Companies Ignoring Looming Privacy Regs
July 11, 2022
The world of privacy regulation was “irreparably changed” by the Equifax hack of May, 2017, according to a post from law firm Womble Bond Dickinson. Personal information of more than 150 million Americans had been plucked from a company whose business consists essentially of handling sensitive personal information.
Approximately a year later, the European Union passed its General Data Protection Act, and California passed its own California Consumer Privacy Act (CCPA). Since then, four other states have passed their own versions of a consumer privacy act, and several more are considering one. Deadlines are looming, with many of the laws set to go into effect in 2023.
How are companies doing? A survey suggests some double-think may have set in. More than half of executive respondents say their companies are very prepared, and 89 percent say they have increased their budgets to meet compliance deadlines that are already in the cards. Nonetheless, fewer than half of respondents say they have completed “key steps,” including data assessments, policy updates, and establishing metrics and deadlines.
Why the disconnect? “Burnout and fatigue related to a pandemic that has consumed a disproportionate amount of IT resources could be one factor,” the authors surmise. The tight labor market is also likely complicating matters, as many companies cite a lack of available staff. Survey results also suggest that the farther up the corporate hierarchy you go, the more confidence you find.
Another survey finding is that companies differ on how they allocate responsibility. Of those that have designated a project manager for privacy compliance, most are pulling that person from technology or information systems.
That’s a mistake, says a Womble Bond Dickinson partner who was involved with the study. “Preparing for these new laws – understanding the necessary policies, procedures, compliance and governance practices – is really a risk management and legal issue,” he says. “Ideally, organizations would have a cross-functional task force that includes tech and compliance professionals, with a primary lead to ensure things get done.”