Navigating The Data Privacy Maze

Global data privacy regulations are increasing in scope and complexity. In July 2023 the European Commission adopted new rules to ensure stronger enforcement of the General Data Protection Regulation (GDPR) in cross-border cases. Meanwhile, in March 2023, the UK government presented a new version of the UK Data Protection and Digital Information Bill No.2.

Across the pond, certain US states are beefing up their data privacy policies and corresponding legislation as more and more businesses collect, store, and use data - many now employing Artificial Intelligence (AI) to help them do the job.

So how do businesses that trade internationally keep up to date with ever-changing legislation and adapt business processes accordingly to remain compliant?

First, Assess Your Current Level Of Compliance

Start by mapping out what data your organisation holds and where it sits – this is foundational to any successful data privacy and cybersecurity strategy. Womble Bond Dickinson’s new data privacy report, Growing Global: 2023 global data privacy law survey report, surveyed 200 businesses in the UK and US and found that the majority of organisations still need to do this: only 34% of all respondents stated that they have conducted data mapping and understand the data practices at their organisation. We often find that organisations underestimate the value of the data they hold, meaning they are inevitably not maximising the potential of that data.

The Main Challenges To Achieving Compliance

Keeping abreast of the latest changes represented the biggest challenge for respondents to our survey of businesses on both sides of the Atlantic. Hurdles include tracking the status of legislation and differences between state laws in the US (59%), as well as adapting to new/changing requirements in Europe (55%).

The team effort required to address data privacy issues also leads to numerous operational issues – especially in the US. For those doing business in the states, key challenges include budget increases (52%), lack of available staff (42%), obtaining management approval and support to prioritise changes (30%), and the lack of an appointed leader (21%).

By contrast, each of these selections was chosen by fewer respondents doing business in the UK and/or EU – fitting, given their longer experience with the GDPR and/or Data Protection Act (DPA), as well as the GDPR mandate to have a data privacy officer. For that group, 45% say budget increases are a challenge, while 39% cite lack of available staff, 23% cite obtaining management approval and support, and just 10% cite the lack of an appointed leader. Understanding the data held within the organisation is a key challenge for both groups – which tracks with organisations’ lack of progress on data mapping.

Managing & Documenting Your Data Processing Activities & Data Protection Impact Assessments

Create a list of the workstreams involved in implementing a data privacy solution and ensure that all key people are involved, including internal teams, senior stakeholders and third party advisors, and, of course, identify which service providers will be required.

Handling International Data Transfers & Ensuring Adequate Safeguards For Personal Data

According to our recent report, UK respondents are more comfortable with the impact of privacy regulations on their ability to conduct cross-border business than their US counterparts. Forty percent of UK respondents (versus 35% in the US) say these regulations add extra costs but are manageable, while only 10% (versus 17% in the US) believe regulations are a major impediment to such business.

Overall, these findings tell us that, while cross-border data transfers remain a challenge, many businesses are managing and even seeing value in associated regulations. Though much remains in flux, when these rules stabilise, they can have a positive long-term impact.

In an increasingly global – and digital – business landscape, the ability to transfer data across borders is paramount. A key challenge we are seeing for businesses right now is identifying where those transfers are, particularly when they are happening further down the supply chain. There is a question over how far down businesses are required to go when looking at downstream transfer compliance – this is an area where, in the UK, further guidance from the ICO would be welcome.

When it comes to transferring data from Europe to the US, however, regulatory mechanisms for doing so are in flux following the Court of Justice of the European Union’s 2020 invalidation of the EU-US Privacy Shield framework. Though the Biden administration has proposed a successor framework to address these concerns – the Trans-Atlantic Data Privacy Framework – it is unclear whether it will pass the GDPR’s adequacy standard. The US and UK, meanwhile, are currently working through their own agreement aimed at creating a “data bridge” for data flows between the two nations.

Despite these uncertainties, our survey gives some indication that data privacy regulations are generally good for cross-border business – especially for UK respondents, who are more experienced with existing standards.

Roughly a third of all respondents say that regulations add extra costs but are manageable and that they encourage international business by providing assurance that data will be treated properly in other countries. Only 10% of UK respondents – and 17% in the US – say data privacy regulations are a major impediment to cross-border business.

