February 28, 2020
Compliance & Risk Outlook for 2020
Between changes in regulation, technological advancements, and shifting consumer preferences, data privacy compliance is a dynamic issue for every business. These trends are expected to continue for the foreseeable future, necessitating even greater attention from business owners. We narrow down the top compliance and risk concerns for the upcoming year and assess their ramifications across industries.
Emerging State Level Data Privacy Regulations
The most immediate compliance development in 2020 is the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. Like GDPR before it, the CCPA is a landmark privacy law that gives consumers the power to take back control of their privacy and personal data. The impact of the legislation is significant. Not only is it expected to cost billions of dollars in initial compliance initiatives – an estimated $55 billion – but it fundamentally changes how companies operate and work with consumer data. As far as data privacy laws go, CCPA marks a beginning, but not an end. Many states have already followed suit with their own form or version of data privacy laws. One example is Nevada Senate Bill 220, which took effect in October 2019 and contains much the same regulations as CCPA. Additionally, New York, Pennsylvania, and Maryland are among many states that are debating the best way to approach the demand for consumer privacy protection. The ramifications for companies in 2020 and beyond hinge upon their ability to remain aware of evolving regulations and rapidly adapt their business practices in response. The effort to comply is significant and the cost of failure is high. Accordingly, many companies are seeking solutions to address essential compliance functions, which leads to our next outlook for 2020.
The Continued Wave of Compliance Start-Ups
In an October 2019 report, IAPP noted over 300 businesses now selling privacy compliance solutions, ranging from large professional services firms among the Big 4 to tech start-ups and everything in between. Without a doubt, there is a lot of energy and capital going into data privacy in 2020. After all, CCPA, as GDPR before it, has widespread implications for all businesses – no matter where they are located. As we’ve discussed, it fundamentally changes how corporations collect, store, secure and use customers’ personal data. Although data privacy is not a new risk, the expanding body of regulations has certainly shone a spotlight on it, increasing awareness among stakeholders and effectively increasing the underlying risk (e.g. reputational, loss of business) and cost (e.g. fines, penalties) of non-compliance. The renewed focus on this issue has led to a large and as yet unmet demand for privacy compliance management solutions, many of which appeared on the IAPP report.
With respect to the 300+ new vendors and service providers in the space, as with other “hot”, “niche” sectors before it, we expect the ecosystem to evolve quickly: still more new entrants will come into the space, best-of-breed vendors and solutions will emerge, and others will opt to build integrated suites. We are already seeing some of those trends take root with companies like OneTrust and TrustArc, which have taken on significant investment and are poised, and proving, to be major players in this space with the potential to lead the consolidation trend. Consequently, companies will continue to invest in efficient solutions to complex compliance demands while remaining wary of what is unproven.
AI Versus Data Privacy, Striking a Balance
A final compliance issue that companies should be focused on in 2020 is the impact that data privacy may have on the insatiable demand for artificial intelligence. Advancements in AI and ML have fueled innovation across virtually every sector, reshaping how businesses operate, make decisions and drive productivity gains. Despite the promise of these technologies, they may pose a critical risk to consumers and the companies that employ them. Simply put, true AI technologies must be trained on massive amounts of data. When these solutions are implemented in privacy-sensitive industries like healthcare and finance, protecting this data and maintaining compliance must remain at the fore. We have seen some discussion on this topic beginning to take root, but expect it to accelerate and gain a voice over the course of 2020.
A Final Word
Demand notwithstanding, from our vantage point there is no silver bullet to data privacy compliance. The recency of regulations and the lack of regulatory guidance generally leave companies leery of full-scale adoption of yet-to-be-proven technologies, opting instead to either build in-house capabilities or rely on established technology and consulting partners for advice, guidance and/or management of core compliance needs. Our view is that corporations are still assessing their data privacy & security posture and are working on building capabilities, technological and/or operational, to comply with the more challenging requirements of CCPA, specifically the right of consumers to access and delete their own data on demand. Companies should consider how they are investing in compliance solutions for the long term while keeping today’s dynamic compliance environment in view.