2020 was a watershed year for data privacy. It got off to a strong start with the implementation of the California Consumer Privacy Act (CCPA) in January. Two months later, the pandemic put data governance processes to the test in ways never before imagined.
Consumers are becoming more aware of their rights, and while privacy regulation has been a source of anxiety in the past, companies are becoming more used to, and even excited about, future regulation. Such regulations build consumer confidence and can even improve the efficiency of data processing.
The new year will see the continuation of some long-term trends with some notable additions. Here are my top 4:
1. Impacts of long-tail COVID-19
In the early days of the pandemic, the development of contact tracing applications was an important initiative for many governments around the world. However, the awareness created by GDPR sparked global scrutiny of the use of data for these contact tracing applications. Pollyanna Sanderson, Privacy Counsel of the Future of Privacy Forum, has pointed out that many countries and even US states have gone for a centralized approach that allows people to share their GPS location data with a contact tracer. However, privacy concerns have driven low adoption rates. GPS location data is also not accurate enough to measure person-to-person contact. Additionally, individual state efforts are disjointed and do not provide widespread visibility across state lines.
More decentralized apps that “broadcast random, rotating Bluetooth identifiers” are a more privacy-conscious approach, according to Sanderson. However, differences between states underscore the need for more comprehensive legislation that can help public-private partnerships and data sharing efforts proceed much more quickly and clearly.
In fact, data pools that share certain types of data are gaining momentum. Although Apple and Google face antitrust scrutiny, their contact-tracing collaboration in the early days of the pandemic could be a model for future data-sharing efforts. More companies will adopt these consortia and partnerships in a non-health environment in 2021 to help get a better picture of customer interaction data, and this comes with its own privacy concerns.
2. Appetite for comprehensive federal regulation
An interesting development of the November election was that Californians overwhelmingly voted to expand the California Consumer Privacy Act (CCPA). The updated law, called the California Privacy Rights and Compliance Act (CPRA), is an attempt to bring the CCPA even closer to the General Data Protection Regulation (GDPR) of the European Union.
While this received most of the coverage, it should be noted that dozens of states have pending legislation that seeks to address data privacy. This is in addition to existing federal sector laws such as HIPAA in health care and GLBA in finance.
These state proposals are evolving rapidly, and indeed there is a push from various business sectors to achieve consistency across the board. In fact, according to a Deloitte study, 61% of companies surveyed thought that regulating data privacy improved customer trust. There are some federal proposals that could materialize over the next year, and organizations should adopt best practices in preparation for a more comprehensive data privacy framework.
3. Tipping point for security automation
Over the past three years, we have seen a steady adoption of security automation. Organizations with partially implemented security automation initiatives will certainly outperform organizations without any security automation in 2021. This has already had a major impact on the cost of data breaches.
According to the IBM study, “companies that had not implemented security automation reported an average total cost of $6.03 million, more than double the average cost of a data breach of $2.45 million for businesses that had fully implemented security automation.” With such great savings, and especially in a remote environment, organizations cannot ignore the benefits of security automation for the new year. I expect a steep uptick in adoption through 2021.
4. Maturation of data governance standards
Privacy automation by design has been widely adopted for new applications, but privacy remains an issue in legacy environments. This means that organizations have been forced, especially during the last 10 months, to adopt robust data governance processes, and they will mature further in 2021.
These processes are being developed around a best practice framework. Most begin in a discovery phase where they identify the business initiative, map the assets and personal data flows surrounding the initiative, establish stakeholders for a Data Governance Council, and assess readiness for security and privacy based on a risk analysis.
Organizations then define the strategies resulting from this discovery process. This means articulating risk tolerance, agreeing on privacy policies, closing security gaps, establishing a data breach response plan, and identifying third-party vendors.
In the enforcement phase, organizations catalog data assets, automate privacy policies and controls, implement Data Subject Access Requests (DSARs), integrate third-party vendors, and train staff on new processes.
Finally, organizations must measure and monitor the success of their data governance framework. This means tracking compliance with consumer requests, tracking compliance, monitoring the privacy posture of data assets, and testing your data breach response plan.
The regulation of data privacy has been a source of anxiety in the past. In 2021, companies will use data privacy to build consumer trust and may even improve the efficiency of data processing.
Although 2020 brought with it unprecedented challenges from a data privacy perspective, it was actually a better year than 2019 from a cost perspective. The average total cost of a data breach decreased 1.5% from 2019 to 2020 according to IBM. It’s unclear if these numbers will continue to decline in 2021, but if regulations evolve, security automation continues to be embraced, and data governance standards mature, they very well could.