Data privacy management and protocol got a facelift with the enactments of the General Data Protection Regulation and the California Consumer Privacy Act.
Many companies failed to meet compliance standards in time for GDPR. And for companies that met the deadline, 67% fear they won't be able to sustain compliance, according to Tanium.
"People realize that they can be compliant one time — you can get ready for that audit and pass that audit. But the day after that audit is done, people go back to their day jobs," Chris Hallenbeck, CISO for the Americas at Tanium, told CIO Dive.
Whether in a cut-and-paste scenario or a spreadsheet on an employee's laptop, data is rarely stationary, said Hallenbeck. "You'll end up with copies and even with just subsets of data all over."
Without a reliable sense of where, what and how much data is traveling, companies are susceptible to privacy infringements or, at worst, a data breach.
Breaches of privacy are chief financial officers' greatest concern, according to a BDO Middle Market survey. GDPR fines have reached roughly $126 million since 2018.
The majority of CFOs are anticipating an increase in IT spending this year because of renewed attention on information management and privacy, Karen Schuler, principal and national leader of BDO's governance, risk and compliance practice, told CIO Dive. Over time, companies can expect costs associated with privacy-specific technology and personnel to become more manageable.
"What is painful today for many companies is that they are having to put a compliance muscle in place for the very first time. But once installed, that muscle will pay for itself many times over," said Jack Mardack, VP at Actian, told CIO Dive.
Chief financial officers ranked data privacy as their top regulatory priority for 2020. "We see 2020 as phase two of GDPR enforcement. The honeymoon is over and regulators will no longer be so lenient," said Schuler.
U.S. companies spent $82 million in the last 12 months on compliance measures, according to research from Tanium. Eventually companies will get comfortable with costs.
Privacy isn't a one-time expense. Remaining compliant is a challenge for companies lacking "an approach to consent that is consistent and regularized," Eve Maler, interim CTO at ForgeRock, told CIO Dive.
GDPR once stood as the "most stringent" law. The CCPA and other lingering state laws are challenging that, which impacts how companies manage data, said Mardack.
Both regulations have distinct differences, including who they dictate as the regulated parties. GDPR applies to data controllers whereas the CCPA's regulation extends only to organizations which gross more than $25 million in revenue. The regulations also diverge on how organizations should process consumer-requested restrictions and the right to opt out.
"Many companies in compliance with GDPR still needed to overhaul their consumer response processes to comply with CCPA," said Schuler.
A billion dollar market
In response to privacy demands, vendors will be expected to embed privacy-related capabilities into their products. And data aggregators have to pay for them.
"This is interesting because now it becomes necessary for technology innovation to have to begin to adapt itself to legal requirements," said Mardack.
The data protection market is projected to exceed $158 billion by 2024, according to Market Research Engine. The report suggests a compound annual growth of 15% during that time frame.
IBM, HPE, Symantec and McAfee are among the vendors contributing to the growth. Privacy-related tools are marketed toward security and risk management teams, said Hallenbeck. If a company wants to prevent loss of data or intellectual property, it will likely adopt data loss prevention software.
Companies' compliance also extends to its vendors and business partners. Despite where a breach might have originated, regulators will levy fines against the companies charged with caring for consumer data.
Businesses have issues with harnessing the scope of their collected data and the routine maintenance of it.
"Honestly, the biggest challenge in all of this is human nature," said Hallenbeck. Employees work on finalizing a project so they create a temporary file and then forget to delete it. The flow of data isn't always malicious, it's negligent.
"You have to assume the data is going to land on a laptop somewhere. And the nightmare scenario, of course, is that the laptop gets left in the back of a taxi," said Hallenbeck. Now the company doesn't know what data is vulnerable.
Because there is not yet a specific market for data privacy technology, companies are relying on security tools to moonlight as privacy solutions. Technology leaders have to get creative in their application of available solutions.
Businesses adopted an average of nine tools for CCPA compliance, according to Tanium.
The best tools are the ones that can locate where data is at all times, then "you can truthfully declare yourself compliant," no matter the regulations, said Hallenbeck. He suggests companies reevaluate how they deploy new solutions while keeping privacy in mind:
What privacy protocols need to be put in place before any code is written?
Should there be a discussion around what data businesses are going to have?
Why does a business need it?
How long do we need to have the data?
All the questions Hallenbeck proposed require a shift to a privacy-centric company culture.
Trust is the underlying concept of all tools for protecting privacy. "The consumer trust that comes along with efforts to increase the hygiene of the management of personal data is invaluable," said Maler. She suggests companies evaluate their current data protection methods:
Determine where digital transformation and user trust intersect. The answer will guide companies through innovation while remaining secure.
Treat personal data as a "joint asset" shared between the business and customer.
Embrace user consent.
Adopt access management and consent management systems for continued trust.
Industry has yet to perfect automated responses to security or privacy incidents. Less than one-fifth of companies say they can inform regulators within 72 hours of discovering a breach, according to the Ponemon Institute and McDermott Will & Emery report. Companies are still manually collecting data in response to consumer requests.