The global privacy landscape is in the midst of a large tectonic shift. Privacy has recently been top-of-mind for consumers, enterprises, and governments alike, with headline-hitting examples such as the SolarWinds hack, which exposed the personal information of at least 18,000 customers; the release of Apple’s privacy feature that places privacy controls back into the hands of customers; and the passage of the California Privacy Rights Act (CPRA) and its domino effect on other states and on Congress as it considers a comprehensive privacy bill at the federal level.
Privacy 2.0—the new paradigm of privacy for a data-driven economy—is here. And it has already exposed a major fault line in even the most robust data privacy programs: the inability to accurately and comprehensively identify hard-to-find sensitive information buried in vast pools of enterprise data.
To discuss Privacy 2.0 in more depth, we invited expert panelists from a wide variety of industries to share their views and perspectives on the evolution of the privacy landscape and their predictions on what’s to come in The Inevitable webinar, "Privacy 2.0: Can Companies Be Both Data-first & Privacy-first?".
Moderator Josiane Ishimwe, Investment Manager at Intel Corporation, hosted privacy expert panelists:
- Brian DuPerre, CPO, UnitedHealth Care
- Jim Gaven, Sr Counsel & CCO, Welsh, Carson, Anderson & Stowe
- Jeff Wysocki, CIO, The Mosaic Company (former CIO, Medtronic)
The panelists, clockwise from top left: Jeff Wysocki, moderator Josiane Ishimwe, Brian DuPerre, and Jim Gaven
A new era of privacy
Privacy 2.0 is making data privacy a top priority for organizations worldwide. Four factors are turning privacy into a critical consideration for every major business decision:
- Rising customer expectations
- Stricter regulatory regimes
- The persistent threat of data breaches
- The proliferation of enterprise data
A shifting legislative landscape
While the current state of privacy legislation in the United States is still very piecemeal, there is a trend towards more comprehensive legislation at the state or federal level. Brian DuPerre of UnitedHealth Care pointed out that, “in this country, we still have the sectoral-specific privacy rules, if you will. So in healthcare we have HIPAA and in finance, we have the Gramm-Leach-Bliley Act, and then with education, and the credit reporting agencies there are those sector-specific rules. But, what we're seeing is really the trend towards that comprehensive privacy bill, something similar to what occurred in Europe.”
The US is a laggard when it comes to federal privacy legislation. The vast majority of countries either already have national privacy legislation or are in the process of passing it. Brazil’s LGPD was enacted in August 2020, India is expected to pass privacy legislation by the end of 2021, and Europe’s GDPR is seen as old news now. But the Biden administration has ushered in a renewed interest in federal privacy legislation with the DelBene proposal earlier this year aimed at protecting consumer data.
So how should global enterprises navigate this fragmented privacy landscape? Jeff Wysocki of The Mosaic Company offers some advice: “You have to almost be looking at what's the most restrictive, common denominator across the globe in order to be looking at solutions and capabilities.”
This variety of international, regional, and state privacy regulations, “definitely strengthens, but also challenges [enterprise privacy programs]. They give you standards that you have to live up to that you might not otherwise live up to on your own,” states Jim Gaven of Welsh, Carson, Anderson & Stowe.
Creating stronger privacy programs to comply with new regulations will likely be a challenging adjustment for some companies, especially those that deal with very sensitive data now. “For industries that are in the sectors that have specific laws, I think there's a lot of history and comfort in working with sensitive data. But for consumer companies who are new, or privacy and data protection is new to them because of these state laws, [regulatory compliance is] a very daunting challenge,” states DuPerre.
Facing data challenges
Around 80% of corporate data is unstructured and it is propagating faster than structured data. This has been exacerbated by the shift to remote work environments and is putting even the best information governance and data management processes to the test.
DuPerre shared his experience: “Now you have this giant pile of data that you have to layer in all these different privacy rules and layer in all these other controls. And that becomes incredibly challenging when it's unstructured—or even when it's structured if you didn't have that data governance to begin with. And even if you did, the size of data and the amount of time it takes to go through, from a compliance perspective and a data protection perspective, in order to assign it its appropriate swim lanes, is a daunting task.”
“I think that the structured information and the regulations that are out today are very clear on the information you need to capture. It's a little easier to follow the guidelines and put processes in place around the structured information,” Wysocki said.
“One of the big problems with unstructured data right now is that some of it ultimately should be considered structured,” mentioned Gaven. “So how do we move from one [category] to the other?” Gaven continued, “the amount of unstructured data you have and being able to account for it. I think that's the biggest challenge right now.”
Even with proper procedures in place, the abundance and complexity of enterprise data today make protecting it even more difficult.
Data breach prevention
With the sheer abundance and complexity of corporate data today, organizations need to go to extra lengths to minimize the impact of an inevitable data breach. Our experts gave their tips:
- Have an understanding of where your information and data is across the organization
- Have an incident management and response process in place to be able to handle a situation that comes up and be able to respond quickly
- Educate the organization on the risks
- Be able to identify the data and be able to rule in or rule out what's been impacted
- Have data governance and rules in place with policies and compliance programs for each platform
- Make sure you're doing an appropriate amount of due diligence on vendors as a custodian of the data that you're sending
- Do an inventory of vendors and of what information you get from them and what information they’re given
Data privacy as a value proposition
Many businesses are now faced with how to turn their data privacy methods into a value proposition. Wysocki shared the challenges he has encountered: “Right now, a lot of our processes are just very manual and a lot of searching, a lot of it is resource-intensive, a lot of costs, and quite honestly, we’re slow to respond in a lot of situations.”
But this is where technology can really make a difference. Privacy can be a value proposition if the right tools are in place. “Any capability technology-wise that can help me move faster and understand the breadth as well as help me potentially reduce costs in the organization from a velocity and speed standpoint are huge wins,” according to Wysocki. “I think AI and some of its capabilities,” he continued, “aligned with some of the capabilities within Text IQ are fantastic for being able to do that.”
Business evolution in the Privacy 2.0 era
Our panelists all agree that in order to compete in the Privacy 2.0 era, businesses must learn to continuously evolve to keep up with the changing privacy landscape. They must be armed with the correct people, technology, education, and processes to protect and capitalize on one of their biggest assets: consumer data. “What was reasonable three months ago may not be reasonable today,” Gaven pointed out.
Striking the right balance between the liability of data and the usage and retention of data is critical. Wysocki recommended, “internally limiting access to certain types of data.”
“Businesses always want to use the data that they have. And minimizing it can impact the usefulness of that data,” DuPerre countered. “You have to know where your data is and you have to be able to have a good, clean, crisp way of making sense of it all. And then, you can maximize its usefulness for the business by figuring out what rules apply to what data. That becomes increasingly important if you're working across state lines and it becomes super important if you're working across countries’ boundaries,” he added.
The goal for most businesses now is personalization at all levels. “Personalization is where the industry is going,” stated Wysocki. “I want somebody who is selling to me to know about me and offer customized solutions. That's the balance we need to strike here is how you continue to go down that path. We're going to see micro-personalization and balance that against the privacy information and privacy policies that we want to have in place.”
Gaven warned, “If you're in an organization where somebody in senior management is handing this [data privacy] responsibility to one person, stop and think about that. It needs to be a team effort because it has different people who have different skillsets that address this problem. The legal group is going to look at it very differently than the tech group, who's going to look at it very differently than from the compliance group.”
Privacy 2.0 ushers in new challenges forcing businesses to evolve to meet the new privacy and regulatory compliance demands. Having the correct people, technology, processes, and training and communication procedures in place are all crucial to success in the Privacy 2.0 era.