2021 brought increased data privacy legislation and a crackdown on software vulnerabilities that could lead to data breaches in the United States.

As the cybersecurity community deals with new challenges that have widespread effects, such as the Apache Log4j vulnerability, data privacy leaders from the International Association of Privacy Professionals (IAPP) outline what to expect next in the field.

Data privacy talent shortage deepens

"The trendlines for privacy that formed in 2021 will accelerate and will bring new risks and complexity for organizations. More national laws will be passed. More state laws will be passed. More (and heftier) enforcement will occur. Companies will continue to leverage privacy to build trust and engage customers, but will also weaponize their differentiation against laggard competitors in privacy. Organizations — public and private — will struggle to find experienced talent to manage their programs as the privacy talent shortage deepens," says Trevor Hughes, President and CEO, IAPP.

Privacy enforcement drives organizational change

"In 2022, privacy enforcement actions will light up the headlines based on the substance of their demands rather than their dollar value. Growing privacy enforcement has already served as a wake-up call for companies, but there is much more to come. Data protection laws around the world are complex and difficult to follow to a T. As a result, companies watch the courts and regulators closely to gauge expectations and risks. Their actions have led the AdTech industry to rethink its cookie-based business model and big and small companies alike to challenge government demands for data. Multi-million-dollar fines have granted privacy professionals entry to boardrooms globally, but it will be enforcement actions that demand changes in business practices; break up data-based consolidation; and force disgorgement of ill-gotten data and learning that lead to the biggest changes. We have seen some already. These are the enforcement risks that will appear on companies’ financial statements; that will be debated ahead of M&A deals and IPOs; and that will extend prime-time television campaigns on privacy. Meanwhile, international data transfers will become ever-more complex as countries veer toward data localization," says Caitlin Fennessy, Vice President and Chief Knowledge Officer, IAPP.

Global data management takes the stage

"Transitioning from a year that saw the passage and entry into force of many new national, regional, state and local laws, 2022 will be the year for organizations to take stock of a fundamentally changed global privacy landscape. For most organizations, privacy programs must now be fluent in multiple legal cultures. While a small but significant percentage will pursue a strategy of data localization, the overall trend will be for organizations to manage their data and data processes on a global scale," according to Müge Fazlioglu, Senior Westin Research Fellow, IAPP.

Organizations debate data property rights

"If 2021 was the year privacy overlapped with competition law, 2022 will be the year privacy teams think more about property rights in data. With the growing complexity of third-party data sharing; the impending data regulations in Europe; and the myriad new privacy laws in the U.S., firms are debating who owns not only the risk to handling personal data, but also the rights to it," says Rita Heimes, General Counsel and Privacy Officer/DPO, IAPP.