As someone who spends their workdays — and more than a few work nights — talking to executives about their most pressing data security concerns, I found that regulatory compliance became the most popular topic of conversation in 2022. But while compliance is a hot topic, it’s certainly not new. If I were to pinpoint when compliance discussions occurred with growing frequency, I would say it was after the adoption of the EU’s GDPR in 2018 — the most aggressive and widest-reaching data privacy regulation to date.
While GDPR may have introduced the conversation, the numerous data privacy laws that have followed (more on that later) have elevated it to ubiquity. What is notable is how the focus of these conversations has shifted from “What can you tell me about compliance?” to “What should we be doing to avoid fines?”
Given the growing concern over data privacy compliance in the past year, I fully expect 2023 to be the year when compliance takes center stage as a top business priority across verticals. Let’s take a closer look at the factors that have led to this ‘perfect storm’ of regulatory awareness.
Data privacy laws are expanding
Since GDPR, countries outside of the EU have adopted similar legislation, and more countries are following suit. The U.S.-based companies that operate on a global scale have had to quickly evaluate data security measures to maintain compliance with various international privacy regulations.
And California, the first state to enact such a law in 2018, will commence enforcement of a more stringent version called the California Privacy Rights Act (CPRA) in 2023. Three other states — Michigan, Ohio and Pennsylvania — introduced privacy bills in 2022. A significant number of companies are already covered by at least one data privacy law, and those who aren’t covered certainly see the writing on the wall.
Complying with multiple laws is inherently complex
Understanding the confusing nature of a single data privacy law is one thing, but navigating numerous laws is another. No two data privacy regulations are identical, so action plans for addressing them often vary from law to law. For example, the Utah Consumer Privacy Act (UCPA) is widely considered to be more favorable to businesses, while CPRA offers more consumer protection. Also, many laws have different definitions of what sensitive data is and how it should be protected.
These are just two complicating variances, and there are many more across all of the state data privacy laws. The complexity deepens for companies that operate both stateside and abroad. Many business leaders have told me that trying to satisfy each law is akin to walking in the rain without getting wet.
Cloud migration left companies vulnerable to non-compliance
The pandemic and subsequent cloud migration had an unintended compliance-related consequence on many businesses: Under-protected cloud data. As companies tried to facilitate an overnight transition from an office setting to a virtual workplace, many prioritized speed over security and, subsequently, left data exposed — while potentially putting themselves out of compliance. Today, many organizations are still catching up to ensure that their cloud processes are in line with the data privacy regulations with which they must comply.
Data privacy fines are grabbing headlines
Sometimes, a splashy news story can get your attention faster than the fine print of a legal document. In 2022, retailer Sephora incurred a $1.2 million fine for not complying with the California Consumer Protection Act (soon to be replaced by CPRA on Jan. 1, 2023). In 2021, Amazon was hit with the largest GDPR fine to date of $887 million and WhatsApp suffered a $267 million penalty.
As state data privacy laws begin enforcement in 2023 — and the specter of fines becomes a reality — organizations are going to be making a concerted effort to maintain compliance and avoid seeing their name in print for the wrong reasons.
How companies use and share data has changed
If your data sits in an on-premises database throughout its lifecycle, maintaining data privacy compliance is a straightforward task. But this is not 1995. Today, data analytics and data sharing are critical components of every business, and data is on the move to extract market-differentiating insight. However, data movement makes complying with data privacy laws inherently more challenging.
In the last year, my clients and prospective clients have expressed well-founded concerns about the balancing act between data utilization and ensuring its protection. And the prospect of doing so is even more challenging when you consider that data analytics occurs in the cloud, which, as discussed, carries its own set of vulnerabilities.
Data privacy is not a fad or a passing fancy. It is here to stay, and now is the time to start addressing it as a top business priority.
Ameesh Divatia is CEO of Baffle.