2018 was a significant year, marked by major data protection scandals and the GDPR becoming applicable in practice. Only recently have some organizations realized that they must invest serious time and effort in data protection and privacy. Doing so not only safeguards them against increasing risks, but offers a real opportunity to get closer to customers.
Good data governance should be part of the organization’s DNA and needs to combine the benefits of technology and human intelligence to ensure that the right information and systems are kept secure in the correct way to achieve real customer trust.
2019 will not be any less challenging, and data protection and privacy shouldn’t be treated as a tick-box exercise, but rather a long-term proactive journey, as changes in legislation will continue to evolve on a global scale.
With that in mind, we can expect the following key privacy trends to look out for in 2019:
When good data governance is simply not good enough
In 2019 expect to see exemplary data governance as a key pillar of the risk agenda.
Most organizations will claim that they have an array of IT, security and governance policies, and that these have been in place for many years. However, evidence suggests that these policies are generally not enforced, which is why so many companies now find themselves unable to pinpoint exactly where their data is, who has access to it and whether it is suitably protected. Companies fall into a false sense of security by assuming that having a policy means having effective controls. Saying you do the right thing is not enough; you need to be able to prove it.
Simply telling a user not to do something is not enough, and 30 minutes of eLearning once a year is not enough either. For policies and processes to be enforceable, they need to be able to detect, react and adapt to change. This means going beyond auditing and requires a deeper level of operational implementation. Policies and controls need to be automated, with the ability to proactively prevent a policy violation, whether deliberate or accidental. This automated and predictive approach needs to be implemented quickly and efficiently, and most governance departments are currently not equipped to respond in that way. They are back-office functions, often only becoming aware of a violation or data breach when it is too late.
So simply having good data governance is not good enough; it must be exemplary, enabled by technology and a visible part of the business if it is to be truly effective.
Digital services built on trust and transparency will be the differentiator
In 2019, the drive for digital and the adoption of cloud services will continue unabated. Those organizations that choose to operate from a place of trust and transparency, that go the extra mile and do the right thing not because they need to but because they want to, will achieve differentiation in a digital world.
The GDPR, like other similar laws and regulations, may seem vague in places and can be open to interpretation. It has to apply to the small organization as much as to the international one. We see statutory authorities, lawyers and data protection experts debating the small print, trying to make sense of each line and potential loophole. However, considering that such laws take many years to be passed, some of the principles of the GDPR may already be out of date and may not reflect current practice.
The move to digital and innovation in technology are happening at such a rapid pace that laws and regulations are often playing catch-up. The GDPR and similar regulations should therefore be viewed as a minimum baseline, not a ceiling.
Often, when we measure maturity, we notice a difference between those that need to do it and those that want to do it. That distinction between need and want is key. If you think of data protection and privacy simply as a tick-box exercise that you need to do, you miss the bigger opportunity: the opportunity to get closer to your stakeholders, and the opportunities that competitors have already seized. It is about proactively responding to the here and now and to the changing environment. When you answer the question with "I didn't do it, because I didn't need to," then something is wrong.
Privacy designed for the people, by the people
In 2019, we will stop looking at people as the weakest link, and consider how we empower them to be the strongest link as advocated by such institutions as the UK National Cyber Security Centre.
It's easy to think of data as just a commodity, measured in gigabytes and terabytes, with a cost to store and protect it. Even when we look at what the data relates to, "data subject" is such a bland term that we forget the data relates to real people, with real emotions. After all, we are all data subjects, whether as employees or consumers, and we all expect our data to be well managed, secured and not exploited for monetary or political gain.
So rather than referring to personal data as a commodity or by a bland term, we need to consider the context of the data and the actual harm if it were revealed. A good example is a "name and address." At face value, it can be argued that this information is already in the public domain, yet if we consider it from the viewpoint that this is actually the "name and address of a child who has been taken into care," we start to view the data from a different perspective. We start to think about the sensitivities of that data and the controls that need to be in place to safeguard and protect it.
For privacy-by-design to truly work and be embedded in everything we do, we need to take a step back to understand the data so that privacy is designed for the people, by the people. After all, if we are not doing it for the people, then why are we doing it at all?
The calm before the enforcement storm
In 2019, we can expect to see high-profile violations and even prosecutions against the abuse of personal data.
Since the GDPR became applicable in May 2018, statutory authorities have reported a surge in data protection complaints and breach notifications. Increased media coverage, heightened consumer awareness and the prospect of reputational damage mean that organizations must take more ownership of, and accountability for, how data is collected, stored and processed.
As digitization permeates every aspect of individuals' lives, the use of people's data will become central to their sense of self-determination. There will inevitably be a public debate about the balance of power and control between organizations, governments and individuals, and about the trade-offs between convenience and efficiency on one hand and privacy on the other in a digitized society. This is particularly relevant in the context of the forthcoming ePrivacy Regulation, which is expected to introduce further controls.
Now is not the time to be complacent. Savvy organizations must take proactive and decisive action to manage their risk and make privacy a fundamental part of their DNA if they are to avoid becoming the next big headline.
Want to know more? Don’t miss our Top 10 Cyber Security Predictions from our leading experts on what’s to come.