Three Ways Data Privacy Has Changed in 2018
Guest post by Ameesh Divatia, Co-Founder and CEO of Baffle.
As we close out 2018, it’s hard not to reflect on what has been a game-changing year for data privacy. Some might argue this was the year data privacy moved beyond the boardroom to the lunchroom, where employees discussed the benefits and challenges of new data strategies. We believe there were three major trends shaping the data privacy discussion this year: increased regulation, improvements in encryption and increased scrutiny of U.S. tech giants.
One of the most significant drivers of data privacy strategy and discussion was government regulation, with the General Data Privacy Regulation (GDPR) leading this charge. The legislation, adopted in April 2016 and put into effect on May 25, 2018, sets strict limits on how companies can use personal information from consumers based in the European Union (EU) and requires specific permission for its use. Those not in compliance face a hefty fine – $25M or four percent of annual revenues.
Media discussion and executive team meetings alike were dominated by the topic for much of the year, with many struggling to understand their own level of responsibility and to put appropriate processes and people in place. A few months after GDPR was implemented, the state of California introduced its own legislation aimed at protecting its residents. The California Consumer Protection Act provides similar protections to GDPR, as it requires informing consumers about what data is collected and gaining permission for how (or whether) it can be used. Its introduction led many in the U.S. to wonder which state would be next and how many would adopt similar measures. In August, Vermont became the next state to follow suit.
In addition to the many processes these new regulations define and require, they also had the effect of elevating privacy at the executive level, with GDPR requiring the appointment of a Data Privacy Officer. Marketing too plays a heightened role in this new data privacy paradigm, both in its role in offering meaningful content to consumers in exchange for permission to use their data and also in mastering the new regulations and acting as a voice for them in conversations with upper management.
This regulatory environment forced organizations across the country to take stock of their privacy and cybersecurity policies. Coupled with new data breaches at popular brands like Under Armour and Panera Bread, it also further reinforced the value of encrypting sensitive data from the start. Historically, many businesses have encrypted data if it was going to be shared or stored locally, but now businesses understand that this alone is not enough. Today data can and must be encrypted from the time it is created, while it is being stored (at rest) and when it’s in transit (being moved). That’s the bare minimum, and organizations are now looking to encrypt data while it is in use as well. This shift comes in tandem with a growing number of organizations adopting cloud services, which present another environment in which data must be kept safe. Cloud providers are clear about who is responsible – they are charged with protecting the cloud environment, but brands are responsible for the security and privacy of the data they store there.