Privacy Wars Intensifying in 2019 What to expect and how to prepare

By Gretchen Ruck | Director | AlixPartners

While 2018 will be remembered as the year when privacy and personal data became “weaponized,” 2019 could go down as the year in which the battle is fully joined and companies across industries and geographies are pulled into the fray. All companies, not just those in the tech industry or those that have suffered a customer data breach, will be forced to confront their privacy shortfalls.

PRIVACY REGULATIONS ARE GAINING HEAVY DUTY AMMUNITION

New laws and regulations have been implemented that, while generally limited to the protection of consumers in or residents of their jurisdictions and businesses operating there, have far-reaching implications that extend worldwide:

• The European Union’s General Data Protection Regulation (GDPR), which was implemented in May 2018, has far-reaching privacy protections, impacting virtually any company that does business with EU consumers.
• Similarly, the new California Consumer Privacy Act of 2018 could also have massive consequences for the tech industry in California; but, will also impact most company that have amassed data which is tied to residents of California.
• In 2017, the New York Department of Financial Services also implemented new cybersecurity and data protection regulations (23 NYCRR 500) that introduces new requirements for boards to be cyber-risk aware, which impact all financial institutions registered in the state of New York (i.e., most of the financial services and banking industry.)

And the momentum is shifting toward greater regulation in the future:

• Executive accountability: Taking the notion of board cyber-risk awareness even further, bills are being proposed at the U.S. federal level that would hold business executives and board directors personally and possibly even criminally liable for data breaches at the organizations they govern.
• Internet of Things (IoT): Driven by the growing pervasiveness of connected home and personal devices and spurred by oncoming rollout of 5G, government agencies, including those in the United Kingdom and the state of California, among others, have begun to issue IoT security and data protection guidelines, which could signal the first step towards their eventual regulation.

PREDICTIONS FOR 2019

As the need for accountability and transparency grows, privacy has become a business-critical topic among executives and boards.

The rise of the “data troll”

Patent trolls, the cringe-worthy scourge of businesses for many years, will be replaced by data trolls, who will inundate the court system with lawsuits waged against unsuspecting companies.  

Boosted demand for data architects

Driven by cybersecurity breaches, by the collection and processing of personal data by companies, and by new notice and disclosure requirements, an acceleration of litigation on behalf of both consumers and shareholders for perceived or real damages is likely. New regulations, particularly those in California, provide many benefits to consumers; but, could also unintentionally help to facilitate this. Even where no damages can be proven, such litigation can incur major legal, performance and reputation costs.

Companies that process personal data could find themselves unprepared to comply with new regulations and caught up in a privacy dragnet that leads to severe reputation and financial damage if they:

1. Rely on aging, costly legacy technology that’s incompatible with newer security requirements and data protection demands;
2. Have mounting technology debt due to a history of backlogging needed maintenance and upgrades in favor of deploying new functionality and service enhancements; or
3. Trend towards complex cutting-edge technology models, without solidly investing in privacy and security.

Growing recognition of employee data protection rights

Courts and legislators will increasingly acknowledge that employee data, which companies frequently ignore as a source of significant risk, needs similar protections to sensitive consumer data. This could represent a fundamental shift in thinking for very large private employers such as Walmart and Amazon, which collectively employ three quarters of a million people.

The decline of “digital freeganism”

Many of the digital companies that rely on “free data” as a critical component of their business model could see access to that data become locked behind expensive pay-to-play arrangements. Companies that have allowed third parties with access to customer data will be forced to implement strict controls to account for how they share data and with whom. Costs will increase for those companies implementing these controls, as will the need for new ways to monetize this data. All of this will trickle down to the businesses consuming this data.

Unraveling shady consumer data aggregation practices

With heightened requirements for consumers to consent to their data being collected from online sources for processing or sharing with other companies, the legality of business models for organizations that cull public data, such as companies involved with marketing data aggregation, financial risk management, and even those engaged in white hat privacy and cybersecurity services, could be in question, rendering some unsustainable.

PREPARE FOR THE PRIVACY ONSLAUGHT

1. Establish governance 
   Identify a qualified single point of ownership for privacy. Sanction them with authority and visibility. Prepare for access and deletion requests, and evaluate preparations for timely handling and communication of incidents.
2. Formalize a controls framework
   Deploy tools to manage the complexity and the risk. Invest in updating your legacy architecture and controlling data processing by third-parties.
3. Become data-centric 
   Manage your data and know everywhere that it originates and everywhere that it can possibly go. Establish data ownership roles, deploy a simple data classification model, and lock-down all unnecessary access and use of sensitive consumer data.
4. Build awareness and enforcement 
   Make privacy a human resources issue. Institute mandatory, frequent privacy training and deploy a privacy risk awareness campaign, focusing on holding accountable those developers, help desks and others who interact with sensitive consumer data.
5. Measure the business impact 
   Quantify the business case for investing in privacy, shifting the decision away from the gamble on being caught to the benefits gained. Look to reputation management services as predictive indicators of how your business is performing on privacy.

Compliments of AlixPartners, a member of the EACCNY