We’ve seen a record number of data breaches in the past couple of years. Sizable fines assessed in response to these violations suggest that regulators are becoming increasingly serious about holding organizations accountable for failing to properly protect consumer data. Some of the highest-profile cases of this shifting regulatory dynamic include:
- Equifax will pay up to $700 million in fines and monetary relief over a 2017 data breach at the credit reporting agency that affected nearly 150 million consumers.
- Facebook paid a $5 billion fine as part of a settlement with the Federal Trade Commission (FTC), by far the largest penalty ever imposed on a company for violating consumers’ privacy rights. The FTC fine is nearly twenty times greater than any other privacy/data security penalty that has been assessed anywhere in the world and is one of the largest fines imposed by the U.S. government for any type of
- In July, Britain’s Information Commissioner’s Office (ICO) announced that a U.S. hotel group will become the second organization to face a large-scale General Data Protection Regulation (GDPR) penalty. The hotel group, which suffered a data breach in 2018, could face a fine of over $125 million.
- Here in the U.S., a hacker associated with a third-party hosting provider gained unauthorized access to the personal information of approximately 100 million credit card customers. This breach also exposed the personal information of six million credit card customers in Canada. Litigation is ongoing, but observers expect that the credit card company could be saddled with a fine of anywhere between $100 million and $500 million.
The effects of these breaches on consumer confidence and patience are mounting. In fact, a 2019 Pew Research Center study found a consensus among consumers that data privacy and security is more elusive today than it has been in the past. When asked whether they think their personal data is “less secure,” “more secure,” or “about the same” as it was five years ago, 70 percent of adults chose the first response. Only six percent believe their data is more secure today than it was in the past, which makes organizations’ adherence to data privacy best practices a key differentiator in today’s markets.
SEI has helped numerous large and mid-sized organizations become compliant with regulations like GDPR and the California Consumer Privacy Act. Based on this extensive experience and our robust expertise in this space, here are five key trends that we believe will shape data privacy and protection in 2020 and beyond:
- Data ethics will evolve from a simple compliance concern to an organization-wide issue. This evolution will require senior leadership to translate data ethics considerations into an actionable approach to budgeting, designing, and implementing a trusted end-to-end data ecosystem — and figuring out how to monitor this ecosystem to ensure it is operating appropriately.
- “Data privacy engineer” will rival “data scientist” for the title of “Sexiest Job of the 21st Century.” In 2012, Harvard Business Review dubbed data scientist “the sexiest job of the 21st century.” Nearly eight years later, as the explosion in data collection points and data volumes continues to increase demand and regulatory regimes become stricter and/or more common, a new title is emerging to ensure an organization’s data-driven goals do not overshadow the importance of respecting and protecting consumers’ privacy: data privacy engineer.
- The NIST Privacy Framework will become the gold standard for data privacy. This voluntary framework is designed to help organizations engage in ethical decision-making, future-proof their products and services (from a compliance perspective), and improve their externally facing communications. Adopting the NIST Privacy Framework will enable organizations to build trust among their customers by better identifying, assessing, and managing privacy risks.
- Investment in enterprise-grade automation will rapidly increase. Artificial intelligence- and machine learning-based automation platforms can help organizations improve the accuracy and efficiency with which they manage privacy and compliance issues and requests. These platforms can distill voluminous regulatory documents, notify key stakeholders of regulatory changes in nearly real-time, and monitor organizations’ adherence to all relevant regulations.
- Things will get worse before they get better. California and Nevada will serve as catalysts for a fragmented U.S. privacy compliance landscape. That said, as state penalties start to be assessed, organizations should keep an eye out for early signs of a comprehensive federal privacy law that will simplify and standardize the data privacy protections that are afforded to all Americans.
Against the backdrop of rapidly emerging privacy laws, organizations must make a concerted effort to rethink their approaches to data use and protection — not only in terms of what they’re doing today, but in terms of scenarios that may unfold in the future.
In short, this means organizations still have a great deal of work to do to ensure they are not only compliant with the regulations of the day but are equipped to adapt to changing social norms and consumer expectations and build trust in how they’re using technologies to ethically collect and use consumer data.