Navigating The Data Privacy Maze

Global data privacy regulations are increasing in scope and complexity. In July 2023 the European Commission adopted new rules to ensure stronger enforcement of the General Data Protection Regulation (GDPR) in cross-border cases. Meanwhile in March 2023, the UK government presented a new version of the UK Data Protection and Digital Information Bill No.2. 

Across the pond, certain US states are beefing up their data privacy policies and corresponding legislation as more and more businesses collect, store, and use data, many now employing Artificial Intelligence (AI) to help them do the job.

So how do businesses who trade internationally keep up to date with ever-changing legislation and adapt business processes accordingly to remain compliant? 

First, Assess Your Current Level Of Compliance

Start by mapping out what data your organisation holds and where it sits – this is foundational to any successful data privacy and cybersecurity strategy. Womble Bond Dickinson’s new data privacy report, Growing Global: 2023 global data privacy law survey report, surveyed 200 businesses in the UK and US and found that the majority of organisations still need to do this, with only 34% of respondents stating that they have conducted data mapping and understand the data practices at their organisation. We often find that organisations underestimate the value of the data they hold, which means they are inevitably not maximising its potential.

The Main Challenges To Achieving Compliance 

Keeping abreast of the latest changes represented the biggest challenge for respondents to our survey of businesses on both sides of the Atlantic. Hurdles include tracking the status of legislation and differences between state laws in the US (59%), as well as adapting to new/changing requirements in Europe (55%).

The team effort required to address data privacy issues also leads to numerous operational issues – especially in the US. For those doing business in the states, key challenges include budget increases (52%), lack of available staff (42%), obtaining management approval and support to prioritise changes (30%), and the lack of an appointed leader (21%).

By contrast, each of these selections was chosen by fewer respondents doing business in the UK and/or EU – fitting, given their longer experience with the GDPR and/or Data Protection Act (DPA), as well as the GDPR mandate to have a data privacy officer. For that group, 45% say budget increases are a challenge, while 39% cite lack of available staff, 23% cite obtaining management approval and support, and just 10% cite the lack of an appointed leader. Understanding the data held within the organisation is a key challenge for both groups – which tracks with organisations’ lack of progress on data mapping.

Managing & Documenting Your Data Processing Activities & Data Protection Impact Assessments 

Create a list of the workstreams involved in implementing a data privacy solution and ensure that all key people are involved: internal teams, senior stakeholders, third-party advisors and, of course, the service providers that will be required.

Handling International Data Transfers & Ensuring Adequate Safeguards For Personal Data

According to our recent report, UK respondents are more comfortable with the impact of privacy regulations on their ability to conduct cross-border business than their US counterparts. Forty percent of UK respondents (versus 35% in the US) say these regulations add extra costs but are manageable, while only 10% (versus 17% in the US) believe regulations are a major impediment to such business.

Overall, these findings tell us that, while cross-border data transfers remain a challenge, many businesses are managing and even seeing value in associated regulations. Though much remains in flux, when these rules stabilise, they can have a positive long-term impact.

In an increasingly global – and digital – business landscape, the ability to transfer data across borders is paramount. A key challenge we are seeing for businesses right now is identifying where those transfers occur, particularly when they happen further down the supply chain. There is a question over how far down the chain businesses are required to go when assessing downstream transfer compliance – this is an area where, in the UK, further guidance from the ICO would be welcome.

When it comes to transferring data from Europe to the US, however, regulatory mechanisms for doing so are in flux following the Court of Justice of the European Union’s 2020 invalidation of the EU-US Privacy Shield framework. Though the Biden administration has proposed a successor framework to address these concerns – the Trans-Atlantic Data Privacy Framework – it is unclear whether it will pass the GDPR’s adequacy standard. The US and UK, meanwhile, are currently working through their own agreement aimed at creating a “data bridge” for data flows between the two nations. 

Despite these uncertainties, our survey gives some indication that data privacy regulations are generally good for cross-border business – especially for UK respondents, who are more experienced with existing standards.

Roughly a third of all respondents say that regulations add extra costs but are manageable and that they encourage international business by providing assurance that data will be treated properly in other countries. Only 10% of UK respondents – and 17% in the US – say data privacy regulations are a major impediment to cross-border business.

