This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel.
Data privacy is one of the most important issues facing corporations, and amidst the challenges of protecting customer data, the regulatory landscape that oversees it is shifting on an almost daily basis.
In the last few years, we’ve seen the data privacy field — across legal, financial and compliance practices — dramatically change. And those changes are now accelerating. One of the most significant changes in recent years takes effect in May, with the implementation of the General Data Protection Regulation (GDPR) in the European Union, which enacts sweeping new regulations. In addition, countries around the globe are planning to use GDPR as the framework for their own data protection regulations. And other countries, such as Brazil, have their own data privacy legislation pending as well.
There’s a lot at stake. GDPR and similar regulations carry harsh sanctions in addition to the reputational risks from enforcement actions.
With changes occurring at such a rapid pace across all corners of the globe, it’s not surprising that organizations are increasingly finding themselves inadequately prepared to deal with these regulations.
In 2017, Thomson Reuters conducted a survey of nearly 1,000 data privacy professionals in nine countries and jurisdictions. Forty-four percent — nearly half — stated they are already failing to comply with data privacy regulations.
Potentially more concerning is that an even higher percentage — 47% — report that they are either struggling to keep up or are falling further behind. In some jurisdictions, including the U.S., Australia and Hong Kong, a majority of companies surveyed fall into that category.
In the United States, 62% of organizations surveyed say they have already had to deal with at least one enforcement action. The survey results suggest that number is in danger of climbing even higher as organizations fall further behind in their efforts to maintain compliance.
The difficulty is that compliance requirements are now somewhat of a moving target. One of the biggest challenges involving GDPR is that it is unclear how aggressively it will be enforced. Nor is it clear which provisions regulators will primarily focus on. The answers to those questions may not be known for months after the May implementation. Until then, companies may largely be on their own when it comes to conducting risk assessment and developing appropriate strategies.
And they must navigate this uncertainty with limited resources. About half of companies surveyed say they lack adequate tools for tracking critical items such as inquiries, regulatory changes, and the differing legal obligations in different geographic jurisdictions. Not surprisingly, roughly half of organizations believe their data protection costs will rise this year, increasing budgetary pressures. None of the companies surveyed said their data protection costs are expected to decrease this year.
The scope and complexity of data privacy regulations will likely only continue to grow, owing to a number of factors.
Three large-scale trends in particular are driving these changes and shaping the privacy landscape today: 1) digitization of data; 2) globalization of business; and 3) the rapid expansion of the regulatory environment.
Continued Digitization of Data
The further digitization of data and advances in technology now allow organizations to collect and inexpensively store nearly unlimited amounts of information about consumers, customers and employees. As a society, we know this information is critical to managing large workforces and providing the customized experience that consumers want.
But it’s not without risk. Most of us hold dearly the individual right to privacy and the security of our personal data. All organizations collecting individual data are obligated to protect that data and have the right compliance policies in place according to the laws that govern their business. These policies detail, for instance, how personal data is gathered, used, stored and repurposed for marketing. We all know what happens when organizations don’t comply — we see the news headlines and experience the effects, and large companies not in compliance must manage the fallout along with hefty fines.
Globalization of Business
As business continues to become more global, the data that organizations collect and manage runs a greater risk of noncompliance because it falls under laws and regulations from multiple jurisdictions. Data is digital and geographically agnostic — it flows across borders and essentially can go anywhere. A large global retailer based in the U.S. could have customers in 45 countries and every state in the U.S.
This creates new questions for regulators to grapple with. In March, the U.S. Supreme Court heard arguments in U.S. v. Microsoft, revolving around whether a U.S. search warrant could be enforced against a U.S.-based corporation when the data in question was being stored on servers in Ireland. The U.S. Justice Department’s position included arguments that the portability and easy transferability of data make the question of its location largely irrelevant. Microsoft, meanwhile, maintained that the law in question, the Stored Communications Act (SCA), which was passed in 1986, could not be applied. In essence, Microsoft, supported by several other major technology companies, argued that the law was essentially outdated and contained no provisions to adequately deal with the issue of extra-national jurisdiction over data.
This is just one example of the issues that lawmakers and regulators around the globe must deal with. Each will act independently in its own jurisdiction, on its own expectations of data privacy, by assessing and mandating how to ensure such information is safeguarded and used appropriately.
Rapid Expansion of the Regulatory Environment
Countries and jurisdictions are taking many differing paths in dealing with data privacy.
Some, such as the EU nations, are adopting specific regulatory frameworks, such as GDPR. Others are relying on constitutional provisions safeguarding individual privacy. And some nations, such as the U.S., have limited national laws on data privacy, instead relying on regulatory agencies such as the Securities and Exchange Commission, Federal Trade Commission and Federal Communications Commission, as well as state laws and regulations.
The result is a tapestry of regulations stretching across the globe that even the most talented, adequately staffed and eager-to-comply organizations can find difficult to manage. Data privacy professionals therefore have no choice but to face the daunting challenge of identifying, analyzing and complying with the myriad global data protection and privacy laws.
We don’t see an end to any of these trends anytime soon. One answer may be use of technologies such as advanced databases and artificial intelligence to help data privacy professionals identify trends, track regulatory changes and enforcement actions, and develop strategies to get a better handle on this fast-changing and complicated compliance environment.
Chris Maguire is managing director of the U.S. Corporate Segment for the Legal business of Thomson Reuters.