This time last year, Data Privacy Officers (DPOs) were focused on embedding General Data Privacy Regulations (GDPR) after the 25 May deadline. One year on, the role of DPOs is far from finished.
Consumers have never been more aware of their privacy rights, major hacking incidents are happening with increasing regularity and sophistication, new technologies such as AI and Blockchain are increasingly being used, and a glut of global regulations has left organisations attempting to unpick a tangled web of requirements.
Against this backdrop, leading DPOs are looking at how to move from compliance to competitive advantage. They realise a smart approach to data privacy is about positively responding to this changing world through seeking opportunities to improve the experience for customers, uncovering new insights from data and unlocking untapped value.
Having advised numerous cross-sector clients on data privacy over the past year, we hear and see how data privacy can drive a competitive advantage in our client conversations every day. And we heard it in the feedback from our recent presentation at the OneTrust PrivacyTech conference, which was attended by hundreds of data privacy experts. In our speech, we outlined three priority areas for DPOs to seize this advantage:
Our recent research on AI and automation, People and machines: from hype to reality, found that one third (32 per cent) of organisations have invested in these technologies over the past five years. These technologies are arriving faster than many DPOs anticipated, fuelled by the widespread adoption of software as a service (SaaS) models and the availability of out-of-the-box third-party solutions. To respond, privacy leaders must recognise that these solutions introduce additional privacy risks, map where they’re being used to ensure any privacy implications are identified, and mitigate them through the overall data privacy strategy.
We’ve designed strategies and frameworks to reduce AI privacy risk for a number of organisations. Our experience tells us that privacy leaders must help their business explain the benefits of AI solutions to end users. They must design the implementation with reliability, robustness and security front of mind. The lawfulness and compliance of these tools, and the accountability of the individuals using and overseeing them, must be considered and addressed from the outset. The DPO needs to ensure there’s the right balance of human and manual intervention, ensuring solutions are fair and unbiased. And finally, the AI privacy strategy must align with your organisation’s values and ethics, which will make it easier to get stakeholder buy-in at all levels within the organisation.
From security and access to considerations around cross-border data flows, managing data in the cloud is a crucial issue – and one expected to increase over the months and years ahead. Our experience of working with regulators tells us they’re comfortable with cloud data privacy as long as there’s evidence of the required awareness and understanding of cloud security and controls, and a robust response plan in place for any breach.
The DPO can also benefit from working closely with cloud providers to leverage their controls frameworks and accessible information, something we’re currently supporting a leading cloud platform to provide. There will be a need to build robust procurement processes to ensure new cloud providers are brought on board in a controlled, coordinated manner – clearly outlining internal responsibilities and those of the cloud provider.
With the introduction of GDPR, other regulations are now on the horizon across the globe. While the basic principles might be similar, the ‘devil is in the detail’, and many DPOs are grappling with the challenge of delivering a global privacy programme when there are differences in the scope and application of regulations. We’ve worked closely with a number of regulators on privacy regimes, as well as with a number of client organisations to respond to these incoming regulations – in particular the California Consumer Privacy Act (CCPA).
We believe there’s no point focusing on regulations on a case-by-case basis. Leading DPOs in global organisations are already thinking globally and building a core privacy team with the expertise to deliver privacy efficiently across multiple jurisdictions. By strengthening privacy in areas such as consent management and data governance, DPOs can undertake ‘no regrets’ activity while simultaneously gaining a clearer view of data and the opportunity to create commercial advantage through new insights. In doing so, the DPO can become an enabler and an innovator supporting the business.
Just like last year, the 12 months ahead will see a shift in focus. We anticipate more attention being paid to increasing regulation around the globe, the associated digital borders and the emerging value that data privacy can provide. That’s why DPOs must shift their focus to finding and delivering true business value.
A global movement towards increased data privacy is changing the way companies do business. Are you ready for the new era of data privacy?