It’s the dawn of a new year, and a new decade. Whether you run your own business, or hustle with your team, it’s a perfect time to set new goals. What do you intend to improve in your organization for 2020? If you've been brainstorming since that first glass of champagne, consider privacy. Here’s why cleaning up your organizational privacy practices should be a priority resolution in the new year.
Keep calm and GDPR on
Two years ago this coming May, the world’s most extensive privacy legislation came into force. Now the General Data Protection Regulation continues to make waves. Depending on your point of view, the law is either a somewhat success or failure. For those under investigation, poor practices are proving to be costly. To date, the website Enforcement Tracker lists 163 fines for GDPR compliance failure. Costs range from 204 600 000 Euro in the United Kingdom, to as low as 500 Euro in Bulgaria. Enforcement tracker is careful to note however, that it can only watch public fines. This suggests more fines are out there.
Others fret the law isn’t doing enough. Experts, according to Nicholas Vinocur with Politico, are denouncing the regulation as ‘toothless’. Investigations are the slow, appeals drag on, and enforcement cannot keep pace with the sheer volume of violators. Meanwhile, more changes are on the way. The e-Privacy Regulation, a law intent to limit online tracking, continues to see revisions. Politics are also a factor. According to Arj Singh writing with the Huffington Post, Brexit will be on the table early in the new year. Yet as Elaine Grey with Carey Olson comments, if a no-deal Brexit happens, the country will likely become a "third country" under the GDPR. How will British companies deal with stiffer requirements to process EU resident data? Without the GDPR, what will the United Kingdom use as a replacement?
Oh Canada...
In Canada pressures mount for stronger regulation. From the 2018-2019 Annual Report to Parliament, the Office of the Privacy Commissioner (OPCC) asserts the Canadian government now agrees its is time for reform. Commissioner Daniel Therrien issues that "the question is no longer whether privacy laws should be modernized, but how."
Poor privacy by organizations including LifeLabs, Air Canada and StatsCan have officials talking. More pressure is also sure to mount if rumours are true and PIPEDA is no longer adequate under the GDPR. Canada’s review of adequacy is due in 2022; given trade interests including CETA, that’s a potential back step politicians won’t want to risk. In short, the rise of stronger privacy regulations is only beginning.
Privacy changes coming to country or state near you?
While Canada considers new changes, other countries are already moving forward. In November of 2019, Kenya enacted a new Data Protection law. Brazil’s new General Data Protection Law goes into effect in in February 2020. Already businesses in the United States are scrambling with the California Consumers Privacy Act (CCPA), and Bill 327. The CCPA demands transparency over data sharing, and individual access to personal information. Bill 327, while vague, requires safeguards built into . In Washington representatives are battling out how a federal privacy legislation might look. Writing for BankInfo Security, Suparna Goswami states bills are on the table, but don't expect progress soon.
How many data breaches are we up to anyway?
If regulators are getting fired up, it’s because self-regulation isn’t working. Data breaches are so common now even the larger ones soon become old news. Counting down the year’s top hacks, Lifehacker’s David Murphy quips it’s “a surprise if you haven’t been hit by at least one, if not more”. Meanwhile, hackers have no reason to slow down. In its 2019 Global Risks Report, the World Economic Form rates data fraud or theft as the fourth most likely. Attackers are learning there's money in stolen data, both by selling individual records and entire databases. Ransomware is also a money maker; according to the Verizon Data Breach Report, it's 2# on the list of most-used malware.
The sad reality is many organizations still aren’t doing enough for security. “It baffles me,” Murphy writes, “that companies don’t provide stronger protections for user accounts.” The tools and skills to protect your business are out there. Compiling a list of 2019 security statistics for Comparitech, Andra Zaharia points out that 88% of data breaches can be classified into one of nine patterns. Take a look at your organization’s security strategy and ask what layers of protection are active. If you don’t have a strategy, time to make one.
Privacy is becoming a competitive power play
Looking for an edge to your business or product? Security and privacy are an excellent place to start. Looking ahead into the future of technology, management firm McKinsey & Company projects Internet of Things devices to reach 43 billion by 2023. As more smart devices are expected to enter the market in the new year, customers will be comparing brands, and looking for differentiators. This includes privacy protection. While consumers won’t stop buying connected devices anytime soon, there’s evidence that many still prefer less intrusive alternatives. Writing for Home Theatre Review, Dennis Burger wrote what many of us are thinking: “I just want a dumb TV.”
Already big players are taking notice. In December, social media platform Twitter updated its platform with more details on user data shared with advertisers. While part of the move is compliance with the CCPA, Twitter’s decision to unveil the change worldwide suggests they see brand benefits to be seen as more privacy conscious. Writing for Venture Beat, Cellian Kieran suggests “it’s not crazy to decide that winning on trust can make a real long-term difference to user numbers and bottom line.”
Privacy and security are now elements of customer service. Have a strategy that can show accountable information practices. Dive deep to understand what information you’re collecting, and work with the UX team. Are there ways you can serve users with less information? Can you better inform users how you'll be using their information? What about device security? Have a talk with developers. Are they aware of security safeguards they could be implementing? If they need help getting started, try the "Pushing Left Like a Boss" series by Tanya Janca, a popular keynote at information security events.
One thing is certain: your users want better
A Pew Research Study on American privacy opinion made it official: users don’t actually *like* handing over their data. They do it because they feel they have no choice, and as they do so mistrust is growing. When polled, 81% of Americans revealed that they feel they have little to no choice in data organizations. 81% also feel the risks of data collection outweigh the benefits. In Canada, the news doesn’t get better. According to the OPCC, 92% of Canadians are concerned over protection of their privacy. The more we become aware of how our information could be used against us, the more we’re becoming creeped out.
Most recently, in "Twelve Million Phones, One Dataset, Zero Privacy" the New York Times reveals staggering realities of how powerful a little data can be. As the editorial board states:
"There’s no reason that data needs to be gathered surreptitiously, stored forever in a manner that puts privacy at risk and allowed to be sold to the highest bidder."
In short, users are waking up to the surveillance side of the personal information economy and looking for ways to get out. It will be curious over the next decade to see how it plays out.
Image by Jan Vašek, via Pixabay