Our latest InfoSec research reveals that compliance with data privacy regulations is a top priority for US businesses – but not for the reasons you might think
In January of 2018, California became the first state to pass comprehensive consumer data protection legislation in the US. Since then, several states have followed suit, with several more bills currently moving through their respective state legislatures.
However, the lack of centralized, federal regulations on data privacy in the US has created a regulatory landscape that is not only fast-moving but also fragmented.
These factors, and the introduction of sweeping data privacy regulations internationally, like GDPR in Europe and POPIA in South Africa, are driving data privacy up the list of priorities for businesses in the US.
Our research, conducted with cloud data security experts Okera, shows that 94% of data, security, and governance executives now consider meeting compliance requirements ‘very much a priority’, or ‘an extremely important priority’.
Interestingly, 45% of respondents reported they are not worried about penalties or fines due to data privacy regulations. This is surprising as penalties, at least theoretically, can be extraordinarily large.
However, this lack of concern may be explained by a belief that smaller, less prominent companies are unlikely to become the target of regulators, or that if they are targeted, the fines will not be significant.
The survey results strongly suggest that companies take privacy regulations seriously. However, this particular result is difficult to interpret, because 31% of respondents report not being worried about fines specifically because they are already in compliance.
Our findings hint that businesses may seek compliance for reasons other than fear of being fined, which we discuss next.
“It’s a business decision. If the fines are manageable, some companies just budget that in,” says Rick Doten, VP, Information Security at Centene Corporation and CISO at Carolina Complete Health. “If it is more expensive to do all this stuff to be compliant, then they’ll just pay the fine.”
A New Focus on Reputational Risk
Customer trust, once lost, can be difficult to regain. Reputational damage due to being non-compliant is another reason for businesses to take compliance seriously.
“You take a reputational risk when you fall out of regulatory compliance,” says Raj Badhwar, SVP and CISO at Voya Financial. “If you lose customer trust, you can’t simply pay a fine to fix it. So senior leaders are very worried about the reputational risk.”
“There is naming and shaming happening all the time by regulators and the media,” adds Sharon Bauer, Founder and Privacy Consultant at Bamboo Data Consulting. “And more recently by nonprofit organizations who are putting companies in the spotlight if they abuse people’s privacy.”
In contrast, some privacy and security leaders are proactively using customer-facing data privacy policies for positive public relations.
This approach is particularly timely as the very public conflict between two of the largest technology companies in the world, Apple and Facebook, plays out in the media over their use of customer data.
“We asked ourselves, how can we create a strategic advantage out of this regulation?” says Miguel Sanchez Urresty, Chief Data and Analytics Officer LATAM at financial firm Principal. “If we are compliant and we can make that public, we can increase customer confidence in our company. For me, that’s going to be an advantage point for businesses in the future.”
Two Approaches for Data Privacy Compliance
All the participants in our research have implemented protections for personally identifiable information (PII) stored in their systems. The responses suggest that the vast majority are operating in multiple states or regions. Only 6% are responding to rapidly expanding and evolving data privacy regulations minimally, by focusing on one specific regulation.
Of course, different businesses operating in different industries and regions will base their approach to data privacy compliance on their circumstances. However, our research hints at a rapidly maturing response to regulations as companies progress beyond tactical projects to strategic automation and standardization.
45% of respondents are taking a tactical approach by reusing the work invested in complying with one regulation to respond to new regulations. One effective way of doing this is to take the requirements of the most stringent regulation and apply them uniformly across the business’ data privacy landscape.
“If you benchmark the organization against the gold standard in privacy, then the organization will likely be compliant with all other regulations,” says Sharon Bauer, Founder and Privacy Consultant at Bamboo Data Consulting. “For example, if GDPR is the gold standard and the most prescriptive privacy legislation out of all of them, then it may make sense to benchmark yourself against the GDPR.”
Meanwhile, our research also shows that an impressive 49% of respondents are taking a strategic approach by automating and standardizing flexible systems to dynamically enforce compliance with a wide variety of evolving regulations.
“Standardization and centralization are good things in this area, as long as the laws are uniformly applied,” says Voya Financial SVP and CISO Raj Badhwar.
Ultimately, businesses will decide how to approach the rapid evolution of data privacy laws based on their unique circumstances. However, all businesses will need to keep their eye on the horizon as new laws are introduced at the state level, federally, or internationally.