After the recent introduction of multiple privacy laws, enterprises are wading through a sea of recently-enacted data protection regulations, trying to serve their customers. They want to profit financially while also avoiding millions of dollars in fines. But CIOs and other executives are left to wonder how exactly they’re intended to meet these data privacy requirements.
Data privacy is critical for businesses, but sometimes it’s not entirely clear why. For executive teams determined to better protect and serve their customers, it’s important to first understand the intent of data protection regulations and the risks and rewards associated with following them. This analysis of corporate data privacy breaks down the ways that enterprises make money from personal data and the options companies have when approaching the world of information privacy and protection.
What is data privacy, and why is it important?
Generally speaking, information privacy is the state of shielding individuals’ personal, or identifiable, information from anyone that does not need access to that information to survive or to comply with the law. This information includes contact data, home address, and purchase history.
However, data privacy is usually referred to as a legal construct—not just the act of shielding identifiable information, but also any of the laws and rights that governing bodies have set about personal data.
In 2017, the Economist famously claimed that data may have ousted the world’s most valuable commodity, oil, from its place at the top of the list. This alerted the general public to the importance of their personal information.
Accurate, clean, analyzed data is critical for consumer-facing enterprises—with it, they are better positioned to market relevant products and services to consumers and make more money. However, this necessitates regulating the management of those volumes of human contact information and behavior.
What data privacy laws protect individuals?
The concept of legally protecting data isn’t new. In the 1970s, Germany and Sweden enacted data protection laws; by the start of the 80s, multiple European Union nations had done the same. The EU also enacted the Data Privacy Directive in 1995, which placed some protections on the data of individuals in member states, like their right to access. In more recent years, regulatory bodies have implemented newer laws like the GDPR, CCPA, and PCI-DSS to strengthen protections for individuals’ data.
GDPR
The EU’s announcement of the General Data Protection Regulation (GDPR) in 2016 caught many enterprises off guard: it has many restrictions and applies to all businesses that have EU customers, not just EU-residing companies.
Businesses only had two years to implement the GDPR in all its data-protecting glory. That meant updating their websites with opt-out forms, accommodating requests for data access, and determining exactly how long they could store personal information. If businesses weren’t fully compliant by May 2018, they would be subject to fines.
The 2010s saw an increase in restrictions placed on data controllers, or any organizational body that handles individuals’ personal information. The most wide-ranging and well-known is the GDPR, which mandates 99 articles, or rules, for businesses.
The GDPR is very strict; it’s difficult for companies to meet its demands. GDPR obligations include:
- The data controller may only collect the minimum data necessary
- The data controller must be able to demonstrate compliance (likely through audits)
- The data controller must delete data if a data subject withdraws previously given consent to process their data
CCPA
The California Consumer Privacy Act (CCPA) took a similar approach to protect California residents’ privacy. It’s applicable to every business that operates in California, as well as other companies that have $25 million in gross annual revenue or meet other stipulations.
CCPA enables customers to request and receive information on the sale of personal data and gives them the right to delete their data from an organization’s database. The California Privacy Rights Act (CPRA), introduced shortly after in 2020, allows consumers to limit how businesses can share and use their personal data.
PCI-DSS
The Payment Card Industry Data Security Standard (PCI-DSS) mandates the protection of consumer payment data. All businesses that handle credit card data must comply with it. PCI-DSS requires security protections like firewalls on the company network, encrypting both card data and encryption keys, and limited employee access to systems that store card data.
How corporations make money from personal data
Enterprises were already accustomed to their existing practices of storing, processing, and selling personally identifiable information before exhaustive legislation like the GDPR came late in the game. For years, making money off the personal data they collected was what they knew.
Because businesses are accustomed to existing methods of profit and want to provide excellent services to customers, it can be difficult for them to adjust to compliance restrictions, even with the risk of fines.
Also read: Data Collection Ethics: Big Tech and Privacy
Methods of profiting from personal information
Two tightly regulated methods of making money from personal data are selling data to third parties and advertising based on provided and inferred information.
Data is a valuable commodity, and companies sell it to other businesses so that those organizations also benefit from having more accurate information about their customers. However, some regulations, like the GDPR and CCPA, require businesses to notify customers of the ways their personal data will be used and to permit customers to opt out of third-party data selling.
Targeted advertising is responsible for the sidebar ads that look startlingly similar to the items a customer shopped for on Amazon yesterday. In some situations, targeted advertising is a symbiotic relationship: companies earn more money because they know what their customers want, and customers are able to purchase goods that are tailored to them.
