mhill
UK Editor

Only half of organizations “very prepared” to meet global data privacy laws

News
Jul 18, 2023 | 8 mins
Compliance, Data Privacy, Regulation

Cybersecurity is the number one data privacy concern for global businesses as AI and biometrics increasingly play into the data privacy law equation.

Only around half of business executives feel "very prepared" to meet data privacy regulatory requirements in the US, UK, and European Union (EU). That's according to the Womble Bond Dickinson 2023 Global Data Privacy Law Survey Report, which draws on responses from more than 200 UK/US executives. The survey found that only 34% of all respondents have conducted data mapping and understand data practices at their organization, suggesting that even those who feel sufficiently prepared to meet data privacy laws may not be as equipped as they think. Meanwhile, cybersecurity is the number one data privacy concern among those polled.

The findings come as 2023 shapes up to be a landmark year for data privacy on both sides of the Atlantic. In the US, four new state laws have come into effect or soon will. California is expanding its already robust requirements, and several other states have enacted or proposed privacy legislation of their own. Across the pond, the European Commission finalized its approval of the EU-US Data Privacy Framework as negotiations around other global agreements, such as those between the EU and a post-Brexit UK, continue.

UK businesses more prepared than US companies on data privacy

UK respondents feel more prepared than their US counterparts in relation to meeting data privacy requirements. Of the UK-headquartered companies, 59% are very prepared for the General Data Protection Regulation (GDPR) in the UK and EU, as well as the Data Protection Act 2018 (DPA), while 49% of US-headquartered firms are very prepared to meet US state data privacy laws, down from 59% in last year's survey. Interestingly, executives from US-based companies feel better prepared to meet European data protection laws (44%) than those from UK-based organizations do about meeting US laws (40%). This is likely due to the more established GDPR in the UK and EU, as well as the DPA in the UK, compared to the newer, still emerging US laws, the report states.

UK respondents are also more comfortable about the impact of privacy regulations on their ability to conduct cross-border business, with 40% stating that, while these regulations add extra costs, they are manageable. That's compared to 35% of US respondents.

Data privacy confidence could be misplaced, data mapping lacking

The survey suggests that those who feel they are very prepared to meet data privacy laws may not be as ready as they believe. While 70% say they have designated an internal project manager or owner and 58% conduct regular training of staff on data privacy and compliance, less than half of the overall respondent pool have taken the following steps: engaged outside legal counsel (42%), participated in a peer group to keep abreast of changes (40%), or developed a task force/oversight council to track privacy law changes (35%), the research found.

What's more, only 34% have conducted data mapping and understand data practices across the organization. "Data mapping - knowing what data you have and where it lives - is foundational for any effective data privacy and cybersecurity strategy," wrote Tara Cho, partner, chair of the Womble Bond Dickinson privacy and cybersecurity team, and report contributor. While many companies might implement external-facing actions, such as putting a cookie banner on their website or updating privacy policies, they still need to build out the back-end requirements to truly operationalize compliance, Cho added.

Keeping up with data privacy law changes the biggest challenge

Keeping up with data privacy law changes represents the biggest challenge for respondents. Hurdles include tracking the status of legislation and differences between state laws in the US (59%), as well as adapting to new/changing requirements in Europe (55%). Budget issues (52% US, 45% UK), lack of staff (42% US, 39% UK), management approval problems (30% US, 23% UK), and lack of leadership (21% US, 10% UK) are other data privacy challenges impacting respondents. Understanding the data held within the organization is also a key challenge for both groups - which tracks with organizations' lack of progress on data mapping, the report says.

Cybersecurity the top data privacy concern

Cybersecurity/data breaches are the number one data privacy concern among those polled, with UK executives expressing particular concern. Retail and financial services respondents score higher than all other industries, with 42% and 41%, respectively, selecting "high level of concern."

US respondents' second-ranked issue is litigation and regulatory enforcement action, while in the UK, the runner-up spot is split between loss of customer loyalty/trust and cost of compliance with privacy laws. Interestingly, US respondents are more concerned about not fully using data to maximize sales/revenue and less concerned with the cost of compliance than their UK counterparts.

"Privacy is a fundamental right in the EU, and the GDPR and its predecessor directive have provided longstanding legal frameworks to protect those rights," wrote Cho. "In contrast, US laws have historically been sectoral and reactionary. For instance, what happens if personal data is breached? These new state omnibus privacy laws impose proactive requirements, and the main impetus is to empower consumers with rights over their data, particularly when that data is being monetized."

The research also highlights notable concern among respondents in relation to geolocation data privacy issues. In the US, 40% of respondents are very concerned about privacy laws that include specific restrictions on collecting and using precise consumer geolocation data for targeted marketing purposes, versus 32% in the UK. US respondents also place more focus on losing the insights that geolocation data provides (35% versus 26% of UK respondents), as well as associated revenue (24% versus 22%). UK respondents, meanwhile, are more concerned about securing consent from consumers (56% versus 51% of US respondents) and defining the specific business purpose (55% versus 50%).

AI, biometrics coming into the data privacy equation

Evolving technologies such as AI and biometrics are coming into the data privacy equation, each introducing its own opportunities and challenges. Businesses are accelerating their adoption of AI technologies, with 22% having started using such technology in the past year alone, driven by the skyrocketing popularity of generative AI such as OpenAI's ChatGPT.

Respondents cite a wide range of uses for AI, with 36% using the technology to generate content and another 24% planning to do so in the next year. However, ethical concerns (45%) and legal risks (34%) are key obstacles to AI adoption, the report states. AI regulations are incoming around the world: the EU's AI Act, which is expected to pass and could apply to businesses as soon as 2025, aims to be a global standard. In the UK, the government has released a "pro-innovation" proposal for AI regulation, while in the US, federal actions aim to advance the White House's AI Bill of Rights.

As for biometrics such as fingerprints and facial recognition, usage has grown globally in the last year. Almost two-thirds (64%) of US respondents are currently using it, compared to 59% last year, with a further 22% planning to do so. In the UK, 59% of businesses are using biometric data, with another 21% planning to. However, with increasing use comes increasing data privacy compliance issues, the report states. Last October saw the first-ever jury verdict in a Biometric Information Privacy Act (BIPA) class action suit, in which a group of truck drivers successfully sued a freight-rail operator over its fingerprint scan security requirement. The plaintiffs' success could encourage other individuals to pursue their own claims, the research says.

Best practices for addressing evolving data privacy laws

Womble Bond Dickinson's report includes a data privacy compliance checklist, outlining best practices for addressing evolving data privacy laws. These include:

  • Designate an internal project manager or owner.
  • Establish a dedicated, multidisciplinary team that includes IT, HR, legal, compliance, marketing, and engineering.
  • Conduct data mapping and understand data practices across the organization.
  • Develop platforms and systems to process and respond to data privacy rights requests.
  • Engage outside legal counsel to advise on compliance.
  • Update company privacy policies.
  • Set metrics and specific goals to track compliance progress.
  • Draft or update agreements with third parties to comply with new privacy requirements.
Michael Hill is the UK editor of CSO Online. He has spent the past 8 years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
