Data Privacy Day (Jan. 28) is an opportunity to step back and assess our awareness of this fast-evolving risk. Impacts of the General Data Protection Regulation (GDPR) have already been felt. States from Maine to California have recently enacted privacy, data security, cybersecurity, and data breach notification laws. Hundreds of bills are pending in states across the U.S. and other countries around the world. At the U.S. federal level, several bills are slogging up Capitol Hill.
As these efforts continue to come together, organizations need to be prepared. Here are my six data privacy predictions for 2020.
1. The definition of sensitive data continues to expand. The risks associated with insecure biometric and geolocation data have already been widely discussed. However, some legislators in the U.S. will expand their scope to include web browsing history in their protection efforts. Legislation has been proposed where the definition of sensitive data includes "information revealing online activities over time and across third-party websites or online services." If these requirements take shape, organizations will be hit with a new level of complexity.
2. CEOs are required to certify compliance. There are several proposed bills in the U.S. that include requirements for the CEO and/or chief data privacy officer to certify compliance. These include the threat of penalties on individuals who violate the law. Could data privacy be the Sarbanes-Oxley Act of this decade?
3. Privacy and cyber strategies are combined. Organizations will develop enterprisewide strategies encompassing cyber and data protection, rather than relying on the disparate efforts led by a few individuals with expert knowledge that we currently see. This will include breaking down the walls between technology and nontechnology-based cyber and data protection teams to create holistic, end-to-end solutions.
4. Third (and fourth) parties grow in focus. The focus on third parties in relation to privacy isn't new. There have been several examples of organizations hacked via third-party relationships. There will continue to be a big focus in this space. The next step is for organizations to get a better understanding of how third parties are sharing data with fourth, fifth, and sixth parties. How is data from the organization being used, stored, and accessed by these parties?
5. Data graveyards are addressed. For most organizations, their ability to produce and/or collect data has far surpassed their ability to use it effectively. Data graveyards are where all of that data goes to die. Unfortunately, that data becomes a privacy and compliance risk. For example, a German real estate company was just fined almost $16 million for retaining data in its graveyard for longer than necessary.
6. Data privacy becomes a strategic advantage. Consumer attitudes around privacy will continue to shift. Beyond just protecting themselves from reputational damage, organizations will realize the goodwill that can be created when data privacy is managed well.
As data privacy laws continue to develop, I anticipate boards will spend more of their time focused on this risk. Internal auditors need to maintain awareness of changes and build a strong working relationship with legal and compliance to address proper oversight.
As we see legislation expand in this area, it is time for internal auditors to help their organizations celebrate Data Privacy Day and bring notice to the good work they are doing for their clients, customers, and employees.