Data Privacy Goes Global
Part One of a Two-Part Series
Data breaches and the ripple-effect damage they initiate have consumers increasingly worried about their personal data. Since the introduction of the European Union’s (EU) General Data Protection Regulation (GDPR) in 2018, lawmakers around the world have taken notice and responded with a steady increase in privacy regulations.
Embrace a new era of privacy
Modern privacy regulations now cover the personal data of 65% of the global population, up from just 10% in 2010. Additional U.S. privacy laws are expected to pass in 2023, bringing that number to an estimated 75% by the end of 2024.
Rapid changes in privacy regulations and expectations make it an ongoing challenge for businesses to stay ahead. Recent legislative activity in the U.S. includes the introduction of nearly 140 consumer privacy bills in at least 25 states and Puerto Rico. And at least five states—Iowa is the most recent—voted in comprehensive consumer privacy laws that take effect in 2023. Four more states have active bills that are expected to become law this year. Meanwhile, other states have proposed bills at various stages within the legislative process, and a U.S. federal privacy law has bipartisan support but hasn’t been finalized. Additionally:
UK privacy laws are under active review.
The EU Digital Services Act, which regulates online content, has been introduced in the EU Parliament.
Progress has been made toward addressing transatlantic data transfers in the EU–U.S. Data Privacy Framework.
More focus is going into protecting the personal data of children.
Efforts are underway to create meaningful regulation of artificial intelligence.
The new data laws are actively enforced through hefty fines for noncompliance. But it’s not just regulators who are paying attention. Consumers are more aware of how businesses use their data, although many are still in the dark about data-privacy practices that companies are increasingly required to implement. That leaves consumers feeling more suspicious and concerned about the security of their personal information. The bottom line: Data privacy is taking on new urgency, and companies are clueing in to how fundamental data privacy is—in policy and in practice—for success among today’s consumers.
Use data to build emotional connections
Brands that are transparent about their privacy practices have an opportunity to build trust, confidence, and connection with customers. Even tech companies—including giants like Apple and Google—support new data-privacy laws and are updating their policies. Apple CEO Tim Cook has publicly stated that protecting data privacy is “the most essential battle of our time.”
As consumers rely more and more on digital interactions, they’re placing increasing value on the privacy of their information, and legislators are taking notice. Businesses need to do a better job of being transparent and educating consumers about what data they collect, how it’s used, and how it’s protected. Companies also need to follow through on data-privacy pledges they make, including how they use the data to personalize their brand experiences.
Following these three basic principles and approaches paves the way to building stronger emotional connections with consumers.
1. Take inventory
A first step toward compliance with new regulations is understanding the data you have. What type of data do you collect and why? How is that data used and stored? Is it shared with any third parties? If so, what processes are in place to support the protection requirements and identify and mitigate risks? Do you have a way for consumers to opt out of the use of their data?
From there, make sure your team has a full understanding of your legal obligations. Then develop a strategic foundation for privacy compliance, implement appropriate measures to protect the data, and build internal processes and competencies that support the rights of consumers by creating a privacy-first culture.
2. Know your obligations
Most privacy laws share a few main provisions—such as obtaining consumer consent before collecting or using personal data—accompanied by expectations for securing and protecting the data. However, the various laws feature important differences, so it’s crucial for businesses to understand the legal obligations that apply to them and enact best practices to maintain those requirements.
Consider the cross-jurisdictional nature of the laws. For example, the landmark EU legislation, the GDPR, applies to all businesses with personal data of individuals in the EU, regardless of where the business is located. To comply with the laws, businesses need to understand where the individuals (aka data subjects, to use the legal term) are located, which laws cover their personal data, and what rights the individuals have. Only with that broad view can companies implement the appropriate data-privacy measures.
Moreover, while regulators outline requirements in the regulations, they often don’t prescribe exact measures companies should take. That leaves businesses to contend with a patchwork of new laws that call for data protections but leave leeway in how to accomplish that. To avoid enforcement action, some companies are adopting requirements that conform with the most restrictive laws.
(Note: The Lacek Group doesn’t provide legal advice. Check with your company’s legal counsel as you make decisions about how your business will handle individuals’ data.)
3. Create a strong privacy foundation
Once you understand the data your company holds—and the risks and requirements associated with it—you can focus on planning for compliance. Privacy by design and by default are key principles of data privacy. This means embedding privacy into the operations of the business. It’s vital to assess risks and impacts of data-handling procedures—and to stay abreast of policy updates and security requirements. Creating business protocols with privacy at their core will make it easier to manage regulatory changes and integrate them into daily operations.
Plan ahead to implement data privacy as a feature, not a bug
New privacy laws—and the increasing consumer expectation for transparency and responsibility—should be handled with care. Act now to understand the data you collect, how you use it, and what your current legal obligations are. In doing so, you lay the groundwork for a successful data-privacy program that meets or exceeds legal obligations and builds trust with consumers.
The second installment of this blog duo will discuss specific strategies for developing and implementing a data-privacy strategy that works for your company and your customers today and sets you up for success in meeting or exceeding new legal requirements.
Wanda Kauffman is director, technology solutions for The Lacek Group, a Minneapolis-based data-driven loyalty, experience, and customer engagement agency that has been delivering personalization at scale for its world-class clients for more than 30 years. The Lacek Group is an Ogilvy company.