January 3, 2020
2020 Data Privacy Predictions — Tales from a Salty Soothsayer
By Gabe Gumbs, Chief Innovation Officer
Inevitably, as 2019 comes to a close, many of us look forward to seeing what awaits us in the new year. Data security professionals in particular have reasons to be optimistic about the state of data privacy in 2020. However, having read many lofty predictions about this topic already, I want to keep this one grounded in the reality of the lives of the colleagues, communities, and customers that we all interact with every day.
The first reality is one that Gartner Analyst Nader Henein articulates well: “Privacy regulations across the globe have developed more in the past 12 months than they have in the preceding century.” This fact is astounding. In just ONE year, privacy regulations have changed more than they have in 100 years!
This reality has significant implications for all of us as business leaders, consumers, and citizens. For one thing, it has the potential to significantly affect the power dynamics of capitalism in the information age, as companies around the world are compelled to balance cybersecurity risks with data privacy risks to prevent privacy breaches.
The introduction to the latest draft of the NIST Privacy Framework summarizes the overlap between cybersecurity and privacy risks well.
“For more than two decades, the internet and associated information technologies have driven unprecedented innovation, economic value, and improvement in social services. Many of these benefits are fueled by data about individuals that flow through a complex ecosystem — so complex that individuals may not be able to understand the potential consequences for their privacy as they interact with systems, products, and services. At the same time, organizations may not realize the full extent of these consequences for individuals, for society, or for their enterprises, which can affect their reputations, their bottom line, and their future prospects for growth.”
So where does this leave businesses that are trying to understand how to balance the risks of data privacy for their customers with the imperative to deliver on their organization’s economic goals?
The following three predictions for data privacy in 2020 offer unique insights into the challenges we all face in the coming year — and conclude with ideas to begin addressing them.
3 Predictions for Data Privacy in 2020
1. Infonomics — Data as a Business Asset
Infonomics will soon enter into the vernacular and practice of privacy and risk professionals. For those not familiar with the term, infonomics is the practice of viewing information (data) as an actual business asset, not as an IT asset or merely as a business byproduct. Regardless of where you fall on the “data is the new oil” debate, you likely understand that, nuance aside, data has a very real monetary value.
Case in point, our recent blog post about Google’s win against the “right to be forgotten” discusses the implications of the European Union court’s ruling for Google — and its blow to citizens’ privacy standards. Google’s stance on the issue has nothing to do with being evil or unethical. The move was about the company’s desire and ability to monetize data, which is its stated business model, as cited in Google’s initial public offering document (think its data-driven AdWords and AdSense programs).
2. Differential Privacy — Sharing “Anonymous” Data
As companies evaluate their options in today’s rapidly evolving privacy landscape, this second prediction is couched in another concept that will become part of our collective data privacy conversation in 2020 — differential privacy. Differential privacy is a system for publicly sharing information about people via their online behavior patterns versus their personally identifiable information (PII), such as social security numbers, ages, and locations.
Practicing differential privacy is an attempt to retain the business value of data without increasing privacy risks. For example, let’s say you shop at Amazon but want them to delete the marketing data they collected about you, even if they did it in accordance with specific compliance regulations. Amazon has to agree and remove that data to remain in compliance. However, Amazon could also use differential privacy techniques to retain information about you that does not identify you as an individual, such as your purchasing patterns. This data can be bought and sold to perform analytics and create advertisements that target people who share similar buying behavior.
However, differential privacy is not a data-privacy fail-safe. It has the potential to introduce new privacy challenges into an organization. One example is determining the boundaries of the “right to be forgotten” compliance requirement in the face of differential privacy practices, such as data pseudonymization and de-identification.
3. “Privacy Skills Gap” Myth — Privacy Technology Gap Reality
The next significant challenge brings us to a third prediction — the reality of the predicted “privacy skills gap.” Pundits are saying that the great cybersecurity skills gap of the 2010s will lead to a skills gap in privacy risk management in the 2020s. However, there doesn’t seem to be any data to back up that assertion.
What we can see instead is a lack of consideration for the data privacy tools and business processes that can make it easier to manage privacy risk, including establishing privacy breach controls. The increase in compliance regulations in just the past year (including the GDPR and CCPA), and likely into the future, should serve as a driver that pushes the business world over the privacy risk mountain. Now is the time to start deploying the right technologies to carry the data privacy load, and help us all better protect what matters most — our private, sensitive data.
3 Tips to Overcome Data Security Challenges
To address emerging data privacy trends, business professionals tasked with data security, privacy, and compliance should heed three recommendations:
1. Realize that Data Is Not an Arbitrary Byproduct of Business Practices
It is a business asset with a monetary value and a high-risk component, including from the ever-expanding number of data compliance regulations. As such, monitoring and securing your data according to data protection legislation is critical to the future success of your organization.
2. Don’t Mix Purchased Marketing Lists with Customer Lists
Mixing purchased marketing lists with your own customer lists can lead to the risk of introducing data that is not in compliance with the regulatory laws you scrupulously adhere to. Avoiding this mix-up will help protect your organization from the downside of differential privacy tactics, whereby you inadvertently re-identify a person who has exercised his or her “right to be forgotten.”
3. Deploy and Scale a Data Privacy Program
An effective data privacy program can help you overcome any perceived or real personnel gap as well as understand where to automate and how to orchestrate privacy tasks by deploying the right data privacy technologies for your industry.