Last weekend, on January 28, we observed Data Privacy Day, an internationally recognized day intended to raise awareness and promote privacy and data protection practices. First celebrated in the United States and Canada ten years ago, the day commemorates the Jan. 28, 1981 signing of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the first international treaty dealing with privacy and data protection.
In celebration of Data Privacy Day, privacy professionals gathered for Privacy After Hours events across the globe, including one we hosted in our RADAR offices in Portland, Oregon. This well-attended and lively event gave me time to catch up with my fellow privacy, legal, and compliance professionals. I found myself thinking about the state of privacy today, and the tremendous opportunity out there for us in the business of protecting sensitive personal data and organizational reputation.
The State of Data Privacy in 2018
In a recent article I wrote that my years in privacy and security have taught me about the inevitability of incidents involving private, protected information. Every year brings new and unprecedented disclosures of data breaches, orders of magnitude more incidents that trigger regulatory assessment but can be sufficiently mitigated to avoid public disclosure, and new and more stringent data protection regulations.
This year is no different. Topmost on many of our minds is the fact that 2018 brings the effective date of the EU GDPR. The impact of this regulation is not to be underestimated. The EU holds the privacy mantle with the belief that the digital economy around the globe requires trust between companies and their consumers and that the GDPR is key to establishing trust. In fact, I have begun nicknaming it the GLOBAL Data Protection Regulation, as this version of the acronym feels like a more accurate representation of the far-reaching application and implication for companies across the globe, setting a new high-water mark as we see a rising tide in privacy awareness and regulation.
While regulators are working to increase the specificity and stringency of compliance at the state, federal and international level, technologies are increasing in the amount of data they gather and use. With the proliferation of the Internet of Things and connected smart devices in our cars, homes, and worn on our persons, we have a constant stream of information generated about our public and private lives. According to a forecast from research and advisory company Gartner, 2017 saw the use of 8.4 billion connected devices. They’re predicting the number will grow to 20.4 billion by 2020.
These devices provide conveniences in exchange for personal data, but are consumers savvy to the risks involved in sharing their personal data carte blanche? Perhaps some – and I hope most – of us stop and read the scope and purpose of collection and uses of the data before clicking on that explicit consent button. A recent survey from Cisco found that, while over half of consumers saw value in connected devices, fewer than one in ten report high levels of trust that their data is secure. And a recent study on consumer views of personal information revealed that there may be generational differences in how consumers entrust their data to devices. While 81 percent of US respondents felt a lack of control in how their personal data are collected and used and about half of consumers in each age group say they sometimes provided information online, younger consumers from generations X, Y and Z are demonstrably more likely to adjust privacy settings on mobile devices and social media.
Organizations dealing with private and personal information are going to have to manage the way they collect data and the way they present this process to the public, in part due to growing awareness from the public and the requirements of GDPR. One example of large brands feeling the heat from GDPR was the Data Privacy Day Facebook announcement that the company promoted as sharing their privacy principles and pushing more content for consumers to take control of and better manage their privacy settings.
Our Shared Role in Raising Awareness of Data Privacy Issues
More than anything, successful privacy teams foster an enterprise-wide culture of privacy and trust in their organizations, and they should use data to persuade the board, C-suite, and business managers to set the tone on privacy programs. Good incident response practices are critical to compliance, but folding privacy into the core of a business’ DNA is one way to go beyond compliance and to win public trust. Business practices that allow for privacy by design mean privacy issues are brought up just as new solutions are conceived. Raising awareness of privacy initiatives, and of privacy as a human right, could now be considered a task for professionals in privacy – in addition to protecting data and ensuring compliance with regulations. As stewards of privacy best practices, it is important we don’t lose sight of our shared role in promoting privacy awareness and best practices.
Last year, we conducted a series of interviews with our customers to better learn their approach to privacy, and to share the common best practices in promoting a culture of compliance. I love this quote from a Chief Privacy Officer at a US-based Fortune company:
“Privacy is everybody’s job, and it’s bigger than a compliance issue, it’s a business issue. If your business depends on relationships with people, then your success depends on your ability to do a good job at privacy.”
With that, I’d like to wish all my fellow privacy professionals a happy Data Privacy Day. May we go forth and share the importance of privacy measures, continue to improve our privacy practices, and in doing so add value to our companies.