Keeping Up With The Evolving Interpretation & Enforcement Of GDPR By Courts & Authorities Across The EU

Our research showed that 55% of US respondents are concerned with enforcement actions around geolocation data privacy laws, while 50% say as much about litigation – a significantly higher share than their UK counterparts, at 45% and 36%, respectively.

Balancing The Need For Data Protection With The Need For Data-driven Innovation & Value Creation

Where you place emphasis will depend on the culture you’re operating within. We found in our research that, when it comes to big-picture concerns around data privacy, respondents ranked data breaches and cybersecurity as the number one issue – with UK executives expressing particular concern. Retail and financial services respondents indexed higher than all other industries in terms of data privacy concerns, with 42% and 41%, respectively, selecting “high level of concern.”

US respondents’ second-ranked issue is litigation and regulatory enforcement action, while in the UK the runner-up spot is split between loss of customer loyalty/trust and cost of compliance with privacy laws. Interestingly, US respondents are more concerned about not fully utilising data to maximise sales/revenue and less concerned with the cost of compliance than their UK counterparts. This could be because of the differences in how data privacy laws are shaped in the EU and UK versus the US.

Privacy is a fundamental right in the EU, and the GDPR and its predecessor Directive have provided longstanding legal frameworks to protect those rights. In contrast, US laws have historically been sectoral and reactionary – for instance, what happens if personal data is breached. These new state omnibus privacy laws impose proactive requirements, and the main impetus is to empower consumers with rights over their data, particularly when that data is being monetised.

Collaborating With Other Organisations To Ensure GDPR Compliance Along The Data Value Chain

Our research showed that, while 70% of businesses say they have designated an internal project manager or owner and 58% say they conduct regular training of staff on data privacy and compliance, fewer than half of the overall respondent pool have taken the following steps: engaged outside legal counsel (42%), participated in a peer group to keep abreast of changes (40%), or developed a task force/oversight council to track privacy law changes (35%).

Managing The Risks & Opportunities Of Emerging Technologies Like AI In The Context Of GDPR Compliance

To maximise the opportunities of emerging technologies, organisations should create a clear strategy on their approach – this should involve a mixture of technical, operational, and legal teams, all working together with oversight and buy-in from senior stakeholders in the business. Without this joined-up approach, we are seeing businesses struggle, for example, with operational teams running demos of new technologies without first consulting legal, which can prove challenging at later stages in the development of projects.

The case for a senior member of staff to oversee the adoption of AI is becoming ever stronger.

That individual, for example a Chief AI Officer, is responsible for the due diligence of AI technologies: whether they adhere to the rules set out by the regulator to which the business relates, and whether the decisions they produce are going to have an impact on individuals. As we saw with the roll out of GDPR, people will become more knowledgeable about how and why their data is being used, and about whether there is an opportunity to claim against that use should it be found to be improper.

Preparing For Future Developments In Data Protection Regulation, Both At EU Level & Globally

Organisations are confronting new data privacy laws in several US states, as well as stepped-up oversight of GDPR investigations in the EU and uncertainty over the regulation of transatlantic data flows. Meanwhile, in the UK, new proposals that aim to relieve businesses of some of the GDPR’s more strict requirements could jeopardise current legal agreements between the UK and EU. The common thread is “giving consumers power as to how they are tracked online.”

In this increasingly complex environment, it’s no wonder that only 53% of those doing business in the EU and/or UK say they are very prepared for the GDPR and/or DPA, despite those requirements having taken effect several years ago.

What’s more, fewer than half of respondents with operations in the US (45%) say they are very prepared to address state privacy laws. On the bright side, those headquartered in the UK are particularly prepared for EU regulations (59% versus 44% of US-headquartered respondents), while those based in America are more prepared for US regulations than their UK counterparts (49% versus 40%).

Europe has long been ahead of the US when it comes to data privacy laws – it has had one in effect since 1995, and the GDPR was adopted in 2016 – so it makes sense that UK respondents are well positioned to comply with these regulations. Employees at all levels of UK organisations tend to be aware of the GDPR and DPA, given all the steps companies need to take.

Staying abreast of regulatory changes and adjusting business processes to remain compliant will continue to grow in importance as the business world becomes increasingly digitalised and policy makers strengthen enforcement. This month saw TikTok, the most downloaded app on the Apple app store, hit with a $368 million fine from Ireland’s Data Protection Commission for breaching Europe’s data privacy rules.

Katie Simmonds is a Technology and Data Privacy Lawyer at Womble Bond Dickinson.