According to Forensics Research, the Global GDPR Services Market is expected to reach $3.3 billion by 2025. The enactment of GDPR has significantly changed how organisations handle personal data in the EU. However, due to the global nature of today’s business operations, this particular law has affected how companies and legislators think about data protection beyond the European borders. As a result, in 2019 we saw an increased level of compliance with data processing requirements and a strong focus on cybersecurity.
2020 will be another key year for global data security. Dyann Heward-Mills, qualified barrister and CEO at global DPO provider, HewardMills, gives her top predictions on the data security landscape for 2020 and beyond.
Globalisation of privacy
New regional requirements will be coming into force across the globe in 2020. While the EU created a comprehensive regime on data protection in 2018, the legal landscape on data protection will continue to evolve as new legislation will come into force in the US, Brazil, India, Singapore and Kenya. Notably, organisations operating in California will need to keep a watchful eye on the Attorney General Regulations for the implementation of the California Consumer Privacy Act (CCPA).
Protection of children’s data is a highly critical aspect of data protection law that should be closely monitored in 2020. Given that there is a general consensus on the importance of children’s online privacy, we should expect a relatively coherent approach to children’s data protection, which may affect a multitude of industries.
We are expecting stronger enforcement of employee data protection rights in the new year. The significant number of employees submitting data subject access requests (DSARs) shows that there will be a need to upskill compliance and audit teams as companies manage the increased workload.
New industry spotlights
Data regulation is moving from a broad-spectrum approach to focusing on specific industries, ensuring that appropriate regulations are put in place. The fintech and health-tech industries, in particular, are due some extra attention in 2020.
There will be less of a focus on what to implement and more attention on how to implement adequate data security, through the new “privacy operations” departments. We are also expecting stronger enforcement action in relation to cookies, real-time bidding and similar technologies in the adtech space. Concerns have been raised about this industry’s behaviour and compliance. It will be interesting to see how the regulators address this issue in 2020 and beyond.
Data protection authorities, via their opinions and guidance, have contributed to improved clarity and coordination between the roles of legal, compliance, IT, risk and audit teams on data protection issues. Furthermore, the need for data protection officers (DPOs) has become better understood at every level of business.
2020 will likely see an increased level of transparency and expectations around Privacy Notices, Data Protection Impact Assessments and Legitimate Interest Assessments. There may also be an increased demand for Codes of Conduct and privacy standards such as Binding Corporate Rules (BCR).
Ethical data handling
On top of extra regulations and scrutiny, there will be a greater emphasis on ethics in the context of privacy and data protection. The DPO function has scope to grow in demand and importance with greater expectations from internal and external stakeholders.
At HewardMills we are finding that more and more organisations are recognising the value of in-depth knowledge and the need for complete autonomy of the DPO function. Businesses have a greater appreciation for the fact that their reputation is closely aligned with their processes around privacy and data protection. As a result, operationalising data protection regulations is becoming a priority for many organisations.
The future of DPOs
A DPO must work independently, whether they are internal or outsourced. Given their statutory role as a link between the organisation, the supervisory authorities and the data subjects, it is important that the DPO balances their obligations toward all relevant stakeholders.
However, true impartiality and efficiency may be difficult when the DPO has multiple roles within an organisation. As such, we may see more organisations use external DPOs in the future as the duties of the DPO become better defined and crystallised. Used correctly, the DPO is a partner that helps navigate organisations towards ethical and legal handling of personal data.
Organisations that do not meet their legal obligations are bound to encounter problems with the regulators, and it is in their best interest to avoid the hefty fines that GDPR violations carry. For example, if an organisation is not adequately prepared to respond to DSARs, it may miss the one-month GDPR deadline or fail to provide a sufficiently complete response. As such, practical knowledge of how to operationalise legal obligations is the key to success.
As we embark on a new year with a multitude of jurisdictions strengthening their laws and raising awareness, we are likely to see a more sophisticated era of data protection.
Dyann Heward-Mills, CEO, HewardMills