How Privacy Laws Impact Compliance Programs

Cybersecurity & Privacy

Our 2021 Compliance Benchmark Report found that more than 71% of organizations say that an increasing focus on privacy has impacted their compliance practices and audits. Learn more about what that impact looks like.

Privacy is at the forefront of regulators’ minds and therefore, greatly impacting compliance programs across the globe. It’s not just regulators who are taking note of new privacy laws — consumers are concerned about their privacy and data, too. A recent KPMG survey noted that 86% of consumers feel a growing concern about data privacy and 78% are worried about the amount of data being collected about them.

With a magnifying glass on privacy concerns — from regulators and consumers — organizations are naturally concerned about their ability to ease consumer fears and avoid massive regulatory fines.

In our 2021 Compliance Benchmark Report, we asked more than 200 cybersecurity, IT, quality assurance (QA), internal audit, finance, and other professionals if the increasing focus on privacy has impacted their compliance practices and audits. An impressive 71% said yes, identifying various ways these impacts are felt across their business.

More Legislation Means More Work

40% of respondents noted that increased privacy requirements and upcoming legislation are necessitating additional work. What exactly does that work look like? Over one-quarter of respondents (27%) said that proposed legislation is pressuring them to stay more current.

With so much legislation coming out from different regions around the world, it’s tough to keep up. Tracking new legislation is becoming something of a full-time job. Legislative sessions around the U.S. — and the world — all run on different timelines (annual, bi-annual, etc.) and at any given moment, multiple pieces of legislation could be at various different stages of introduction, adoption, or amendment. This also means that compliance needs are never-ending. Organizations with customers around the globe are likely finding themselves reviewing new laws and updating privacy practices accordingly on a much more frequent basis.

Impact on Staffing and Training

Not surprisingly, a lot of organizations don’t feel that their team is currently equipped to handle all of this extra work. In fact, 18% of respondents noted that their compliance team doesn’t have the skills/training to deal with privacy. Stack this against the fact that organizations already feel that they have limited staff and resources available to deal with compliance needs, and a huge issue emerges.

Privacy expertise requires granular knowledge of many different pieces of legislation. General Data Protection Regulation (GDPR) remains the gold standard for privacy and, while much of the new legislation coming into existence borrows heavily from it, a patchwork of laws all have different requirements specific to citizens and practices in different regions. Privacy experts must also have an in-depth understanding of the California Consumer Privacy Act (CCPA), a landmark piece of legislation that secured several privacy rights for California consumers, giving them much more control over their personal information being collected and how it’s being used.  Understanding the ins and outs of privacy legislation is a big ask for compliance experts.

To fill the gaps, organizations may look to build out hybrid privacy and compliance teams with experts dedicated to each discipline. We also predict more reliance on technology and automated tools that help organizations track the status of relevant privacy legislation and manage legislation cohesively — identifying areas where guidelines and requirements overlap. A cohesive framework approach will prevent organizations from duplicating efforts unnecessarily and wasting resources in the process.

Security Controls are Top of Mind

In addition to hiring new staff and onboarding new technologies, organizations will also evolve their compliance programs by incorporating more privacy controls. In our survey, 35% of respondents noted that they needed higher levels of security controls built into their internal processes. Privacy isn’t just a consideration for collecting and managing customer data — it’s forcing organizations to become more vigilant about the protection of that data.

We expect this trend will continue as more employees log into work remotely from across the globe, generating new cybersecurity and privacy concerns.

Privacy Laws and Compliance Practices Go Hand in Hand

The increase in privacy laws being introduced on a large scale is poised to have a significant impact on the world of compliance. Organizations are already feeling its effects — with noted gaps in knowledge, skills, and resources available to help them understand and adopt legislation swiftly.

To cope, we believe more organizations will expand their compliance programs moving forward by hiring additional staff, implementing more automated tools, and adopting internal security controls to protect corporate and customer data alike.

Download the 2021 A-LIGN Compliance Benchmark Report

Does your organization need help meeting privacy requirements? A-LIGN’s experts can refine your compliance program today by helping you achieve GDPR, HIPAA Privacy, ISO 27001 and CCPA compliance.