Three Privacy Trends in 2019: More Breaches, More GDPR Compliance, and New State-level Laws

Data privacy is about trust. Can your customers trust that you are handling their information appropriately, doing everything you can to protect their information, and making sure you’re not keeping it for longer than you need? To earn customers’ trust in 2019, you should engage in best practices when it comes to information governance to ensure customer (and citizen) privacy.

We predict three major privacy trends in 2019:

  1. More high-profile data breaches
  2. Continuing to deal with GDPR rollout
  3. More state-level privacy laws

Last year, there were many stories about data privacy and how it impacted consumers in both the U.S. and the European Union. Unfortunately, we’ll see these same trends continue in 2019, and probably grow, dominating business news. From more data breaches to further GDPR enforcement and a shifting legislative landscape, your organization needs to be prepared to address privacy in the coming year.

Trend #1: More data breaches

The big breaches of 2018—most of the damage had occurred before the year began—were of course Facebook and Marriott (with fallout from the 2017 Equifax breach bleeding into the beginning of last year). There were plenty of others: British Airways, Orbitz, and Quora come to mind.

No surprise or crystal ball needed here. This is going to keep happening. And there are no predictive insights about who will be hit next (other than looking at the industries hit over the last few years).

That said, I could see problems in the big telecom sector (Verizon, AT&T, or Sprint) or in media (think Comcast or Spectrum/Time Warner). Another area of vulnerability could be in the burgeoning financial technology (FinTech) sector with fast-growing new companies such as SoFi, Venmo, or Square. These organizations don’t have the defensive resources of larger financial services firms.

Trend #2: Continuing to deal with GDPR enforcement

GDPR dominated the privacy and information governance world during the first half of 2018. The new European Union regulation still will be front and center in 2019.

We’ve already seen this with the announcement by France’s top data-privacy agency, known as the CNIL, imposing a fine of €50 million (around US$57 million) this month on Google for running afoul of GDPR. CNIL said Google had failed to fully disclose to users how their personal information is collected and what happens to it after it's collected.

We see two things happening with regard to GDPR:

  1. The imposition of substantial fines, such as we’ve seen with Google, after a breach or failure to protect privacy is discovered.
  2. A growth in data subject access requests, resulting in increased costs to organizations.

The enactment of GDPR in May 2018 came and went without any major penalties being levied, until, of course, the French fine on Google this month. Though Facebook and Equifax were fined for their breaches, both could have been fined much more under current GDPR provisions. Ultimately, their fines were levied under the old EU statute because of when the breaches occurred; that is, prior to GDPR’s effective date.

In 2019, the main question is who will be next to get hit with the BIG FINE? Will some fines be even larger than that imposed by the French on Google?

It’s unclear if Marriott will have that distinction. That breach affected up to 500 million people, with hackers accessing names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender data, Starwood loyalty program account information, and reservation information. But because the hacking started back in 2014, it’s possible that Marriott fines will fall into the Facebook/Equifax pre-GDPR camp.

Trend #3: More state-level privacy laws

We saw two new major state laws related to privacy in 2018, in Colorado and California. These laws, in addition to similar efforts in Massachusetts and New York, showed that the regulation of privacy may be similar to what we see when it comes to the regulation of automobile emissions standards: a state-by-state hodgepodge of effort.

I believe we are unlikely to see federal privacy law changes or anything similar to GDPR in the U.S., given the divided legislative branch and tensions between the legislative and executive branches.

That doesn’t mean federal legislators won’t still try in this area. They may do so without focusing on privacy, per se. HuffPost published an article at the beginning of the month talking about plans for antitrust legislation that may emanate from the new House of Representatives.

I believe this effort is partially in response to some of the high profile breaches this past year, such as what happened with Facebook, and the consolidation of so much consumer data by so few companies. With divided government in Washington, D.C., the chances of this type of sweeping reform passing are slim. But one possible compromise could be in the area of data privacy.

In the meantime, states will continue to refine and enact their own laws, making compliance harder for any company doing business in more than one state—and especially hard if you also have EU resident data. I’d look for new or revised privacy regulations in places like Washington, Oregon, and perhaps Illinois. See What California’s New Privacy Law Means for Business.

Good information governance is a great weapon to help you manage privacy in 2019.

If you’re a chief information security officer or a chief privacy officer, what should you do to make sure your organization is viewed as reliable and trustworthy? Whether or not you are subject to European or new state laws (or both), good information governance practices make sense.

Know what type of data you have, where it’s being stored, and where it’s going to be kept. Be sure you have the right resources in place to manage the information, and check that your policies are aligned throughout the organization. And get rid of information you no longer need. It makes protecting really important information—and overall compliance—that much easier.

It makes business sense to simultaneously protect data and privacy.

When it comes to data and privacy it’s in all companies’ best interest to act ethically and protect people’s data. I’m not just talking about this from a dollars and cents perspective. There’s organizational reputation to consider.

It makes business sense to protect data and privacy. Wouldn’t you love it if your organization were viewed as a leader in trustworthiness?

Rich Medina
Jim Polka
I’m a Principal Consultant. My expertise is in security-based information management and strategic deployment of ECM technologies.