Data privacy has finally become an elevated subject in the enterprise and is no longer just considered a subset of the IT security function. Cross-departmental teams are addressing the privacy issue at a business-wide level, and the subject of privacy is of increasing prominence to the board. The EU’s General Data Protection Regulation (GDPR), certainly, has played a key role in provoking the enterprise to contemplate data privacy as a holistic issue rather than a mere “task” that is relegated to security. In 2018, data security conferences have acknowledged this maturation of the privacy function within the enterprise, with sessions and presentations focusing on the multidisciplinary nature of data privacy.
Privacy is an interdisciplinary pursuit with multiple stakeholders
The core tenet of security is to protect data, while the core tenet of privacy is to protect the rights of the individual. While data security is a critical and necessary component of privacy, privacy itself is therefore a much more holistic challenge than any single technical capability can address in isolation. Any enterprise discussion of data privacy must involve (at a minimum) stakeholders from IT, legal, compliance, lines of business, and HR departments. It is a deeply interdisciplinary pursuit that is horizontal in nature, and any organization that delegates sole privacy responsibility to a single business unit is at risk of noncompliance with data protection regulations, and worse, at risk of damaging the trusting relationship it maintains with customers and consumers.
The technology conferences of 2018 have reflected this matured perspective toward privacy, and privacy is no longer portrayed as just a checkbox requirement for which IT must be responsible. It is now a board-level issue, earning its seat at the “adult table.” At the RSA security event in April 2018 in the US, there was a rich corpus of privacy and GDPR-themed programming. Sessions were well-attended, and the audience questions were nuanced and generally business-oriented rather than technical in nature. While the 2017 security conference also had prominent data privacy session topics, the 2018 conference reflected a much more mature view of the subject, portraying privacy as a business opportunity rather than simply a compliance burden. Speakers at the 2018 conference, many of whom were chief privacy officers, underscored the need to collaborate across business units to align the goals of data privacy with existing enterprise objectives, such as those for the better management of data.
Strong data privacy practices cannot be implemented by security tools alone, and instead require a fundamental cultural shift in the business. In the self-service era, this means that all business users must be trained in and aware of data privacy topics, and data privacy practices such as data minimization must be internalized by everyone who uses data in their daily roles. This requires a cross-disciplinary approach, with an enterprise privacy “task force” composed of high-level executives across business units. Not only does the business need to be cognizant of how it handles data internally, but it also needs to be vigilant about the data handling practices of partners and third-party organizations. It requires cooperation within the business, as well as strong external relationships and lines of communication.
This year’s conferences highlighted the holistic nature of data privacy, with session topics ranging from privacy rights in the world of AI to employee surveillance by employers. While GDPR has brought data privacy to the forefront, it is simply the beginning of what promises to be a perennial discussion. Organizations are beginning to realize the high-level benefits of robust data privacy practices, such as increased trust with consumers and improved data quality. Those that treat data privacy as a board-level issue stand to benefit strategically, while those that simply relegate data privacy tasks to IT risk experiencing compliance as a burden.
Straight Talk is a weekly briefing from the desk of the Chief Research Officer.