Paying attention to data privacy and security is no longer optional. 2020 witnessed several landmark data protection and privacy events, including record-breaking fines for HIPAA violations, the handing down of the Schrems II ruling from the European Court of Justice, and the start of enforcement of the California Consumer Privacy Act of 2018 (CCPA). EU data protection authorities levied multi-million Euro fines on companies for GDPR violations, in spite of the battle against Covid-19.
The global privacy legislation landscape has shifted considerably during 2020, with consumers placing an even higher value on their data rights following several high-profile breaches. From an international hotel chain, which exposed the information of millions of guests, to the recent data leak from a high-profile pharmaceutical giant, which revealed the personal and medical information of hundreds of patients, data privacy is driving both today’s headlines and the tech initiatives of tomorrow.
As we near the end of the year, 2021 promises to be equally tumultuous. With the prospect of CCPA-like laws from New York and Washington state, the resolution of privacy complaints against some of the world's largest technology companies, the impending Brexit deadline and a new playbook for businesses conducting trans-Atlantic data transfers, the next 12 months is set to drive enterprise-wide changes lined-up by all that 2020 threw at the world.
Here are some of the most significant data privacy trends and milestones that we’ve observed across the world throughout 2020.
A push for data privacy regulations worldwide
Since the implementation of the General Data Protection Regulation (GDPR) in 2018 and subsequent fines levied for data protection violations, it was only a matter of time before similar legislation was passed in the US. Following the January 1, 2020 enforcement date of the California Consumer Privacy Act (CCPA), many other states have since implemented similar data privacy regulations; these include Washington, Texas, New York, Massachusetts, and others. However, this growing patchwork of state data privacy laws is making the scope of data privacy in the US more complex for both businesses and consumers.
The push for national data privacy laws extends far beyond the US. Many other countries have been inspired by Europe’s GDPR to take data privacy regulations to the next level. Brazil has recently passed the General Data Protection Law (Lei Geral de Proteção de Dados Pessaoais, or LGPD), which came into effect in August 2020. India is also likely to pass the Personal Data Protection Bill in 2021, following the introduction of the legislation in 2019.
Data privacy is a higher priority for consumers following the pandemic
With several high-profile data breaches, and an increased emphasis on data privacy worldwide, is resulting in more consumers choosing to engage with businesses that meet higher standards of data privacy.
As enforcement ramps up, it’s important for businesses to remain transparent with consumers. Businesses that go above and beyond to protect customer data will stand out to consumers as they exercise their rights to data privacy. In fact, 77 percent of global consumers agree ‘data privacy is essential to them’ whilst 62 percent say they will continue to use companies who explain what they do with their data.
This year, the Covid-19 pandemic has helped make data privacy more convoluted, with many people concerned the increase in health reporting and movement tracking could lead to increased surveillance - which could have a detrimental effect on consumer privacy.
It’s important to note there doesn’t have to be a conflict between privacy and the use of data for societal good, if effective privacy or data protection by design approaches are adopted. If privacy and ethical considerations are given thought in advance, they can improve the value and the ability of these analytics and these data programs to effect change. Ultimately, if it's well recognised that data is being collected and processed in a way that's both ethical and privacy compliant, these programs will be more willingly accepted by the public, resulting in greater public buy-in and more impactful results.
In fact, Gartner predicts that privacy-enhancing computation will be one of the main drivers of change that we’ll see in 2021,stating the Internet of Behaviours (IoB) - which captures the ‘digital dust’ of people’s lives and uses the information to influence behaviour – will present significant challenges to businesses when it comes to the use and storage of personal data. As more information becomes available and the technology which collects and analyses this data grows more sophisticated, the IoB may be rejected by consumers if it doesn’t offer benefits to them.
The pandemic has, in fact, highlighted to consumers the control they should have over their data. Therefore, now more than ever, it is key for brands to be actively adhering to data privacy regulations and acting transparently in order to regain and retain loyalty.
More emphasis on data privacy training for employees
As the consequences for data breaches and non-compliance become more serious, businesses are investing in more in-depth data privacy training for staff members. Because non-compliance can cost millions, businesses must ensure data privacy standards are maintained across the board. Data privacy isn’t limited to just financial services and IT professionals - these high standards for data stewardship must be followed by all departments in all industries which handle customer data.
The bottom line is, of course, that there is now a responsibility to embed data protection ‘by design and by default’ into the business strategy and structure. That extends to your staff and their need to be aware of the risks involved in processing personal data and how to mitigate those risks. In both cases, data privacy and compliance requires continuous learning and reinforcement. As in other fields, continuous learning helps people to apply what they have grasped in practice, contributing to a culture of data safety within an organization.
Don’t forget about Brexit
Businesses have been so preoccupied with the challenges presented by Covid-19, that they have been distracted from Brexit. But with limited time to go until the transition period ends on 31 December 2020, businesses find themselves with a series of data protection, privacy and governance challenges to overcome.
Organizations must take stock of the personal data they hold to distinguish between data acquired before the end of the transition period and after, to comply with EU data protection law or data protection provisions of a withdrawal agreement, as the case may be.
Whichever applies, it is likely that businesses will need to update their documentation and privacy notice to expressly cover any resulting data transfers and formulate a communication plan to notify data subjects about updated privacy notices.
Ultimately, Brexit is sure to introduce complications which will need to be considered before the end of the year.
Striking the balance
Data protection and privacy issues have continued to attract considerable attention over the last year, particularly as many companies ramp up digitalization of their products, services and internal processes. While the trend toward increased digitalization has gained momentum, the unique circumstances of 2020 and the challenges created by Covid-19 have intensified those digitalization efforts – and in doing so substantially increased the spread of technology which has brought related data protection and privacy concerns to the forefront of conversations around ethics.
Consumers are aware now, more than ever before, of their rights under the GDPR and other data privacy regulations around the world. With breaches hitting the headlines regularly, 2020 has been the year where consumers have started to ask more nuanced questions and demanded more control over where organizations are storing data and how they are protecting that data – demanding organizations make transparency a reality.
Fuelled by the influx of data breaches and the systematic misuse of personal data, consumer data privacy and control will continue to be a huge focus in 2021 and beyond. We can expect to see more legislation introduced to protect consumer rights and hold businesses accountable for any irresponsible data usage. Alongside this, Forrester predicts that regulatory and legal activity related to employee privacy will double, as consumer demand, innovation and the pandemic ‘ignite’ employers’ desire to collect, analyse and share the personal data of workers.
To cultivate trust and improve customer experience in an increasingly competitive business landscape, more organizations will look to give consumers ownership and control of their personal data in the coming years. Fundamentally, by combining ethical, compliant and privacy-preserving principles with technology infrastructure built to scale for the future, society will move towards a system where the value of data will benefit both individuals and enterprises alike.