Keeping Up With The Evolving Interpretation & Enforcement Of GDPR By Courts & Authorities Across The EU 

Our research showed that 55% of US respondents are concerned with enforcement actions around geolocation data privacy laws, while 50% say as much about litigation – a significantly higher share than their UK counterparts, at 45% and 36%, respectively.

Balancing The Need For Data Protection With The Need For Data-driven Innovation & Value Creation

Where you place emphasis will depend on the culture you’re operating within. Our research found that, when it comes to big-picture concerns around data privacy, respondents ranked data breaches and cybersecurity as the number one issue – with UK executives expressing particular concern. Retail and financial services respondents indexed higher than all other industries in terms of data privacy concerns, with 42% and 41%, respectively, selecting “high level of concern.”

US respondents’ second-ranked issue is litigation and regulatory enforcement action while in the UK the runner-up spot is split between loss of customer loyalty/trust and cost of compliance with privacy laws. Interestingly, US respondents are more concerned about not fully utilising data to maximise sales/revenue and less concerned with the cost of compliance than their UK counterparts. This could be because of the differences in how data privacy laws are shaped in the EU and UK versus the US. 

Privacy is a fundamental right in the EU, and the GDPR and its predecessor Directive have provided longstanding legal frameworks to protect those rights. In contrast, US laws have historically been sectoral and reactionary – for instance, what happens if personal data is breached. These new state omnibus privacy laws impose proactive requirements, and the main impetus is to empower consumers with rights over their data, particularly when that data is being monetised.

Collaborating With Other Organizations To Ensure GDPR Compliance Along The Data Value Chain

Our research showed that, while 70% of businesses say they have designated an internal project manager or owner and 58% say they conduct regular staff training on data privacy and compliance, fewer than half of the overall respondent pool have taken the following steps: engaged outside legal counsel (42%), participated in a peer group to keep abreast of changes (40%) or developed a task force/oversight council to track privacy law changes (35%).

Managing The Risks & Opportunities Of Emerging Technologies Like AI In The Context Of GDPR Compliance

To maximise the opportunities of emerging technologies, organisations should create a clear strategy for their approach – this should involve a mixture of technical, operational, and legal teams, all working together with oversight and buy-in from senior stakeholders in the business. Without this joined-up approach, we are seeing businesses struggle, for example with operational teams running demos of new technologies without first consulting legal, which can prove challenging at later stages of a project.

The case for a senior member of staff to oversee the adoption of AI is growing ever stronger.

That individual, for example a Chief AI Officer, is responsible for the due diligence of AI technologies: whether they adhere to the rules set out by the regulator to which the business is subject, and whether the decisions they make are going to have an impact on individuals. As we saw with the roll-out of GDPR, people will become more knowledgeable about how and why their data is being used, and whether there is an opportunity to bring a claim should that use be found to be improper.

Preparing For Future Developments In Data Protection Regulation, Both At EU Level & Globally

Organisations are confronting new data privacy laws in several US states, as well as stepped-up oversight of GDPR investigations in the EU and uncertainty over the regulation of transatlantic data flows. Meanwhile, in the UK, new proposals that aim to relieve businesses of some of the GDPR’s more strict requirements could jeopardise current legal agreements between the UK and EU. The common thread is “giving consumers power as to how they are tracked online.”

In this increasingly complex environment, it’s no wonder that only 53% of those doing business in the EU and/or UK say they are very prepared for the GDPR and/or DPA, despite those requirements having taken effect several years ago.

What’s more, fewer than half of respondents with operations in the US (45%) say they are very prepared to address state privacy laws. On the bright side, those headquartered in the UK are particularly prepared for EU regulations (59% versus 44% of US-headquartered respondents), while those based in America are more prepared for US regulations than their UK counterparts (49% versus 40%).

Europe has long been ahead of the US when it comes to data privacy laws – they’ve had one in effect since 1995, and the GDPR was adopted in 2016 – so it makes sense that UK respondents are well positioned to comply with these regulations. Employees at all levels of the organisation in the UK tend to be aware of the GDPR and DPA given all the steps companies need to take.

Staying abreast of regulatory changes and adjusting business processes to remain compliant will continue to grow in importance as the business world becomes increasingly digitalised and policy makers strengthen enforcement. This month saw TikTok, the most downloaded app on the Apple app store, hit with a $368 million fine from Ireland’s Data Protection Commission for breaching Europe’s data privacy rules.  

Katie Simmonds is a Technology and Data Privacy Lawyer at Womble Bond Dickinson.

Image: qimono
