Data privacy made headlines in 2021, from Amazon receiving the largest data privacy fine in history to the SolarWinds breach to revived discussions about federal privacy legislation. If the last 12 months were any indicator, data privacy will remain a hot-button topic in 2022 -- even if it doesn't get the job done.
"There's going to be a lot of noise about data privacy in 2022 but not a lot of options," said Jack Poller, analyst at Enterprise Strategy Group (ESG), a division of TechTarget. "This is a complex problem. There are so many different competing stakeholder groups that it will take a while for people to get a reasonable consensus that can be acted upon."
As attention continues to build, let's look at four data privacy predictions for 2022 and beyond.
1. Privacy regulations will expand
Governments across the world are requiring enterprises to comply with new or updated data privacy regulations. The European Commission, for example, added two new standard contractual clauses to the 2018-enacted GDPR that will go into effect this year. These clauses require businesses to follow specific compliance rules when transferring personal data outside of the EU, as well as when transferring information between data controllers and processors.
GDPR has motivated governments to implement and improve upon similar legislation. CCPA, which was signed into law in 2018 and gives California residents the right to control their own personally identifiable information, was largely influenced by GDPR. As of January 2022, there are active privacy bills in Alaska, Florida, Indiana, Maryland, Massachusetts, Minnesota, New Jersey, New York, North Carolina, Ohio and Washington. More legislation can be expected. Privacy laws that passed in Virginia and Colorado, for example, will go into effect in 2023.
Separate state legislation creates what Poller called a "patchwork effect" -- and its repercussions will soon be felt.
"There's a desire for consumers and businesses to have laws in place, but then you get too many laws," Poller said. "There's going to be a desire for people to start collapsing those laws into regional or national laws."
Discussions of federal privacy legislation will continue in 2022, Poller predicted, but laws likely won't go into effect until 2023 or 2024. Garnering support for privacy legislation is a grueling task, as constituents and stakeholders often have varying viewpoints. The process is further complicated by the influence of big tech companies, such as Google, Meta and Microsoft, which often lobby to help draft and create legislation amenable to them. Enterprises also often frown upon regulations, fearing a compliance nightmare, the financial burden of implementing required data privacy and regulatory processes, or potentially hefty noncompliance fines.
"We'll see a lot of debate and a lot of noise this year about privacy but not a lot of movement in 2022," Poller said.
2. More organizations will hire data privacy pros
With more privacy regulations on the horizon, organizations will continue to feel the pressure to employ privacy-centric professionals in 2022, such as a data privacy officer or chief privacy officer.
Fifty-four percent of respondents to 2021 ESG/Information Systems Security Association research said their company had employed a data privacy officer for a year or more, and 26% said the position was recently established. This is significant compared to 2019, Poller said, when 42% of respondents said they had a data privacy officer, while 28% said they would rather delegate privacy responsibilities to others within the company.
"The role of the data privacy officer is more about regulatory compliance than it is actually ensuring data privacy," Poller said. In general, data privacy officers are more concerned about following privacy policies and frameworks. After a data breach, for example, privacy officers may ask several questions, including the following: Do we have to report the incident? If so, who do we report to? What next steps must we follow? How do we notify people impacted by the breach? CISOs, on the other hand, are more concerned about detection, prevention and overall cybersecurity management post-breach.
Poller predicted the role of privacy professionals will evolve in the future but not necessarily in 2022.
"At some point, there's going to be a shift. The privacy role will change from compliance or regulatory to compensating controls," he said. "Data privacy officers will have the ability to recommend and/or make decisions that change the behavior of the company."
3. Privacy and security collaborate … maybe
The industry is experiencing a dichotomy Poller called an "internal/external privacy-versus-security lens."
External forces -- consumers -- are concerned about privacy and its impact on personal information. Internal forces -- companies -- are concerned about data security and preventing data breaches that damage trust, create bad publicity and are simply bad for business. In the middle are advocates who have started linking security and data in hopes of mobilizing attention toward their cause.
"There's a perception that, if you can tie privacy to security and make privacy a security problem, it becomes linked with the rest of cybersecurity," Poller said. In cybersecurity, he noted, issues often get noticed more. Take ransomware attacks, for example. Ransomware attacks -- which aim to steal and expose sensitive data if a ransom is not paid -- are constantly making headlines and will likely continue to do so in 2022. The ransomware headlines have, however, pushed greater awareness and conversations about privacy in the boardroom and even spurred government response, including legislation in various states, an executive order to boost cyberdefenses and various proposed ransomware bills in the Senate, including the Ransom Disclosure Act and the Sanction and Stop Ransomware Act of 2021.
"If you can integrate privacy and security, then you can get enough attention for them both to become important enough that people pay attention to them and do something to change their behaviors," Poller added.
4. Will privacy's reckoning day come in 2022?
Privacy talks won't cease anytime soon. Yet, despite regulations, companies have been left relatively unscathed by fines and aren't taking privacy as seriously as they should. "There's a perception that, until those major awakening events happen, companies and organizations are still going to pay lip service to the whole concept of updated privacy," Poller said.
And, though customers are voicing data privacy concerns more often, it often has little impact on an organization's bottom line. Poller said there is not a large enough mass of consumers who could get together to put an economic pain on a company to force it to change its behavior. "The reality of the world we're in today is that very few consumers make a choice not to deal with a company because of data privacy issues," he added. Plus, he said, the convenience of using Google and shopping on Amazon or Walmart far outweighs the data privacy risks people perceive.
So, what will it take?
"Privacy advocates are frustrated by the fact that nothing has happened significantly enough to force a change in behavior," Poller said. "The only way it's going to happen is if a financial event of significant consequence occurs." Such an event would need to significantly impact an organization's financial reports and raise shareholder concerns.
Don't be surprised if that event happens in 2022, he added.