Predictions 2021: Privacy and Compliance

What should we expect in the worlds of privacy and compliance in 2021? Industry experts weigh in:

 

More consumers will submit data subject access requests (DSARs)

“Now that the California Consumer Protection Act (CCPA) is in place, we will likely see an increase in customers submitting data subject access requests (DSARs). However, numbers will vary tremendously from company to company. Generally speaking, individuals either don’t know or don’t care that they can ask for this information until something brings it to their attention. For example, the publicity surrounding a ransomware attack might make them think, ‘I’m a customer of that company. I want to know what they’ve got on me!’” – Rick Hedeman, Sr. Director of Business Development at 1touch.io

 

More CCPA-type regulations

“The new US administration will continue the work done by the previous two administrations on privacy regulations and enforcement. This will start with ensuring higher security and transparency for anything related to voting but will be much wider. We can expect more CCPA-type regulations and stricter privacy regulations. What is still not clear is whether there will be an effort to bring a federal PII regulation to the US, such as GDPR in the EU. If so, any bill will most likely be met with initial pushback as it would mean that the stricter states may need to loosen mandates whilst less strict ones will need to increase PII controls and have a way to implement them.” – Mathieu Gorge, CEO of VigiTrust and author of the new book The Cyber-Elephant in the Boardroom

 

The biggest threat to personal privacy will be healthcare information

“Researchers are rushing to pool resources and data sets to tackle the pandemic, but this new era of openness comes with concerns around privacy, ownership and ethics. Now, you will be asked to share your medical status and contact information, not just with your doctors, but everywhere you go, from workplaces to gyms to restaurants. Your personal health information is being put in the hands of businesses that may not know how to safeguard it. In 2021, cybercriminals will capitalize on rapid U.S. telehealth adoption. Sharing this information will have major privacy implications that span beyond keeping medical data safe from cybercriminals to wider ethics issues and insurance implications.” – Joe Partlow, CTO of Reliaquest

 

More scrutiny from data protection authorities and more fines

“During the pandemic, privacy compliance became even more important due to the rapid rise in cybersecurity attacks targeting the remote workforce. As work from home continued in 2020, many news sources reported a significant increase in cybersecurity and ransomware attacks, including phishing campaigns to steal login credentials. As a general trend, data protection authorities have used their investigative and enforcement powers to issue an increasing number of fines in 2020 and I believe this will continue through 2021. The enactment of new privacy regulations, like the California Consumer Privacy Act, which will begin in the second half of 2020, will only further fuel this. Data protection authorities are relying on companies to implement robust security protocols and educate their employees to protect consumer and personal data. Companies that fail to do so are vulnerable targets.” – Elizabeth Schweyen, Senior Manager, Global Privacy and Compliance at Druva

“Another factor that may lead to an increased number of fines is increased funding for data protection authorities and the expansion of their investigative and enforcement resources. Recent court cases in the EU have focused on appropriate methods of data transfers, highlighting the need for parties to enter into contractual arrangements that clearly detail each party’s obligations concerning data transfers outside the EU. Data protection authorities are scrutinizing these arrangements to ensure that consumer rights are adequately protected.” – Jung-Kyu McCann, General Counsel at Druva

 

New data regulations, like CPRA, must be enforced at the API level

“After CPRA passed in November 2020, many other states and countries may follow suit in implementing data and privacy laws to give consumers control of how their personal data is being used. However, enforcing regulations like GDPR, CCPA and CPRA needs to start at the API level. When it comes to managing consumer and employee identity, APIs are a key leg of the identity stool, dictating how the app handles user data, identity governance, and who has access to privileged data. It will be much simpler for companies to ensure they are compliant with these regulations if their APIs are updated or built from the ground up. On the flip side, if federal officials monitor and enforce these data laws at the API level, it will be evident which parts of the app’s code must be altered to comply and avoid large fines.” – Jasen Meece, CEO of Cloudentity

 

Consumers’ data confidentiality will be top priority

“As we look ahead to 2021, society will continue to reason about the importance of consumer privacy and countering the ‘echo chamber’ effect of social media as current data privacy protection and related regulations have not yet curbed the collection or use of personal data. With many Americans expressing initial concerns surrounding data collection, especially with the new tracking tools used for COVID-19, there will be continued conversations surrounding the government’s role in protecting consumers’ personal data. We will see more and more firms investing in solutions that include end-to-end encryption and user-controlled encryption to ensure consumers’ data confidentiality.” – Andrew Sellers, Chief Technology Officer & Co-Founder, QOMPLX