Navigating The Data Privacy Maze

Global data privacy regulations are increasing in scope and complexity. In July 2023 the European Commission adopted new rules to ensure stronger enforcement of the General Data Protection Regulation (GDPR) in cross-border cases. Meanwhile in March 2023, the UK government presented a new version of the UK Data Protection and Digital Information Bill No.2. 

Across the pond, certain US states are beefing up their data privacy policies and corresponding legislation as more and more businesses collect, store, and use data – many now employing Artificial Intelligence (AI) to help them do the job.

So how do businesses who trade internationally keep up to date with ever-changing legislation and adapt business processes accordingly to remain compliant? 

First, Assess Your Current Level Of Compliance

Start by mapping out what data your organisation holds and where it sits – this is foundational to any successful data privacy and cybersecurity strategy. Womble Bond Dickinson’s new data privacy report, Growing Global: 2023 global data privacy law survey report, surveyed 200 businesses in the UK and US and found that the majority of organisations still need to do this: only 34% of all respondents stated that they have conducted data mapping and understand the data practices at their organisation. We often find that organisations underestimate the value of the data they hold, meaning they are inevitably not maximising the potential of that data.

The Main Challenges To Achieving Compliance 

Keeping abreast of the latest changes represented the biggest challenge for respondents to our survey of businesses on both sides of the Atlantic. Hurdles include tracking the status of legislation and differences between state laws in the US (59%), as well as adapting to new/changing requirements in Europe (55%).

The team effort required to address data privacy issues also leads to numerous operational issues – especially in the US. For those doing business in the states, key challenges include budget increases (52%), lack of available staff (42%), obtaining management approval and support to prioritise changes (30%), and the lack of an appointed leader (21%).

By contrast, each of these selections was chosen by fewer respondents doing business in the UK and/or EU – fitting, given their longer experience with the GDPR and/or Data Protection Act (DPA), as well as the GDPR mandate to have a data privacy officer. For that group, 45% say budget increases are a challenge, while 39% cite lack of available staff, 23% cite obtaining management approval and support, and just 10% cite the lack of an appointed leader. Understanding the data held within the organisation is a key challenge for both groups – which tracks with organisations’ lack of progress on data mapping.

Managing & Documenting Your Data Processing Activities & Data Protection Impact Assessments 

Create a list of the workstreams involved in implementing a data privacy solution and ensure that all key people are involved, including internal teams, senior stakeholders and third party advisors, and of course identify which service providers will be required.

Handling International Data Transfers & Ensuring Adequate Safeguards For Personal Data

According to our recent report, UK respondents are more comfortable with the impact of privacy regulations on their ability to conduct cross-border business than their US counterparts. Forty percent of UK respondents (versus 35% in the US) say these regulations add extra costs but are manageable, while only 10% (versus 17% in the US) believe regulations are a major impediment to such business.

Overall, these findings tell us that, while cross-border data transfers remain a challenge, many businesses are managing and even seeing value in associated regulations. Though much remains in flux, when these rules stabilise, they can have a positive long-term impact.

In an increasingly global – and digital – business landscape, the ability to transfer data across borders is paramount. A key challenge we are seeing for businesses right now is identifying where those transfers are, particularly when they are happening further down the supply chain. There is a question over how far down the chain businesses are required to go when assessing downstream transfer compliance – this is an area where, in the UK, further guidance from the ICO would be welcome.

When it comes to transferring data from Europe to the US, however, regulatory mechanisms for doing so are in flux following the Court of Justice of the European Union’s 2020 invalidation of the EU-US Privacy Shield framework. Though the Biden administration has proposed a successor framework to address these concerns – the Trans-Atlantic Data Privacy Framework – it is unclear whether it will pass the GDPR’s adequacy standard. The US and UK, meanwhile, are currently working through their own agreement aimed at creating a “data bridge” for data flows between the two nations. 

Despite these uncertainties, our survey gives some indication that data privacy regulations are generally good for cross-border business – especially for UK respondents, who are more experienced with existing standards.

Roughly a third of all respondents say that regulations add extra costs but are manageable and that they encourage international business by providing assurance that data will be treated properly in other countries. Only 10% of UK respondents – and 17% in the US – say data privacy regulations are a major impediment to cross-border business.

