By Aoife Sexton, Chief Privacy Officer and Chief of Product Innovation at Trūata
As consumers become more aware of how modern digital technology can erode their privacy, governments are responding by introducing new laws at speed. It is a trend that shows no sign of abating. Gartner predicts that by 2023, 75% of people across the world will have their personal data protected by privacy regulations, compared to just 25% today.
The volume of data privacy regulations for organisations to follow is challenging, especially for companies operating across multiple jurisdictions. However, businesses cannot risk becoming overwhelmed and paralysed into inaction if they wish to gain the competitive edge and leverage the full value of the data they have at their disposal. At the same time, compliance with privacy laws should not become a mere tick-box exercise. With digital trust at a tipping point, adopting a privacy-centric mindset is now a business imperative.
Our recent Global Consumer State of Mind Report found that nearly half (48%) of consumers feel they have lost control over how much data is stored about them and 76% believe that the onus should be on companies to protect personal data. This presents an opportunity for businesses to build bridges and retain trust by demonstrating the value they place on privacy. After all, 69% of consumers said they are more likely to be loyal to a brand if they are seen to use their personal data appropriately and responsibility. Losing sight of the human factor could become costly for companies in the long run.
A shifting landscape
Navigating the various international privacy regulations that have been introduced to protect the data that businesses collect, process, store and share has never been more challenging. The key principles of transparency, data retention and security are a constant presence, but the landscape continues to shift on almost a weekly basis.
From East to West, the privacy landscape is evolving at pace. More recently, the Chinese parliament has passed a new privacy law, which is due to come into effect on 1st November 2021. This law, the Personal Information Protection Law (PIPL) follows months of state input in tightening regulations on the collection of user data, which has already led to several popular apps being banned in the country. Along with the Cybersecurity Law and the Data Security Law, PIPL will form an overarching framework to govern data protection, cybersecurity and data security in China for years to come.
In the US, the California Privacy Rights Act (CPRA) will become fully operative from 1st January 2023 and will apply to all personal information collected by businesses. This act will amend and supersede the current California Consumer Privacy Act (CCPA) and make various changes to the rules on the processing of sensitive personal information, in addition to amended consumer data rights.
This is not the end, though. Several other countries are expected to adopt new or amended regulations in the foreseeable future. In India, the Personal Data Protection Bill (PDP), is currently in front of parliament to approve. The bill includes specific requirements on the use of individual data, limitations on the purposes for which data can be processed by companies, and restrictions to ensure that only data necessary for providing a service to the individual in question is collected.
Then there is the EU’s ePrivacy Regulation designed to regulate the use of electronic communications services. It was originally intended to come into force in 2018 alongside the General Data Protection Regulation (GDPR) but has been delayed. A finalised text was agreed earlier this year by the EU Council that moves the ePrivacy Regulation into a new phase of negotiations amongst the various EU institutions. Nevertheless, the exact date it will come into force is still anyone’s guess.
A proactive solution
For organisations, the dramatic expansion of privacy regulations has meant data protection has evolved from being a sole component of the Legal or Compliance functions in an organisation to now impacting a wide range of other functions which include IT, Marketing, Product, Security and Data Science.
Forward-thinking organisations are looking towards a range of privacy-enhancing technologies (PETs) so they can continue to leverage their data efficiently and effectively. When every transaction involving personal data needs to be carefully reviewed against constantly evolving regulations, the need for robust, automated processes is essential to be able to move data strategies forward at pace while preserving the privacy rights of individuals.
Both pseudonymisation and anonymisation have come to the fore of commercial conversations surrounding PETs and effective approaches for retaining analytical utility while protecting personal privacy. However, while both have their place, there are important differences between the two.
With pseudonymisation, the data is transformed such that no data can be attributed to a specific individual without the use of supplementary information. This usually means that direct identifiers within the data are made illegible. However, with anonymisation, both direct and indirect identifiers are surfaced and usually transformed, since the end game is to ensure that the controller or another party, while using all means reasonably likely – such a singling out – cannot identify an individual person.
A priority for boardrooms
In today’s digital world, companies are collecting and processing personal data at an unprecedented level. In fact, as much as 44 times the amount of data that was collected in 2009. Whilst keeping up with evolving privacy requirements is a challenge for businesses, especially when working across multiple jurisdictions, ensuring personal and sensitive data is used appropriately and is held securely is becoming an enterprise-wide business priority. After all, the financial penalties for not doing so can be crippling. Already this summer, the Luxembourg data protection authority has handed out a record €746 million (£640 million) penalty and the Irish Data Protection Commission has handed out its largest ever fine of €225 million (£193m). Fines, coupled with the erosion of consumer trust and reputational damage, are causing organisations to sit up and take notice.
In an effort to boost its privacy credentials, Google has been outlining its vision for what a cookie-free web might look like. It now aims to stop supporting all third-party cookies in Chrome by 2022 and says that in the future it will only use “privacy-preserving technologies” that rely on methods like anonymisation or the aggregation of data. Similarly, Apple has placed the ability for consumers to opt out of IDFA-based app tracking front and centre in its latest iPhone update, iOS 14.5; this is a move that has been lauded by consumer groups.
The direction of travel is clear: as we dive deeper into the data decade, we will see more regulation coming into force globally and more constraints on data usage. Organisations that adopt a proactive, privacy-centric approach will be better positioned to manage regulatory risk whilst still enabling data innovation to flourish and building deeper levels of consumer trust.