While organizations of all kinds are beginning to understand the importance of expanding their approaches to privacy compliance in order to meet the demands of expanding laws around the world, more than one-third of organizations are concerned about compliance budget structuring in light of regulatory uncertainty.
This is according to a new study by FTI Consulting, which explored privacy compliance spending and the challenges it faces, especially in light of evolving data privacy laws around the globe. According to its findings, legal and compliance budget spending is heavily dependent on the broader regulatory landscape, further suggesting a crucial role for governments in ensuring that personal information remains protected by organizations.
“A movement that took the international stage with the enactment of the General Data Protection Regulation (GDPR) in 2018—and gained momentum with the passage of the California Consumer Privacy Act (CCPA) and Brazil’s General Data Protection Law (LGPD)—is building into a tidal wave of anticipated regulations worldwide,” the researchers wrote.
“For multinational corporations, future-proofing data privacy and compliance programs against the incoming flow of new and evolving global laws may seem futile, or impossible,” they continued, pointing specifically to the need for organizations to balance risk management costs in relation to protecting personally identifiable information and other types of data.
Three key findings for privacy compliance
The study, entitled ‘Future-Proofing Corporate Data Privacy’, surveyed more than 500 leaders of large companies in the United States. All of the respondents had knowledge of the privacy compliance framework, including the compliance budget, of their organizations, according to the researchers, with 60% holding titles in senior management or in the C-suite and 28% holding other management roles.
The research revealed three key privacy compliance insights concerning the way in which organizations balance their compliance budget with other business expenses:
The first insight revealed a dramatic increase in spending going toward privacy compliance. According to the survey, a substantial 97% of organizations say that they will increase their data privacy spend in their compliance budget over the next 12 months by a high level—on average 50%.
The survey additionally found that, in their compliance budget, organizations face a delicate balance between the need to retain data for the sake of business and the need to minimize it to mitigate risk. This was evidenced by the fact that 78% of respondents agreed that the value of data is encouraging organizations to find ways to avoid complying fully with data privacy regulation.
Interestingly enough, this number sat even higher (93%) among business leaders in the tech sector.
Thirdly, the research revealed that organizations of all kinds—not only those in the European Union that are subject to stringent GDPR compliance—are seeking to strengthen their data privacy compliance framework to protect private information. In order to achieve this, the report says, organizations are devoting more resources within their compliance budget toward training, compliance programs, standards, and other checks and processes that ensure data security.
Impact of COVID-19
While the data collected to form the basis of the report was sampled in late 2019—months before the COVID-19 pandemic took hold—the researchers nonetheless explain that, aside from hiring insights, a large majority of the findings remain relevant.
“Some [findings] are even more crucial in this new normal, where regulators are not backing down from enforcement and new pandemic-related challenges to data privacy and security seem to crop up daily,” the researchers wrote.
“Likewise, the questions and struggles reflected in the survey data continue to be best-supported by the strategies of being proactive and prepared when it comes to data privacy.”
New frontiers for compliance budget structuring?
As things currently stand, according to the report, organizations are aware of the need to develop a global data privacy framework that is at once “encompassing of an organization’s full regulatory obligations and malleable to align with nuances at a regional or local level”.
However, the challenge in the meantime remains for companies to integrate comprehensive awareness and training campaigns into their compliance budget, designed not only to support privacy compliance, but also to reduce the risk of data breaches.
“When employees are aware of the issues and trained on how to execute on the global privacy framework, they are less likely to fall afoul,” the researchers noted.
Alluding to the developments in privacy compliance that have arisen from the ongoing pandemic, the report warns organizations that data protection laws will continue to emerge and evolve. Ultimately, they conclude, it remains up to organizations to move forward on an adaptive footing.
“The pandemic and the world changes it has wrought have made the future of data privacy more uncertain than ever, and today’s ambiguous landscape is top of mind for many legal, compliance and executive teams,” the researchers said. “Corporations are still at the tip of the iceberg in terms of the scope of requirements that may ultimately come into play.”