Co-authored with Nathan Turajski, Informatica Senior Director, Product Marketing.
Privacy regulation is on the march. Companies are being hit with mega-fines while new sets of rules keep coming into force, yet many organizations seem to be in data denial.
Global market assessments carried out by Informatica and Cognizant reveal a litany of once-active privacy programs that have lost momentum and are idling due to neglect.
Some of this is clearly down to uncertainty about the future business environment. But the biggest driver – misconceptions about what compliance means now that GDPR is ‘done’ – has been influencing privacy spend for some time.
Many organizations seem to have concluded that having ticked the boxes on GDPR, they can declare things are back to normal.
But our ideas about normal need a re-think.
While organizations work out what that new normal looks like, privacy regulation rolls on.
California’s Consumer Privacy Act (CCPA) is now the law in the world’s fifth-largest economy, with finalized regulations and enforcement action expected to kick off in the second half of 2020.
Companies should treat CCPA as the canary in the coal mine for the other 49 US states. Its definition of personal information (the statute's own term, which is broader than the usual notion of personally identifiable information, or PII) goes beyond what many organizations scoped for GDPR and explicitly covers biometrics as well as data collected from IoT and smart devices.
With ideas about what should be kept private expanding in scope, businesses need the flexibility to grow with evolving mandates, changing work environments, and data sharing models.
National guidelines will likely force consolidation of best practice across all 50 states in the foreseeable future to ensure a common national baseline. That may provide the basis for expensive class-action lawsuits and will likely drive even more aggressive transparency requirements than those envisioned by EU regulators.
Consumers are increasingly aware of how well – or how poorly – companies safeguard their personal data.
The frequency of major breaches has laid bare just how widely dispersed and exposed personal data can be. We know our information is out there, and we know that it’s under constant risk of being misused.
High-profile breaches like those suffered by Marriott and British Airways have raised consumer awareness, while Facebook is currently staring down the barrel of a potential fine of up to $2.2 billion over its storage of user passwords in plaintext.
Tolerance for lax data security is so low that surveys have found consumers are more likely to blame the company than the cybercriminal after a breach.
Often the lasting casualties are trust and brand loyalty. Pushing privacy programs down the priority list threatens to raise those risks. It also diminishes a company’s ability to benefit from the ROI that privacy investments can bring.
If your organization is at a crossroads in terms of investment priorities—especially in the new normal of a global pandemic—now is a good time to take stock and assess your risk posture.
Privacy programs can’t be allowed to slide back. Creating a sustainable and repeatable compliance process takes time, budget, and the flexibility to manage technical uncertainties even as the regulatory environment evolves – but there is definite upside.
Privacy-mature organizations have learned that short-term concerns like cost-cutting and sales conversion can be balanced with long-term benefits like loyalty, access to better quality data, and the brand value of trust.
There’s also a measurable privacy dividend: according to Boston Consulting Group, companies that demonstrate data trustworthiness can gain at least five times more permission-based access to personal data. That means higher quality information for innovative and targeted products and services.
Winning customer trust requires looking beyond compliance costs and simple fine avoidance. Establishing practices that deliver a sustainable privacy guarantee will give businesses the confidence they need to put risk in the rear-view mirror, accelerate value creation, and leapfrog the competition.
Source: Boston Consulting Group, Bridging the Trust Gap in Personal Data.