Around the world, individuals are fighting for control of their personal data.
Backed by legislators and regulators conscious of the transformative impacts of artificial intelligence (AI), they are determined to address the asymmetries in the relationships between individuals and large data-intensive organisations.
In the past five years, the proportion of the world’s population covered by data protection laws has grown from 10% to 82%.
Yet in the world’s largest economy, the legislative framework governing data protection remains remarkably immature. In the US, there is no federal privacy act that provides a clear view of organisations’ responsibilities to safeguard personal data.
Efforts to create a unified legal framework for privacy by the National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC) are not backed by the full force of the law.
Where individual states have produced modern privacy and cyber laws, there is limited alignment, although California is emerging as a model for other states. Even so, US state privacy laws tend to focus on consumers and large-scale processing, overlooking many other activities that require regulation.
That puts the US at odds with its neighbours and international peers. On its borders, both Canada and Mexico have implemented principles-based privacy regimes.
Further afield, Europe has constructed a raft of data protection regulations. China may approach the question from a different perspective, but it too has introduced comprehensive legislation.
How do US businesses really govern and manage privacy?
Against this backdrop, we wanted to understand how those on the front line of privacy management in corporate America now see their roles – and what that says about their organisations’ approach to privacy.
To answer these questions and more, we surveyed 100 senior leaders with responsibility for privacy compliance in three industries at the heart of this debate – e-commerce, healthcare, and retail financial services.
What we found is that US businesses recognise the potential benefits of effective privacy management:
Risk reduction is what really drives their investments in privacy management:
There are ample opportunities for US businesses to improve their privacy management, the survey shows:
And despite the fact that the majority struggle to recruit the privacy talent they need, 67% have yet to appoint a retained privacy consulting firm. As a result, they are missing out on access to privacy best practice.
The survey also revealed shortcomings in the way privacy is governed within US business.
For example, while some of the key building blocks for privacy governance are in place, the structure of oversight is cause for concern:
This creates the potential for conflicts of interest and is contrary to common practice in financial and other areas of governance.
At Securys, we agree that the benefits of effective privacy management are wide-ranging – from brand trust to efficient data processing. But we also know that the risks of a misstep are both significant and growing by the day.
The US’s data privacy regime is immature by international standards, but individual organisations ready to take a proactive lead have much to gain.
[ENDS]