Global data privacy regulations are becoming increasingly intricate, presenting challenges for businesses engaging in international trade. In July 2023, the European Commission strengthened the General Data Protection Regulation (GDPR) to ensure more robust enforcement in cross-border cases. Simultaneously, the UK government introduced a new version of the Data Protection and Digital Information (DPDI) Bill in March 2023. In response to the escalating use of artificial intelligence (AI) in data-related tasks, certain US states are reinforcing their data privacy policies.
Assess Your Current Level of Compliance
Amid this evolving regulatory landscape, businesses must grapple with the complexities of compliance to stay abreast of changes and adapt their processes accordingly. To begin, a crucial step is assessing the current level of compliance. Womble Bond Dickinson's recent Growing Global: 2023 global data privacy law survey report surveyed 200 businesses in the UK and US. Surprisingly, only 34% of respondents claimed to have conducted data mapping and fully understood data practices within their organizations. This oversight suggests that many organizations are underestimating the value of the data they hold, leading to missed opportunities for maximising its potential.
The Main Challenges to Achieving Compliance
The primary challenges to achieving compliance are rooted in the struggle to keep up with the constant evolution of legislation. The survey identified tracking the status of legislation (59%) and adapting to new requirements in Europe (55%) as significant hurdles for businesses on both sides of the Atlantic. In the US, additional challenges include budget increases (52%), lack of available staff (42%), obtaining management approval and support for changes (30%), and the absence of an appointed leader (21%). In contrast, UK, and EU businesses, with their longer experience with GDPR and Data Protection Act (DPA), face challenges primarily related to budget increases (45%) and a lack of available staff (39%). Understanding internal data remains a common challenge for both groups, indicating a substantial gap in progress on data mapping initiatives.
Managing your Data Processing Activities
Managing and documenting data processing activities, along with conducting data protection impact assessments, necessitate collaboration with internal teams, senior stakeholders, third-party advisors, and service providers. The report underscores those organizations must create comprehensive workstreams for implementing data privacy solutions to ensure all key stakeholders are involved.
Handling International Data Transfers
According to our recent report, a notable disparity emerged when comparing the comfort levels of UK and US respondents regarding the impact of privacy regulations on cross-border business. While 40% of UK respondents find regulations manageable with extra costs, only 35% of US respondents share the same sentiment. This indicates a nuanced understanding of and varying attitudes toward privacy regulations in different regions.
Despite uncertainties surrounding international data transfers, the survey suggests that regulations generally benefit cross-border business. Approximately one-third of respondents acknowledge manageable extra costs and appreciate the assurance that data will be treated properly in other countries. Ongoing efforts, such as the establishment of a "data bridge" between the US and the UK, reflect a commitment to resolving data transfer challenges.
Keeping Up With the Evolving Interpretation and Enforcement of GDPR
The evolving interpretation and enforcement of GDPR by courts and authorities across the EU and beyond continue to be a source of concern. Our research showed that 55% of US respondents are concerned about enforcement actions around geolocation data privacy laws, while 50% express concerns about litigation. In the UK, the focus is split between the loss of customer loyalty/trust and the cost of compliance, highlighting different priorities shaped by regional data privacy laws.
Balancing Data Protection with Innovation
Balancing the need for data protection with the demand for data-driven innovation and value creation is a complex task. Data breaches and cybersecurity top the list of concerns for UK executives, with retail and financial services expressing the highest levels of concern. In the US, litigation and regulatory enforcement actions take second place, reflecting different priorities based on regional data privacy laws.
Collaborating with Relevant Organizations
Collaboration with other organisations along the data value chain is deemed essential for GDPR compliance. However, the report revealed that less than half of respondents have engaged outside legal counsel, participated in peer groups, or developed task forces to track privacy law changes. This indicates a potential gap in the proactive efforts to stay abreast of evolving privacy landscapes.
Managing the Risks of Emerging Technologies
Organisations must involve technical, operational, and legal teams, all working together with oversight and buy-in from senior stakeholders in the business. A notable recommendation is the appointment of a senior member, such as a Chief AI Officer, to oversee the adoption of AI technologies, ensuring due diligence and adherence to regulatory rules.
Preparing for Future Developments in Data Protection Regulation
Anticipating future developments in data protection regulations is imperative for businesses. New data privacy laws in several US states, increased oversight of GDPR investigations in the EU, and uncertainty over the regulation of transatlantic data flows pose challenges. Despite these challenges, only 53% of businesses in the EU and/or UK claim to be very prepared for GDPR, emphasizing the need for continued vigilance.
Europe has traditionally been ahead of the US in implementing data privacy laws, with regulations in effect since 1995, and the GDPR adopted in 2016. This legacy has positioned UK respondents well for compliance, with 59% claiming to be very prepared for EU regulations. In the US, 49% feel very prepared for US regulations, showcasing a regional preparedness discrepancy.
Staying abreast of regulatory changes and adjusting business processes will continue to grow in importance as the business world becomes increasingly digitalized, and policy makers strengthen enforcement. Recent events, such as TikTok's $368m fine from Ireland's Data Protection Commission for breaching Europe's data privacy rules, underscore the significance of compliance in an increasingly regulated and digital business landscape.