Law.com Subscribers SAVE 30%
Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
The Struggle to Keep Up With Data Privacy Regulations
Data privacy is one of the most important issues facing corporations, and amidst the challenges of protecting customer data, the regulatory landscape that oversees it is shifting on an almost daily basis.
In the last few years, we've seen the data privacy field — across legal, financial and compliance practices — dramatically change. And those changes are now accelerating. One of the most significant changes in recent years takes effect in May, with the implementation of the General Data Protection Regulation (GDPR) in the European Union, which enacts sweeping new regulations. In addition, countries around the globe are planning to use GDPR as the framework for their own data protection regulations. And other countries, such as Brazil, have their own data privacy legislation pending as well.
There's a lot at stake. GDPR and similar regulations carry harsh sanctions in addition to the reputational risks from enforcement actions.
With changes occurring at such a rapid pace across all corners of the globe, it's not surprising that organizations are increasingly finding themselves inadequately prepared to deal with these regulations.
In 2017, Thomson Reuters conducted a survey of nearly 1,000 data privacy professionals in nine countries and jurisdictions. Forty-four percent — nearly half — stated they are already failing to comply with data privacy regulations.
Potentially more concerning is that an even higher percentage — 47% — report that they are either struggling to keep up or are falling further behind. In some jurisdictions, including the U.S., Australia and Hong Kong, a majority of companies surveyed fall into that category.
In the United States, 62% of organizations surveyed say they have already had to deal with at least one enforcement action. The survey results suggest that number is in danger of climbing even higher as organizations fall further behind in their efforts to maintain compliance.
The difficulty is that compliance requirements are now somewhat of a moving target. One of the biggest challenges involving GDPR is that it is unclear how aggressively it will be enforced. Nor is it clear which provisions regulators will primarily focus on. The answers to those questions may not be known for months after the May implementation. Until then, companies may largely be on their own when it comes to conducting risk assessment and developing appropriate strategies.
And they must navigate this uncertainty with limited resources. About half of companies surveyed say they lack adequate tools for tracking critical items such as inquiries, regulatory changes, and the differing legal obligations in different geographic jurisdictions. Not surprisingly, roughly half of organizations believe their data protection costs will rise this year, increasing budgetary pressures. None of the companies surveyed said their data protection costs are expected to decrease this year.
The scope and complexity of data privacy regulations will likely only continue to grow, owing to a number of factors.
Three large-scale trends in particular are driving these changes and shaping the privacy landscape today: 1) digitization of data; 2) globalization of business; and 3) the rapid expansion of the regulatory environment.
|Continued Digitization of Data
The further digitization of data and advances in technology now allow organizations to collect and inexpensively store nearly unlimited amounts of information about consumers, customers and employees. As a society, we know this information is critical to managing large workforces and providing the customized experience that consumers want.
But it's not without risk. Most of us hold dearly the individual right to privacy and the security of our personal data. All organizations collecting individual data are obligated to protect that data and have the right compliance policies in place according to the laws that govern their business. These policies detail, for instance, how personal data is gathered, used, stored and repurposed for marketing. We all know what happens when organizations don't comply — we see the news headlines and experience the effects, and large companies not in compliance must manage the fallout along with hefty fines.
|Globalization of Business
As business continues to become more global, the data that organizations collect and manage runs into a greater risk of noncompliance because it's falling under laws and regulations from multiple jurisdictions. Data is digital and geographically agnostic — it flows across borders and essentially can go anywhere. A large global retailer based in the U.S. could have customers in 45 countries and every state in the U.S.
This creates new questions for regulators to grapple with. In March, the U.S. Supreme Court heard arguments in U.S. v. Microsoft, revolving around whether a U.S. search warrant could be enforced against a U.S.-based corporation when the data in question was being stored on servers in Ireland. The U.S. Justice Department's position included arguments that the portability and easy transferability of data make the question of its location largely irrelevant. Microsoft, meanwhile, maintained that the law in question, the Stored Communications Act (SCA), which was passed in 1986, could not be applied. In essence, Microsoft, supported by several other major technology companies, argued that the law was essentially outdated and contained no provisions to adequately deal with the issue of extra-national jurisdiction over data.
This is just one example of the issues that lawmakers and regulators around the globe must deal with. Each will act independently in its own jurisdiction, on its own expectations of data privacy, by assessing and mandating how to ensure such information is safeguarded and used appropriately.
|Rapid Expansion of the Regulatory Environment
Countries and jurisdictions are taking many differing paths in dealing with data privacy.
Some, such as the EU nations, are adopting specific regulatory frameworks, such as GDPR. Others are relying on constitutional provisions safeguarding individual privacy. And some nations, such as the U.S., have limited national laws on data privacy, instead relying on regulatory agencies such as the Securities and Exchange Commission, Federal Trade Commission and Federal Communications Commission, as well as state laws and regulations.
The result is a tapestry of regulations stretching across the globe that even the most talented, adequately staffed and eager-to-comply organizations can find difficult to manage. Data privacy professionals have no choice then but to face the daunting challenges in identifying, analyzing and complying with the myriad of global data protection and privacy laws.
We don't see an end to any of these trends anytime soon. One answer may be use of technologies such as advanced databases and artificial intelligence to help data privacy professionals identify trends, track regulatory changes and enforcement actions, and develop strategies to get a better handle on this fast-changing and complicated compliance environment.
*****
Chris Maguire is managing director of the U.S. Corporate Segment for the Legal business of Thomson Reuters.
This premium content is locked for Entertainment Law & Finance subscribers only
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
- Stay current on the latest information, rulings, regulations, and trends
- Includes practical, must-have information on copyrights, royalties, AI, and more
- Tap into expert guidance from top entertainment lawyers and experts
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
How Secure Is the AI System Your Law Firm Is Using?
In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.
COVID-19 and Lease Negotiations: Early Termination Provisions
During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.
Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support
The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.
The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies
Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.
Authentic Communications Today Increase Success for Value-Driven Clients
As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.