As Europe settles into life under the General Data Protection Regulation (GDPR), the United States is grappling with potential legislation of its own to protect consumer information.

Questions remain about what U.S. data privacy legislation might look like, but companies have already begun to strategize. In partnership with RSA, Compliance Week conducted a survey asking U.S. firms whether they’re doing enough to stay compliant with data protection laws; the survey garnered 100 responses from individuals whose scope of responsibility included helping ensure data privacy. Of the respondents, only 36 percent felt their data privacy program is in compliance with state, national, and/or international regulations, while 52 percent felt they were almost there but struggling to keep up.

“I think this uncertainty is largely due to the continuing changes going on with the regulatory landscape around privacy,” says Marshall Toburen, a risk management strategist with RSA Archer. “There continues to just be so much new regulation around privacy—I’m not at all surprised that there’s a majority of organizations that aren’t quite sure that they’ve got their house completely in order.”

Even those respondents that answered in the negative—4 percent—have likely “spent time analyzing the regulations that they think they have an obligation to comply with and done something, but they just don’t feel that they’ve done enough yet,” says Toburen.

Roughly 70 percent of the respondents said they collect more data from customers today compared to three years ago, yet over 80 percent said less than 25 percent of their compliance budget is dedicated to data security. Of that group, 44 percent said it was less than 10 percent of the budget.

Is your data privacy program compliant?

Compliance Week asked companies: Is your data privacy program in compliance with state, national, and international (if applicable) regulations? (Chart of responses not reproduced here.)

*Percentages have been rounded up.

Source: Compliance Week

“I think organizations that have been involved with GDPR—that were heavily affected by that regulation—they’re in the category of spending the higher amount,” says Toburen, who added that if the federal government were to come out with a significant umbrella privacy regulation “you would see a much higher percentage of budget devoted to compliance.”

For those not receiving what they feel is the necessary level of support—26 percent—from the board and C-Suite on data privacy, Toburen recommends illustrating the risks of a data breach. When asked what they would worry about more in the event of a breach, 74 percent of respondents picked reputational damage over fines incurred.

Similarly, 48 percent of respondents said complying with regulations is the best argument for a robust data protection program. Supporting the company’s values garnered 27 percent of the vote, while meeting demands of the customers represented the remainder.

“I think leaders are talking about all three of these things,” says Toburen. “Maybe for a particular reg it’s a big fine, but the ones that are being successful are talking about all three of these impacts from a privacy breach to try to get the budget and commitment to the problem.”

Budget concerns

What percentage of your compliance budget is dedicated to data security or compliance with data privacy regulations? (Chart of responses not reproduced here.)

*Percentages have been rounded up.

Source: Compliance Week

The threat of a privacy breach is ever-present. When asked if their company has suffered a breach within the past five years, 29 percent of respondents said yes. The remainder answered “not that I know of,” as there is never truly a way a company can definitively say no.

So what is the best answer for U.S. data privacy? A majority of respondents—72 percent—said they were in favor of national legislation governing data privacy in the United States, a statistic Toburen believes is a reflection of compliance individuals whose companies operate in numerous states across the country. Meanwhile, 43 percent of respondents said having the budget and lead time to meet the requirements would be their biggest worry if the United States adopts a GDPR-like national regulation.

Regarding GDPR specifically, 67 percent of respondents said their company was fully compliant with the EU regulation, compared with those who answered no. The right for consumers to ask that their personal data be deleted and the separation of PII (personally identifiable information) from other account information were considered the most difficult provisions of GDPR to potentially implement. Toburen notes both provisions stem from what is perhaps the most complex area of GDPR: providing a compliant answer when a customer asks, “What data have you collected on me?”

If and when U.S. data privacy legislation is enacted, companies will have work to do. Of CW respondents, 66 percent said they would describe their current data privacy program as “somewhat vulnerable, but improving.” Time will tell what potential legislation might look like, but it would behoove those in charge of data privacy compliance at their company to begin taking steps toward getting their program in line with potential legislation.

“Organizations kind of have to start thinking, if they aren’t already, ‘what is the impact to the individual?’” says Toburen. “We need to be aligned to that pain.”

For an in-depth look at data privacy, including results from this exclusive survey, check out Compliance Week’s November/December issue.