Report: UK and US Executives Grapple with Evolving Data Privacy Laws
In a landmark year for data privacy, a survey by international law firm Womble Bond Dickinson illuminates corporate preparedness for requirements in the UK, US, and EU – plus new challenges posed by AI and emerging technologies
July 18, 2023 – As global data privacy compliance increases in scope and complexity, only about half of executives feel “very prepared” to meet regulatory requirements in the United Kingdom, United States, and European Union.
That is one of the key findings in Womble Bond Dickinson’s 2023 Global Data Privacy Law Survey Report, which draws on responses from more than 200 executives in the UK and the US, nearly half of whom are C-suite executives. The second annual report analyses the rapidly changing data privacy landscape – including new regulations and the application of artificial intelligence (AI) and other emerging technologies – as well as corporate readiness and the differences between those operating in the UK, US, and EU.
UK outpaces the US in corporate preparedness, but challenges persist on both sides of the Atlantic
With a more established General Data Protection Regulation (GDPR) in Europe and the Data Protection Act 2018 (DPA) in the UK, more respondents with operations on the continent feel prepared to meet data privacy requirements. However, these respondents still feel the impact of an increasingly complex regulatory environment, with just 53% saying they are “very prepared” for compliance. Comparatively, as several US state data privacy laws near or reach effective dates, executives with operations in the US are less confident in their preparedness than in last year’s survey: only 45% say they are very prepared to comply with US laws and regulations, compared with 59% in last year’s survey.
“Europe has long been ahead of the US when it comes to data privacy laws, having had one in effect since 1995, along with the GDPR, which was adopted in 2016,” said Andrew Kimble, a UK-based partner who focuses in data protection and privacy. “Employees at all levels of the organisation in the UK tend to be aware of the GDPR and DPA, given all the steps companies need to take.”
Yet even confident executives may not be as prepared for compliance as they think. While more than half of respondents have completed such key data privacy measures as designating an internal project manager or owner (70%) and conducting regular training (58%), only 34% have conducted data mapping and understand data practices across the organisation.
“Data mapping – knowing what data you have and where it lives – is foundational for any effective data privacy and cybersecurity strategy,” said Tara Cho, partner and Partner and Chair of the Privacy and Cybersecurity Team for Womble Bond Dickinson (US). Additionally, while many companies might implement external-facing actions, such as putting a cookie banner on their website or updating privacy policies, Cho notes that there is still a “need to build out back-end requirements to truly fulfill the compliance requirements.”
Roadblocks crop up in other areas as well. For instance, half of the respondents doing business in Europe and or the UK say understanding the data held within their organisations is a challenge, while 45% cite difficulties increasing their budgets. In the US, nearly 60% of executives view tracking the status of legislation and the differences between state laws as a challenge, yet only 42% have completed comparisons of state privacy law frameworks.
Cross-border data transfers and cybersecurity are top of mind
In an increasingly global and digital business landscape, the ability to transfer data across borders is paramount. Despite the current regulatory uncertainty in this area, the survey data suggests that data privacy regulations can be helpful for cross-border business – especially for UK respondents, who are more experienced with existing standards. Forty percent of UK respondents (versus 35% in the U.S.) say these regulations add extra costs but are manageable, while only 10% in the UK (compared with 17% in the US) believe regulations are a major impediment to such business.
“While cross-border data transfers remain a challenge, the findings demonstrate that many businesses are managing and even seeing value in associated regulations,” added Andrew Parsons, a UK-based partner at Womble Bond Dickinson who focuses on commercial disputes around information rights, privacy, and other technology-related issues. “Though much remains in flux, if and when these rules stabilise, they can have a positive long-term impact.”
When it comes to big-picture concerns around data privacy, data breaches and cybersecurity rank as the top issue (particularly among UK respondents). Litigation and enforcement action ranked second among US respondents.
Growing adoption of biometrics, geolocation, and AI brings new opportunities – and concerns
The majority of respondents say their organisations use fingerprints, facial recognition, and other biometric data, including 59% of UK respondents and 64% in the US (the latter is a five percent jump from the 2022 survey). Amid expanding use, the compliance risks have also grown with biometric privacy laws and several lawsuits in the US.
With regard to geolocation data, 40% of US respondents (and 32% of those in the UK) are very concerned about privacy laws that include specific restrictions on collecting and using geolocation data for targeted marketing purposes.
The survey also finds respondents accelerating their adoption of AI technologies. More than 1 in 5 respondents (22%) started using such technology in the past year alone, and only 19% aren’t using it at all. Respondents cite a wide range of uses for AI, with 36% using the technology to generate content and another 24% planning to do so in the next year. However, respondents cite ethical concerns (45%) and legal risks (34%) as key obstacles to AI adoption.
“Whether it’s evaluating loan applications, filtering qualified candidates for a new job posting, or any number of other use cases, AI tools make complex decisions all the time,” said Ted Claypoole, a Womble Bond Dickinson partner who leads the firm’s US-based IP Transactions Team. “That’s what they’re there for. The question is, are they doing it in a way that’s improper from a societal and legal standpoint?”
The survey was completed by 205 business leaders in April and May 2023. Respondents represent 22 industries and play either a leading or supporting role in data privacy issues. Half of these respondents (51%) are US-based and represent 33 states. Forty-seven percent of respondents were based in the UK Nearly half of the organisations surveyed stated they have offices in the EU, with 25 countries selected. To read the complete report and methodology, please click here.