Dimitri Sirota, co-founder and CEO, BigID
Siri, Are You Listening? Overcollection of consumer data has been an issue for quite some time, but the introduction of smart home devices like Amazon’s Alexa and Google’s Nest has exponentially accelerated consumer data collection, much of which is superfluous and lacking in value. Large and small organizations alike are not taking the necessary steps to identify which data is sensitive and which should be deleted. By not making this distinction and just storing all the data they get, companies are exposing themselves to potential security and compliance risks. As rash, unnecessary and potentially invasive data collection becomes even more pervasive in devices across the home, I expect the public backlash to grow louder in the new year.
Richard Bird, chief customer information officer, Ping Identity
America Gets Serious About Federal Protections for Data and Digital Identity: The U.S. is one of the few remaining developed countries without a national data privacy standard, which is giving rise to a patchwork of state-based regulations that will likely prove to be harmful from both an economic and commercial perspective. It is even starting to raise concerns about national security and the protection of U.S. citizens in today’s deeply connected world. In 2020, we will likely see Congress step up to address data privacy at the federal level – and in the process work to protect more than just data, but also the digital identities of all Americans. We’ve already seen various business sectors race to develop the de facto “standards” for this critical aspect of modern day consumer privacy and security — particularly financial services, healthcare and internet technology companies — but in 2020 commercial interests may see their dreams pushed aside by lawmakers. Emboldened by rapid progress on data and security regulation, we will likely see the federal government take digital identity under its wing, in effect creating a robust set of consumer data protections.
Rajesh Ganesan, VP, ManageEngine
Privacy laws will result in increased focus on employee accountability. More countries are following the European Union’s lead by implementing data protection laws similar to GDPR, such as the Thailand Personal Data Protection Act (PDPA), which goes into effect in May 2020. Under such scenarios, the role of Data Protection Officers (DPOs) assumes significance as they must work closely with the CIOs and tech teams to ensure that organizations comply with the law. With increased awareness of and emphasis on data protection, there will be an even greater focus on the handling of users’ personal data and its security. Employees at all levels will be held accountable as organizations strive to meet compliance. Therefore, there will be a need for upskilling and education programs to handle this aspect.
Anurag Kahol, CTO and co-founder, Bitglass
Ambiguity around CCPA will cause a slow start to enforcement in early 2020; this is made more likely by the fact that several groups are still suggesting changes to the original version of the regulation. In other words, California legislators are not prepared to adequately and consistently enforce the new law. Additionally, many businesses are still unsure about its specific requirements, and are not ready to be in compliance when the regulation goes into effect in January. This is particularly true of small and medium-sized businesses that don’t have the same amount of resources as larger corporations – it is more challenging for them to discern what they need to do in order to be in compliance. As a result, we will most likely need to wait some extended period of time before we see the first significant fine under the new law, much like GDPR. In fact, it took nearly a year for British Airways to be fined $250 million under GDPR – its breach was reported in September 2018 and the company was not fined until July 2019. Similarly, once the initial lull period that will follow the enactment of CCPA comes to a close, we will see similar, significant fines being given to companies that fail to meet the requirements demanded by the new law.
In 2020, we will see a U.S. federal data privacy law be drafted and considered. This is needed to avoid a patchwork of differing data privacy laws from each state, to facilitate more nationwide business, and to enable international commerce – facing numerous regulations can be a barrier that keeps foreign businesses from entering a market. Complying with data privacy laws can be a top challenge, particularly for small and medium-sized businesses that lack the same resources as larger companies that are better equipped to navigate all of the regulations with which they are faced. Some of the largest tech firms in the U.S. as well as a group of 51 CEOs have already asked U.S. lawmakers for a federal privacy law.
Rasmus Holst, chief revenue officer, Wire
Zero-trust on the rise as enterprises will “trust no one.” The first half of 2019 had 4.1 billion records exposed due to data breaches. This trend will only increase as global work infrastructures continue to change. For example, complex systems are becoming more interconnected and employees are becoming more mobile, leading to them being less guarded by traditional forms of security. In 2020, zero-trust environments – ones that assume that all data, devices, apps and users are inherently insecure and must be authenticated/verified before being granted access – will become essential for all applications that organizations use most frequently. Moreover, enterprises will demand – and technology vendors will proactively conduct – third-party audits to address (lack of) security concerns.
Doug Dooley, COO, Data Theorem
CCPA fines will exceed $200M in its first year of existence. January 1, 2020, will be the first official day that the California Consumer Privacy Act (CCPA) will go into effect. However, the way the regulation is outlined, lawsuits can be filed for privacy violations occurring in 2019. It is my estimate that very few companies are prepared to meet the guidelines outlined in CCPA. Further, unlike the General Data Protection Regulation (GDPR) which went into effect in May 2018, there are no maximum limits capping how large the fines could be for CCPA violations. The first CCPA rulings served by the courts will no doubt create big headlines, and put added pressure on companies to be proactive about protecting the data privacy of their customers.
George Gerchow, CSO, Sumo Logic
We will see a movement emerge in the tech industry to streamline privacy: This year we reached the one year anniversary of GDPR and have continued to see data privacy regulations come to the forefront of business conversations around the globe, both at the national and local levels. In January 2020, the California Consumer Privacy Act (CCPA) will go into effect within the United States – a bill similar to that of GDPR that will impact not only the local region but also all U.S. and foreign entities that conduct business with the state of California. Many of these regulatory acts outline robust data protections, but they lack a clear path to implementation. To avoid disruption to business and day-to-day operations, we’ll see increasing demand for the tech industry to come together to streamline privacy and adopt a consumer privacy-by-design mindset. In addition, organizations will continue to be challenged to remain agile and continue to scale their business while adhering to these privacy regulations.
Nigel Tozer, solutions director, EMEA
Expect CCPA to Fuel a Data Collection and Processing Backlash: The California Consumer Privacy Act (CCPA) will highlight data collection and monetization in the US, just as the General Data Protection Regulation (GDPR) did in Europe. This will fuel a backlash on data collection and processing in the US, especially around political ad targeting during the 2020 election year. Companies such as Facebook and Google will come under greater pressure to distance themselves from this area, and data analysis companies that are now largely unheard of will be in the news for the wrong reasons.
Ilia Sotnikov, VP of product management, Netwrix
Data privacy will become a necessity for all organizations, regardless of industry, which will drive the creation of new business services.
The GDPR has been in effect for more than a year, but less than half of organizations in the U.S. achieved compliance by the deadline, according to Ponemon. In 2020, data privacy will become a priority for even more companies as more U.S. states will adopt privacy regulations similar to the GDPR and the CCPA, ultimately resulting in a federal regulation that will leave no organization untouched. The first to be affected will be financial institutions, followed by the education, healthcare and public sectors.
Since data privacy laws require consent for data collection and prohibit gathering more data than needed or keeping it longer than required, they will dramatically impact marketing, data collection and retention practices. Therefore, CIOs and CISOs will need to gain deeper insight into the data being collected, where it is being stored and how it is used by employees.
As a result, the U.S. market will see new offerings that combine legal and IT services to help organizations interpret the various compliance mandates and develop actionable plans to achieve, maintain and prove compliance.