“2018 was a truly interesting year for everyone in data protection and privacy. I’m positive 2019 will not disappoint us either.”
Egil Berglind, CEO at DPOrganizer, shares his thoughts on what next year will bring and what will happen with data privacy in 2019.
People in power
In 2018, regulations and compliance were top of mind for many. There were endless numbers of GDPR projects, most of which ended – more or less successfully – and transformed into GDPR programs. In 2019, operational privacy management will be in focus, but regulation will not be the main driver.
Research is unanimous. People are concerned about how their data is used, about their privacy and about how well organizations live up to their expectations. This concern will force organizations to focus on transparency and demonstrate accountability.
Failure to align with people affected by their operations, and failure to responsibly deal with data breaches and other incidents will be extremely costly from a reputational perspective. It will cost organizations, customers, employees and business partners.
Expectations will continue to mature as data processing increases in scale and complexity, and as people’s understanding improves. Increased cyber security threats will further add to the need to put honesty and transparency first.
In 2019, businesses will look beyond compliance and customers’ expectations. In addition to asking “is this compliant?” and “is this in line with our customers’ expectations?” businesses will ask themselves “is this right?” Not all businesses will get there in 2019. But the front runners will realise that being ethical in how they handle people’s privacy is the best way to distinguish themselves from the pack, and also the best long-term strategy. It’s the best way to assess the deployment of new technology, and it’s the best way to stay ahead of changed customer expectations and changed regulatory requirements.
Many thought great fines would be a common consequence by the end of May 2018, which is why a hype market was seen during the first half of 2018. When that didn’t happen, some thought it was yet another Y2K: a lot of fuss for nothing. Some even stopped, or reduced, their efforts thereafter. Bad choice.
It takes time to issue a fine under GDPR. And supervisory authorities have good reasons not to be hasty. They have sharper tools now, but in order not to lose trust from the public and create a gap between themselves and the subjects they are to supervise, they need to tread carefully. We need to remember that the rules are new for supervisory authorities too. They need to organise, and they need to get all their new staff up to speed. But they are getting comfortable, and they have recruited heavily. Soon, they will not only have the power and the resources. They will also have the confidence, and have done the necessary preparations to start using their tools.
Regulatory harmonisation and vendor consolidation
GDPR has paved the way for new, far-reaching, harmonised data protection laws. In 2019, it will be even more clear that more regulations across the world will follow the European example. It is becoming increasingly evident that organisations across the world will have to start putting people and their privacy at the center of attention. They need to recognise that data protection is not only a security challenge, it’s a privacy challenge. It’s about doing what’s right, it’s about respecting the expectations of anyone they are interacting with. Global harmonisation is great news – not only for people – as it simplifies how multinational organisations define their privacy management strategies.
We will also see an end to the explosion of vendors that emerged during the last two years, all claiming to solve some or all of the challenges related to data protection. Many of these vendors will disappear in 2019, because customers are now realising that when a project turns into a program, some vendors just aren’t good enough. Customers are maturing in their needs and expectations, and the vendors who haven’t delivered but were great at marketing will no longer be able to thrive on a hype market. Many vendors will also consolidate through mergers and acquisitions, either because they lack the financial stamina to endure a more mature and slower market, or because some vendors will strive to deliver a one-stop shop.
Third party risk
In 2018, many organizations prioritised getting their own house in order. Focus was on getting in control of what happened internally, and if anything at all was done regarding third parties (data processors and other recipients), it was mainly a question of getting the relevant agreements and processes in place. 2019 is the year of third party risk assessment. Are we confident in the whole supply chain? Are our vendors processing data in accordance with our expectations? Do they really support us in case of an audit, a data subject request or a breach? Are they in control of their security and their sub-processors? Next year will be very challenging for the vendors that cannot live up to their customers’ expectations and efficiently handle their requests.
Rise of the Privacy Hero
A great problem for many organisations in 2018 was the lack of experienced and skilled privacy professionals. There just haven’t been enough good DPOs, CPOs and consultants to hire.
In 2019, privacy professionals will excel in importance and status. Management will start to realise the immense return on investment in the area, and as a result they will refrain from assigning unqualified staff the responsibility. Privacy professionals have a key role in ensuring processing of personal data in line with regulatory requirements, customer expectations and ethical standards. Privacy professionals will rise to be the Privacy Heroes they truly are.
I wish you all a great Christmas and a Happy New Year. I look forward to working together with many existing and new clients next year. You be the Privacy Heroes, I’ll be the Privacy Hero Sidekick.
Privacy Hero Sidekick, CEO & Founder, DPOrganizer