By Ben Rapp

Around the world, individuals are fighting for control of their personal data.

Backed by legislators and regulators conscious of the transformative impacts of artificial intelligence (AI), they are determined to address the asymmetries in the relationships between individuals and large data-intensive organisations.

In the past five years, the proportion of the world’s population covered by data protection laws has grown from 10% to 82%.

Yet in the world’s largest economy, the legislative framework governing data protection remains remarkably immature. In the US, there is no federal privacy act that provides a clear view of organisations’ responsibilities to safeguard personal data.

Efforts to create a unified legal framework for privacy by the National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC) are not backed by the full force of the law.

Where individual states have produced modern privacy and cyber laws, there is limited alignment, although California is emerging as a model for other states. Even so, US state privacy laws tend to focus on consumers and large-scale processing, overlooking many other activities that require regulation.

That puts the US at odds with its neighbours and international peers. On its borders, both Canada and Mexico have implemented principles-based privacy regimes.

Further afield, Europe has constructed a raft of data protection regulations. China may approach the question from a different perspective, but it too has introduced comprehensive legislation.

How do US businesses really govern and manage privacy?

Against this backdrop, we wanted to understand how those on the front line of privacy management in corporate America now see their roles – and what that says about their organisations’ approach to privacy.

  • How do US businesses oversee privacy governance?
  • How do they manage privacy operations?
  • And how do they build a business case for investments in privacy?

To answer these questions and more, we surveyed 100 senior leaders with responsibility for privacy compliance in three industries at the heart of this debate – e-commerce, healthcare, and retail financial services.

What we found is that US businesses recognise the potential benefits of effective privacy management:

  • 75% say it could boost trust in their brand.
  • 69% expect it to help them maximise the value of data.

Risk reduction is what really drives their investments in privacy management:

  • 57% invest in privacy management to minimise legal disputes.
  • 50% invest to reduce regulatory risk.

There are ample opportunities for US businesses to improve their privacy management, the survey shows:

  • 44% don’t benchmark their practices against those of other organisations.
  • 39% don’t yet conduct regular privacy audits.
  • 32% have yet to appoint a Data Protection Officer.

And despite the fact that the majority struggle to recruit the privacy talent they need, 67% have yet to appoint a retained privacy consulting firm. As a result, they are missing out on access to privacy best practice.

The survey also revealed shortcomings in the way privacy is governed within US business.

For example, while some of the key building blocks for privacy governance are in place, the structure of oversight is cause for concern:

  • 58% of respondents say their privacy governance is overseen by the executive who is also responsible for its delivery.

This creates the potential for conflicts of interest and is contrary to common practice in financial and other areas of governance.

At Securys, we agree that the benefits of effective privacy management are wide-ranging – from brand trust to efficient data processing. But we also know that the risks of a misstep are both significant and growing by the day.

The US’s data privacy regime is immature by international standards, but individual organisations ready to take a proactive lead have much to gain.

  • To find out more on how US businesses are falling short on privacy, and how Securys can help, download our new report.
