personal data involved, the purposes of the processing, and the potential risks to individuals’ privacy and data protection rights. Based on this analysis, organizations can determine whether a DPIA is necessary and if so, develop a more detailed plan for conducting the assessment.
Pre-DPIA assessments are not mandatory under the GDPR or other data privacy laws but are often recommended as a best practice to help organizations streamline their privacy compliance efforts and minimize the risk of non-compliance.
Typical questions asked during pre-DPIA.
These are typical questions asked during pre-DPIA assessment:
Category | Example Questions |
Personal Data | What types of personal data will be processed? Are any special categories of personal data involved (e.g., health data, biometric data)? |
Processing Activities | What processing activities will be performed on the personal data? Will the data be collected, stored, used, disclosed, or otherwise processed? |
Purposes | What purposes will the personal data be processed for? Will the processing be necessary for the performance of a contract, compliance with a legal obligation, or another legitimate purpose? |
Data Subjects | Who are the data subjects whose personal data will be processed? How many data subjects are involved? Are they vulnerable or otherwise at risk? |
Risks and Impact | What are the potential risks to individuals’ privacy and data protection rights arising from the processing activity? How likely are these risks to occur, and how severe would the impact be? |
Mitigation Measures | What measures can be taken to mitigate the risks identified in the assessment? Are there technical or organizational measures that can be implemented to reduce the risk or likelihood of harm? |
Data Transfers | Will personal data be transferred outside of the organization or the EU/EEA? If so, what measures will be taken to ensure an adequate level of protection for the data? |
Security | What security measures will be implemented to protect the personal data against unauthorized access, disclosure, or other types of misuse? |
Data Retention | How long will personal data be retained? Is there a justification for retaining the data for this length of time? |
Data Subject Rights | What rights do data subjects have with respect to the processing of their personal data? How will the organization ensure that these rights are respected? |
It’s worth noting that this list is not exhaustive and that the specific questions asked during a pre-DPIA assessment may depend on the nature of the processing activity and the legal requirements applicable to the organization. Additionally, the categories listed here are not mutually exclusive and may overlap in practice. The goal of a pre-DPIA assessment is to identify and evaluate potential privacy risks associated with a processing activity to determine whether a full DPIA is necessary to ensure compliance with legal requirements and protect individuals’ privacy rights.
What does data transfer mean?
In data privacy, data transfer refers to the process of transmitting personal data from one individual, organization, or location to another. This may involve moving data between systems, sharing data with third-party service providers or partners, or transferring data across national borders. Data transfer is often regulated by data privacy laws, which may require organizations to obtain consent from individuals, implement appropriate security measures, or fulfil other requirements before transferring personal data. Transfers of personal data across national borders may also be subject to additional legal requirements, such as those related to data localization, data protection agreements, or international data transfer frameworks like the EU-US Privacy Shield or the Swiss-US Privacy Shield.
What is a DPIA assessment?
A DPIA (Data Protection Impact Assessment) is a process for identifying, assessing, and mitigating privacy risks associated with the processing of personal data. A DPIA is a tool used to help organizations comply with data privacy laws, such as the GDPR (General Data Protection Regulation), which require organizations to evaluate the potential impact of processing personal data on individuals’ privacy and data protection rights.
A DPIA typically involves a systematic analysis of the processing activity, focusing on factors such as the nature of the personal data involved, the purposes of the processing, and the potential risks to individuals’ privacy and data protection rights. The DPIA process may involve consultations with stakeholders, including data subjects, data controllers, and data processors, as well as reviews of relevant documentation and technical and organizational measures.
The specific steps involved in a DPIA may vary depending on the processing activity and the legal requirements applicable to the organization. However, common elements of a DPIA may include:
- Mapping of personal data flows and identifying processing activities and purposes.
- Assessment of the necessity and proportionality of the processing activity.
- Identification of potential risks to individuals’ privacy and data protection rights.
- Evaluation of the likelihood and severity of the potential risks.
- Development and implementation of mitigation measures to address identified risks.
- Monitoring and review of the effectiveness of mitigation measures.
The goal of a DPIA is to identify potential privacy risks associated with a processing activity and to ensure that appropriate measures are in place to mitigate those risks and protect individuals’ privacy and data protection rights. DPIAs are not always required under data privacy laws, but may be mandatory in certain situations, such as when processing involves special categories of personal data or when processing is likely to result in a high risk to individuals’ privacy rights.
Typical DPIA questions broken down by category.
Here’s a crosstab that outlines some of the typical categories of questions that might be asked during a DPIA, along with examples of specific questions that might fall within each category.
