Three Ways Data Privacy Has Changed in 2018

Guest post by Ameesh Divatia, Co-Founder and CEO of Baffle.

As we close out 2018, it’s hard not to reflect on what has been a game-changing year for data privacy. Some might argue this was the year data privacy moved beyond the boardroom to the lunchroom, where employees discussed the benefits and challenges of new data strategies. We believe there were three major trends shaping the data privacy discussion this year: increased regulation, improvements in encryption and increased scrutiny of U.S. tech giants.

One of the most significant drivers of data privacy strategy and discussion was government regulation, with the General Data Privacy Regulation (GDPR) leading this charge. The legislation, adopted in April 2016 and put into effect on May 25, 2018, sets strict limits on how companies can use personal information from consumers based in the European Union (EU) and requires specific permission for its use. Those not in compliance face a hefty fine – $25M or four percent of annual revenues.

Media discussion and executive team meetings alike were dominated by the topic for much of the year, with many struggling to understand their own level of responsibility and to put appropriate processes and people in place. A few months after GDPR was implemented, the state of California introduced its own legislation aimed at protecting its residents. The California Consumer Protection Act provides similar protections to GPDR, as it requires informing consumers about what data is collected and gaining permission around how (if) it can be used. Its introduction led many in the U.S. to wonder which state would be next and how many would adopt similar measures. In August, Vermont became the next state to follow suit.

In addition to the many processes these new regulations define and require, they also had the effect of elevating privacy at the executive level, with GDPR requiring the appointment of a Data Privacy Officer. Marketing too plays a heightened role in this new data privacy paradigm, both in its role in offering meaningful content to consumers in exchange for permission to use their data and also in mastering the new regulations and acting as a voice for them in conversations with upper management.

This regulatory environment forced organizations across the country to take stock in their privacy and cybersecurity policies. Coupled with new data breaches at popular brands like Under Armor and Panera Bread, it also further reinforced the value of encrypting sensitive data from the start. Historically, many businesses have encrypted data if it was going to be shared or stored locally, but now businesses understand that alone is not enough. Today data can be and must be encrypted from the time data is created, while it is being stored (at rest) and when it’s in use (being moved). That’s the bare minimum, and organizations now are looking to encrypt data while in use. This shift comes in tandem with a growing number of organizations adoption cloud services, which present another environment in which data must be kept safe. Cloud providers are clear who is responsible – they are charged with protecting the cloud environment, but brands are responsible for the security and privacy of the data they store there.

Last but not least, the failure of tech darling Facebook to protect 50 million users from political data firm Cambridge Analytica during the 2016 election put a large magnifying glass on the tech industry as a whole. It had long been accepted that Facebook, its partners and companies like it stored and used consumer data to help market products by advertisers or improve a customer experience. The Facebook/Cambridge Analytica scandal – for the first time – exposed just how much data these companies were storing, the depth of their knowledge around consumer actions and how they were using that data. The resulting outcry by privacy advocates and consumers alike was deafening and other tech companies took note. Apple, for example, now requires all applications in its App Store to have a stated data privacy policy and browser Mozilla Firefox announced in August it had turned off data tracking “by default.” One possible benefit of this scrutiny was the realization that cloud data security must be a shared goal among the tech community. Behind closed doors, giants like Facebook, Microsoft and Amazon now meet jointly and often to share best practices as the industry looks for a new way to perform data analytics securely in a cloud environment.

In the current privacy climate, it can feel overwhelming for brands to determine what immediate steps they need to take and where to focus their investment when it comes to protecting data. A first step an organization should take is performing a deep audit of the data it gathers and stores, understanding what it is and where and how it is stored. Marketers can and should play a key role in this discovery phase as they are often the most knowledgeable about what data they have at their disposal. Secondly, clearly defining your privacy policy for customers, and ensuring your internal teams understand its limits, is a powerful next step. Finally, encrypting data, to ensure that even when it is accessed it is rendered useless, is absolutely critical. When considering a solution, organizations should be sure to select one where the encrypted data and the cryptographic key (which can “decode” the data) are saved in separate areas and in which their data is never decrypted, ever.