Navigating The Data Privacy Maze

Global data privacy regulations are increasing in scope and complexity. In July 2023 the European Commission adopted new rules to ensure stronger enforcement of the General Data Protection Regulation (GDPR) in cross-border cases. Meanwhile in March 2023, the UK government presented a new version of the UK Data Protection and Digital Information Bill No.2. 

Across the pond, certain US states are beefing up their data privacy policies and corresponding legislation as more and more businesses collect, store, and use data - many now employing Artificial Intelligence (AI) to help them do the job.

So how do businesses who trade internationally keep up to date with ever-changing legislation and adapt business processes accordingly to remain compliant? 

First, Assess Your Current Level Of Compliance

Start mapping out what data your organisation has and where it sits – it is foundational to any successful data privacy and cybersecurity strategy. Womble Bond Dickinson’s new data privacy report Growing Global: 2023 global data privacy law survey report surveyed 200 businesses in the UK and US and found that the majority of organisations still need to do this, with only 34% of all respondents surveyed as part of our research stating they have conducted data mapping and understand data practices at their organisation. We often find that organisations underestimate the value of the data they hold, meaning they are inevitably not maximising the potential of the data.

The Main Challenges To Achieving Compliance 

Keeping abreast of the latest changes represented the biggest challenge for respondents to our survey of businesses on both sides of the Atlantic. Hurdles include tracking the status of legislation and differences between state laws in the US (59%), as well as adapting to new/changing requirements in Europe (55%).

The team effort required to address data privacy issues also leads to numerous operational issues – especially in the US. For those doing business in the States, key challenges include budget increases (52%), lack of available staff (42%), obtaining management approval and support to prioritise changes (30%), and the lack of an appointed leader (21%).

By contrast, each of these selections was chosen by fewer respondents doing business in the UK and/or EU – fitting, given their longer experience with the GDPR and/or Data Protection Act (DPA), as well as the GDPR mandate to have a data privacy officer. For that group, 45% say budget increases are a challenge, while 39% cite lack of available staff, 23% cite obtaining management approval and support, and just 10% cite the lack of an appointed leader. Understanding the data held within the organisation is a key challenge for both groups – which tracks with organisations’ lack of progress on data mapping.

Managing & Documenting Your Data Processing Activities & Data Protection Impact Assessments 

Create a list of the workstreams involved in implementing a data privacy solution and ensure that all key people are involved, including internal teams, senior stakeholders, third party advisors and, of course, the service providers that will be required.

Handling International Data Transfers & Ensuring Adequate Safeguards For Personal Data

According to our recent report, UK respondents are more comfortable with the impact of privacy regulations on their ability to conduct cross-border business than their US counterparts. Forty percent of UK respondents (versus 35% in the US) say these regulations add extra costs but are manageable, while only 10% (versus 17% in the US) believe regulations are a major impediment to such business.

Overall, these findings tell us that, while cross-border data transfers remain a challenge, many businesses are managing and even seeing value in associated regulations. Though much remains in flux, when these rules stabilise, they can have a positive long-term impact.

In an increasingly global – and digital – business landscape, the ability to transfer data across borders is paramount. A key challenge we are seeing for businesses right now is identifying where those transfers are, particularly when they are happening further down the supply chain. There is a question over how far down businesses are required to go when looking at downstream transfer compliance – this is an area where, in the UK, further guidance from the ICO would be welcome.

When it comes to transferring data from Europe to the US, however, regulatory mechanisms for doing so are in flux following the Court of Justice of the European Union’s 2020 invalidation of the EU-US Privacy Shield framework. Though the Biden administration has proposed a successor framework to address these concerns – the Trans-Atlantic Data Privacy Framework – it is unclear whether it will pass the GDPR’s adequacy standard. The US and UK, meanwhile, are currently working through their own agreement aimed at creating a “data bridge” for data flows between the two nations. 

Despite these uncertainties, our survey gives some indication that data privacy regulations are generally good for cross-border business – especially for UK respondents, who are more experienced with existing standards.

Roughly a third of all respondents say that regulations add extra costs but are manageable and that they encourage international business by providing assurance that data will be treated properly in other countries. Only 10% of UK respondents – and 17% in the US – say data privacy regulations are a major impediment to cross-border business.

