What is the future of data privacy?

In 2003, William Gibson iconically claimed that ‘the future is already here — it’s just not evenly distributed.’ At that point, mobile phones had been invented over 20 years earlier but only reached 10% penetration. Fast forward seven years, and they had reached 75% penetration, entering the mainstream. The future was here to stay.

How does this tale of extraordinary growth relate to privacy?

As with mobile phones at the beginning of the millennium, privacy laws and principles are not new. In fact, they’ve been around for decades. For example, the US implemented the Privacy Act in 1974, the OECD published privacy guidelines in the 1980s and ‘Privacy by Design’ principles followed in 1995.

Yet privacy concerns have surged in recent years following major scandals (e.g. Cambridge Analytica, Edward Snowden), the introduction of GDPR, CCPA and CPRA privacy legislation, and the growing volume of data breaches.

As a result, we are in the process of a privacy revolution. Change is in motion. Privacy law, governance and technology are now centre stage. Consumers are increasingly engaged and more aware of their rights, and public pressure on governments is mounting to protect the interests of their people. Future generations will be shocked at the carefree manner in which we previously shared our data and exercised little control over data ownership.

This changing environment creates a highly complex landscape for companies, who must adapt to rapidly expanding legislation, harsher financial penalties and reputational damage for any misstep. In response, companies will look to invest in people, processes and technology to ensure they securely protect their data and win the trust of their customers.

  • Consumers are more aware of data privacy and less trusting of organisations. As our lives have moved online, we have become increasingly sensitive about sharing our personal information. Only one-fifth of customers in Germany, Australia, the UK, and France trust how corporations process their data.
  • Consumers are demanding greater transparency. Customers view transparency as the essential factor for building trust around data privacy, which is 2x as important as compliance (Cisco).
  • Consumers will more actively manage their data. Consumers are less likely to ‘trust the process’ and instead will leverage their expanded rights to manage their data in privacy legislation (e.g. granting the right to erasure, data portability).
  • Legislative protection is rapidly expanding. The EU’s GDPR legislation led the way in 2018. Since then, countries including the UK, Brazil, and even China have followed suit, while others (e.g. Australia, India and Canada) have legislation pending or under review. All eyes are now on America, where over 75% of states have debated privacy laws, and some have already taken action (California, Virginia, Utah, Colorado and Connecticut) with more likely to follow. As per Gartner, up to 75% of the world’s population will be covered by modern privacy laws by the end of 2024.
  • Legislation is in progress to address specific technology and privacy risks. AI is the latest to be caught in the crosshairs of regulators, with the EU, US, and Canada already drafting legislation to address AI’s unique privacy challenges. It would be no surprise to see legislation further targeting areas of concern soon, such as biometrics, genomics and personal healthcare (including the ‘internet of bodies’).
  • Managing international data transfers is complicated due to varying legislation. Modern privacy legislation often includes requirements on data localisation and restrictions on international data transfers. These rules add complexity and uncertainty, especially for companies with a global presence. In particular, the situation has not been helped by the delayed EU-US Data Privacy Framework due to replace Privacy Shield.
  • The lack of legislative coordination will result in greater complexity. We wait to see whether America will pass federal privacy law, but it faces opposition in California despite bipartisan support. Overall, the extensive growth in legislation is creating a patchwork of rules for companies to adhere to globally. Companies must decide whether to implement localised data governance frameworks or adopt a standardised approach in line with the strictest requirements.
  • Regulators are more willing to enforce penalties for breaches of privacy legislation. EU regulators have been keen to enforce GDPR rules, handing out a record €746 million fine to Amazon in 2021, along with penalties for other tech leaders, such as Meta, Google and Apple. As additional countries pass their own legislation, we can also expect greater enforcement action to follow.

So what does this mean for companies?

1. Companies will look to invest in privacy expertise but face ongoing skill shortages.

Privacy investments are estimated to generate average returns of 1.8x (Cisco) and typically focus on people, architecture design and technology. Investments are already on the rise, with an increase of 125% in spending over the past three years.

