Organizations ready to meet new state privacy laws, but less than half have acted

Law firm Womble Bond Dickinson on Wednesday released a privacy study that found that while 6 in 10 executives say their organizations are prepared to meet new state consumer privacy laws, less than half have completed important compliance steps.

Already five states — California, Colorado, Virginia, Utah and Connecticut — have passed data privacy laws or amendments that will take effect in 2023, while several other states are weighing similar comprehensive legislation.

Although 89% of respondents have increased their budgets to comply with these new privacy laws, less than half have completed most compliance actions, including conducting data mapping (49%), performing data assessments (43%), and establishing metrics and deadlines to track compliance (38%).

“Companies often feel they are ready for compliance, but that optimism starts to fade when it comes to applying the often unsettled regulations and granular tactics they need to effectively prepare,” said Tara Cho, chair of the privacy and cybersecurity team at Womble Bond Dickinson. “The new requirements affect so many aspects of how companies do business that it can be challenging, particularly at the executive level, to make sure all the bases are covered.”

“These survey results are very much in line with what we see at an operational level as we engage with data-driven organizations,” said Dan Manners, director, compliance and risk strategy at Breakwater Solutions. Manners said the fundamentals of understanding exactly what personal data gets collected, under what lawful basis the company retains data, and where it maintains data, along with ensuring least-privileged access, are all not as well understood, documented, and aligned as the C-suite may believe.

“Existing and emerging data privacy regulations are both complex and challenging to operationalize, in practice, especially in complex multinational organizations with hybrid and decentralized governance structure,” Manners said.

Hank Schless, senior manager, security solutions at Lookout, added that every company should make securing sensitive customer data its No. 1 priority regardless of what industry they’re in. Schless said today’s customers also expect companies to keep their data secure. With the universal focus on personal data protection, Schless said brand loyalty often gets tightly tied to whether the consumer feels like an organization does enough to keep their personal sensitive information safe. 

“With so many data privacy and compliance laws that focus on securing customer data, violation of these standards can lead to detrimental fines and reputational damage for any organization,” Schless said. “To keep up with today’s threat landscape, IT and security teams need to implement uniform data protection policies that secure data in cloud apps, private apps, and over the web.”
