A recent survey suggests that retailers should be proactive about data protection
As the world grapples with the effects of COVID-19, news stories abound about companies using consumer data to aid in slowing the spread, raising questions about the need for increased privacy regulations in the United States at state and federal levels. According to a survey conducted by Consilio, an eDiscovery, document review, risk management and legal consulting services firm, even before COVID-19 began affecting the U.S., 70% of legal professionals believed it was “very likely” or “somewhat likely” that U.S. federal privacy regulations would be passed into law in 2020. Only 6% of respondents indicated it was “very unlikely” that a nationwide statute would be enacted this year.
“The global public health crisis has made it even more complex for companies to navigate emerging state-level and international privacy regulations, and the lack of a U.S. federal law invites heightened ambiguity regarding compliance during an already unprecedented and uncertain time,” said Matthew Miller, vice president, Global Information Governance Advisory Services at Consilio. “While these results show that the industry was expecting a nationwide regulation this year before the rise of COVID-19, today, companies still need to focus on effectively responding to rigorous state laws. Numerous states, including California and Nevada, have passed laws or have bills in front of their state legislatures containing similar but varying obligations that businesses still must comply with now.”
While most respondents thought it was likely that U.S. federal privacy regulations would be passed in 2020, only 30% of respondents stated that they were concerned about the potential forthcoming federal regulations. In fact, when asked which information governance regulations they were most concerned about, more than half of respondents cited state-level privacy laws (56%) and international privacy regulations (51%) at the top, Consilio reported.
Despite continued evolution in information governance regulations, the majority of respondents said that they were “very confident” (48%) or “somewhat confident” (48%) that their companies’ procedures and technology will remain compliant with relevant regulations and rules across the U.S. and internationally.
Nearly half of respondents (46%) noted that their companies are utilizing cross-functional teams to comply with new or existing information governance regulations. Other efforts cited to comply with new or existing information governance regulations in the survey included maintaining/updating/executing on document retention schedules (38%), assessing data governance and data privacy maturity posture (34%), and conducting a Privacy Impact Assessment (PIA) (29%). Only 19% of legal professionals indicated the allotment of new spend, and 18% cited the development of an enterprise data map as steps taken to comply.
“While we hear our clients place an increased emphasis on effectively managing their data to remain compliant, this survey shows there is more work to be done on exactly how that is being accomplished,” said Miller. “This survey qualitatively confirms a glaring issue we see with many organizations day-to-day. Without an enterprise data map, organizations cannot clearly determine what type of personal data is collected, for what purposes or applications the data is collected and whether their processes comply with all relevant regulations.”
When asked which departments at their companies are involved in the management of the organization’s information governance practices, an overwhelming majority of respondents said the CIO/IT teams (70%) and legal departments (69%). Compliance (45%), records management (35%) and CISO/information security (33%) departments were also teams that respondents indicated are included in managing information governance practices.
“The dominance of the CIO/IT and legal departments’ involvement in managing organizations’ information governance practices is not a surprise. However, I do see a missed opportunity stemming from the lack of involvement by CISO/information security departments, as these teams have important expertise when it comes to information governance practices. This includes knowledge of what information the company has, where it is located, what it contains, what level of protection it should have, who can and should have access to it and how to confidently find the right information in a timely fashion,” said Miller. “While information governance regulations are indeed moving a bit slower in the U.S. in comparison to other regions such as Europe, this is the opportunity for all companies, across sectors and geographies, to improve their information governance maturity by taking a more proactive approach towards compliance with data privacy regulations.”
Nearly half of respondents (48%) reported that their companies review their information governance policies yearly, while 27% stated policies are reviewed on a monthly, quarterly or biannual basis and 18% said every two or more years. Only 7% stated that they do not have policies in place.