Although the arrival of GDPR may feel like a lifetime ago, privacy continues to be a hot topic for enterprises globally.
Investments continue in earnest, with 90% of those questioned in Cisco’s 2022 Data Privacy Benchmark study citing privacy as a mission-critical business imperative. This is because the pursuit of the perfect privacy policy is a never-ending challenge, as companies continuously need to respond to new regulations in addition to business and customer demands.
According to Gartner’s biennial Global Security and Risk Strategy Survey, the average budget dedicated to privacy in 2019 was US$1.7m, rising to $2.2m in 2021. VP analyst Bart Willemsen expects this figure to exceed $2.5m by 2025 and continue to grow.
“Given the international expansion of legal requirements and the fact privacy is a programme, not a project, spending will continue to increase,” he says.
What’s pushing the growth in privacy investment?
Two main issues are pushing this growth in privacy investment: legal compliance and digital trust.
As of 2020, 20% of the world was covered by GDPR or a similar privacy legislation but, dependent on the passing of India’s Personal data Protection Bill (PDPB), this could hit 70-75% by the end of 2023, says Willemsen.
“If it wasn’t for blockchain, privacy would be the buzzword of the decade,” he laughs. “However, many organisations are only just starting on their privacy journey. Two years after GDPR, came Brazil and its LGPD law, we’ve seen California’s CCPA drive a lot of investment and China also introduced its data security law and the Personal Information Protection Law (PIPL) at the end of 2021.”
Alongside new legislations come regular changes to existing ones. For example, the UK began a consultation last year to make significant changes to its existing data protection laws.
“The substance of future UK regulation will become clearer when the Government publishes the outcome of that consultation,” says Isabel Ost, KPMG Law director.
With each new or amended legislation comes a new swathe of work for organisations and, as Willemsen points out, another 1.4bn people will have to respond to new regulations if/when India’s PDPB is implemented.
“Simply put, organisations are investing in privacy because lawmakers are telling them they have to.”
But organisations have also come to understand the importance of digital trust to their business.
For two years running, Cisco’s survey reported that 90% of customers wouldn’t buy from an organisation that doesn’t properly protect its data, while 91% said that whether a business has external privacy certifications affects their purchasing decision.
“Regulations are certainly what initially caught their attention, but most corporations now recognise that data privacy is fast becoming a key consideration for potential consumers as the public becomes more and more aware of how their data is being used,” explains Caroline Carruthers, author, and co-founder of data consultancy Carruthers and Jackson.
When looked at through this lens, privacy can become a business opportunity as it’s a sure-fire way to build trust, in turn boosting sales while also making customers more likely to hand over their data, which can be analysed to provide invaluable insights.
“People want to use your services more if you have a good track record on data privacy, so it makes good business sense to invest properly in it,” Carruthers notes.
Customers want transparency
The Global Data and Marketing Alliance’s (GDMA) annual report has found – year-on-year –that consumers want more transparency on what happens to their data, especially regarding digital advertising.
The EU has been developing two legislative initiatives – the Digital Services Act (DSA) and Digital Markets Act – that will support a move to improved transparency and Dr Sachiko Scheuing, European Privacy Officer at Acxiom and co-chair of the Federation of European Direct and interactive Marketing Association (FEDMA), advises companies to watch out for these this year.
“The two proposed acts are aimed at creating a safer and more open digital space in Europe. In particular, the DSA was designed to increase transparency and accountability for publishers, online platforms and intermediaries.
“For instance, part of the DSA sets out a provision for more transparent and informed choices for the users of digital services, including information on how their data will be collected,” she explains
“Other provisions, subject to ongoing negotiations, might also make it just as straightforward for a user to refuse consent for their data to be processed, as it does to give that consent. Many responsible enterprises already have procedures in place to offer this under GDPR, but the DSA may provide additional guarantees that enterprises must be aware of and be prepared to deal with.”
Watch out for data sovereignty/localisation/residency restrictions
Another key privacy trend for 2022 is the growth of countries or regions taking sovereignty – also known as localisation or residency – measures to control the infrastructure and data generated in their jurisdictions, with rules on data residency, to conditions on transborder data flows.
This adds another level of complexity and cost to organisations already dealing with an ever-growing number of privacy regulations.
Ralf Helkenberg, IDC research manager – European privacy and data security, explains this is happening because global regulatory complexity is restricting geo-data flexibility and creating an operational environment where data localisation is increasingly seen as the only safe mechanism for organisational compliance.
This includes Europe, as he goes on to highlight.
“The Schrems II ruling and its implications for international data transfers has established itself as a top data protection challenge for organisations. This year will see the spotlight on European regulatory enforcement of data transfer rules.”
How are organisations responding?
Although some may feel that they’re always on the back foot due to the growing number of regulations, wise organisations are looking at how they can best ensure regulatory compliance and customer trust.
One of these is through the implementation of privacy-enhancing technologies.
“This is definitely one of the top strategic technology trends at Gartner, and has been for the last two years,” says Willemsen. He points out that software and hardware solutions are offering new ways to manage information without actually “touching or making it identifiable”.
Staff training is also key, while certification is a good way of externally assessing your privacy credentials. Investment in dedicated privacy professionals also continues to be a popular option for organisations too, with Gartner’s survey showing that two thirds of organisations questioned have a dedicated individual lead and a third have a dedicated privacy team.
Ad hoc teams are also often created to responded to specific challenges as they arise, but getting the right staff can be an issue. This is because although the discipline has grown, there’s still a shortage in professionals due to the high demand.
There’s clearly a lot of challenges, and still a lot to learn, but by embracing best practice and keeping on top of the latest changes to legislation organisations can ensure they keep travelling in the right direction.
Just remember to view privacy as something positive – not only does it protect your organisation, it can also create new business opportunities.