Keeping Up With The Evolving Interpretation & Enforcement Of GDPR By Courts & Authorities Across The EU 

Our research showed that 55% of US respondents are concerned with enforcement actions around geolocation data privacy laws, while 50% say as much about litigation – a significantly higher share than their UK counterparts, at 45% and 36%, respectively.

Balancing The Need For Data Protection With The Need For Data-driven Innovation & Value Creation

Where you place emphasis will depend on the culture you’re operating within. We found in our research that, when it comes to big-picture concerns around data privacy, respondents ranked data breaches and cybersecurity as the number one issue – with UK executives expressing particular concern. Retail and financial services respondents indexed higher than all other industries in terms of data privacy concerns, with 42% and 41%, respectively, selecting “high level of concern.”

US respondents’ second-ranked issue is litigation and regulatory enforcement action while in the UK the runner-up spot is split between loss of customer loyalty/trust and cost of compliance with privacy laws. Interestingly, US respondents are more concerned about not fully utilising data to maximise sales/revenue and less concerned with the cost of compliance than their UK counterparts. This could be because of the differences in how data privacy laws are shaped in the EU and UK versus the US. 

Privacy is a fundamental right in the EU, and the GDPR and its predecessor Directive have provided longstanding legal frameworks to protect those rights. In contrast, US laws have historically been sectoral and reactionary – for instance, what happens if personal data is breached. These new state omnibus privacy laws impose proactive requirements, and the main impetus is to empower consumers with rights over their data, particularly when that data is being monetised.

Collaborating With Other Organizations To Ensure GDPR Compliance Along The Data Value Chain

Our research showed that while 70% of businesses say they have designated an internal project manager or owner and 58% say they conduct regular training of staff on data privacy and compliance, less than half of the overall respondent pool have taken the following steps: engaged outside legal counsel (42%), participated in a peer group to keep abreast of changes (40%) or developed a task force/oversight council to track privacy law changes (35%).

Managing The Risks & Opportunities Of Emerging Technologies Like AI In The Context Of GDPR Compliance

To maximise the opportunities of emerging technologies, organisations should create a clear strategy on their approach – this should involve a mixture of technical, operational, and legal teams, all working together with oversight and buy-in from senior stakeholders in the business. Without this joined-up approach, we are seeing businesses struggle, for example, with operational teams running demos of new technologies without first consulting legal, which can prove challenging at later stages in the development of projects.

The case for a senior member of staff to oversee the adoption of AI is growing ever stronger.

That individual, for example a Chief AI Officer, is responsible for due diligence on AI technologies: whether they adhere to the rules set out by the regulator to which the business is subject, and whether the decisions those technologies make are going to have an impact on individuals. As we saw with the roll out of GDPR, people will become more knowledgeable about how and why their data is being used, and about whether there is an opportunity to bring a claim should that use be found to be improper.

Preparing For Future Developments In Data Protection Regulation, Both At EU Level & Globally

Organisations are confronting new data privacy laws in several US states, as well as stepped-up oversight of GDPR investigations in the EU and uncertainty over the regulation of transatlantic data flows. Meanwhile, in the UK, new proposals that aim to relieve businesses of some of the GDPR’s more strict requirements could jeopardise current legal agreements between the UK and EU. The common thread is “giving consumers power as to how they are tracked online.”

In this increasingly complex environment, it’s no wonder that only 53% of those doing business in the EU and/or UK say they are very prepared for the GDPR and/or DPA, despite those requirements having taken effect several years ago.

What’s more, fewer than half of respondents with operations in the US (45%) say they are very prepared to address state privacy laws. On the bright side, those headquartered in the UK are particularly prepared for EU regulations (59% versus 44% of US-headquartered respondents), while those based in America are more prepared for US regulations than their UK counterparts (49% versus 40%).

Europe has long been ahead of the US when it comes to data privacy laws – they’ve had one in effect since 1995, and the GDPR was adopted in 2016 – so it makes sense that UK respondents are well positioned to comply with these regulations. Employees at all levels of the organisation in the UK tend to be aware of the GDPR and DPA given all the steps companies need to take.

Staying abreast of regulatory changes and adjusting business processes to remain compliant will continue to grow in importance as the business world becomes increasingly digitalised and policy makers strengthen enforcement. This month saw TikTok, the most downloaded app on the Apple app store, hit with a $368 million fine from Ireland’s Data Protection Commission for breaching Europe’s data privacy rules.

Katie Simmonds is a Technology and Data Privacy Lawyer at Womble Bond Dickinson.