Many businesses, particularly large organisations, will first look to invest in people, with privacy hiring having increased by 30% in the last year alone (TRU Staffing Partners). As a result, we are seeing a rise in privacy roles and responsibilities amongst senior positions, with Chief Privacy Officers, Chief Information Security Officers, and even privacy-focused board positions becoming more common.

Businesses will face significant challenges filling these roles due to widespread skill shortages across the sector, impacting privacy and broader cyber security. For example, 53% of organisations reported being somewhat or significantly understaffed in technical privacy roles, while 44% reported the same for legal and compliance (ISACA Privacy in Practice, 2023). Cybersecurity Ventures estimates a shortfall of 3.5 million cybersecurity positions, which will remain until at least 2025. As a result, companies will have to think hard about the value proposition they can offer to attract ‘in-demand’ skills while also looking to invest beyond people to achieve their privacy ambitions.

2. Companies need to adopt secure design practices.

There are two areas where most organisations will focus their efforts: deeper integration of privacy by design principles and implementing zero-trust security architecture.

Businesses should look to Privacy by Design principles for guidance. These principles have long existed and are often a core element underpinning privacy legislation (e.g. in Europe, the UK, Brazil and California), yet 40% of companies sometimes, rarely or never implement these principles (ISACA: Privacy in Practice). This month, the ISO formally introduced a new standard for Privacy by Design (ISO 31700), which further cements its legitimacy.

Adopting zero trust security will be a core aim for many organisations. Businesses are now constantly threatened by cyberattacks, which can destroy consumer confidence. Intruders spend (on average) over 200 days inside a system before being identified (IBM: Cost of a data breach). Successful implementation of the core elements of zero trust, including micro-segmentation, least-privilege access and moving away from an implicit trust model, can drastically minimise the blast radius from a breach. 55% of companies already have zero trust initiatives in motion. The US federal government has mandated that its departments adopt zero trust security by the end of 2024, which will likely result in further adoption as it trickles down throughout the private sector.

3. Companies must invest in privacy technologies.

Technology will play a fundamental role for organisations of all sizes to manage data privacy in the face of more significant risks and complexity. The data privacy software market is forecast to reach $18bn in 2028, up from only $1bn in 2020 (Fortune Business Insights), and 60% of large organisations will use at least one form of privacy-enhancing technology by 2025 (Gartner).

Privacy technology broadly falls within two categories: 1) data management and privacy automation tools, and 2) privacy-enhancing technologies.

Data management and privacy automation tools, such as data mapping and data subject access request (DSAR) tools, have gained significant attention in recent years. They are designed to help organisations comply with privacy legislation in a scalable manner. As these tools become increasingly sophisticated, particularly through the use of artificial intelligence and machine learning, they will be capable of delivering further efficiencies through automating processes and reducing the risk of human error. Demand will continue to grow, driven by the need to comply with expansive legislation, the material risk and cost of a privacy breach and the need to deliver transparency of data management for data subjects as DSAR volumes are anticipated to grow.

Privacy-enhancing technologies (PETs) have the potential to minimise the use of personal data and maximise security for processing data in unstructured environments and multi-party analytics. Relatively simple forms of PETs are already prevalent, such as data masking, tokenisation, anonymisation and encryption, which can address data at rest and in transit.

There has been significant recent investment and attention on emergent technologies, particularly privacy-enhancing computational technologies (PECTs), which can preserve the privacy of sensitive information while in use. Over the coming years, companies will need to monitor emerging solutions — such as confidential computing, federated learning, differential privacy, and homomorphic encryption — to identify those that can help deliver their privacy agenda and build a competitive advantage as part of a leading privacy program.

If you would like to learn more about what we are building at Onqlave to help protect sensitive data, follow our updates via LinkedIn, sign up to our newsletter or feel free to get in touch with any of our team.