With data privacy laws set to take effect in several states in 2023, nearly six in 10 executives say their organizations are very prepared to meet these requirements. However, when asked about particular actions taken, less than half have completed key steps toward compliance.
That discrepancy is one of the key findings in Womble Bond Dickinson’s 2022 State of US Data Privacy Law Compliance Survey Report, which draws on the insights of 182 executives — 62% of whom hold C-suite titles — from company leadership and critical departments.
The challenges of state data privacy laws
Five states — California, Colorado, Virginia, Utah and Connecticut — have now passed data privacy laws or amendments that will take effect in 2023, while several other states are weighing similar comprehensive legislation. Though 59% of executives say their companies are very prepared to meet the guidelines set forth by new privacy legislation — and 89% have increased their budgets to do so — less than half have completed most key compliance actions, including conducting data mapping (49%), performing data assessments (43%), and establishing metrics and deadlines to track compliance (38%).
A large part of the problem is operational, which is exacerbated by the pandemic consuming a disproportionate amount of legal and IT resources. Respondents who do not feel their organizations are very prepared cite lack of available staff to address compliance (39%) and challenges around tracking the status of legislation and differences between state laws (60%).
The survey data also reveals potential issues in how companies assign primary responsibility for privacy compliance. Less than a third of those that have designated a project manager for data privacy compliance, or are in the process of doing so, have assigned the role to a member of the risk or compliance (18%) or legal (11%) departments. Most project leads reside in technology (56%) or information systems (14%).