If anyone had doubts as to whether data privacy is “the new normal,” the events of 2019 put them to rest.
Regulatory authorities in Europe proved that GDPR means business, announcing proposed fines of more than $100M each against global heavy-hitters Marriott and British Airways. The state of California continued preparations to bring GDPR-like regulation to the United States with CCPA, which goes into effect January 1, 2020. Maine, Nevada, and Vermont passed new state privacy laws while pressure for a U.S. federal law continued to mount. The New York and Washington state legislatures proposed bills that were in some respects more ambitious than CCPA; although neither passed during its 2019 legislative session, they could signal a trend toward even more comprehensive privacy legislation.
As we embark on a new decade, we’ve identified four trends that companies will want to watch as data privacy becomes standard practice for businesses of all sizes across all industries.
1. More laws on the way
Back when businesses were first starting to prepare for GDPR, some organizations addressed the regulation by segmenting their EU customers and implementing privacy measures for those populations … only to have to repeat the exercise when CCPA came along.
Data privacy is no longer about complying with a single law or adjusting practices for a single group of data subjects. With more state laws on the way and the possibility of federal legislation looming, it’s just a matter of time before nearly every company is affected by one or more data privacy regulations.
While these laws differ in the details, they share one core requirement: companies must get a handle on the personal data they hold, including how and why they gather it, where it goes (inside and outside the organization), who has access to it, what is done with it, how it is protected, and what happens to it when it is no longer needed. By mapping the big picture of the entire data lifecycle, starting with business processes rather than systems, and conducting a thorough inventory, organizations can lay a foundation that lets them adapt as each new regulation arrives instead of starting over.
2. Privacy litigation on the rise
Forrester Research recently confirmed that consumers are increasingly concerned about how their data is collected and used — and increasingly willing to take active measures to protect themselves. The result? Forrester predicts that 2020 will see a 300 percent increase in privacy class-action lawsuits.
Unlike GDPR, CCPA grants consumers a private right of action with statutory damages: a California resident whose unencrypted personal information is exposed in a breach resulting from a business's failure to implement reasonable security can sue for $100 to $750 per consumer per incident (or actual damages, whichever is greater) without having to prove individual harm. Note the scope: that private right of action covers security breaches of this kind, not every CCPA violation; the rest of the law is enforced by the state Attorney General. If $750 doesn't sound like much, consider this: the average data breach in the United States involves around 25,000 records. Given that California accounts for about 12 percent of the U.S. population, roughly 3,000 of those records would belong to California residents, and at $750 each a single breach could expose the company to about $2.25 million in statutory damages under CCPA, over and above any regulatory fines.
For organizations that have yet to prioritize data privacy in the hope of flying under regulatory authorities' radar, the very real risk of privacy litigation and its associated costs should be a wake-up call.
3. Customers, partners, and potential acquirers are watching
The combination of new privacy laws and high-profile scandals such as the Facebook-Cambridge Analytica affair has brought data privacy into the mainstream spotlight. Consumers are educating themselves on how providers use their data and proving their willingness to walk away from those who use it irresponsibly.
In the B2B world, potential business partners and acquirers are incorporating data privacy reviews into their standard due diligence practices. For companies looking to partner with European firms, GDPR readiness is now considered table stakes, and we will likely see similar behavior among California firms when CCPA goes into effect. In M&A deals, acquirers are demanding evidence of a sound data privacy program from potential targets, and with good reason: in a recent study by Merrill Corporation among M&A professionals, 55 percent of respondents cited the target company's data privacy practices as the primary reason for a transaction to fail. It is also worth noting that one of the first major GDPR enforcement actions, the proposed fine against Marriott, arose from a breach of Starwood's guest reservation database that began before Marriott's acquisition of Starwood Hotels and went undetected for years; the regulator faulted the due diligence Marriott performed in that acquisition.
4. Greater emphasis on employee training and reinforcement
In the rush to implement the operational aspects of data privacy readiness, it’s easy to overlook the need for an effective employee training program that includes regular reinforcement.
Chances are your staff has received the training they need to keep your organization in line with the privacy laws that apply to you. Can you be certain that they’ll know what to do if, say, a customer calls to exercise her right to be forgotten … six months from now?
In a recent webinar, we explored how little information is retained after training: within one month, most people forget about 80 percent of the material they learned. The best remedy for this “forgetting curve” is reinforcement through solutions like gamification, which can reinforce data privacy training on a daily basis in a format that’s fun and engaging for employees — without interfering with their work schedules.
Remember, the goal of data privacy training is not simply imparting information — it’s changing behaviors, and that’s where daily reinforcement delivers.
With GDPR in force, CCPA on the way, and other U.S. state laws either in the works or already in effect, 2019 will likely be remembered as the year data privacy became a permanent fixture in the business landscape. No longer can companies get away with simply adjusting a policy here and there or segmenting customers who fall under a specific law. Nor can organizations limit their concerns to the possibility of fines from regulatory agencies (“if they catch us …”). Customers, business partners, and potential acquirers are all watching what you do to keep personal data safe and private — regardless of which laws apply to you. In 2020, we can expect to see more of the same … and then some.
Executive Team member Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by Information Management, American Banker, International In-House Counsel Journal, and other national and international organizations.