But legislative bodies want customers to have a choice: if they desire to have targeted ads to find ideal products and services, they are able to opt in; but if they don’t, they are able to opt out. This is the purpose of legislation like the right to opt out in the CCPA.
Benefits of limiting data processing
Regulatory standards intentionally make it much more difficult for businesses to profit from individuals’ personally identifiable data. Another consideration is the rapid growth of data stores, including behavioral data collected from IoT sensors and other business applications. If any of that data can identify an individual, it will also be subject to regulatory compliance.
However, having a beyond-reproach data privacy strategy is not an automatic financial disadvantage, according to Stephen Cavey, the co-founder and chief evangelist of Ground Labs. “Protecting customer privacy doesn’t have to result in losing money,” he said. “However, it does mean rethinking certain parts of your process when it comes to collecting personal data. For example, many organizations can embark on a data minimization strategy, which begins with scrutinizing the data you collect from individuals and scaling it back to essential information only.
“Traditionally, organizations collected as much as possible to aid in research and marketing efforts,” Cavey said. “Under today’s regulatory-driven environment, this is a dangerous practice as the consequences are significant should a data breach occur.”
Limiting data to only the essentials is a difficult process to implement, but it could enable organizations to focus their attention on only the data that matters most.
How to build trust with customers
Additionally, cutting down on data collection and processing lays a long-term foundation of trust with customers. It’s also a better way to avoid fines, according to Jerry Levine, the chief evangelist and general counsel at ContractPodAi, a contract lifecycle management firm.
“A business that simply ignores data privacy regulations would, at least for a short time, be able to beat their peers — at least until they receive massive fines and government and individual actions,” he said.
“But in the longer term… consumers will trust that organization more (and thereby spend more money), government action will be less likely against companies that follow the rules, and new ways of competing will need to be found because privacy protection will become a market driver. This creates a positive cycle for those organizations that lead with privacy where they’ll receive data that they have consent to use (and the consumer will be pleased). That consent will mean better working relationships internally between compliance, privacy, legal, and infosec teams alongside marketing and sales teams.”
In other words, businesses should prioritize the customer, even if it looks financially risky. In the future, when privacy regulations are still strict and growing volumes of data are even harder to manage, it will pay to have launched a customer-focused approach to data privacy as early as possible.
Data privacy breaches and their consequences
Penalties for breaking data protection regulations are not minimal, nor are they intended to be a mere slap on the wrist to Big Tech companies that can “afford” them.
Notable GDPR breaches
The lower range of GDPR fines hits €10 million or 2 percent of annual turnover. The higher tier is €20 million or 4 percent of annual turnover, depending on the part of the regulation that was breached.
Some of the most massive GDPR penalties have occurred in the past two years:
- In 2021, Amazon was fined $877 million for an unknown breach related to cookie consent.
- In 2021, Meta subsidiary WhatsApp was fined €225 million for failing to provide clear information about their reasons for processing data in their privacy policy.
- In May 2022, federal regulators said that Twitter had been fined $150 million for using personal data for advertising without disclosure. They were also required to tell all users affected that their data had been used illegally for targeted advertising.
Many penalties have been laid on these larger corporations, but they aren’t the only ones being punished for their noncompliance, according to Cavey. “Since GDPR’s implementation in 2018, over $1B in penalties have been issued by various EU regulators to companies that have violated different elements of the GDPR,” he says. “While regulators have focused on Big Tech to levy substantial penalties, a large number of smaller organizations have been issued a penalty that would still be considered substantially impacting relative to their size and revenue.”
GDPR enforcement is slow, too: cases can take years for the regulatory bodies in EU nations to determine. It’s difficult for regulatory bodies to keep up with the onslaught of complaints, especially for Ireland. As the European headquarters for Meta, Google, and Apple, among others, Ireland is responsible for handling complaints against those corporations, according to WIRED. The GDPR is only a few years old, and because it’s such an in-depth regulation, it will take time for regulators to determine what articles or tenets have been broken and what the appropriate punishment will be.
Learn more about GDPR requirements and compliance at Datamation.
Data privacy law enforcement in the United States
The United States has implemented few data privacy laws as of yet, and states have the opportunity to design their own, according to Spencer Smith, the vice president of marketing at marketing automation company Evocalize. For example, the California attorney general can place fines of $2,500 per CCPA violation, as well as $7,500 fines for violations after notification.
“The lack of centralized privacy laws in the US means each state has the opportunity to pass tougher and more stringent laws,” he says. “While the recent Connecticut Data Privacy Act looks similar to California’s CCPA (and the other three states with similar laws), Connecticut’s is even stricter on children’s data, biometric data, and the right to cure.
