- What were the biggest privacy regulation trends in 2021?
- How organizations can manage their most serious risks and derive the greatest value from their privacy investments
- An audience poll found 62% of respondents are hiring more staff and 62% are buying more technology to meet the increased demand on privacy departments
Read more below.
What are the biggest trends in the privacy regulatory space? In the latest installment of The Privacy Collective, Kelly Matoney, executive director of privacy at Vista Consulting Group, talks with Lauren Wallace, RadarFirst’s chief privacy officer and general counsel. Matoney’s background in privacy compliance, risk management, and data governance and her experience as a licensed attorney — spanning Amazon, PWS, Iron Mountain, the Federal Aviation Administration, and the U.S. Department of Homeland Security — gives her extensive insight into global privacy rules. Here are the 11 biggest trends in privacy regulatory enforcement Matoney outlined:
1. Big shifts with China’s PIPL going into effect
China’s Personal Information Protection Law went into effect on November 1, 2021. This could lead to some harsh consequences for companies that are not compliant, says Matoney: they potentially face fines of up to $7.7 million or 5% of annual revenue — higher than GDPR fines.
Matoney stresses the importance for organizations to comply with China’s new privacy laws as well as China’s new Data Security Law, which took effect September 1, 2021.
2. The EU-US Privacy Shield Framework
While the EU-US Privacy Shield Framework was deemed invalid in mid-2020, both the European Commission and the U.S. Department of Commerce have indicated that addressing and updating it is a high priority.
Matoney indicates that there won’t likely be a new agreement until sometime in the summer or fall of 2022, but that the EU and UK have both issued guidance and resources around the analyses and measures needed to lawfully transfer personal data from the EU to the U.S.
3. Enforcement actions are up in the U.S.
There has been a substantial increase in privacy-related enforcement actions from federal agencies. Matoney outlines how the SEC sanctioned eight firms in three actions for failures in their cybersecurity policies and procedures, which led to the exposure of the personal information of thousands upon thousands of individuals.
Additionally, the U.S. Department of Health and Human Services (HHS) has settled or imposed penalties in 101 cases, resulting in fines in excess of $131 million.
4. Big GDPR fines
The largest GDPR fines to date were issued this year. Luxembourg DPA fined Amazon 746 million Euros for GDPR violations. The second largest fine was the Irish DPA’s GDPR fine against WhatsApp for 225 million Euros.
5. Increase in U.S. state privacy bills
There has been an upward trend in the number of bills introduced this year, including laws from Virginia and Colorado that include notice requirements to state attorneys general. Matoney states that we’re going to see more states moving in this direction. Regarding federal privacy legislation, Matoney believes the U.S. is still pretty far off in terms of aligning on key goals, values, and specific provisions — and that China is ahead on this.
6. Privacy laws have teeth
According to Matoney, the laws that regulators are enforcing have teeth and we’re seeing huge increases in fines. She outlines that COVID-19 has really brought the issue of data privacy and health data privacy to the forefront of people’s minds.
A recent PWC report on the top privacy megatrends states that regulators now have greater enforcement authority and can impose higher maximum fines and penalties.
7. Rise in breach notification laws
The number of changes to breach notification laws continues to be high. Matoney states that so far in 2021, 12 states have updated their breach notification laws.
With so much to monitor and track, “it’s just nearly impossible to do this work without leveraging technology,” she says. Breach Law Radar is a free, global data breach notification law library that is always one step ahead with up-to-date overviews of global breach notification laws and all 50 U.S. state regulations.
8. Rise in privacy technology
New privacy-supporting technologies are available and being implemented, including workflow, AI, and automation technologies and tools.
“A large number of [organizations are] looking at privacy management platforms, investing in technology to help reduce the effort required for things like translating new laws and regulations into actionable compliance requirements and activities, automating data subject request processes, streamlining PIAs, or even monitoring and adhering to breach notification laws,” states Matoney.
9. Privacy professionals are in demand
There is a significant human resource shortage. Matoney says that many in the privacy field — including companies, law firms, consulting firms, the public sector — are looking for privacy professionals.
10. New privacy concerns on the horizon
Biometrics, facial recognition, the use of employee monitoring technology — all of these plus more robust rules and penalties regarding the use and disclosure of health information in light of COVID-19 and vaccines are trends to look out for, according to Matoney.
11. Rise in cyber insurance premiums
Matoney outlines the dramatic rise in cyber insurance premiums and the level of scrutiny insurance companies are using to determine the eligibility and the rates for cyber insurance.
In fact, the National Association of Insurance Commissioners (NAIC) indicated a 400% increase in ransomware incidents in 2020. Additionally, each month in the first half of 2021 saw double-digit increases in premiums for cyber insurance policies that cover ransomware payments.
Prioritizing Compliance Efforts with Resources at Hand
Matoney addresses how organizations can manage their most serious risks and derive the greatest value from their privacy investments:
- Focus on strong incident response management for breach notification
- Make sure incident response processes are compliant and kept up to date
- Make sure you have foundational and compliant policies and procedures in place that provide the appropriate notice, consent, and transparency into the data you’re collecting and how you’re using it
- Work with teams to quantify and assess the severity of the risk
- Balance everything against the likelihood of the risk
- Address risks and understand your compliance gaps
- Have a repeatable process to show that you’ve done your due diligence to understand the implications, the risk to your company, and the risk of harm to individuals
An audience poll during the session found that 62% of respondents are hiring more staff and 62% are buying more technology to meet the increased demand on privacy departments.
States Matoney, “It’s time to get your privacy house in order, and to improve your overall privacy posture and compliance with applicable laws. The bad news is that the risks your organization [faces] — in terms of fines, loss of business, damage to your organization’s reputation, etc. — those risks are greater than ever. But the good news is that as a privacy leader, your business case for investing in the privacy resources and technologies is also strong. I think there’s an opportunity to leverage this increased activity in the enforcement space to garner executive support, to continue building up, and strengthening your privacy program.”
Join us for The Privacy Collective next month as we discuss digital transformation in privacy.