IAPP and KPMG Privacy Risk Study 2023

New data protection and privacy laws are being passed at a rate that can make your head spin. Whether an organization does business globally or only operates locally, it should carry out a risk assessment if it uses personal information (data) in any manner. Here is what the IAPP/KPMG Privacy Risk Study 2023 has to say about this:

“While the complexity, variety and scale may vary from organization to organization, all organizations that process personal data contend with privacy risk.

Whether it’s uncertainty in the ability to deliver on a privacy compliance program for the next year due to ongoing regulatory change, the challenge of obtaining and subsequently maintaining full compliance with proliferating, and even conflicting, privacy laws around the world, or uncertainty from inability to predict the future — organizations need to find ways to identify, assess, evaluate and treat privacy risk.
In this climate, organizations increasingly have to grapple with a complex privacy risk environment fraught with regulatory and economic uncertainties. It is an environment replete with new and evolving harms through the proliferation of emerging technologies, changing consumer expectations on privacy, and increasing scrutiny on business initiatives and market trends.
In this year’s report, privacy leaders identified geopolitical instability, rapidly maturing and emerging technologies, lack of available talent, and increasing shareholder and regulatory expectations as some of the most significant challenges, revealing concerns about an increasingly fragmented and unpredictable world.

Against this backdrop, we found organizations taking steps to manage enterprise privacy risks considered the following to support the identification, assessment, evaluation and treatment of privacy risk: roles and responsibilities, methodology, technology, communications and continuous improvement.

Key Takeaways

→ The five highest priority privacy risk domains identified by participants were data breaches, noncompliant third-party data processing, ineffective privacy by design implementation, inappropriate personal data management and insufficient privacy training for employees.

→ The most common and most emerging privacy risk identified by participants was difficulty maintaining compliance across various regulatory regimes with differing and/or evolving requirements.

→ Additional top-ranked emerging risks included balancing data localization requirements with EU business needs, unintended consequences due to immaturity in managing the privacy risks that occur through the use of AI and privacy risks resulting from efforts to monetize data.

→ Regulation/compliance, data management and governance were the top three most common risk domains identified by participants.

Uncertainty and risks persist — no matter what we may be led to believe.

Outcomes are uncertain, whether they represent positive opportunities or undesired effects. At the extreme, inaction can itself carry risk, while full-throttle pursuit of a zero-risk profile may be harmful and wasteful. Whatever the nature of the organization, its objectives face known and unknown risks which can set the stage for both triumph and disaster. Therefore, when we think about risk management, the underlying principles and steps apply to most, if not all organizations. Privacy compliance is no stranger to a risk-based approach and can complement the requirements of privacy regulations, balancing the choices data controllers make under principle-based regulation with rules-based requirements like Article 12 of the EU General Data Protection Regulation.”


For a copy of the complete study, contact us at info@newportthomson.com and enter the study name in the subject line.