“With newly minted laws on the books, regulators are still learning how to enforce them and enact punishments (in some cases, laws are so new that regulators have no experience). Without a robust set of precedent-setting cases, it will take some time before regulators and businesses reach a common understanding and equilibrium.”
Like the GDPR, forthcoming US legislation will require time to develop a system that truly protects consumer data and compels corporations to prioritize the same.
Also read: The Argument for a National US Data Privacy Framework | eWEEK
Next steps for CIOs and data officers
Data privacy is overwhelming for businesses, especially those that want to follow the heart of the law and protect their customer base. For CIOs, data protection officers, and other executives and business leaders, managing all regulatory standards can be an exhausting process. Company-wide approaches to protecting clients’ personal information can help an enterprise stay consistent and decrease the chances of a regulatory breach.
Create a dedicated privacy plan
To comply with regulatory requirements, ensure that a strategy is implemented company-wide. If every stakeholder is aware of the restrictions placed on data access and the requirements for enterprise information security, they’ll be better prepared to individually comply.
Once a dedicated team has determined how the organization will approach privacy, it should disseminate this information to the entire business. All employees are responsible for protecting personal data.
Deploy sufficient security and data recovery measures
Article 32 of the GDPR also requires businesses to have a system in place that allows them to restore data access quickly in the event of an outage. Disaster recovery is a critical component of this. Enterprises should have a disaster recovery plan and consistently backed-up data, so that if an emergency occurs, they’ll still be able to meet customer requests for data access.
Learn more about creating an enterprise disaster recovery plan.
Craft a clear privacy policy
Focusing on clarity and transparency is one of the best approaches for CIOs and data protection officers to take in a company privacy strategy. Companies like WhatsApp have been fined partly for not having a clear, informative privacy policy; small and large businesses alike will be held accountable for the clarity of their policies.
If your business is preemptive in providing an easy-to-navigate privacy policy, with clearly listed reasons for processing customer data, you’ll be moving in the right direction. Because the GDPR is so exhaustive, it’s difficult for businesses to follow it perfectly without having the right intent or focus.
View data privacy as an investment for the future
Maintaining data privacy is a benefit for businesses rather than a problem, according to Sophie Stalla-Bourdillon, senior privacy counsel and legal engineer at data access control firm Immuta. “Making privacy protection a top business priority should be viewed as an investment rather than an expense,” she says.
“For one, as data security and data privacy are converging, data sobriety means fewer security breaches and increased agility when it comes to cross-border provision of services, which potentially means a broader market to target.
“Second, when there is a legitimate business need to use or reuse data, and they are making privacy properties core properties of IT systems, such as purpose limitation, data minimization, or transparency through comprehensive audit trails, it will not hurt the business. If anything, this will strengthen the business’s ability to control the data flows.”
Implementing data privacy has its difficulties, too, Stalla-Bourdillon acknowledges. Challenges include the expenses of deploying new infrastructure that supports data security.
“What is costly, however, is to restructure or get rid of legacy systems that do not embed such properties,” she says. “Architecting fit-for-purpose data platforms are resource-intensive but are often a win-win in the long run.”
Ultimately, consider what will be the most beneficial for your enterprise in the next few years and even decades. Expending effort and money at the outset, while difficult, better prepares your company to protect data, avoid fines and reputation loss, and most importantly build lasting, trusting relationships with your customers.
Determine what data is necessary
Regulations like the GDPR mandate that data controllers only collect necessary information. Although that’s partially up to an organization’s discretion, businesses must determine a methodology for collecting only necessary data so they’re prepared to comply with standards long-term.
Ultimately, Cavey of Ground Labs notes that all enterprise compliance programs must be approached with a focus on data first. But that includes knowing exactly what data is being processed and where it’s stored.
“Overall, the most straightforward advice to overcome any confusion or fear of attempting to comply with data privacy laws is to start with the data,” Cavey says. “Ultimately all privacy regulation requirements are triggered when personal data is stored, transmitted, or processed within an organization. By first understanding where that data processing and storage exist, you can rapidly assess the objective effort needed and focus your efforts accordingly.”
Enterprises must determine the locations where data is stored and the exact amount of data they need to operate successfully.
Again, keep your customer’s interests at the forefront of your decision-making. If processing one particular necessary piece of data will best serve their needs—while also protecting their data and keeping it as private and secure as possible—then it’s likely a safe decision.
Considering a platform that helps you manage your regulatory compliance? Read Top Governance, Risk, and Compliance (GRC) Tools next.