Data Compliance Whack-a-Mole

By Paul McCormack, Vice President of Privacy Law Innovation at Privitar

There are more legal and regulatory updates these days than any one person could find the time to read, let alone analyze and implement.  In 2021 alone, research by Thomson Reuters (Cost of Compliance 2022: Competing priorities report) identified 64,152 compliance alerts across 190 countries, which translated to an average of 176 compliance updates per day.

Whilst this number represents all areas of compliance updates (not only data privacy and protection) it provides useful context when narrowing into the world of data privacy and protection.  It’s therefore no surprise that in 2022, Gartner predicted that by the end of 2024, 75% of the world’s population will have its personal data covered under modern privacy regulations.  If this prediction is correct, the steady pace of changes to or completely new data privacy and protection laws and regulations will continue throughout 2023 and 2024.  

More data, more problems

Let’s think about this growth from the perspective of compliance.  If the expanding universe of laws, regulations and other requirements were a meteor shower, legal and compliance teams are being asked to block it with a piece of paper.  That’s because the job of remaining compliant using current practices is unmanageably complex.  

Taking the EU / UK General Data Protection Regulation (GDPR) as an example, this comprises 99 articles, spread over a 78 page document.  With an estimated 120+ privacy laws and regulations around the world plus other sectoral requirements and related data requirements (e.g. cybersecurity, AI, financial crime, consumer protection, marketing etc), more data and increased geographic coverage certainly equals more compliance complexity and therefore more (data compliance) problems.     

More with less results in reactive compliance

Organizations are already struggling with the volume of existing data compliance requirements they already know and love (or perhaps not).  It’s increasingly common for legal, risk and compliance teams to be made up of people with very country and/or region specific knowledge (e.g. where the team are based in London, they will have a great understanding of UK and EU law, but perhaps not as well equipped to deal with Hong Kong, Singapore, Canada).  The knowledge and bandwidth gaps lead to organizations plugging these holes with external resources.  Whilst this can be a great balance between internal and external strengths, the potential downside to this could be the longer-term lack of retained corporate knowledge if the relationship is not properly managed and there is not a good system to maintain deliverables, work product and key analysis carried out.  

Lack of bandwidth inevitably leads to moving into reactive mode, and for legal, risk and compliance teams, this means fire-fighting the short-term requests and the lack of bandwidth and brain-space to focus on the mid and longer term priorities. This means that when changes to data compliance requirements emerge or new laws and regulations are enacted, it’s hard to consider them holistically (with both existing and emerging requirements) but instead having to consider them on a one-by-one basis.  It often feels like playing a rather never ending game of data compliance “whack-a-mole”. 

This game is not much fun, especially when it means that legal, risk and compliance teams are struggling to keep up with what’s coming down the data compliance pipeline.  In some cases, this can lead to natural risk-averse behaviors which can of course lead to missing valuable data related opportunities.

What does this mean for data teams? 

It often means slow access to data.  After multiple emails, meetings and bouncing around multiple departments to obtain approval to use data,  time and opportunity cost has been impacted and the lack of agility can result in missing out on key business opportunities.

This doesn’t mean that the steps to ensure compliance can be bi-passed or overlooked.  Monetary fines are a significant and potentially disastrous risk for noncompliance, but as important (if not more important) is the loss of customer trust and confidence following misuse and lapse consideration for data compliance.  A more important perspective is how to become more focused and agile in how requests are processed in a consistent and robust manner, thus unlocking the potential value of data / not missing opportunities.  

This may be easy to say, but given the core challenge is with legal, risk and compliance teams being outgunned when it comes to requests vs resources, how do companies stay ahead?

Creating order in a world of data compliance chaos

Understanding the existence of applicable data compliance requirements is a key first step.  From there, organizations need to apply such requirements to the applicable context (e.g. a specific type or types of data projects).  

Privitar’s Data Compliance Navigator (DCN) makes navigating data compliance simple by calculating, communicating and automating the steps professionals need to take to comply with relevant data compliance requirements.

With DCN, you can get immediate visibility into the risks associated with your data project, clear and specific compliance actions unique to your data project, and importantly, whether it is permissible or not.  

DCN also allows companies to understand data movements across the organization, when data compliance requirements change, look back and identify potentially impacted projects.  A core benefit is enabling your legal and compliance teams to be given back bandwidth to focus on the strategic requests and moving away from the reactive ones.

So how much is data compliance costing your organization? Answer three simple questions using our new data compliance calculator and we’ll help you quantify how much time and money you could be spending on data compliance today.