Five Privacy Predictions for 2021 from Forrester

“Before I dive in into the specific predictions…[I just want to say that] I think that privacy professionals today understand this very well, but sometimes the larger organization might struggle to see it.”

Privacy is about requirements, it’s about regulation, it’s about Compliance and this will stay. And this is absolutely important [as we] have a duty to comply with requirements. [But] we also have a duty to do the right thing for our employees and for our consumers.

Values-based companies will elevate customer and employee privacy as a strategic business and social imperative.

―Enza Iannopollo, Forrester

Enza Iannopollo, Senior Analyst Serving Security & Risk Professionals at Forrester, joined former Obama Administration Official and WireWheel CEO, Justin Antonipillai on January 21, 2021 to discuss the FORRESTERNOW report Predictions 2021: Privacy. These predictions have already proved quite prescient.

Prediction #1: Employee Privacy-Related Lawsuits Grow 100%

“During the time of the pandemic, we did a study in Europe: I asked employees whether they felt comfortable sharing medical information with their employers and what their expectation was after the end of the emergency.

“There was an understanding that during an emergency ‘we really need to share some of that data,’” relates Enza. “But what’s interesting is that across these countries in Europe over 60% of employees clearly said, ‘we expect these data to be destroyed as soon as the emergencies over.’”

It’s for Your Own Health & Safety

Many companies took the approach: “This is health and safety. ‘I have a clear duty to make sure that I comply with health and safety regulation and privacy is something that, in these moments, I can forget about.’ That was a mistake,” Iannopollo says.”

And these companies will likely have to deal with the liability this approach created.

“The other element…beyond COVID…is the appetite for more workforce analytics. [Companies] want data for benchmarking purposes…for a number of reasons.” And some organizations think they can just take the data collected on employees for a number of different purposes” and use it for workforce analytics. “You can’t do that.

“There are specific purposes [for which] the employee data has been collected [financial, regulatory, HR] and this isn’t something that you can just take from one system and move into another…there are important implications. And this is where we think we are going to see a lot of that activity around employee privacy.”

To Enza’s point “fashion retailer Hennes & Mauritz AB €35.3 million ($41M) for collecting personal data from employees, including details about their health and religion, and making them available to managers at a German H&M service center over the last five years” (Stupp, 2021).

She cautions: “many vendors that actually work to enable this kind of workforce analytics point out that they anonymize the data. Really verify that claim of anonymization” and that it is not “simple pseudonymization.” [1]

Prediction #2: 40% of Privacy Leaders will Report Directly to CEOs

We see company after company making sure that the privacy compliance office has the right tools to show the company is compliant. In almost every company we’re working with exactly what you’ve predicted is being implemented.

Of course, the marketing organization is now part of that effort because you need to be able to tell the story and show that you can vindicate the rights of individuals with their data in a simple user experience.

―Justin Antonipillai

While privacy teams are not yet mainstream across organizations “they are becoming much more strategic,” says Iannopollo.

In her work with organizations Enza is seeing first-hand significant collaboration across business groups like HR, marketing, data governance and InfoSec. “Working across a number of stakeholders means the privacy team needs to have a Privacy Officer with visibility across their organization.” Importantly, she sees that many more organizations are recognizing that privacy is a value and are increasingly aware that consumers prefer to buy from companies that embrace those values.

Privacy teams “need to collaborate at a strategic level because it’s about innovation and opportunities like data monetization.”

Prediction #3: UK Becomes Third-Party for Data Protection

“I would say it wasn’t that difficult to write this prediction” laughs Enza. (In fairness, Brexit was still very much in flux when these predictions were made in September/October of 2020.

No One Likes Uncertainty

While the UK is a third country concerning data transfers from the EU effective 1 January, a transition period of up to six months was agreed.“ This is very welcome news and was the best possible outcome for UK organizations given the risks and impacts of no adequacy,” writes the UK’s Information Commissioner, Elizabeth Denham in a recent ICO blog post. That said:

At the end [of the transition period either we have an adequacy decision by the European Commission, or every company that is engaged in transferring the data of EU citizens into the UK for storage or processing purposes will need to find other ways to make sure that those transfer can still happen lawfully. [but] it is not a decision that is set in stone…even if granted it could always be taken away.

