Monday, January 2, 2023

How To Think About Privacy As An Enterprise Risk in 2023


A new year is upon us, and with it will come major changes in how organizations handle personal data. Of course, this is not the first time we've seen significant changes:

  • 2018 brought enormous changes to Europe as the General Data Protection Regulation (GDPR) became effective;
  • 2020 brought major changes to the U.S. as the California Consumer Privacy Act became effective; and
  • 2021 ushered in massive change in China with the introduction of the Personal Information Protection Law (PIPL) and the Data Security Law.
This year will also be a year of change, as multiple jurisdictions implement new laws governing personal data, automation, and digital commerce. In the U.S., Canada, and Europe, strict new laws will significantly raise the level of regulation beyond what exists today, and many people will gain legal rights over their data that they have never before had.

Rather than list all of the many new personal data protection laws coming into effect in 2023, I would like to offer some high-level thoughts about personal data risk in 2023 that organizations should consider: 

  • Overall, privacy risk is trending strongly upwards, as a result of more complex and strict privacy laws. Accordingly, past experience is a poor indicator of future results. The likelihood and severity of a privacy violation cannot be predicted using historical data alone. Therefore, many common risk quantification models, which extrapolate from historical loss data, will be insufficient to predict privacy risk.
  • It is becoming more difficult to assess risk globally. Fines and settlements are based on a variety of factors that differ from jurisdiction to jurisdiction. An activity can be lower risk in one jurisdiction and higher risk in another. Global organizations need to understand the risk environment in every country in which they operate. In the past, it may have been acceptable to simply apply GDPR as a global standard, but it is probably not wise to take such a simplified approach in the future.
  • Many jurisdictions utilize an enforcement model focused on deterrence rather than consistent application. Given limited enforcement resources, they aim for a small number of very large fines which will act as a deterrent, rather than aiming to catch all violations and punish each in proportion to the harm it causes. Therefore, plenty of companies will "get away with" privacy violations, which may create a false sense of security. Those who are targeted for enforcement are likely to be punished quite severely.
  • As many companies--especially consumer-facing companies--continue to pursue digital transformations, they are adding more and more technologies and third party data custodians. This creates internal complexity and an ever-expanding personal data environment. An expanding personal data environment requires more and more resources to govern effectively, and at some point can become unsustainable. Organizations should apply a rigorous process to their digital transformations that ensures that older technologies and third party data custodians are retired as rapidly as new technologies and third party data custodians are onboarded. This means explicitly acknowledging tradeoffs and making hard choices.
  • As organizations pursue agility and decentralization, they are granting more autonomy to individual business units to make decisions closer to the "front lines." This can be a smart management strategy. However, organizations should know that personal data privacy risk cannot be limited to a business unit. If one business unit creates a privacy violation, the laws increasingly hold the entire organization (meaning the top-level parent organization and all affiliated entities) responsible, and fines are often based on the global revenue of the entire global enterprise. For example, if a small division of a small local subsidiary violates the GDPR or China's PIPL, the result could be a massive fine of up to 4% (GDPR) or 5% (PIPL) of the annual global revenue of all affiliated companies. Similarly, cyber insurance underwriters consider risk holistically, and a poor practice by one small division can affect the insurability of an entire enterprise. Finally, reputational risks often cannot be limited to a single brand or business unit of the organization. Media reports have tended to name the parent organization or affiliated brands in negative press coverage, even when the privacy violation was committed by only one small division of the company. Accordingly, organizations probably should not allow small divisions to take on risk that could threaten the entire enterprise.
I hope these thoughts are helpful to anyone considering a privacy risk management strategy in 2023.