What CISOs Need to Know About Data Privacy in 2024

By Daniel Barber

[By Daniel Barber, CEO and founder, DataGrail]

Data privacy is a volatile market. While consumers continue to demand stronger personal data protections, companies are scrambling to keep track of an ever-evolving patchwork of applicable laws and regulations.

In this environment, cybersecurity professionals need to understand the current state of data privacy as well as where it’s headed. The stakes are high. These market shifts have put CISOs under increased scrutiny, with missteps regularly leading to burnout, dismissal, and even legal action.

Below, we’ll discuss what’s next for data privacy regulation and how it will affect the role of CISOs within their organizations.

Adapting to regulatory change

There has been a groundswell of concern about how personal information is acquired, used, stored, and sold in recent years, prompting governments to enact laws that regulate how consumer data is leveraged. This has led to the establishment of important privacy frameworks, such as the GDPR in Europe or the CPRA in California. Although there is still no federal law protecting data privacy in the U.S., Gartner estimates that nearly 75% of the global population will have its personal data covered by privacy regulations by 2024.

Nevertheless, technology continues to outpace regulation. Take AI, for instance. In addition to acting as a boon for businesses and CISOs, advances have led to a rise in data privacy concerns. Regulatory responses to these developments have made CISOs’ jobs even more complex. They are now required to find solutions that not only respond to the GDPR and CPRA (neither of which explicitly governs AI) and ever-evolving data privacy legislation, but also take into account burgeoning AI regulations such as the EU’s Artificial Intelligence Act and China’s Internet Information Service Algorithmic Recommendation Management Provisions.

In practice, this all means that cybersecurity professionals need to develop innovative approaches for uncovering data risks and mapping AI use, all while getting ahead of enforcement.

Protecting Data Privacy Makes Business Sense

The regulatory landscape is undoubtedly evolving, but it does not need to handicap CISOs while everything is being sorted out. There are several business reasons CISOs need to implement well-defined data privacy practices today that will hold up to future legislation.

  1. The recent uptick of privacy rights requests reveals how people are pushing for more control over their data. Eight in 10 consumers believe that the U.S. should have a federal law to protect their data. While consumer data can be useful for personalizing products and advertising, CISOs should remember that it’s also necessary to implement efficient systems for putting privacy back into the hands of users. Failure to do so risks lowering consumer trust, tarnishing brand reputation, and potentially losing customers.
  2. Customers, clients, and vendors are also driving data privacy management and compliance. Companies expect their vendors to protect their customers’ data, and if/when that trust is violated, they will take their business elsewhere. Your clients and vendors will hold you to the same standards they themselves are held to, in order to reduce their own risk.
  3. Finally, boards have a voice in data privacy practices and the systems used to comply with the expanding range of regulations. As they continue learning how critical data privacy is for brand image and customer satisfaction, they’ll expect CISOs to offer cutting-edge solutions.

Three strategies for staying ahead of privacy risk

Given these new drivers of data privacy compliance, how can cybersecurity pros get ahead of risk?

To adapt to evolving technologies and regulations in 2024 and beyond, CISOs can start with three strategies: internal collaboration, privacy by design, and external partnerships.

First, CISOs and their legal counterparts should be working in lockstep. To make these collaborations fruitful and sustainable, CISOs and GCs need to ensure that they’re speaking the same language. This will enable the former to learn about the legal context of data privacy and the latter to weigh in on more granular solutions.

Second, CISOs must ensure that their solutions take privacy into consideration at every turn, across all levels of the workforce. For example, how is personal data handled by marketing? Customer support? In the development of products, services, and systems? What is the potential impact of the use of personal data in each respect? By asking and answering such questions on the front-end, CISOs can prevent putting out fires after the fact.

Finally, when it comes to risk prevention regarding new technologies such as AI, find the right partners. In a space this fast-moving, many organizations don’t have the knowledge or personnel required to get ahead of risk. They don’t yet know what they don’t know about the exact consequences that will follow the use of these technologies. For that reason, beware of any company that claims to be able to ‘control’ AI. Instead, seek out partners that can help you with discovery and monitoring. Such partners can help CISOs gain a holistic understanding of their organization’s data privacy risks and keep pace as they evolve.

One thing is certain in 2024: data privacy needs to be top of mind for CISOs. Whether the driver is evolving regulation or the demands of consumers, customers, vendors, or boards, CISOs must plan for data privacy by working across teams, instilling a culture of privacy within all levels of the organization, adopting privacy by design, and choosing the partners who can best assist them with discovery and monitoring, so that they will be ready to adapt to whatever comes next. Those that take data privacy seriously will position their organizations for success in navigating this period of rapid change.
