The Evolving Global Privacy Framework

GDPR Graphic showing EU flag

André Thompson, Privacy and Ethics Counsel at Trūata discusses the growing complications of global privacy frameworks, especially during the current COVID era, and how we need to adapt as businesses.

There are few certainties in 2020 given the global geo-political, social and economic landscape. What in January looked like an already complicated year changed immeasurably as Covid-19 spread around the globe. The global response by nation-states to the pandemic, unprecedented in the modern era, brought the privacy of citizens to the fore yet again as governments sought to use smart devices to track the spread of the virus by collecting and processing data about the user’s movements and behaviour. It is timely to reflect on the impact of the GDPR on the increasing spread and impact of privacy laws globally therefore, as the GDPR reaches its second anniversary with mixed reviews. Although the GDPR has received headlines, it is crucial for organisations to realise that it is not the only law that impacts data-driven businesses. The increased awareness in the public and the media about privacy as a result of Covid-19 contact tracing measures means that the global privacy framework is likely to become even more complicated. Therefore, as the volume of these laws is ever-increasing, it is difficult for businesses to keep on top of compliance requirements from one market to the next.

To put this in context, as of February 2020, 11 US States have privacy Acts or developing Bills in place, with a number of other states having privacy task forces in place. A US federal privacy law has been proposed. It is still some time away, but the momentum is growing. Brazil, South Africa and India’s new data protection laws are passed or are at an advanced stage in the legislative process, joining countries that already have modernised data protection and privacy laws, such as Canada, Russia, Japan, Singapore, South Korea, Malaysia and Nigeria – and many others which are on that journey. Although Covid-19 has delayed the legislative processes, with Brazil, South Africa and India’s laws being postponed, more than 60 counties have now introduced privacy laws in response to their citizens desire for control over their privacy and data protection rights. In increasingly globalised markets and with the ever-increasing adoption of cloud computing and PaaS, IaaS and SaaS services, few large organisations can ignore what we can call the ‘global privacy framework’.

With this evolving global privacy framework, the compliance burden is considerable. Some jurisdictions, such as Russia, have data localisation laws. Others differ in subtle but significant ways from GDPR, the law which most companies seek to align to. Brazil’s LGPD has ten lawful bases of processing, compared to GDPR’s six. South Africa’s POPIA protects the data of natural (i.e. living) persons and juristic persons (i.e. corporations). When companies start to dig into the requirements of these differing laws, they realise the difficulty of a ‘one size fits all’ approach. This poses significant Boardroom-level risk. Forrester are predicting a 300% increase in privacy class actions. With so many different flavours and approaches to data protection, managing and analysing data while maintaining customer trust is becoming increasingly difficult for companies with global footprints.

So how can companies address the ‘compliance overhead’ associated with the global privacy framework? How do they manage, stay on top of and adhere to global regulations? There is one constant regardless of the jurisdiction: privacy laws are based on the protection of ‘personal data’. If the data is not ‘personal’ then privacy laws don’t apply. Therefore, turning to genuine anonymisation of personal data is a way of assisting with compliance and building customer trust, regardless of the jurisdiction, and allows organisations to unlock the value in their data and reduce exposure to global privacy laws. The overarching themes of data privacy regulations are that the rights to use personal data are narrowing and the rights of data subjects are expanding. In this environment the risk of fines, negative brand image and drop in revenue are very real. The question isn’t how to comply with the global privacy framework, but how to avoid it altogether. There is every reason to believe that anonymisation is a tool that will become essential for data-driven organisations in the next few years. It brings to mind the maxim, “fail to plan, plan to fail”: Organisations need to start thinking now how they will comply now in one, two, five or ten years as the impact of current events could change the way we do business using personal data. The compliance burden will only get harder and forward-thinking is essential.


Andre Thompson

Andre Thompson is Privacy and Ethics Counsel at Trūata. Andre is a qualified solicitor admitted in Ireland, England, and Wales. He has over 20 years' experience in a commercial legal environment, working in-house, in private commercial practice, and in private consultancy.

Birmingham Unveils the UK’s Best Emerging HealthTech Advances

Kosta Mavroulakis • 03rd April 2025

The National HealthTech Series hosted its latest event in Birmingham this month, showcasing innovative startups driving advanced health technology, including AI-assisted diagnostics, wearable devices and revolutionary educational tools for healthcare professionals. Health stakeholders drawn from the NHS, universities, industry and front-line patient care met with new and emerging businesses to define the future trajectory of...

Why DEIB is Imperative to Tech’s Future

Hadas Almog from AppsFlyer • 17th March 2025

We’ve been seeing Diversity, Equity, Inclusion, and Belonging (DEIB) initiatives being cut time and time again throughout the tech industry. DEIB dedicated roles have been eliminated, employee resource groups have lost funding, and initiatives once considered crucial have been deprioritised in favour of “more immediate business needs.” The justification for these cuts is often the...

The need to eradicate platform dependence

Sue Azari • 10th March 2025

The advertising industry is undergoing a seismic shift. Connected TV (CTV), Retail Media Networks (RMNs), and omnichannel strategies are rapidly redefining how brands engage with consumers. As digital privacy regulations evolve and platform dynamics shift, advertisers must recognise a fundamental truth. You cannot build a sustainable business on borrowed ground. The recent uncertainty surrounding TikTok...

The need to clean data for effective insight

David Sheldrake • 05th March 2025

There is more data today than ever before. In fact, the total amount of data created, captured, copied, and consumed globally has now reached an incredible 149 zettabytes. The growth of the big mountain is not expected to slow down, either, with it expected to reach almost 400 zettabytes within the next three years. Whilst...

What can be done to democratize VDI?

Dennis Damen • 05th March 2025

Virtual Desktop Infrastructure (VDI) offers businesses enhanced security, scalability, and compliance, yet it remains a niche technology. One of the biggest barriers to widespread adoption is a severe talent gap. Many IT professionals lack hands-on VDI experience, as their careers begin with physical machines and increasingly shift toward cloud-based services. This shortage has created a...

Tech and Business Outlook: US Confident, European Sentiment Mixed

Viva Technology • 11th February 2025

The VivaTech Confidence Barometer, now in its second edition, reveals strong confidence among tech executives regarding the impact of emerging technologies on business competitiveness, particularly AI, which is expected to have the most significant impact in the near future. Surveying tech leaders from Europe and North America, 81% recognize their companies as competitive internationally, with...