Recent research from Gartner predicts that by 2021 more than 60% of organizations will have a privacy management program fully integrated into the business, up from 10% in 2017. While the General Data Protection Regulation (GDPR), which was introduced in May 2018, is often cited as being the reason more enterprises are paying better attention to privacy, there are other sets of regulations like the California Consumer Privacy Act (CCPA) that are also putting pressure on organizations to better manage their privacy settings.
Adapting to Regulatory Environments
In the report, Working With GDPR: How Legal and Compliance Leaders Can Improve Data Protection, Gartner identifies five key priorities for enterprise leaders and where they are likely to put their money over the course of this year:
- Adapting to a volatile regulatory environment.
- Establishing a privacy strategy to support digital transformation.
- Implementing an effective third-party risk management program.
- Strengthening customer trust and brand loyalty.
- Metrics to measure privacy program effectiveness.
While privacy and related issues are generally seen as issues for lawyers to deal with, the reality is privacy considerations have implications that go way beyond the legal department.
Gartner research shows 7 out of 10 privacy executives wish to develop a strategy to support digital transformation at their organizations, but many lack confidence in their existing plans. In short, they don’t feel prepared for the challenges of formalizing a data governance plan in an environment that moves as quickly as the digital workplace.
Why is privacy such a problem? John Hernandez, CEO at Selligent Marketing Cloud, said the difficulty is not just tied to technology, but is rooted in a couple of things.
1. Nuances in Regulatory Laws Across Regions
For brands, you can be compliant with GDPR, for example, but the exact same set of rules does not apply for other regulations, like the CCPA and Canada’s Anti-Spam Legislation (CASL).
“To find a data approach that maintains some consistency yet is across-the-board compliant is tough and even more so to future-proof data strategies for regulations that haven't been enacted yet,” he said.
2. Overwhelming Amount of Data
The second challenge is the data itself, he added. There's just so much of it, it feels like a momentous undertaking to revisit, restructure and re-execute data strategies that meet regulatory requirements. It's often hard to even know where to start.
“This is the reason why, when we work with brands, we recommend starting from their overall business objectives. Understanding what the brand is trying to learn from their data set and what benefit those lessons have for the business and their end consumers is crucial,” he said.
Opting for Privacy
The next step is to work backwards to develop data strategies that make sense to achieve those goals and that are attainable. One thing is clear: transparency, and being clear on how the information a brand is requesting will benefit consumers, is key to keeping trust and loyalty.
Adaptation of privacy regimes, however, requires resilience, said Jeff Skipper, CEO of Jeff Skipper Consulting. If this is not the case, IT implementations will encounter resistance instead.
Security is one of the toughest topics for which to capture hearts and minds, but that's what leaders must do. Composing a narrative that connects security with personal safety is a winning strategy for leaders who successfully roll out change. “Executives find creative ways to link change with practical help, purpose and betterment for both employees and customers. Employees want a cause, not a program,” he said.
The issue for executives stems from the fact that the dynamic challenges of the current privacy legislation landscape require the creation of a flexible, nimble division within companies whose success depends on rigidity.
The digital world is interconnected and sweeping legislation brings results that are not obvious to a majority of decision-makers, added Jan Youngren, a cybersecurity expert at VPNpro. It is yet more difficult to deduce how different pieces of legislation will interact; although laws are passed within state borders, when it comes to the internet, these borders are fluid at best.
“It’s impossible for companies to prepare for laws in isolation. Their effects have to be constantly observed and businesses must be capable of high-velocity changes in business strategy,” he said.
The creation of such capabilities can (and usually does) mean a change in overall company culture. Naturally, this can be a difficult, if not insurmountable, task for organizational structures that have calcified over decades of polishing procedures, he added.
Just because there are effective technology tools to assist in implementing privacy requirements does not make it a simple task for organizations. Victoria Beckman is co-chair of Frost Brown Todd’s privacy and data security team. She said organizations also have to consider the specific impact on their business. Balancing the rapidly changing privacy laws with a company's main objective of running business day-to-day is uncharted territory for many organizations, even for companies that want to be compliant with privacy requirements.
People and Process
The new regulations and the conflicts between them make it difficult to follow the right path when it comes to interpretation and implementation. Additionally, compliance with the law is hard to achieve in practice without affecting the processes, interaction with clients, and even the culture of an organization.
Todd Wright, head of data privacy solutions at SAS, said most organizations having difficulty implementing privacy requirements are forgetting two foundational aspects of any data governance or privacy program: people and process. Having the right technology in place is important, but without establishing which departments and people will lead the privacy program and develop processes to constantly monitor and correct issues, the technology is simply “tires without a steering wheel.”
A proper data privacy program does much more than satisfy regulation requirements and strengthen customer trust. The rise of the use of artificial intelligence (AI) and advanced analytics requires more data than ever to learn and evolve. Organizations that develop a data governance base that is a byproduct of data privacy will enhance every aspect of their business that depends on data to be successful.
He cites the example of Interamerican, a large European insurance company for which GDPR requirements provided an opportunity to invest in and boost its data ecosystem. The new tools, expertise and knowledge Interamerican gained through the process are used not only to comply with regulations and protect data, but also to advance data management practices and provide extended capabilities in data analysis, data quality and data handling.
As a final thought, Tido Carriero, chief product development officer at Segment, said respecting customer privacy requires visibility into what data your company is collecting and how it’s being used. This sounds simple in theory, but in reality it’s a huge engineering challenge, especially given the number of customer touchpoints that exist today. Most businesses don’t have the infrastructure in place to tackle it.
“Enterprises in particular can have dozens of different business units, each one operating in silos with different data collection strategies with no integration,” he said. “Right now, when businesses get a data subject request for laws like GDPR, it can be like a game of ‘Where’s Waldo?’ as they manually search for the personal information across their enterprise in order to delete it. Companies need a single infrastructure in place to give them visibility and control of their data so that respecting privacy can be a priority.”