Fifteen years ago, the idea of data protection was hiring a hacker to test the strength of your network perimeter security. Eventually, that same guy started selling you the tools you needed to protect yourself from hackers like himself. Jump forward to 2017 and the security industry is now a multi-billion dollar market, busting out of its seams with hyper advanced technology and talent to safeguard petabytes of data. But if security is all about locking down data, privacy is all about protecting that data while it's being put to use to drive business value.
In today's data-driven business environment, privacy professionals are dealing with the same issues CISOs with no budget faced in the 90s – where are the tools to monitor and create an inventory of sensitive data, manage who has access to it, and establish procedures that ensure that it remains compliant with regulatory standards like the European Union's (EU) General Data Protection Regulation (GDPR)?
As an industry I believe that privacy is evolving along the same trajectory as security -- powered by increasing demands to use personal data, growing user privacy concerns regarding the use of their information, increasing regulatory requirements, and the need to operationalize privacy controls to ensure business continuity. For instance, the need for data protection officers (DPOs) is rapidly increasing -- according to the International Association of Privacy Professionals (IAPP), 75,000 new DPO positions will be created just as a result of GDPR. Similarly, in a recent survey by Dimensional Research, close to 70 percent of respondents stated that privacy management is becoming significantly more important to conduct business. Another parallel to the evolution of security can be found in the growth of privacy budgets, specifically when it comes to investments in technology. According to the same survey by Dimensional Research, 95 percent of professionals say they need technology to help manage privacy and nearly half of those are now investing significantly larger budgets to acquire those solutions.
Three major drivers have magnified in the last 12 months that have pushed privacy into boardroom discussions alongside security.
The forcing function of GDPR. Though privacy has evolved with consumer, corporate and regulatory pressures for years, with the May 2018 mandated compliance with GDPR now acting as a forcing function, the threat of substantial fines is pushing privacy to a C-suite topic. In hard numbers, failure to comply with GDPR can result in €20 million in fines or 4 percent of annual turnover, whichever is the greatest.
With previous privacy regulations it was enough for businesses to claim that they are compliant. With the new GDPR, businesses are required to operationally track and report their privacy compliance to prove it. The implications of that difference cannot be understated and it will require businesses to be smart about what processes they deploy to track operations, without causing productivity loss. Furthermore, GDPR is broad and GDPR is global. In a pre-GDPR world, hiring a privacy lawyer often might be enough to manage compliance but with new more far-reaching regulations, the impact of privacy management will be felt across corporate functions beyond just the legal department.
Without good privacy, security efforts will fall short. The first step in safeguarding data is protecting it from outside hacks and attacks. I would argue that security is a tenant of privacy and now that the security business has developed into a mature industry, the natural next step is for privacy solutions to develop on top of it. Once security is in place, the next question is how can businesses put that data into use while still remaining within the confines of legal regulations and in alignment with consumer requirements?
Today's data-driven business models require data-driven protection. At the end of the day, privacy and security teams are managing the same thing – the data. To maximize the value of enterprise data it is no longer just about securing it from outside attacks, but also ensuring its availability and usability to drive other business functions like marketing. Ensuring the privacy and integrity of data when it is in use has gone from being a static function of complying with a small set of policy regulations, to a dynamic operation that involves proactively managing risk and compliance across departments and jurisdictions.
Looking ahead, I believe that these three drivers will cause enterprises to think about security and privacy more holistically. Rather than pitting budgets against each other, the promise of new business opportunities through smarter use of data assets will require security and privacy to meet on equal footing as part of overall data governance. As companies continue to change their approach to data so that it can be used by the entire organization, our role as vendors will be to empower security and privacy professionals with the technology solutions and processes they need to do so in a safe – and compliant – manner.