2019 brought a great deal of focus on data privacy, not to mention a variety of new government regulations. With cyber-attacks rising not only in number but in sophistication and cost, data privacy remains a very relevant topic. And the attacks aren't going away: Accenture reports that the average cost of cybercrime has risen by 72% over the last five years.
The focus on privacy is mainly driven by cyber-security attacks that have resulted in huge breaches of personally identifiable information. The response has been the creation of regulations to strengthen consumer privacy protection, in countries around the world such as the US, India and Australia. The EU's GDPR in particular has had a strong influence. In the United States, individual states have adopted their own laws, such as the CCPA (California Consumer Privacy Act), while Congress works on a federal data privacy law.
What makes data privacy so important?
At the individual level, a breach of personal information can damage a person's fundamental rights and freedoms, and exposes them to fraud and identity theft. At the organisational level, unauthorised collection, careless processing or inadequate protection of personal data introduces multiple risks: organisations that fail to comply with privacy requirements face steep fines, lawsuits and other penalties.
The serious penalties for non-compliance are perhaps the strongest driver of rising privacy awareness among organisations. For example, the CCPA grants consumers a private right of action if a breach exposes personal information that was not encrypted or redacted, and GDPR fines can reach 20 million euros or 4% of a company's global annual turnover for the preceding financial year, whichever is higher. Supervisory authorities can even ban a business from processing personal data altogether. The result is that organisations now take privacy into account before they use an individual's data.
Modern compliance requirements mandate that all organisations take steps to protect the healthcare records, financial data and other personally identifiable information (PII) they process and store against cyber-attacks.
Failure to protect data privacy can result in legal sanctions and reputational damage. To maintain customer trust today, companies must demonstrate that privacy is a core value. While many businesses still treat their privacy policy as a legal formality they do not actually follow, consumers' attitudes and awareness have changed tremendously.
How consumers believe their data is handled
Research by PwC finds that only 25% of consumers believe their personal data is handled responsibly. As awareness grows of the loose handling of personal data by social networks, tech giants and governments, strong controls over the management of personal information are fast becoming a powerful business advantage.
Data privacy in marketing will increase customer loyalty
Companies will strive to meet the transparency bar: being able to explain why they collect and share specific data, and to prove that they properly asked for consumers' permission and properly informed them about data collection and processing. According to Gartner, brands that implement customer-level management of their marketing data will reduce customer churn by 40% and increase lifetime loyalty by 25% by 2023.
Third-party risk management will be even more important
A key trend for this year will be third-party risk management. The supply chains of large enterprises are an attractive target for attackers, because a compromised supplier's systems and network connections give an attacker a path into the enterprise itself. This emphasises the need for companies to ensure that their partners, suppliers, resellers and service providers have adequate controls in place to protect personal data.
For instance, the GDPR requires organisations to use only third parties (processors) that can demonstrate sufficient guarantees that they have measures in place to protect personal data. A risk-based approach is needed when evaluating partners and vendors, and agreements should cover topics such as data breach notification obligations and cooperation in fulfilling data subject requests.
Data privacy staff awareness is critical
Another key trend for 2020 will be efforts to increase data privacy awareness. Organisations will focus on teaching staff about sensitive data security and data management policies. Creating a privacy- and security-aware culture is a requirement of many cyber security regulations. Educating people about their rights and obligations, and regularly testing their adherence to your information policy, is critical to both security and compliance.
What is your data privacy plan for 2020?
Does your plan involve hiring a Data Protection Officer for DPA or GDPR compliance? Do you need assistance with your supply chain risk management? Is your staff awareness programme robust enough to develop a security-aware culture? If your plan involves any of the above, then Risk Crew can help. Visit our website to view our full range of services.