As cyber risk intensifies around the world, regulatory authorities are taking privacy and data protection frameworks far more seriously than they did a decade ago. Since the European Union's GDPR came into force, it has shaped a host of regulations worldwide, with governing bodies either adopting or considering legislation that sets more concrete rules for personal data and privacy. In the United States alone, 33 states have introduced some form of data privacy legislation, and California, Colorado, and Virginia have signed such laws into effect.
Globally, 76 percent of countries have either drafted or enacted some sort of personal data privacy protections, including China, Russia, Brazil, and Australia. Likewise, the newly drafted India Personal Data Protection (PDP) Bill includes requirements for notice and prior consent for the use of individual data, limitations on the purposes for which data can be processed by companies, and restrictions to ensure that only data necessary for providing a service to the individual in question is collected.
So, what is driving this escalating demand for enhanced privacy and data protection?
$1 trillion of cybercrime
Some would say we have experienced a perfect storm. In 2020, cybercrime cost the world more than $1 trillion, a 50 percent increase from 2018. Data breaches of increasing sophistication and severity are at an all-time high. It comes as no surprise, then, that consumer confidence in the promise of data security is at an all-time low, and that most Americans, for example, now believe they have lost control of their data.
At the same time, maintaining data and system security in a complex, distributed environment is no easy feat, and it has become even harder since the pandemic. By 2021 most organizations had moved to a hybrid work environment and digital transformation programs had accelerated. In its analysis of the impact of Covid-19, consultancy McKinsey calculated that digital transformation advanced by the equivalent of seven years in just a few months to meet customer demand. This acceleration has expanded the attack surface: digital systems now expose many more access points for customers, partners, and employees, and each is a potential attack vector.
Additionally, the volume of data has exploded across multiple data types, which makes it very difficult for organizations to understand what data they hold, how it is being used, and where it is located. At the same time, there is increasing pressure to unlock data to enable better decision-making and gain competitive advantage. The challenge for security and privacy professionals is therefore how to exploit data safely, protecting it while still enabling the business.
Earlier this month, the instant messaging service WhatsApp was fined €225m by the Irish Data Protection Commission. The fine is the result of an investigation that started in 2018 and concluded that WhatsApp was not sufficiently transparent about its privacy policies and how it would process customer data. It is the second-largest GDPR fine to date and clearly illustrates the risk of poor data handling. Moreover, according to the GDPR Enforcement Tracker, 55 percent of GDPR fines are due to poor processing of personal data, and 40 percent concern the lawfulness of processing: whether the company has the right legal basis to use the data, and the right controls in place to ensure usage stays aligned with the purposes defined. Fines, in other words, are not just for data breaches; organizations are also fined for insufficient governance of their data assets.
Furthermore, there is growing emphasis on employee and workplace privacy. If an organization consumes personal information, it must clearly identify the systems where that data is stored and how it is controlled. However, employee data typically lives in unstructured files, in emails, chats and other places that are not on the priority list for control and protection. High Street retailer H&M was recently fined because it was not appropriately discovering and protecting employee data; instead, conversations were being left in chats and sensitive data was being shared. The regulator fined the retailer because a disproportionate amount of data was living in systems without adequate control, systems the company had not prioritized as needing protection.
As a result of all this heightened publicity, people are becoming much more aware of their rights as consumers, and data security is now influencing purchasing decisions. It is also influencing the way organizations prioritize budgets. According to a recent Forrester Now Tech report, budgets for privacy management software in particular are growing. On top of this, investment aimed at improving privacy and data protection practices is coming from a variety of departments, not just IT security, as employees, customers, and partners become more aware of expectations and of the need to better safeguard data, whether personal or corporate.
Organizations can use privacy management software to ease the task of achieving compliance with privacy regulations. It also enables them to use personal and sensitive data more ethically and efficiently while safeguarding the trust of employees and customers. The Forrester Analytics Business Technographics® Security Survey, 2020 asked global security decision-makers what tools they had purchased to comply with data protection regulations like GDPR: 49 percent said privacy management software, 44 percent said data management platforms, 38 percent use data discovery and classification tools, and 37 percent use other controls.
The Forrester Now Tech Privacy Management Report explains why organizations invest in privacy management software not only for compliance but also to ensure data ethics and employee and customer trust. It includes a list of more than 30 relevant privacy management software vendors, compiled on the basis of market presence and functionality. The report also offers advice on selecting the right technology to support privacy and data protection programs and on what organizations should consider: business needs and goals, the complexity of the organization's data, the environment and technology infrastructure both now and in the future, and any measurement criteria for how data is used, stored, governed, and disposed of.
As consumer demand for better data privacy continues to escalate, supported by a global regulatory drive, it is essential that businesses invest intelligently in the technology solutions and privacy management programs that will allow them to achieve compliance and maintain customer trust, without compromising performance.