The Privacy Web: A Look into Where Personal Data Protection Stands Today and Where It’s Headed
Nowadays, data collection and processing bring billions of dollars to companies around the world. To make businesses more successful, they need insights about their customers, and that often requires collecting and storing personal data, including personally identifiable information (PII) and other sensitive information. Virtually all organizations process consumer data, and some companies even build their business around it. Personal information is currently highly marketable.
Daily, hourly and from moment-to-moment in our increasingly digital age, people generate innumerable data points about the things they prefer to do, buy, eat, drink and even think. Essentially, they’re giving themselves away through their digital exhaust, the processing and analysis of which helps companies better understand and serve their customers. This data allows companies to set out and achieve not just their strategic goals and objectives, but to engage deeply with customer behavior, create long-running exchanges, and fully understand contexts and trends.
PII Privacy & Protection
Not long ago, companies could use personal data without strong legal regulation, but not anymore. Today, governments recognize the importance and criticality of personally identifiable information (PII) and, more and more, they strive to guarantee privacy and protection from unfair use and loss of identity.
PII is information that can be used to distinguish or trace an individual’s identity. PII involves a wide variety of data that, if compromised, can harm, embarrass and inconvenience an individual. Consequently, personal data protection and privacy is gaining momentum and has become a critical topic in digital society in the information age.
In short: data privacy affects everyone—and it must be managed properly.
Individual attitudes toward personal data are changing. We see a movement forming around the idea of “data as a property right,” which would give people more control over their data and, potentially, enable them to earn money when companies use it.
At the same time, this potential empowerment doesn’t neutralize a business’s obligation to use PII fairly. It might even lead to the establishment of more restrictions, limiting a company’s ability to access and use PII.
Improper PII Management
Inadequate use, protection, loss or leakage of personal information can cause businesses serious financial and reputational losses. Facebook’s data privacy scandal, in which the PII of upwards of 87 million people was accessed by the political consulting firm Cambridge Analytica, is one of the most notable recent examples. Multiple factors enabled third parties to access Facebook users’ personal information: inadequate data security at developer companies on one side, and broad conditions and a lack of privacy rights in user agreements on the other.
As a result of the incident, Cambridge Analytica and Facebook suffered the following financial and reputational losses:
- SCL Group, which owns Cambridge Analytica, was dissolved
- Cambridge Analytica indicated that "the siege of media coverage has driven away virtually all of the company's customers and suppliers"
- Cambridge Analytica was investigated by the FBI and the Justice Department
- Apple co-founder Steve Wozniak warned users to get off of Facebook
- The FTC announced a $5 billion settlement with Facebook over user privacy violations
PII Protection & Privacy Laws
The EU’s General Data Protection Regulation (GDPR) established obligations for businesses and rights for individuals, backed by data privacy requirements and fines for violators, and in doing so set a new precedent for PII regulations around the world.
In the US, for instance, strict data and consumer privacy regulations are popping up, designed to give individuals a modicum of control over how their data is used. In California there’s CCPA; in New York, NYPA; in New Jersey, the New Jersey Privacy Bill; and so on. Brazil established the General Data Protection Law (LGPD), which applies to all commercial entities that interact with PII. Switzerland will update its Ordinance to the Federal Act on Data Protection (DPO) in 2020. India is set to approve its Personal Data Protection Bill, which also focuses on securing the processing of Indian citizens’ PII.
The point is: it’s crucial to keep an eye on new and updated privacy laws in order to be prepared and avoid last-minute scrambles as compliance effective dates approach.
Data Protection & Privacy Regulatory Compliance Management Lessons Learned
Today, no business is immune to the challenges of data privacy regulation. Under the new DPP laws, all businesses, big and small, must navigate legal requirements: understanding what the requirements are, identifying which ones apply to them, figuring out how to meet them, and building an effective data privacy and protection compliance program for their organization.
The need for a data-protection compliance program is becoming increasingly important. Noncompliance and/or weak compliance with data privacy legal requirements and inefficient data protection can lead to significant issues and financial and brand impacts, as we saw with Facebook. If a company doesn’t control, or loses control of, its data, and doesn’t know where it is and who has access to it, how can it maintain the necessary level of data protection, prevent further data leakage and avoid cases of unfair data processing?
Some examples of data being improperly controlled are when:
- An employee copies and pastes PII into an email, for ease of use
- A company allows unused PII to sit forgotten in archives
- Someone has a laptop full of credit card numbers because they needed to work from an area with no internet and downloaded the data
- An organization stores unused data that really has no value
And where to start? First, you must identify what your risks and obligations are. Here are the questions to answer when building a data-protection compliance program:
- What are the privacy and data protection regulations with which the business must comply?
- What information is considered PII under each applicable law?
- What information should be protected/secured, and what level of data classification is required?
- What data may be processed, and under what conditions?
- Where is this information stored in the organization? How is it used, and with whom is it shared?
- Do you have a data retention policy?
- Is an information protection framework in place?
Next, the organization must decide how best to execute its business goals while meeting regulatory compliance obligations, and apply the appropriate protection framework for PII.
An effective data protection strategy requires the involvement of all interested stakeholders. C-level support is essential here. At the same time, it’s important to keep the end user in mind, as well as those who will be involved in integrating protection and privacy solutions.
Future State
“Privacy” is becoming a feature that consumers seek out when using or purchasing a product, similarly to how consumers have increasingly desired more “organic,” “fair trade” and “cruelty-free” packaged goods in the past decade. People are now demanding more transparency regarding their data privacy, and they want to be able to control how their data is collected, used and shared.
Today, it’s not enough for organizations to merely establish data protection controls; data privacy must now be a strategic priority for them. In fact, Gartner predicts that “by 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today.”*
The worldwide rollout of comprehensive data privacy regulations will continue to expand, and companies must ensure compliance. Otherwise, the financial and reputational costs they face are immense. Moving forward, effective data-privacy management will be unavoidable for organizations. Regulators are starting to require organizations to do their own baseline data privacy work, such as audits and pen testing. There are two options going forward: companies can regulate themselves, or they can wait to be required to do so. The smartest organizations will get moving on this as soon as possible. How smart is your company?
*Smarter With Gartner, Gartner Predicts for the Future of Privacy 2020, Jan 2020, https://www.gartner.com/smarterwithgartner/gartner-predicts-for-the-future-of-privacy-2020/