Data privacy and data security are often intertwined in people's minds and in the media. However, thinking about them as two separate but equal entities is a good place to kick off this article. Here, you should think of privacy as a governing body while security is the mechanism that allows privacy to exist, and it's not always the case that having one ensures that the other is present.
As we step into 2022 and into Data Privacy Day this year, we want to focus on the current situation regarding regulations and technologies, the current trends in privacy and security, and an expert opinion on what we will possibly see in the near future.
To help us get into it, we interviewed our Head of Data Privacy, Jose Belo. He is also CIPP/E and CIPM certified, a member of the European Advisory Board of the IAPP, and co-chair of the Copenhagen IAPP Chapter.
Q&A on data privacy and data security
Below are the 12 questions we asked Jose Belo in our Q&A concerning data privacy, security, and the outlook for this year on the matter.
Question #1: Much has changed in the last few years regarding data privacy and security, so what do you think is the most important thing for companies to know when handling customer data?
Answer: "It has changed a lot, not only in Europe but across the world. The GDPR was pivotal as it not only had a huge impact on companies in the EU but also outside the EU. And that also meant that countries followed the GDPR’s principles and made similar national laws. Also, this means that privacy has become first-page news in most countries, be it for data breaches that happened, be it for ransomware attacks, be it for fines imposed on national or multinational companies.
And that raised awareness has helped immensely in making privacy a differentiator to consumers. Now, people are aware that maybe those products that they like are collecting their data for other purposes. And then they just don’t buy the product anymore. This would never happen a few years back."
Question #2: Has there been a growing sense of uniformity regarding global data privacy regulations?
Answer: "Yes and no. The GDPR is considered a global benchmark on how to process personal data but we should not forget that the cultural concept of privacy changes from country to country. As an example, in the EU, for privacy law purposes, you are considered a data subject.
In the US, privacy laws are aimed at protecting consumers, a particular aspect of the utilitarian approach that you see in other laws, like US copyright law vs. EU copyright law. So, yes, the GDPR may have become the benchmark, but countries still adopt their own privacy laws to their own concept of privacy."
Question #3: How important is it for companies to follow data privacy regulations?
Answer: "First, it’s not about the fines. Yes, they can be high but if you start thinking of following data privacy regulations just to not be fined, you’re missing the whole point. You’re missing the part where this is something that matters to your employees, your clients, your vendors, your customers. So, to just be compliant for compliance’s sake really does not work. You need to understand that following privacy regulations means that you treat data responsibly, transparently, and with a purpose.
Then there are internal questions that need to be answered. Just because the law allows you to process data, doesn’t mean you have to process data. This is where data ethics comes into play and where what you can do with data must be balanced with what your customers’ expectations of privacy are when they provide you with their data.
It’s very easy to just use the data, just because you can. But the right thing to do is to just use it if you have to or if it serves some specific and defined purpose that is business relevant. And if you don’t, then you don’t need it in the first place."
Question #4: Are you aware of any data protection technologies that are making data privacy and security easier for businesses to manage?
Answer: "Privtech (data security services) is one of those sectors that has seen a major increase due to the compliance needs of companies, as almost all companies process some form of personal data, even if it’s just employee data.
For example, OneTrust, a privtech company, was considered the fastest-growing company in the US in 2020. That was unthinkable just a few years ago. A privtech company outweighing any other Silicon Valley VC-funded company? It’s unheard of. Yet, there it is.
Privtech and data security services are steadily becoming more inventive, more practical, and more useful every day, saving not only hours of paid employee time but also providing better results in the long run."
Question #5: Who is really responsible for the protection of customer data? The business? The CRM system (like HubSpot, Salesforce, etc.)? Third-party vendors?
Answer: "The GDPR calls those responsible for data processing activities controllers. The definition, in itself, is fairly simple to understand - you’re the one that determines the purposes and means of processing. But, as usual, when it comes to legal definitions, it can sometimes be complicated to define who is a controller or who is a processor (or even a joint controller) in a particular data flow. It’s the controller who is accountable for the data processing done by it or on its behalf when done by third parties.
However, and this is why the GDPR makes a lot of sense, the processor, even if it’s not accountable per se, cannot do whatever it wants with the data it receives from the controller. If it does, then the GDPR says it becomes a controller of those unauthorised processing activities.
Also, processors sign contracts before being able to process data on behalf of companies. We call them Data Processing Agreements. But it’s not as simple as going to Google and getting a template. If you say you have such and such control in place and then it’s found out you didn’t, when things go wrong (which is a real possibility), then it’s not just a data protection issue but also a contract law issue."
Question #6: What will be the most important issue to tackle regarding data privacy in 2022?
Answer: "Right now, international data transfers are an issue due to the Schrems II Decision and the follow-up guidelines by the EDPB on the matter. It marks a clear change in how we transfer data to a third country, especially to those countries that do not provide the legal data protection framework the EU does.
