Data privacy was the buzz phrase of 2018, a year when the letters GDPR were rubbed off my keyboard because I’d typed them so many times. But that was last year. What do experts think will happen in 2019 when it comes to data privacy?
“In 2019, privacy will continue to be an area of focus for the global market, as new regulations such as ePrivacy start to be fleshed out and additional regions such as the U.S. look to implement their own data privacy laws, all of which could have global financial impact,” said Mounir Hahad, head of Juniper Threat Labs, Juniper Networks, via email.
One thing is that we can expect more legislation surrounding data privacy. In fact, expect data protection legislation to influence societal expectations on security, which will trickle down to companies and their supply chains, according to Geoff Forsyth, CTO at PCI Pal.
“Consumers have always felt protective of their data, but with new legislation redefining the data landscape, consumers have grown more confident and firmer in demanding their data be treated with respect, that its uses are kept visible and clear, and that it is used only as they agreed,” Forsyth said in an email comment. “The pressure these new societal expectations will exert cannot be overstated, both on public-facing companies and through them all the way down their supply chains.”
Security and Privacy Will Merge
We’ve already begun to see a convergence of security and privacy; data privacy and data protection are separate but equal in this privacy-centric outlook. Consumers and employees – everybody, really – are paying more attention to how well organizations protect data and ensure data privacy. According to network security expert and Portnox CEO Ofer Amitai, expect to see more companies seek guidance and solutions to keep up with all the new compliance regulations.
However, privacy will take priority this year, as organizations adopt a “Privacy First” approach, Don Foster stated in a Commvault blog post. But he doesn’t anticipate adopting this approach will be easy. “The challenges these enterprises will face as they seek to integrate data privacy best practices into their existing applications, as well as new mobile, IoT and other applications, will be significant,” he wrote. “Enterprises will need AI-powered, automated, outcome-driven data management solutions to address these challenges if they hope to implement strong data privacy policies without sacrificing productivity or agility.”
GDPR at a Year
A personal prediction: In May, there will be countless evaluations of GDPR as the regulation hits its first anniversary. Okay, that’s not a difficult prediction to make because we’re already seeing evaluations of how GDPR has been working. Luther Martin, Micro Focus security technologist, predicted that GDPR will be impossible to enforce as we move forward. There has been a lot of chatter about enforcement and whether the fines will work as a deterrent. But Martin said the fines will be almost impossible to enforce because of political considerations or established laws and regulations.
“In the U.S., for example, 26 USC Sec 891 of the Internal Revenue Code allows the U.S. to arbitrarily double the taxes of business or individuals from countries that unfairly discriminate against U.S. businesses in certain ways,” said Martin. “It's likely that levying large fines against U.S. tech giants for failing to comply with the GDPR would trigger Section 891 penalties, allowing arbitrary retaliatory doubling of taxes on EU businesses and citizens.”
Expect other countries that don’t already have such laws about penalties against large enterprise to come up with some, rather quickly, because it will be politically expedient to do so. Countries without similar laws, said Martin, will be at a disadvantage, “leaving the world in a situation where all of the privacy laws that assert control over their citizens' data, no matter where the data is stored or processed, are rendered ineffective against businesses from more powerful countries.” Or, in other words, countries required to enforce GDPR could find themselves between a rock and hard place trying to get organizations in countries like the U.S. and China to follow the regulations and pay the fines.
Even so, researchers at NordVPN think that GDPR has put such an important spotlight on data privacy that we’ll continue to see the trend of more countries outside of the EU and more U.S. states coming up with data privacy laws and regulations. And that’s important, these researchers added, because too many of us are frustrated with the way big tech has handled personal data. Consumer trust, the researchers predicted, will play a major role in how big tech goes forward in their internal data privacy policies.
PJ Kirner, CTO and founder of Illumio, thinks that big tech and other organizations will take data privacy more seriously, and insist that these policies are followed by their vendors. “If a third-party vendor is managing critical data and systems, enterprises will increasingly require these vendors to adopt their internal security standards, Kirner said. “For example, we are already seeing the largest financial institutions executing this practice with the law firms that handle their eDiscovery, regulatory response, M&A, and IP-related transactions. I think we’ll see more organizations push their policies to their vendors in 2019 because they’re starting to recognize the value of consistent and transparent security protocols across the digital supply chain. Not only will this provide peace of mind, it will also increase efficiency, streamline operations, and allow best practices to be shared.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba