With heightened consumer consciousness about data privacy, regulators are moving fast to protect the data dignity of their citizens. Amid this wave of new regulations, businesses are looking for the responsible path forward with data privacy programs that operationalize privacy across the data ecosystem.
Building sustainable solutions for privacy requires that we solve both micro and macro challenges. We need privacy programs that can scale effectively across existing and future laws. Privacy also needs to be a foundational layer of the data ecosystem, so that people’s privacy choices are respected and enforced everywhere.
This year will usher in a new round of regulations concerning consumer data, making it an opportune time to take a look at why privacy compliance is complex and how we can make it less so.
Long on rules, short on tools
GDPR imposed significant compliance costs on businesses, and the trend is continuing. In 2021, average privacy budgets increased 30% to $873,000 (increasing drastically based on company size), as outlined in the IAPP’s Annual Privacy Governance Report. Even with the increased budget, over 60% of respondents said their budget is less than sufficient to meet their needs. In short, businesses are crying out for tools to help them conquer the complexity in data privacy.
One of the reasons why compliance is difficult is that most companies don’t have a baseline understanding of the data they collect, store, and process – or if they do, it is static and point-in-time. Efficient and dynamic data discovery is foundational to an effective data privacy program.
For example, privacy regulations often require businesses to document risk assessments. GDPR alone creates obligations for Data Protection Impact Assessments (DPIA) – a process to identify and minimize the data protection risk of a project. There are also Privacy Impact Assessments (PIA) and Records of Processing Activities (ROPA), to name a few, with other regulations imposing similar obligations.
Building an always-on understanding of the data collected and stored across your business is key to driving cost-effective, timely and accurate assessments.
Secondly, each regulation has a different assembly of “privacy primitives.” For example, each law comes with its own set of rights (e.g. the right to data erasure, rectification, access) for its citizens, and varying ‘lawful basis’ for processing that data (opt-in consent vs. opt-out consent, disclosure, legitimate interest), along with multiple definitions of what constitutes protected data.
The key to driving efficiency in regulation-by-regulation responses is to unlock these privacy primitives: like ingredients in a recipe, they can be reassembled to meet current and future obligations.
Thirdly, the data ecosystem upon which to apply privacy choices is enormously complex. The average business has 30+ data systems, some internally managed, others by service providers and partners – all containing vast volumes of structured and unstructured data used for customer engagement, analytics and marketing. Every one of those data systems and service providers stores and uses customer data in some automated fashion, such as customizing a web experience, or targeting an ad based on items placed in a shopping cart.
You might be forgiven for assuming there are far-reaching, established standards for communicating privacy instructions across the ecosystem. What’s needed for businesses to meet their obligations is automation that uses APIs (Application Programming Interfaces): effectively, agreed-upon protocols for the transmission of privacy instructions.
Privacy compliance has too many manual elements today, and needs automation to scale against the vast complexity of the data ecosystem and coming regulations.
Closer than we think
Here’s the good news: businesses and market watchers are realizing that solving for the complexity in privacy requires solving a data management problem. This realization is one of the catalysts for the convergence of privacy and data governance, and is unlocking technology budgets for privacy use cases, accelerating much-needed privacy automation.
And programmatic approaches to privacy in the data ecosystem are emerging. Facebook, for example, now supports privacy choices and data subject right fulfillment through privacy APIs. Some are taking it even further, developing the standards for an ethical internet with privacy at its core.
Solving for the complexity in privacy drives material ROI for privacy teams, but the data economy also depends on it. Privacy-mature businesses are already delivering beyond basic compliance, supporting business initiatives that responsibly leverage data for growth, while respecting people’s data dignity.