The field of data privacy is changing quickly. Through a turbulent 2020—including numerous challenges in concurrently adjusting to remote work, addressing data protection risks resulting from COVID-19 and operationalising new laws—privacy professionals have had to cover a lot of ground.
This confluence of emerging and shifting data privacy risks is extending into 2021, which will likely be a year as unique and challenging as the last. Amid many unknowns, one thing that is certain is that the pandemic is reshaping the privacy profession. In the IAPP’s recent Privacy Governance Report, more than 40% of respondents said privacy has become more important for their organisation in the wake of COVID-19, and only 5% said it has become less important.
In this landscape, legal, compliance, privacy and IT professionals around the world are faced with a myriad of questions about the future of their roles, regulatory obligations, technological advancements and which impending issues they should be prioritising. To offer guidance for privacy departments working to align their budgets, staffing and programmes with accelerating data protection legislation around the world, this article will cover some of the most pressing of these questions, along with insights drawn from the IAPP’s survey findings and our team’s work with many of the world’s largest multinational corporations.
What are the most critical data privacy issues that have surfaced as a result of COVID-19?
Early on in the pandemic, organisations started exploring what kind of personal data employers could collect and how they could use employee health status information as part of their efforts to keep essential workplaces safe. The IAPP survey found that roughly half of organisations are now collecting health data and other sensitive information from employees to support symptom screening and contact tracing. This creates significant challenges for data privacy, as employers will now be tasked with managing the volume of that data and safeguarding it.
Another key issue is the increase in the use of cloud-based and collaboration tools to enable business continuity for employees working from home. Privacy professionals have needed to work quickly to bolster data protection procedures and policies across new tools and remote work environments. Many are still working through best practices for protecting their organisation from the risks that arise when employees, devices and data are spread across home networks and third-party cloud services rather than a controlled office environment.
What risks are associated with the collection and processing of employee health data?
The IAPP survey found that about half of the organisations that are collecting employee health data have not conducted a data protection impact assessment (DPIA) to determine the risks around how they are collecting, storing and using this information. Health data is special-category data under GDPR, and a DPIA is required where processing is likely to result in a high risk to individuals, so it is critical for organisations to conduct these assessments to avoid disproportionate data collection and to ensure strong protections around any sensitive information they are gathering from employees or others. Data privacy teams will also need to follow this data over its entire lifecycle, with a defined retention period, so that when the crisis is over it can be safely disposed of. Ideally, these considerations would be addressed up front, before data collection and processing occurs.
How will data privacy priorities likely shift in the year ahead?
As was revealed in the IAPP report, GDPR continues to rank at the top in terms of privacy priorities. While this makes sense, and GDPR will continue to cast a global shadow, many companies are now juggling multiple, international regulatory frameworks. This will continue to become more complicated and should be a key priority. More sophisticated companies may begin to prioritise the expansion of privacy programmes beyond their required jurisdictions as a way to strengthen consumer and employee trust.
Data breaches are now the most common privacy programme performance topic reported to corporate boards. To what extent will data security issues impact privacy teams going forward?
Security must be a focus area. Data breaches relating to health data are on the rise, as are other cyber and insider threats. Privacy pros need to stay abreast of these threats and maintain clear communication with the board to ensure it understands the risks and how the organisation is responding to them. Privacy teams can play a key role in helping make sure data protection risk is top of mind across an organisation and is communicated in a way that ensures executive buy-in for initiatives and technologies that reduce risk.
The Schrems II ruling, which invalidated the EU-U.S. Privacy Shield framework, was one of the most impactful decisions of 2020. Given the most up-to-date guidance, what do privacy professionals need to consider regarding cross-border data transfer activities?
Ambiguity in international data transfer has created a lot of issues, and solving this will be a pressure point in 2021. The ability to transfer data is a business continuity issue. Many organisations were able to place a temporary pause on international data transfers last year or fall back on standard contractual clauses (SCCs) and binding corporate rules (BCRs), which the ruling left standing, but on their own these are not a complete answer: the Court of Justice of the EU requires the exporter to assess whether the law of the destination country undermines the protections in the clauses and to put supplementary measures in place where it does. Relying on the clauses without that assessment is a stop-gap and will not be sustainable over the long term.
After the Schrems II ruling, 62% of organisations said they would need to change their cross-border data transfer mechanism. Without further formal guidance from authorities, this will be a tricky undertaking. The uncertainty around Brexit's impact on GDPR compliance adds another layer of complexity for transfers between the U.K. and the EU. Data privacy teams will need to introduce processes to assess the risk of each transfer (a transfer impact assessment) and to ensure, and document, that data subjects receive a level of protection in the receiving country that is essentially equivalent to the protection they have under GDPR. In some cases, organisations may opt to localise their processing, which will also require careful implementation and oversight from privacy experts.
What activities or developments should be expected from the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)?
One key trend to watch is the increase in CCPA litigation. There have already been instances of class action complaints attempting to broaden the CCPA's private right of action, which is limited to data breaches of personal information, and suits focusing on the security of sensitive information belonging to California residents. In addition to an uptick in privacy litigation, CCPA and CPRA, which was approved by California voters in November 2020 and becomes operative on 1 January 2023, will also drive more adoption of data privacy technologies and automation among U.S.-based organisations.
What’s the ideal reporting structure for a data privacy officer to be effective in this increasingly complex environment?
Privacy leaders serve a critical risk management role and therefore need to have a direct line to top-level management. Without this, it is very difficult to influence decisions or secure buy-in for privacy programmes. A reporting structure that reinforces accountability and C-suite involvement in privacy efforts is key. This may mean the privacy leader is aligned under the general counsel or chief compliance officer, or in some cases the CEO. Where GDPR requires a data protection officer, that officer must report directly to the highest management level and must not be instructed on how to carry out their tasks, so the reporting line is a compliance matter and not only an organisational preference. The stakes are higher than ever now for strong data privacy, and it is essential that the executives and board are supportive of data privacy across the entire organisation. The best way to achieve that is for them to hear from the privacy experts directly.
Though the barriers to achieving privacy compliance are getting higher and more numerous, it is not all doom and gloom. Privacy touches upon some of the most important social issues of our time, and organisations have an opportunity to make a real difference. There is always a choice in what is done with sensitive information, and a strong data privacy posture can ensure an organisation is simultaneously compliant and adding business value. With a proactive approach to the changes that are coming, teams can architect privacy policies and frameworks that build better businesses and remain resilient to change when it inevitably comes.