Organizations struggle to meet global data privacy laws

Only half of organizations are set to meet the legal requirements, says new report.

Data privacy compliance regulation is getting progressively more complex, and only half of executives in the US, UK and EU are “very prepared” to meet the standards, according to the new 2023 Global Data Privacy Law Survey Report by Womble Bond Dickinson.

The survey drew on the views of 205 C-suite business leaders across 22 industries in 25 countries.

Even though the GDPR and/or DPA requirements have been around for years, ‘only’ 53% of the respondents in the EU and UK said they were very prepared for the undertaking. In the US, just 45% of respondents were very prepared to meet the state privacy laws.

With cybersecurity issues and data hacks becoming more threatening and volatile each day, the respondents also said that their biggest data privacy concerns centered on data breaches and cybersecurity. More than half of the US respondents (55%) also named enforcement actions around geolocation data privacy laws as a top concern, and 50% worried about litigation. In the UK, the concerns were significantly lower, at 45% and 36% respectively.

New data privacy laws

This year is also shaping up to be a landmark year for data privacy, with four new state laws going into effect in the US. Several other states have either enacted or are proposing their own privacy legislation.

The newly amended California Consumer Privacy Act (CCPA) has also raised the bar for compliance. From January 1 this year, it began to apply to employees, job applicants, former employees, beneficiaries of company benefits policies and independent contractors, including B2B contacts. “That’s a formidable scope to expand privacy rights to,” commented Matthew A Cordell, Vice President & General Counsel for Privacy and Technology, VF Corporation.

The EU-US Data Privacy Framework, which streamlines data transfers from the EU to the US, has been finalized too. However, further legal challenges are expected over privacy concerns.

“Overall, these findings tell us that, while cross-border data transfers remain a challenge, many businesses are managing and even seeing value in associated regulations,” said Andrew Parsons, a UK-based partner at Womble Bond Dickinson.

UK more prepared than US

The fact that UK respondents claimed to be more prepared than US respondents might not be a surprise with the already established General Data Protection Regulation (GDPR) in the UK and EU, and the Data Protection Act 2018 (DPA) in the UK. The UK executives also said they were more comfortable regarding the impact of privacy regulations on their ability to conduct cross-border business.

Andrew Kimble, a UK-based partner at Womble Bond Dickinson, said: “Europe has long been ahead of the US when it comes to data privacy laws – they’ve had one in effect since 1995, and the GDPR was adopted in 2016 – so it makes sense that UK respondents are well positioned to comply with these regulations.”

Low data mapping and data practices

With about half of those surveyed saying they are very prepared, and roughly 35% moderately prepared, to meet the requirements, Womble Bond Dickinson still believes that the respondents might not be so prepared to comply with data privacy laws – especially when it comes to mapping out and having a full picture of what data they actually hold. “Given our global respondents’ lack of readiness with regard to such early measures as understanding where all their data sits across their organization, even these executives may not be as prepared as they think.”

Globally, seven in 10 respondents said they have designated an internal project manager or owner, and:

  • 58% said that they conduct regular training of staff on data privacy and compliance;
  • 42% have engaged outside legal counsel;
  • 40% have participated in a peer group to keep abreast of changes;
  • 35% have developed a task force/oversight counsel to track privacy law changes; and
  • 34% have conducted data mapping and understand data practices across the organization.

“Data mapping – knowing what data you have and where it lives – is foundational for any effective data privacy and cybersecurity strategy,” said Tara Cho, Partner, Womble Bond Dickinson.

“Senior-level employees may be overly optimistic when it comes to compliance preparedness because they’re not in the weeds – and so don’t even know how many weeds there are,” added Ted Claypoole, Partner, Privacy and Cybersecurity Team (US) Lead, IP Transactions Team.

Fingerprints and facial recognition

About six in 10 of the respondents are already using biometric data (US 64%, UK 59%) such as fingerprints and facial recognition. For the US and UK, fingerprints are the most popular, with iris recognition second (28%), followed by finger/hand veins (24%), heartbeat (8%) and brain waves (5%).

Still, new technologies also bear new compliance challenges and litigation risks. Many of the respondents (US 40%, UK 32%) said they were very concerned about privacy laws that include specific restrictions on collecting and using biometric data for marketing purposes.

For AI, the report also revealed a divide in the use of the technology among the respondents. Globally, the largest share (45%) has used AI for one to five years, 22% said they have started using AI within the last year, and 19% said they are not using the technology at all.

Data analytics was identified as the main use to which AI is currently being put, cited by 55% of respondents; 25% are planning to use it for fraud spotting in the upcoming year.

Many of the respondents mentioned ethical concerns about the technology (US 48%, UK 43%), and said they lacked a full understanding of it, including issues around unreliable results and legal risks.

“As AI comes into the fore, there are a number of moral concerns that might bleed into legal issues, such as AI’s proclivity to mirror societies’ own biases, therefore perpetuating historical social inequities,” said Parsons. “There are also issues that could arise from these tools’ collection and processing of data, as well as intellectual property risks.”