Part one of a three-part series by James Howard, former Chief Privacy Officer and Chief Data Officer at KPMG

Absolute Truths
When it comes to the use of personal data in a business context, there are a few absolute truths: (1) Businesses will continue to gather and process more and more information about people to meet their goals. (2) We will continue to see larger and more far-reaching data events involving personal information. (3) Regulators will continue to respond with increasingly complex requirements around the handling of personal information.
In addition, businesses now operate in a world of cloud applications where data does not stay limited to a single application anymore. It traverses applications, networks, and organizations, adding to the data sprawl that has gone unhindered for years. The privacy and security professions are facing significant challenges trying to keep up. Internal IT is struggling to keep pace with, let alone control, an ever-widening net of cloud applications adopted by the business. The combination points to the inevitability of catastrophic data incidents.
More importantly, when data incidents occur, the much bigger risk to businesses is the brand damage and loss of customers that follow breaches. As customers have become more frustrated with business misuse and loss of their data, they increasingly consider the privacy trustworthiness of those they choose to do business with. This trend increases the risk that customers may do business elsewhere if they do not trust the privacy of their personal data, despite the large investments businesses have made to attract and retain them.
But like so many other industries, technology may hold the answer to managing the risk. Through the measured deployment of disruptive technologies, privacy, security, and IT professionals may find a way to support the acceleration of data use in the business while managing risk, pursuing compliance, and improving security – all while enabling IT to better manage the enterprise IT ecosystem.
The thing about black swan events, like major data breaches, is that they are both predictable and unpredictable. You know they are going to happen; you just can’t anticipate when and the form they will take. In 2019, the Dream Market breach alone exposed 617 million records. So far in 2020, major breaches have exposed over 658 million records containing personal data. For perspective, that’s more than every man, woman and child living in the US, UK, Canada, Australia, South Korea and Russia combined.
With the increasing volume of personal data being collected and processed by organizations around the world, it was inevitable that something like this was going to happen. Moreover, it will happen again – and potentially on a larger scale – from new attacks, techniques, and vulnerabilities on which the risk community is not focusing. And no global organization wants to be named in a headline that talks about hundreds of millions of records being compromised.
We live in an age where information is emerging as a truly leverageable resource for companies around the world, enabled by the incredible pace of change in technology and analytics capabilities. The opportunities to improve customer experience are growing exponentially. To be sure, customers now measure their own satisfaction – and loyalty – based on capabilities offered by service-providers that were not even possible a few short years ago. And companies are dramatically ramping investment to outpace their competition, or in many cases – in the face of disruptive startups – ensure their very survival.
Much of the data at the heart of the most promising innovations is in some way tied to individuals — whether traditional PII or PHI (Personal Health Information). Previously uncollected data around people’s movements, tastes and behaviors is now being spun off from IoT sensors, computed using new analytics technologies or gathered by apps used by individual consumers where they are knowingly or inadvertently contributing data.
As a reaction to companies pushing these boundaries and the consequences of high-profile data incidents, lawmakers are implementing far-reaching legislation to protect the rights of individuals. Complying with these laws is both a challenge and an imperative for all organizations, but especially for forward-looking global organizations, as they navigate uncharted waters and as regulations emanating from different jurisdictions overlap and conflict.
A significant impact of data privacy regulations is the tectonic shift in who controls personal data. Regulations define the rights citizens and consumers have with respect to their personal data. Companies no longer “own” consumer data but now have to, in effect, lease it from consumers.
Stay tuned for article 2 of this series, which will discuss the current state of risk and privacy activity.