We know how the industry is responding to data regulations, but it is essential to understand why these regulations came about in the first place.
Almost every company today is seeking to gain market share by collecting more data than ever on its consumers. The bulk of today’s innovations involve customized digital services that track every interest and habit of consumers, which has given companies the impetus to treat consumer data as an asset. So far, consumers have benefited from the convenience of these hyper-tuned services. However, the tide of consumer sentiment has turned significantly in the last few years after numerous high-profile data breaches, which continue unabated. 90% of consumers, depending on the country, say they are concerned about protecting their data, and this sentiment is on the rise. Recent studies by Accenture, BearingPoint, and EY all indicate a dramatic increase in consumers’ awareness of and sensitivity to how their personal data is collected, disseminated, and used.
Despite the attention and investment in data security, news stories and investigative reports have shown that the private sector continues to incur data breaches due to negligence or ethical lapses – seriously affecting consumer trust. Now that data is being viewed as the “oil of the 21st century”, this creates a big dilemma for companies. Big data has barely gotten off the ground, and the trust deficit has taken over. The risk to companies is high.
For a while, data hacking was consumers’ only worry. A spate of data breaches and subsequent exploitation of consumers via ID theft and other means has made it much harder for companies to retain consumer trust. In the past, consumers only wanted to know if their data was secure. Now they want to understand how companies are using their data. Various consumer surveys have shown that security issues are no longer generating the most concern. Identity theft and hacking of data are deemed possible, but less likely than being inundated with advertising, lack of respect for privacy, and inability to erase shared data. Against this backdrop of declining consumer trust, how can companies continue to operate with the status quo?
Declining consumer sentiment has elicited a response from governments and institutions now grappling with the topic from a regulatory standpoint. Naturally, their response has been to adopt policies mandating that companies provide some level of data protection, but more importantly, the regulations define a set of data rights for consumers. In April 2016, the European Union adopted the General Data Protection Regulation (GDPR), which enshrines new consumer data rights, including the right to be forgotten (also known as the right to erasure) and the right to portability and visibility. It also gives consumers greater control over their data, requiring a company to continually obtain their consent for every purpose for which their data is used. In the United States, California has taken the lead by taking inspiration from GDPR and has enacted the California Consumer Privacy Act. Other states are following California’s lead and are in various stages of adopting their own versions. At this time there is some discussion in the United States Congress regarding a federal privacy law, but it is unclear how much focus and effort will be applied given other priorities.
Other countries have followed with their own privacy regulations. Canada is updating its privacy law, first instituted in 2001 with the Personal Information and Electronic Documents Act, which fully came into effect in 2004. New regulations under Mexico's Federal Consumer Protection Law that came into effect in late 2019 include the creation of the Consumers’ Public Registry, which will allow consumers to opt out of receiving advertisements for products and/or services. And Brazil enacted its Lei Geral de Proteção de Dados (LGPD), or General Law for the Protection of Privacy, in 2020 with an effective date of August 2021. The LGPD sets out nine fundamental rights granted to all Brazilian data subjects. India, China, and many other countries have put personal data privacy laws into effect.
This fragmented approach is creating another set of problems for companies that operate across jurisdictional boundaries. In some cases, data cannot be stored and processed outside the jurisdiction. New regulations continue to emerge across the globe, and existing regulations continue to change. According to Gartner, by 2023, local regulations will encompass 112 countries covering 5 billion consumers. Most of these regulations define similar consumer data rights but differ in implementation details, so that complying with more than one of them becomes an operational challenge for companies.
Adding the complexity of the myriad data privacy regulations to the expanding enterprise infrastructure that encompasses multiple external cloud solutions and third parties creates a ‘perfect storm’ of risk for businesses. We will delve further into the challenges company IT departments face in a future article.