Category | Example Questions |
Personal Data | What types of personal data will be processed, and how sensitive is this data? Is any special category of personal data involved (e.g., health data, biometric data)? |
Processing Activities | What processing activities will be performed on the personal data, and how will the data be collected, stored, used, disclosed, or otherwise processed? |
Purposes | What purposes will the personal data be processed for, and are these purposes necessary and proportionate? |
Data Subjects | Who are the data subjects whose personal data will be processed, and how many data subjects are involved? Are any data subjects particularly vulnerable or at risk? |
Risks and Impact | What are the potential risks to individuals’ privacy and data protection rights arising from the processing activity, and how likely are these risks to occur? What would be the severity of the impact if the risks materialize? |
Mitigation Measures | What measures can be taken to mitigate the risks identified in the assessment? Are there technical or organizational measures that can be implemented to reduce the risk or likelihood of harm? |
Data Transfers | Will personal data be transferred outside of the organization or the EU/EEA? If so, what measures will be taken to ensure an adequate level of protection for the data? |
Security | What security measures will be implemented to protect the personal data against unauthorized access, disclosure, or other types of misuse? |
Data Retention | How long will personal data be retained, and is there a justification for retaining the data for this length of time? |
Data Subject Rights | What rights do data subjects have with respect to the processing of their personal data, and how will the organization ensure that these rights are respected? |
Legal Basis | What is the legal basis for the processing activity, and is this legal basis appropriate for the processing activity? |
It’s worth noting that this list is not exhaustive and that the specific questions asked during a DPIA may depend on the nature of the processing activity and the legal requirements applicable to the organization. Additionally, the categories listed here are not mutually exclusive and may overlap in practice. The goal of a DPIA is to identify and evaluate potential privacy risks associated with a processing activity to determine appropriate measures to ensure compliance with legal requirements and protect individuals’ privacy rights.
Software tools that can help with data privacy.
Data Classification and Discovery
- Varonis Data Classification Engine: This tool uses machine learning to automatically classify and tag sensitive data, helping organizations identify and protect personal data.
- IBM InfoSphere Discovery: This tool automatically discovers and categorizes sensitive data across an organization’s IT environment, providing a comprehensive view of personal data for privacy and security purposes.
- Spirion Sensitive Data Manager: This tool uses machine learning to identify and classify sensitive data and provides remediation recommendations for privacy and security purposes.
Data Anonymization and Masking
- Privitar: This tool provides advanced data anonymization and privacy protection capabilities, including dynamic masking, de-identification, and synthetic data generation.
- Micro Focus Voltage SecureData: This tool provides end-to-end data privacy and security solutions, including data masking, encryption, and tokenization.
- Dataguise: This tool provides sensitive data discovery, masking, and encryption capabilities to help organizations protect personal data.
Data Governance and Compliance
- OneTrust: This tool provides a comprehensive suite of privacy and security management solutions, including data governance, compliance management, and incident response.
- TrustArc: This tool provides privacy management software and services to help organizations comply with global privacy regulations, including GDPR, CCPA, and LGPD.
- BigID: This tool provides a privacy-aware data discovery and intelligence platform, helping organizations identify and manage personal data for compliance and privacy purposes.
Privacy Impact Assessment and Risk Management
- Proteus: This tool provides privacy impact assessment and risk management capabilities, including privacy risk assessments, data protection impact assessments (DPIAs), and privacy risk management.
- Nymity: This tool provides a comprehensive privacy management platform, including privacy impact assessments, data mapping and inventory, and compliance management.
- LogicGate: This tool provides a risk management platform that can be customized to support privacy risk assessments, compliance management, and privacy impact assessments.
These software tools can help organizations implement data privacy engineering principles and practices throughout the software development lifecycle, from data discovery and classification to data anonymization and governance. Each tool has its own unique features and capabilities, and organizations should select the tool or tools that best meet their specific privacy and data protection needs.
Conclusion
In conclusion, the data protection landscape is complex and constantly evolving, with new laws, technologies, and challenges emerging regularly. Organizations must prioritize data privacy and take proactive measures to protect individuals’ personal information, comply with applicable laws and regulations, and build trust with their customers and stakeholders. This requires ongoing attention to privacy policies and procedures, regular risk assessments and audits, effective security measures, and clear communication with individuals about their data rights and choices. By staying informed and proactive, organizations can navigate the data protection landscape effectively and minimize the risks associated with data breaches, non-compliance, and loss of customer trust.
Resources
- International Association of Privacy Professionals (IAPP) – https://iapp.org/
- Data Protection Authorities (DPAs) – The list of DPAs can vary depending on the region, but here are a few examples:
  - European Data Protection Board (EDPB) – https://edpb.europa.eu/
  - Information Commissioner’s Office (ICO) (UK) – https://ico.org.uk/
  - Office of the Privacy Commissioner of Canada (OPC) – https://www.priv.gc.ca/en/
  - European Data Protection Supervisor (EDPS) – https://edps.europa.eu/
- National Institute of Standards and Technology (NIST) – https://www.nist.gov/topics/privacy
- Privacy International – https://privacyinternational.org/
- Future of Privacy Forum (FPF) – https://fpf.org/
- Center for Democracy and Technology (CDT) – https://cdt.org/
- Network Advertising Initiative (NAI) – https://www.networkadvertising.org/
- International Organization for Standardization (ISO) – https://www.iso.org/home.html