As consumers become aware of how modern technology can erode their privacy, governments are responding by introducing new laws as fast as possible. It is a trend that shows no sign of abating. Gartner predicts that by 2023, 75% of people around the globe will have their private data protected by privacy regulations, compared with just 25% today.
The volume of data privacy regulations that organisations must keep up with is challenging, especially for companies operating across multiple jurisdictions. However, businesses cannot risk becoming overwhelmed and paralysed into inaction if they wish to gain the edge over their competitors and leverage the full value of the information they have available. At the same time, compliance with privacy laws should not be a mere tick-box exercise. With digital trust at a tipping point, adopting a privacy-centric mindset is now a business imperative.
Our recent Global Consumer Frame of mind Report found that up to 50% of consumers feel they've lost control over how much data is stored about them, and 76% think that the onus should be on companies to protect private data. This presents a chance for businesses to build bridges and retain trust by demonstrating the value they place on privacy. After all, 69% of consumers said they are more likely to be loyal to a brand if it is seen to use their private data appropriately and responsibly. Moving away from the human factor could become costly for businesses in the long run.
A shifting landscape
Navigating the different international privacy regulations that have been brought in to protect the information that companies collect, process, store and share has never been more challenging. The key principles of transparency, data retention and security are a constant presence, but the landscape shifts on an almost weekly basis.
From East to West, the privacy landscape is evolving at pace. Recently, the Chinese parliament passed a new privacy law, which is due to come into effect on 1st November 2022. This law, the Personal Information Protection Law (PIPL), follows months of state input on tightening regulations on the collection of user data, which has already led to several popular apps being banned in the United States. Combined with the Cybersecurity Law and the Data Security Law, PIPL will form an overarching framework to govern data protection, cybersecurity and data security in China for many years.
In the US, the California Privacy Rights Act will become fully operative from 1st January 2023 and will apply to all personal information collected by businesses. This act will amend and supersede the current California Consumer Privacy Act and make various changes to the rules on the processing of sensitive private information, in addition to amended consumer data rights.
This is not the end, though. Other countries are expected to adopt new or amended regulations in the foreseeable future. In India, the Personal Data Protection Bill is currently before parliament for approval. The bill includes specific requirements on the use of individual data, limitations on the purposes for which data can be processed by companies, and restrictions to ensure that only data necessary for providing a service to the individual in question is collected.
Then there is the EU's ePrivacy Regulation, designed to regulate the use of electronic communications services. It was originally meant to come into force in 2022 alongside the General Data Protection Regulation but has been delayed. A finalised text was agreed by the EU Council, which moves the ePrivacy Regulation into a new phase of negotiations among the various EU institutions. Nevertheless, the precise date it will enter into force is still anyone's guess.
A proactive solution
For organisations, the dramatic growth of privacy regulations has meant data protection has evolved from being solely a matter for the Legal or Compliance functions to one that affects a wide range of other functions, including IT, Marketing, Product, Security and Data Science.
Forward-thinking organisations are looking towards a range of privacy-enhancing technologies (PETs) so they can still leverage their data efficiently and effectively. When every transaction involving personal data must be carefully reviewed against constantly evolving regulations, robust, automated processes are needed to move data strategies forward at pace while preserving the privacy rights of individuals.
Both pseudonymisation and anonymisation have come to the fore of commercial conversations surrounding PETs and effective approaches for retaining analytical utility while protecting security. However, while both have their place, there are important differences between the two.
With pseudonymisation, the information is transformed so that no data can be related to a specific individual without the use of supplementary information. This means that direct identifiers in the data are made unreadable. With anonymisation, however, both indirect and direct identifiers are surfaced and in most cases transformed, because the end goal is to ensure that the controller or any other party, using every means reasonably likely, such as singling out, cannot identify an individual person.
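The difference described above can be shown in a few lines. This is an added example, not code from the original article: the records, the key and every function name are constructed for illustration, keyed HMAC is one common way to pseudonymise a direct identifier, and the smallest-group count (a k-anonymity style measure, which the article does not name) stands in for a singling-out check.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records: (name, email, birth_year, postcode, purchase)
RECORDS = [
    ("Ana Ruiz", "ana@example.com", 1984, "D02X285", "laptop"),
    ("Ben Cole", "ben@example.com", 1986, "D02Y754", "phone"),
    ("Cai Wong", "cai@example.com", 1985, "D02A123", "laptop"),
    ("Dee Hart", "dee@example.com", 1991, "D08K2P4", "tablet"),
    ("Eli Moss", "eli@example.com", 1993, "D08R7T1", "phone"),
    ("Fay Nunn", "fay@example.com", 1997, "D08W3C9", "laptop"),
]
# The "supplementary information": a constructed demo key, held apart from the data.
SECRET_KEY = b"constructed-demo-key"

def token_for(email, key=SECRET_KEY):
    """Keyed, deterministic token replacing a direct identifier."""
    return hmac.new(key, email.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(rec, key=SECRET_KEY):
    """Drop the name, tokenise the email, leave indirect identifiers untouched."""
    _name, email, year, postcode, item = rec
    return (token_for(email, key), year, postcode, item)

def relink(token, candidate_emails, key=SECRET_KEY):
    """Whoever holds the key can map a token back to a person; others cannot."""
    for email in candidate_emails:
        if hmac.compare_digest(token_for(email, key), token):
            return email
    return None

def generalise(rec):
    """Anonymisation step: drop direct identifiers and coarsen indirect ones."""
    _name, _email, year, postcode, item = rec
    return (f"{year // 10 * 10}s", postcode[:3], item)

def smallest_group(rows, quasi_cols):
    """Size of the rarest combination of indirect identifiers; 1 means someone is singled out."""
    counts = Counter(tuple(row[i] for i in quasi_cols) for row in rows)
    return min(counts.values())

pseudo = [pseudonymise(r) for r in RECORDS]
anon = [generalise(r) for r in RECORDS]
emails = [r[1] for r in RECORDS]

if __name__ == "__main__":
    print("pseudonymised, smallest group:", smallest_group(pseudo, (1, 2)))
    print("generalised, smallest group:  ", smallest_group(anon, (0, 1)))
    print("relink with key:", relink(pseudo[0][0], emails))
```

A smallest group larger than 1 is necessary but not sufficient for anonymisation: the remaining columns and any linkable external data still have to be assessed.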
A priority for boardrooms
In today's digital world, companies are collecting and processing private data at an unprecedented level: as much as 44 times the amount of data that was collected in 2009. Whilst keeping up with evolving privacy requirements is a challenge for businesses, particularly when working across multiple jurisdictions, ensuring personal and sensitive data is used appropriately and held securely has become an enterprise-wide business priority. After all, the financial penalties for not doing so could be crippling. Already, come July 1st, the Luxembourg data protection authority has handed out a record EUR746 million penalty and the Irish Data Protection Commission has handed out its largest ever fine of EUR225 million. Fines, along with the erosion of consumer trust and reputational damage, are causing organisations to sit up and take notice.
In an attempt to boost its privacy credentials, Google has been outlining its vision for what a cookie-free web might look like. It now aims to stop supporting all third-party cookies in Chrome by 2022 and says that in the future it will only use “privacy-preserving technologies” that rely on methods like anonymisation or the aggregation of data. Similarly, Apple has placed the ability for customers to opt out of IDFA-based app tracking front and centre in the latest iPhone update, iOS 14.5, a move that has been lauded by consumer groups.