Our team had the pleasure of attending Gartner’s annual Security & Risk Management Summit last month. More than 4,000 cybersecurity and risk management leaders and practitioners from around the world gathered to exchange ideas about how to improve the efficacy and agility of their organization’s infrastructures.
Most of the privacy sessions touched on two core themes:
- Assessing the landscape of privacy regulations and pain points
- Regularly taking stock of your organization’s data privacy practices
With presentations on topics like the business value of cybersecurity and how to convince employees to care about security and risk, speakers covered an impressive amount of ground and left attendees with much to ponder and implement across their organizations.
Let’s explore some of the summit’s key trends and takeaways to bear in mind as you build, revise, and employ data privacy strategies across your organization.
Trust Is More Valuable Than Ever
Gartner Vice President Analyst Bernard Woo’s presentation, Outlook for Privacy, 2023 — Trends, Technologies and Regulations, made the case that “If data is the oil of the Internet, then trust is its currency.”
With recent headlines focusing on data leaks and unlawful data transfers, this topic has never been more timely or important for tech and security leaders. The notion of digital trust is central to the current wave of consumer sentiment and privacy awareness. Our 2022 report, The Great Privacy Awakening, found that 74% of people wouldn’t shop at their favorite retailers if they found out the retailer didn’t keep their personal data safe. Importantly, the numbers were highest among Millennials and Gen Z — groups that represent the biggest spenders today.
Beyond ethical or legal obligations that companies may have, taking privacy concerns seriously makes good business sense: Zoomers have a considerable amount of buying power and the potential to become lifelong customers.
Woo recommended companies take several action steps to externally and internally establish data privacy as a core value and maximize consumer trust. These steps include:
- Designing and maintaining a frictionless and user-friendly front end
- Building consent and transparency into every step of the user experience
- Aligning data privacy across all levels of your organization
- Executing purpose-driven data orchestration
- Identifying where data lives in your company and potential data-related risks
Data Localization Is Moving Front and Center
Woo also discussed how the proliferation of cloud services further cements the importance of data localization: the practice of collecting, processing, and storing data from a resident of a particular country within that same region. An increasing number of countries are passing laws placing strict guidelines on how data controllers process data from their citizens, so planning for data localization and keeping abreast of developments should be top of mind.
Countries like Russia and China currently have laws mandating the storage of data within local jurisdictions, whereas India recently abandoned an exhaustive data localization law and will continue identifying “trusted geographies” permitted to store and transfer data from Indian citizens.
The likelihood of similar carve-outs within the EU remains to be seen. The 2020 “Schrems II” ruling invalidated the EU-US Privacy Shield that enabled US companies to receive data from EU citizens. Progress on a new pact called the Trans-Atlantic Data Privacy Framework recently stalled, with the EU parliament reopening negotiations following concerns about the framework’s compliance with the General Data Protection Regulation (GDPR).
In the meantime, US companies must navigate the complex web of countries with data localization laws. Expect more action steps to emerge soon, but here’s a general framework of what you should prioritize right now:
- Lay the Foundation: Be sure to understand which countries overlap with the data you’re storing, and identify their protocols for data transfers
- Inform, Inform, Inform: Immerse yourself in any and all data localization laws that do or could eventually impact your business
Developing a thorough grasp of data localization and how it impacts your company can be a large undertaking, but understanding and complying with local ordinances does more than protect your business: it also presents an opportunity for competitive differentiation.
Data Privacy & AI: An Inevitable Conclusion?
With AI permeating headlines in just about every industry and niche, it’s no surprise that it came up at the summit. Given how fast AI is moving and developing, it’s difficult to come to a clear consensus on best practices and identify the highest-order risks.
With most business leaders predicting that AI will transform decision-making within companies, many US-based organizations may be asking themselves how data privacy plays into this seismic shift.
These questions are already being explored abroad, as the GDPR includes restrictions on data-informed decisions “that have a legal or similarly significant effect on individuals” and that are made without human involvement. The US may follow suit, as the FTC just opened an investigation into OpenAI’s ChatGPT over potential consumer harms.
Generative AI like ChatGPT and other large language models (LLMs) continue to grab headlines and serve as a catalyst for conversations about their impact on data privacy. One takeaway that came up during the summit is that it is currently more or less impossible to truly delete personal data from LLMs, or, in some situations, very difficult at best.
Using these platforms’ opt-out options is likely not enough on its own, so the consensus appears to be that it’s better to prevent personal or sensitive data from getting into LLMs in the first place.
As the technology continues to develop and the risks become clearer, companies need to stay updated on how AI is both implemented and regulated. The EU remains at the forefront of data privacy regulations and guidelines, so it’s a good idea to take stock of their most recent laws like the EU AI Act.