For companies, this means that new contracts have to be put in place, new controls have to be put in place. This all costs money. The most straightforward path would be for companies to stop relying so heavily on US vendors for their needs.
But we all understand just how hard that is. Not only are companies used to many US vendors’ products, so are their employees. And I am sad to say that, in general, the EU hasn’t (yet) been able to provide solutions that help in that area or that are as feature-heavy as the US solutions.
However, I look at this not only as a challenge but as an opportunity for EU companies to step up their game and bridge the gap that exists today. There is a lot of talk about how the EU wants to incorporate the digital age. But we cannot rely only on the public sector, because this is basically a private sector area.
I am delighted to see that EU private companies have become, slowly but surely, more focused on bettering their products and services. And you add to that the privacy element that has to be embedded in EU companies, their products and services, and you may have, with privacy, a differentiating factor between EU companies and other companies from different parts of the World. And a wider market that has data privacy and security, more and more, as a decisive factor when buying something."
Question #7: Do you think the various laws being passed and considered are comprehensive enough to protect data privacy?
Answer: "Again, yes and no. Technology moves at such a pace that regulations are never able to encompass all that technology is able to do. Blockchain is a good example. So is artificial intelligence, which is Valuer’s core technology. The EU is currently working on an AI Act, but by the time of agreement, the technology itself could have changed drastically.
Still, I think the EU is taking the right steps towards regulating technology. We have all seen, unfortunately, what happens when technology is not regulated, with the most recent example being the massive sharing of personal data for advertising purposes that have nothing to do with selling a product, and without any consent from the data subject."
Question #8: Do you see any loopholes or gaps that need to be addressed urgently regarding data privacy?
Answer: "Enforcement is on everyone’s mind. The GDPR has been around since 2016-2018 and there’s this feeling in the privacy community that enforcement by the supervisory authorities has been lacking. The question many CEOs I have talked to have is “why invest in privacy and spend so much money if nothing happens and I don’t get a fine?” Other CEOs have expressed to me their concerns that the budgets they have provided for good data protection compliance programmes raised the cost of doing business.
And when others don’t incur those same costs by bypassing the privacy programme, the playing field becomes tilted. Those that spend money on programmes have to raise their prices to cover the costs and those that don’t have an unfair advantage. That is why enforcement should be more active to level the playing field.
As stated before, data privacy and security compliance should not be about fines. It’s about respecting your employees and your clients while achieving your business objectives. That should be the first and last reason why you should have a privacy programme in your company.
But still, what is on some CEOs' minds are fair points to me. And that is why enforcement needs to happen. Not only to find out who is mistreating data but also to acknowledge those companies that have put work into it and did the right thing.
If you look at the trends in relation to fines, both in number and amount, both have been steadily rising. Still, we believe that more can be done. And that is something that the European Commission is very aware of and solutions are starting to be spread around. One of them is to have a centralised supervisory authority, immune to national political or economic questions.
Another point to touch on is even though approval procedures are long in the EU, we need regulation to be fast-tracked. Not only because of the risk of it being obsolete by the time it is approved but also because companies need regulation to have legal certainty on what they are currently doing regarding data protection in fields like AI, blockchain or fintech."
Question #9: With new concepts and technologies, like metaverse, do any red flags go up immediately for you? And if so, what worries you?
Answer: "From all my years of experience, there was just one thing that could stop technology that I have come across: the inherent human need for privacy. When technology gave us the mp3, the 100-year-old music industry collapsed. We don’t seem to mind having a smartphone with us that records our every move and our every interaction with someone else. Technology allows that.
The interaction between data and different databases allows companies to build profiles about you, about who your friends are, about what you buy, when you buy it, etc. We have assistants in our homes that can make your life easier until you find out that they were eavesdropping on your conversations. In your own house. My house, my kingdom no more.
But things are changing. Not only have smartphone makers, like Apple, started understanding that privacy is a client demand, not a feature, implementing more and more privacy-enhancing technologies in each version of iOS, but other tech companies have also started to hear their customers (or their wallets) out and apply changes that bring more control in how data is being processed.
So this is where we are right now: the ability of technology to disrupt privacy and the awareness by the general public that this is happening. And the ability of privacy to disrupt technology, if it is deemed too invasive, unnecessary, or uncalled for.
Enter the metaverse. We cannot wipe out what has been done before, especially by companies like Facebook (now Meta), which have consistently been facing charges from public bodies in the EU, the US, and other countries, like Brazil, of violating the privacy of its users. So, my concern is not about the technology itself, which I think will be very popular, but on the way the companies that provide the metaverse deal with the personal data that is collected while using the metaverse.