Keeping Up With The Evolving Interpretation & Enforcement Of GDPR By Courts & Authorities Across The EU 

Our research showed that 55% of US respondents are concerned with enforcement actions around geolocation data privacy laws, while 50% say as much about litigation – a significantly higher share than their UK counterparts, at 45% and 36%, respectively.

Balancing The Need For Data Protection With The Need For Data-driven Innovation & Value Creation

Where you place emphasis will depend on the culture you’re operating within. We found in our research when it comes to big-picture concerns around data privacy, respondents ranked data breaches and cybersecurity as the number one issue – with UK executives expressing particular concern. Retail and financial services respondents indexed higher than all other industries in terms of data privacy concerns, with 42% and 41%, respectively, selecting “high level of concern.”

US respondents’ second-ranked issue is litigation and regulatory enforcement action while in the UK the runner-up spot is split between loss of customer loyalty/trust and cost of compliance with privacy laws. Interestingly, US respondents are more concerned about not fully utilising data to maximise sales/revenue and less concerned with the cost of compliance than their UK counterparts. This could be because of the differences in how data privacy laws are shaped in the EU and UK versus the US. 

Privacy is a fundamental right in the EU, and the GDPR and its predecessor Directive have provided longstanding legal frameworks to protect those rights. In contrast, US laws have historically been sectoral and reactionary – for instance, what happens if personal data is breached. These new state omnibus privacy laws impose proactive requirements, and the main impetus is to empower consumers with rights over their data, particularly when that data is being monetised.

Collaborating With Other Organisations To Ensure GDPR Compliance Along The Data Value Chain

Our research showed while 70% of businesses say they have designated an internal project manager or owner and 58% say they conduct regular training of staff on data privacy and compliance, less than half of the overall respondent pool have taken the following steps: engaged outside legal counsel (42%), participated in a peer group to keep abreast of changes (40%) or developed a task force/oversight counsel to track privacy law changes (35%).

Managing The Risks & Opportunities Of Emerging Technologies Like AI In The Context Of GDPR Compliance

To maximise the opportunities of emerging technologies, organisations should create a clear strategy on their approach – this should involve a mixture of technical, operational, and legal teams, all working together with oversight and buy-in from senior stakeholders in the business. Without this joined-up approach, we are seeing businesses struggle, for example with operational teams running demos of new technologies without first consulting legal, which can prove challenging at later stages in the development of projects.

The case for a senior member of staff to oversee the adoption of AI is becoming ever stronger.

That individual, for example a Chief AI Officer, is responsible for the due diligence of AI technologies: whether they adhere to the rules set out by the regulator to which the business relates, and whether the decisions they produce are going to have an impact on individuals. As we saw with the roll-out of GDPR, people will become more knowledgeable about how and why their data is being used, and whether there is an opportunity to claim against that use should it be found to be improper.

Preparing For Future Developments In Data Protection Regulation, Both At EU Level & Globally

Organisations are confronting new data privacy laws in several US states, as well as stepped-up oversight of GDPR investigations in the EU and uncertainty over the regulation of transatlantic data flows. Meanwhile, in the UK, new proposals that aim to relieve businesses of some of the GDPR’s more strict requirements could jeopardise current legal agreements between the UK and EU. The common thread is “giving consumers power as to how they are tracked online.”

In this increasingly complex environment, it’s no wonder that only 53% of those doing business in the EU and/or UK say they are very prepared for the GDPR and/or DPA, despite those requirements having taken effect several years ago.

What’s more, fewer than half of respondents with operations in the US (45%) say they are very prepared to address state privacy laws. On the bright side, those headquartered in the UK are particularly prepared for EU regulations (59% versus 44% of US-headquartered respondents), while those based in America are more prepared for US regulations than their UK counterparts (49% versus 40%).

Europe has long been ahead of the US when it comes to data privacy laws – they’ve had one in effect since 1995, and the GDPR was adopted in 2016 – so it makes sense that UK respondents are well positioned to comply with these regulations. Employees at all levels of the organisation in the UK tend to be aware of the GDPR and DPA given all the steps companies need to take.

Staying abreast of regulatory changes and adjusting business processes to remain compliant will continue to grow in importance as the business world becomes increasingly digitalised and policy makers strengthen enforcement. This month saw TikTok, the most downloaded app on the Apple app store, hit with a $368 million fine from Ireland’s Data Protection Commission for breaching Europe’s data privacy rules.

Katie Simmonds is a Technology and Data Privacy Lawyer at Womble Bond Dickinson

Image: qimono