―Enza Iannopollo

Iannopollo senses an appetite in the UK to make changes to regulations regarding data productions so she sees as a potential trigger for reversal. Absent an adequacy decision, it means “an organization would need to run risk assessments to determine whether the country they are sending data to has adequate productions [and] whether current standard contractual clauses alone” are sufficient. If not, additional safeguards will need to be applied.

Bruno Gencarelli, the European Commission’s Head of International Data Transfers took time out from his Brexit negotiations to join Justin for the plenary session of WireWheel’s 2020 SPOKES Privacy Conference (December 2020) to discuss the possible futures of data transfers regarding Brexit and the U.S. post-election. Justin and Bruno were two central figures in crafting the transatlantic data transfer protection schemata between the EU and the U.S. where they too made some predictions.

Prediction #4: CMOs Will Invest in Consent and Preference Management

I have seen [this relationship] improving and maturing in organizations… I have had the opportunity to interview some CMOs that said the privacy [requirements] they had feared so much are bringing them new opportunity.

New opportunities to innovate. New opportunities to develop projects they couldn’t before. And the base of that is data hygiene: the granularity of knowing who is consenting to this, who is not consenting to that.

― Enza Iannopollo

This has created more transparency. And it is becoming clear that embracing values like transparency creates the opportunity for that transparency to drive trust.

Enza sees this culture of trust “bubbling up.” And she notes that consent and preference management is something her clients have been “prioritizing for a long time.” They understand that consent and preference management implementation “is really important…’It is my face to the outside world.’ So they tend to prioritize that.”

I think a lot more CMOs, to your point are looking at the privacy obligations, not only as a check-the-box compliance item, but looking at it as an opportunity to engage with a customer at the right moment…

They will need the right tools and infrastructure to make sure that they are managing their customer preferences correctly and actually doing the right thing when a consumer says, ‘don’t sell my data.’ It’s part of the broader movement around ethical advertising.

―Justin Antonipillai

Prediction #5: CCPA 2.0 Will Lead to the Federal Legislation in the U.S.

I think there might be an opportunity, not to pass a federal bill in 2021, but to start having a serious conversation about what can happen in terms of a bill moving forward. And it’s also interesting to see how that can have relevance on the international stage, because of course, the relationship interests of data transfer between Europe and the US may also change.

―Enza Iannopollo

“So there are a number of things that, depending on this process,” proffers Iannopollo, that “I am comfortable saying I believe this prediction will come through.”

Antonipillai raises a prediction of his own: “CCPA 2.0 makes it much more likely that if privacy shield is put back into place, the European Commission could recognize California as adequate: an interesting possibility. In other words, you could have one portion of the US recognized as an adequate regime by Europe. [2]

Enza is already seeing, in the wake of California’s CCPA and the passage of the CPRA (Proposition 24), other states setting up these sorts of privacy protections. “So I think we are going to see more bills at the state level which then increase that fragmentation issue that might [in turn create] urgency around the creation of a federal bill. That may be the way forward here.”

Eight Privacy Recommendations

1. Ensure adequate policies and controls concerning employee data already resident in your systems.
2. Develop a privacy-by-design approach for workforce analytics projects.
3. Make privacy a value-add to your customer experience and “put aside the idea that privacy is just going to diminish the customer experience” and recognize that this will “increase the reputation of the brand.”
4. Evaluate the executive reporting structure. It should support accountability, an organization-wide visibility, and business-enabling strategy planning and development.
5. Map your data transfers. “Go back to your GDPR maps for data flows” to determine if they involve the transfer of EU citizens’ data to the UK and “need to be remediated because of Brexit.”
6. Carefully vet vendor’s use of “consent” and “preferences,” as these are different categories with separate purposes and use cases.
7. Focus on increasing your ability to collect the data directly from your customer and reduce the dependency on third parties for data. That is a key, not only for a risk mitigation and risk reduction, but again, the opportunity to engage directly and orchestrate the relationship to control and manage the relationship so much better than having a third party involved in it.
8. Perform gap analyses to determine the changes necessary to bring your program into compliance with the new (and evolving) privacy requirements of the CCPA and will prepare you for CCPA 2.0 (the CPRA) which goes into effect in January 2023 with a one-year lookback.

[1] Recital 26 of the GDPR notes in part that “Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person (emphasis added).

[2] Article 45 of the GDPR states: “A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization.” California would be “a territory” in this regard.

Watch 2021 Privacy Predictions: 5 Key Takeaways Webinar Replay