Global research firm Gartner recently conducted its annual Security & Risk Management Summit, and perhaps the biggest headline to come out of it was the projection that the majority of the world will be covered by data privacy regulations by 2023.
This would be a very substantial jump in a relatively short period of time. At present, only about 10% of the world has strong privacy regulations akin to the EU General Data Protection Regulation (GDPR). Gartner believes that the GDPR will be the specific model upon which most of these new privacy regulations are based.
The dynamics of privacy regulation propagation
Gartner is expecting these global changes to be driven in no small part by the GDPR’s “trusted partner” standards for anyone handling the personal data of EU residents. Adam Laub, General Manager for Stealthbits Technologies, elaborated on the importance of obtaining this status: “It may not appear so on the surface, but like so many things, data privacy is ultimately driven by money. Interestingly, however, money can be both the stick and the carrot as it pertains to data privacy. As Gartner’s Nader Henein noted, establishing privacy regulations on par with the EU’s GDPR opens up the door for countries and the companies within them to do business on a broader scale because of their ‘trusted status’. In other words, access to other markets will ultimately depend on a country’s and company’s alignment with and adherence to globally accepted privacy best practices.”
The mechanism behind this is the GDPR’s rules on international transfers: personal data of EU residents can flow freely only to countries the European Commission has found to offer an “adequate” level of protection (an adequacy decision under Article 45), and otherwise only under additional safeguards such as standard contractual clauses. In practice this pushes trading partners to adopt privacy regulations on par with the GDPR. The recent Privacy Shield dispute between the EU and US illustrates the point: in July 2020 the Court of Justice of the EU invalidated the EU-US Privacy Shield framework (the Schrems II ruling), finding that US surveillance law and the lack of effective redress for EU residents fell short of the GDPR’s standard. Transfers now depend on contractual safeguards assessed case by case, and most observers expect that restoring a stable basis for sending EU personal data to the US will require the US to pass its own federal-level data privacy legislation.
While this scenario benefits the general public, it also means a great deal of added compliance and data processing work for organizations. Anticipating this, Gartner is advising security and risk management (SRM) leaders to implement a three-stage, technology-enabled privacy program: establish, maintain and evolve. The program is designed to cope with the growing volume, variety and velocity of personal data that organizations must govern.
The “establish” stage is aimed primarily at organizations that have not begun, or are only in the very early stages of, implementing a privacy management program. The initial focus is on establishing record keeping and data retention policies and on mapping risks, which in practice means knowing what personal data is held, where it lives and who processes it. This is also where the core user-facing elements are developed: public-facing policies, notifications, and management of cookies, data subject rights, consent and user preferences.
The “maintain” stage is where organizations begin to scale their privacy management programs, with a focus on administration and resource management. This is the phase in which breach response plans are refined and organizations begin to implement automated elements in privacy impact assessments.
In the final “evolve” stage, the focus is on implementation of specialist tools that reduce risk without detrimental impacts on data utility.
The overall focus is to build a program that is holistic and can adapt to a chain of new regulations rapidly coming online in the next few years, as Gartner Vice President Analyst Bart Willemsen points out. A number of recent surveys have observed that popular demand for privacy regulations and government intervention in data protection is very high, with the world’s population demonstrating a strong awareness of (and concern about) how their personal data is stored and used. Along with maintaining parity with EU standards to preserve digital trade, Gartner sees this as a primary motivator driving the rapid uptake of new privacy regulations around the world in the next few years.
Security projections from Gartner
As the name of the summit indicates, Gartner also provided some projections for the cybersecurity landscape over the next few years. The firm sees this as another area in which agility will be paramount as the threat landscape will continue to evolve very rapidly into 2025.
The primary driver here is the uptick in remote work. What began as a temporary pandemic measure appears likely to become permanent, as organizations now have an extended trial run showing that it is viable. However, this expands the attack surface: remote workers rely on personal devices that the organization does not manage and on third-party services such as Zoom to get things done, so data that was once confined to the corporate network is now handled on endpoints and platforms outside the organization’s direct control.
Data security is a critical component of compliance with privacy regulations, and Gartner sees the path forward here as the adoption of endpoint-focused tools that use machine learning to detect and respond to previously unknown threats, rather than relying solely on signatures of threats already seen. Such tools still need tuning and analyst follow-up to keep false positives manageable, and they complement rather than replace the fundamentals of endpoint hygiene.
Dan Piazza, Technical Product Manager for Stealthbits Technologies, expanded on the new reality that organizations can expect to face: “What’s clear is that globally we’re taking incredible steps in the right direction for data privacy and consumer rights, and organizations need to be prepared with ‘privacy by design’ initiatives … organizations need to make sure they’re prepared to respond to Data Subject Access Requests (DSARs), or otherwise face stiff fines per existing and soon-to-be data privacy regulations. To put it simply, all organizations need to audit their data workflows and ensure the security of PII as a top priority. It’s a never-ending process, and constant observation and maintenance of data privacy workflows are now essential day-to-day processes.”
New privacy regulations coming online
The biggest of the recent privacy regulations to come online is Brazil’s General Data Protection Law (LGPD). Its start had been pushed back to May 2021 because of the Covid-19 crisis, but Brazil’s Congress declined to keep that delay and the law entered into force in September 2020, although administrative enforcement actions do not begin until August 2021.
The other big bill that appears to be imminent is India’s Personal Data Protection Bill (PDPB), which was introduced in the country’s Parliament in December 2019 and is currently under review by a Joint Parliamentary Committee, with its framework components still subject to change.
The biggest unanswered question is what the United States will do. Prior to the Covid-19 crisis there was considerable bipartisan interest in getting a federal set of privacy regulations done and several different bills had been proposed, but the issue seems to have been set aside for the moment by the combination of the virus conditions and the imminent 2020 election. Many observers expect the issue of data protection laws to be addressed once again after the election is settled, as it is now having an impact on trade with the EU.