2020 was a watershed year for data privacy. It kicked off strong with the implementation of the California Consumer Privacy Act (CCPA) in January. Two months later, the pandemic tested data governance processes in ways previously unimagined.
Consumers are increasingly aware of their rights, and while data privacy regulation has been a source of anxiety in the past, businesses are increasingly used to, and even excited about, future regulation. Such regulation builds consumer trust and can even improve data processing efficiency.
The new year will see the continuation of some long-time trends with a few notable additions. Here are my top 4:
1. Long-tail COVID-19 impacts
In the early days of the pandemic, developing contact tracing applications was a major initiative for many governments around the world. However, the awareness created by GDPR brought global scrutiny to the use of data by these contact tracing apps. Pollyanna Sanderson, Privacy Counsel at the Future of Privacy Forum, has noted that many countries and even U.S. states have opted for a centralized approach that allows individuals to share their GPS location data with a contact tracer. Yet privacy concerns have fueled low adoption rates. GPS location data is also generally not precise enough to measure person-to-person contact. Furthermore, individual state efforts are disjointed and don’t give widespread visibility across state lines.
More decentralized applications that “broadcast rotating, randomized Bluetooth identifiers” are a more privacy-conscious approach, according to Sanderson. Yet differences between states underscore the need for more comprehensive legislation that can help public-private partnerships and data sharing efforts proceed much faster and more clearly.
In fact, data consortiums that share certain types of data are gaining momentum. Though Apple and Google face antitrust scrutiny, their contact-tracing collaboration in the early days of the pandemic could be a blueprint for future data-sharing efforts. More companies will embrace these consortiums and partnerships in non-healthcare settings in 2021 to get a better picture of customer interaction data, and this comes with its own host of privacy concerns.
2. Appetite for comprehensive federal regulation
One interesting development from the November election was that Californians overwhelmingly voted to expand the California Consumer Privacy Act (CCPA). The updated law, called the California Privacy Rights and Enforcement Act (CPRA), is an attempt to move the CCPA even closer to the European Union’s General Data Protection Regulation (GDPR).
While this received the lion’s share of coverage, it should be noted that dozens of states have pending legislation seeking to address data privacy. This is in addition to existing sector-specific federal laws such as HIPAA in healthcare and GLBA in finance.
These state proposals are quickly evolving, and there is actually a push from various business sectors for consistency across the board. In fact, according to a Deloitte study, 61% of businesses surveyed thought that data privacy regulation improved customer trust. There are some federal proposals that could materialize over the next year, and organizations should adopt best practices in preparation for a more comprehensive data privacy framework.
3. Tipping point for security automation
Over the last three years, we’ve seen steady adoption of security automation. In 2021, organizations with at least partially deployed security automation initiatives will certainly outnumber organizations without any security automation. This has already had a huge impact on the cost of data breaches.
According to IBM’s data breach cost study, “businesses that had not deployed security automation saw an average total cost of $6.03 million, more than double the average cost of a data breach of $2.45 million for businesses that had fully deployed security automation.” With savings this large, and especially in a remote environment, organizations cannot ignore the benefits of security automation for the new year. I expect a pronounced uptick in adoption through 2021.
4. Maturing data governance standards
Privacy-by-design automation has been widely adopted for new applications, but privacy remains a problem in legacy environments. As a result, organizations have been forced, especially over the last 10 months, to adopt robust data governance processes, and those processes will mature further in 2021.
These processes are being developed around a framework of best practices. Most begin in a discovery phase where they identify the business initiative, map personal data assets and flows surrounding the initiative, establish stakeholders for a Data Governance Council, and assess security and privacy readiness based on a risk analysis.
Next, organizations define the strategies that result from this discovery process. This means articulating risk tolerance, agreeing on privacy policies, closing security gaps, establishing a Data Breach Response plan, and identifying third-party vendors.
In the application phase, organizations catalogue data assets, automate privacy policies and controls, implement Data Subject Access Requests (DSARs), integrate third-party vendors, and train staff on new processes.
Finally, organizations must measure and monitor the success of their data governance framework. This means tracking consumer request fulfillment, tracking compliance, monitoring privacy posture of data assets, and testing their Data Breach Response plan.
Though 2020 brought with it unprecedented challenges from a data privacy perspective, it was actually a better year than 2019 from a cost perspective. The average total cost of a data breach declined 1.5% from 2019 to 2020 according to IBM. It’s unclear if these numbers will continue to go down in 2021, but if regulations evolve, security automation continues to be adopted, and data governance standards mature, they very well could.