ORLANDO, Fla. — Privacy is like coffee.
When coffee makers adopted fair trade practices, they became the industry norm. If a producer doesn't sell fair trade coffee, "you barely sell coffee," said Bart Willemsen, VP analyst at Gartner, during the IT Symposium/Xpo in Orlando, Florida last week.
The same is true for privacy.
Consumers expect premium care for their data. When they can trust that a company will ethically protect and use data, consumers are more likely to disclose more of it.
Once consumers taste privacy, they like it, said Willemsen. But while everyone has a privacy experience, it's typically not a very good one, he said.
Putting up a cookie banner is not enough to "keep the regulators at bay" nor is it an effective instrument for building consumer trust. Privacy is "not about consent, let's be honest," said Willemsen. Consent is a mechanism of privacy, it's a point of choice.
The CIO's role in privacy
CIOs play a major role in establishing foundational capabilities for a sustainable privacy program. From there, companies have to maintain ongoing administrative and resource management while scaling for "recurring tasks," he said.
Once those layers are in place, companies have the freedom to evolve as needed without introducing additional change to the rest of the organization.
And unlike other areas of technology, privacy is not a market. There is no Magic Quadrant or list ot top providers outlining leaders in the space.
As CIOs shape the digital economy, they have an opportunity to extend niche technologies and solutions into privacy. CIOs can enhance privacy controls through "off-label" technology uses, including IRM, security and risk management, said Willemsen.
"Give privacy a thought when you procure services," he said. Due to privacy's nuanced nature, it requires expertise beyond what's expected of CIOs.
Privacy risk diminishes when companies can trace how they process data. If the spaces between uncontrolled personal data, data lifecycle and its purposes, access, and server side rendering are bookmarked by privacy management, control and user experience, CIOs can help control risk while gaining insights.
But the CIO's role in privacy doesn't extend too much further beyond technological solutions, according to Willemsen. It is not the CIO's job to make operations legal, it is the responsibility of the entire company.
Willemsen compared the CIO's role in privacy to a motorcycle: If a business unit comes to the CIO asking to go faster and the CIO provides them with an elite motorbike, it is still the business unit's responsibility to abide by the rules of the road; speed limits, traffic signs and overall caution. It's all compliance.
Enter the GDPR-required chief data privacy officers (DPO).
Despite popular opinion, "privacy officers do not make your organization compliant," said Willemsen. DPOs enable compliance by helping bridge the "gaps" in their practices and protocols, "and that's it," said Willemsen.
However, the DPO should "co-influence" all areas of business strategy because all units have their hands in data. If a company is fined for data misuse, everyone feels the pain.
No law of the land
Willemsen predicts that in five years' time, each U.S. state will have some resemblance of a comprehensive data privacy law either in effect or in drafts. There are roughly six federal proposals in draft, including one by Senator Marco Rubio, R-FL, introduced in January.
Rubio's American Data Dissemination Act (ADD) would call on the Federal Trade Commission for recommendations for privacy requirements "Congress can impose on covered providers," according to the proposal. The requirements would closely mirror requirements set by the Privacy Act of 1974.
But another bill, proposed by Senator Ron Wyden, D-OR, took consequences further. Wyden's proposal, made in November 2018, would require fines up to 4% of annual revenue and 10 to 20 year "criminal penalties for senior executives."
Wyden's proposal came about a year after Equifax's breach and after then-CEO Richard Smith's Hill hearing. Smith took responsibility for his actions but faced no personal penalties. Former CIO of Equifax U.S. Information Solutions Jun Ying, however, was recently sentenced for insider trading.
Jail sentences for executives "who get it wrong," or lying to a commission or customers about privacy is "a business case for compliance," said Willemsen.
There was a 662% increase in cases during the first six months of GDPR for the European Data Protection Board, receiving about 95,000 complaints during that time period. At least for some time, companies operating exclusively in the U.S., without European customers were "dodging the GDPR bullet," said Willemsen.
Privacy's price tag
As recent penalties handed down by GDPR watchdogs and the FTC show, a privacy infraction will cost a company, with or without a federal data privacy law.
But, Willemsen points out, recipients were not penalized because they were breached. A breach "is never a reason to be sanctioned at all," he said. What does matter is how long discovery and remediation took.
When it comes to scaling response protocols, there are three key questions to answer:
- How long does a response to a customer inquiry take?
- How much does each response cost, in terms of money or time?
- How many requests can a company fulfill in the mandated timeframe?
On average, 36% of companies require three weeks or more to respond to consumer requests, 30% take two weeks or less. The kicker is the average cost per request. More than one-quarter of companies report an average cost of $1,000 to $2,000 per request.
Facebook was another example of failing to proactively demolish customer concerns about privacy, leading to its record $5 billion fine from the FTC. On the other side of the Facebook fine was Cambridge Analytica, a now-defunct research firm.
Cambridge Analytica's demise was the ultimate consequence for a "deliberate situation" involving unethical use of consumer data provided by Facebook, said Willemsen.
However, if the CCPA had been in effect, the consequences would have been devastating, Willemsen said.
$5 billion is about one-quarter of Facebook's overall profits. GDPR calls for 4% of annual turnover. The CCPA, however, has a clause requiring companies to pay up to $750 per individual harmed by a breach. But if the incident was deliberate, the cost is up to $7,500 per individual.
For argument's sake, Facebook's reparations for Californians with Facebook accounts could have exceeded $183 billion. Privacy is more than a scarlet mark on a company's reputation, it could be its end.