Everyone is excited to give 2020 the boot. And while we don’t quite know what to expect in 2021, it can’t get any worse. Or can it? As businesses prepare for a new year, with a new set of challenges and new ways of working that may never change, one thing they need to be prioritizing is data privacy. Because if the dominoes fall and privacy is involved, the repercussions can result in a disaster.
The pandemic has reversed attitudes on privacy. Before, both businesses and consumers saw a clear line forward: more privacy. Now, it’s less defined. Contact tracing apps? Pre-pandemic, the idea could have been seen as violating personal privacy. Now? It’s become more acceptable – within guidelines – to track people’s whereabouts and risks. Monitoring employee behaviors online? Before it was a questionable practice that trod a fine line between privacy and corporate necessity. But now, businesses are faced with large remote workforces and many are considering ways to keep an eye on productivity, despite employees’ distaste or resentment. And, as consumers are taking more of an interest in understanding how their data could be used, and within what limitations, there is less surprise or paranoia around legitimate ad targeting and personalized content.
Data privacy has changed rapidly in the last 12 months. It was already arguably the most changeable, fluid and impactful board issue, and also one of the least well-understood. But the changes to the consumer and corporate worlds that we saw in 2020 will have immediate and long lasting echoes in 2021.
In no other area will businesses be required to balance public health, legal obligation, public interest, employee care, personal privacy, and more. Here are a few things that we predict will take precedence next year:
Data ethics will be more important. Consumers are caring less about their data being captured and more about how it is used, especially if it is sensitive data. People are savvier about acceptable uses, and even more willing to object. Consent, selling and sharing will remain definitions of importance and the expectation will be placed on businesses to communicate how they are specifically caring for it – where it is going, who it is going to.
Customers are looking for transparency about how data will be used today, but also how it might be used tomorrow, however hard that might be to advise on.
Privacy protection will need to be continuous and holistic. As we have seen with 2020, changes happen. Workers are more dispersed. Businesses need privacy managed as a single data flow, not siloed by department. Understanding of how data is interacted with and the liabilities it causes needs to go across the entire organization, otherwise, privacy fails. All departments are responsible, from the CEO to IT to HR and all need to be aware of corporate data privacy protection. This will require – without compromise – the cultural change that has been spoken of for the last few years finally manifesting.
Personal circumstances will continue to drive professional changes. Businesses are driven to make changes to the policy when practices directly affect people. A great example is during the pandemic when businesses had to deal with contact tracing. Multiple methods started being used, from internal documents, paper sign-ups, to an array of apps and QR codes, most of which were hurriedly put in place with minimal track record or expertise in data privacy. As a result, many businesses will find they aren’t meeting their data privacy obligations. The next anticipated phase is who is and isn’t vaccinated – information you can’t have unless it is voluntarily provided. Businesses will try to figure out how to protect the company while still protecting workers and the duty of care on both sides will be a priority and a challenge.
Employee monitoring will become a bigger trend. Employees are data subjects too. Securing data and day-to-day operations from remote locations will be a massive focus. But because of the renowned blurring of personal and professional lives, and devices’ role in that, businesses will work out how to be mindful of how they protect their data and track its use or vulnerability, while not inadvertently monitoring employees’ home lives.
Data privacy law enforcement will return to a more punitive attitude. When laws like GDPR came into effect, the focus was on fines. The fear of violating the law was enough to make responsible businesses comply at every turn as much as they were capable. Today, there is even more legislation in play.
Supervisory authorities have largely understood the confusion that multiple legal frameworks cause. They have also been understanding of the degree of work that is required of many to become compliant, perhaps reversing years of naively irresponsible data use. Their policy has often therefore been to support first, punish if necessary. Signs of genuine attempts to be compliant have gone far.
The turmoil of 2020 has extended that generosity. But 2021 is likely to see a return to stricter measures. Businesses can’t have it both ways – they can’t plead naivety when their customers are taking a more profound interest in how their data is being used. The European Data Protection Board has instructed European Supervisory Authorities to increase scrutiny and shorten their patience. 2021 is likely to see more fines, and larger ones.
Data privacy isn’t new, but the attitude shift is. People care more, demand more and the
scale of changes that have occurred in the workplace due to the pandemic make it all the more critical for businesses to keep their eye on the (data) ball across the entire enterprise. This won’t be easy. It requires a cultural shift where the organization leads with privacy at all times. No matter what trends stick in 2021, continuous privacy is going to determine if an organization is safe or not.