Even if it’s like a parallel world, the law still applies to the metaverse. And if companies haven’t learned anything from people’s reaction to things like Google Glass, home personal assistants, and/or tracking you across the web to build a profile so that they can advertise stuff to you in the hopes you buy it, then the metaverse may find some backlash, or even worse, a low number of clients and engagement.
And the metaverse’s way of dealing with personal data in a business setting is also of concern. As a privacy professional in a company, do I really want board meetings where sensitive business information and personal data are being shared in a platform that does not have controls in place to make that conversation remain confidential and inaccessible to anyone outside the company? Of course not. And neither will any CEO accept this."
Question #10: What does the future look like to you regarding privacy and the ability of companies, institutions, etc. to protect data?
Answer: "I think that the future, right now, is uncertain. Things in the privacy world have changed very quickly in the last few years. Just remember that a few decades ago you had, in your house, a list in the form of a book that had all the names, addresses, and phone numbers of everyone in the country. A real national database was accessible to all at all times. And no one questioned it.
Today, that idea sounds crazy to us. So, if the concept of privacy for us has changed, what can be said about the concept of privacy for millennials, born in the age of the Internet and social media, sharing personal data widely with little to no concern for privacy? Will they look at how we currently protect data privacy and still think it is the right way? Or will they, reaching an age where they are the ones in charge, change the status quo?
Because they are the ones we are talking about when we talk about the future of privacy. Is the concept of privacy going to change and be more lax in the future? That to me is the first question. And I have no answer to it, to be frank.
For companies, this difference in the concept of privacy will also be important, especially if you are a company that targets different demographics. So, I do think that these companies will first follow their clients and what they deem acceptable and then probably see how they can work with a more stringent approach to privacy, which is the European benchmark. Will that impact future versions of the GDPR? I have no answer to it again.
Then there’s 5G (and eventually 6G) and what it allows IoT to do. It has been predicted that 70% of all personal data shared in the World by 2025-2030 will come from devices you have, not directly from you. That is a major shift in the way we collect personal data.
Are companies ready for that? Is the regulation, with its data minimisation principle? Will it still be viable to accept to collect the least amount of data in the future? Or can we expand the amount of data collected, with the consumer’s consent, for legitimate purposes that bring benefits to the consumer, without violating his right to privacy? Are we able to do that ethically? I don’t know.
And let’s not forget AI and all the changes it can bring, especially towards the massification of automated decision making, profiling, facial recognition, and the impact it has on the national security apparatus. Are we ready to take all that into account? Will we, in general, trade off privacy for security? Will we not? I also don’t know.
These are tough questions to answer. But they need to be answered. And that is why working in privacy right now is so rewarding."
Question #11: What should companies be aware of in terms of keeping their customer data safe?
Answer: "Before saying the obvious answer, which is to do a privacy program, I think that companies really need to think about why they want to keep their consumer data safe. And also, why this is important for the company, not only for the consumer.
And then ask how their data strategy helps them in moving forward and how personal data helps in achieving that, without infringing on the privacy of the clients. You answer this and you won’t look at a privacy program as a cost but as a way to improve your company’s bottom line while respecting the rights and freedoms of your clients and employees. To me, it’s a win-win."
Question #12: What is the main thing a regular consumer can do to protect their data online?
Answer: "“Don’t share it” would be the obvious answer, but we’re way past that point with the way the world is today, so interconnected. So, to me, the main thing you can do is to know your rights, know that you can ask companies questions regarding how they process your data, and know that if they do not answer you there are consequences for the company.
So yes, I think knowing you have a fundamental right to privacy and that right can be upheld by you or by a supervisory authority is very important. Being aware of these rights means you can ask the right questions if you think your data is being misused by the companies you interact with."
Jose Belo is Head of Data Privacy at Valuer.ai. He is a certified CIPP/E, CIPM and Fellow of Information Privacy by the IAPP. He is also a Member of the European Advisory Board of the IAPP and is currently co-chair of the Copenhagen, Denmark IAPP Chapter.
There's no doubt that 2022 is looking to be an exciting and complicated year for data privacy. Landmark legislation, such as the GDPR and its counterparts internationally, is a step in the right direction, but knowing how to navigate those privacy protection waters when data is being transferred between countries and regulatory bodies is looking to be a major issue.
On the security side, it looks like the proverbial 'arms race' scenario, as new technologies will undoubtedly cause issues with data protection, much as they always have. It's about the security technologies being able to keep up with the times. But you can also say this about legislation and its need to keep up with technology, never mind the regulatory bodies that must make sure legislation is enforced.
It will also be an important year for companies, who will need to keep a better eye on privacy regulation, but also on how to keep customers' data safe. Bridging these two and staying on top of everything is a massive undertaking, and one companies are seemingly not doing alone, given the massive rise of PrivTech companies in the last couple of years. Undoubtedly, it will be a big year for data, and it will be interesting to see how companies and consumers handle the upcoming changes.