In my last post, 10 Data Privacy and Governance issues to watch in 2017 (Part 1), I outlined the first of the top ten things that I feel we need to watch for in 2017.
Since then, events have moved along and many of the items I thought would be on this second list have fallen down into the Top 20 like last week’s boy-band sensation. Such is the fickle nature of predicting the top 10 of Data Privacy issues.
By: Daragh O’Brien
Ethical Information Management moves mainstream
As organisations begin to mature in their approach to Data Protection/Privacy in Europe and elsewhere, we will begin to see a shift in emphasis from legal compliance to ethical management in the information space.
This will not be limited to just personal data but will encompass other data domains as well. Scandals such as the Volkswagen emissions scandal, Facebook’s mood manipulations, and the impact of “fake news/alternative facts” on global politics will prompt a rethink of business models and approaches.
In the privacy space this will drive innovation, but it will also lead to a convergence of disciplines between Information Quality Management, Information Governance, Privacy, and Ethics.
Organisations that are still complaining about the basics of data privacy compliance will increasingly be left behind as organisations that embrace more ethics based approaches begin to demonstrate sustainable competitive advantage in the market.
Ethics-Washing and Privacy-Washing will continue to be marketing strategies for some vendors
In the same way as the green movement attracted vendors who boasted about their ecological credentials only to be found to be bullshitting (see “Volkswagen Emissions Scandal” above), so too will the practice of Privacy-Washing or Ethics-Washing of products or services become increasingly common.
We have seen this begin already with Facebook’s publication in 2016 of a report on Ethics in Information Management which set out some core principles, which Facebook was easily shown to be in breach of with a number of product initiatives in the company.
This will become more prevalent. Consumers, and organisations selecting data processing partners, will need to conduct appropriate due diligence on claims made.
By end 2017 into 2018, we will likely find at least one major tech vendor prosecuted by an EU Consumer Affairs agency for misleading claims about their privacy policies and practices, even without any substantial breach of GDPR being identified.
However, the probability of prosecution in the United States recedes through 2017 given the deregulatory zeal of the Trump Administration and the curtailment of the FTC’s powers of enforcement under Section 5 of the FTC Act, the traditional basis for prosecution of data privacy breaches by companies in the United States.
A major US technology company will relocate headquarters operations to the EU by end 2017
This is a bold prediction, and one that would have been largely unthinkable under previous US administrations. However, I am of the view that the political and regulatory climate in the United States under Trump will make it more and more difficult for US technology firms to continue to operate effectively from US bases.
Less than a fortnight after taking power, we have witnessed chaos in immigration policy affecting all the major technology companies. We have also witnessed the terminal gutting of Privacy Shield (some legal commentators hold to the view that Privacy Shield is still extant, but the ‘tone at the top’ is that the US Executive branch doesn’t care about privacy rights, so it is inevitable Privacy Shield will fall at this point).
Faced with a crisis in recruitment, uncertainty over the safety of their non-US born staff, and increased complexities conducting business with the EU and other jurisdictions with maturing data privacy laws, leading US firms will begin to relocate Headquarters, operations and R&D functions to the EU.
This will be blasted as a tax issue by the US Government who will respond by levying tariffs on products or services manufactured by these companies. The companies in question will position this as a question of ethics and protection of fundamental rights, for both their staff and their customers. Tax considerations will be secondary.
This will add to complexity for the Irish DPC as it is inevitable that these companies will seek to expand their EU footprint through Ireland, particularly as Ireland will be the only Common Law legal system in the EU so it will be less complex to reconfigure their operations accordingly.
The recent move by Apple to switch their iTunes business from Luxembourg to Cork signals that Apple are less concerned with tax than might heretofore have been the case.
For those who might dismiss this “worst case scenario” prediction, all I can say is that I predicted in 2015 that at least one major UK bank would relocate operations to Ireland post-Brexit. Barclays announced that move last week.
The Data Privacy Compliance tools market will hot up through 2017
Vendors are piling into the GDPR market like bees around a flowerbed as organisations look for magic bullet solutions to their GDPR compliance headaches.
This market will continue to heat up through 2017.
- It is inevitable that some new-entrant tools will be acquired by established Data Governance/Master Data Management/Metadata management solution vendors to round out their offerings.
- Other “new-entrant” tools will oversell and under-deliver, setting GDPR compliance initiatives back in a number of organisations.
Tools promoted by organisations with limited experience in data privacy and data governance will be sold using a combination of FUD and snake-oil.
However, market differentiation will be challenging for vendors in this market as the underlying technical challenges and opportunities are broadly similar across the various verticals. The key differentiator is likely to be implementation and execution experience and support for the “soft skills” in data governance and associated change management.
Buyers will realise there is, to quote W. Edwards Deming, “no such thing as instant pudding”.
Tools emerging from a “tick-box” compliance pedigree will struggle in the risk-based model of GDPR and organisations will begin to realise that there is no easy correct answer to GDPR compliance issues, rather a measure of maturity and sustainability of controls and governance.
This will in turn drive a focus onto ethical information management and values-driven data privacy compliance strategies through the second half of 2017 into 2018.
Organisations need to take care when selecting GDPR assessment and support tools. Consideration should be given to migration paths or integration paths with MDM, Metadata Management and Data Governance tools, particularly at the Enterprise level of the market.
The recent announcement by Collibra of a US$50 million investment in their GDPR solution highlights that this is seen as a massive market opportunity by established vendors. But buyers should consider the longer term requirement of sustaining their Data Privacy initiatives when scoping their requirements for a tool.
The “MacGyver” approach to GDPR readiness will be seen as not “fit for purpose” by regulators or investors.
Organisations struggling with GDPR programmes are, in many cases, using spreadsheet based tools or surveys to conduct assessments. Many have started multiple GDPR initiatives in different silos (one client I am working with had an initiative in Legal, one in IT, another in Governance, and yet another in their BI function). These two factors often lead to “MacGyver” approaches where organisations try to “improvise” a control structure using spreadsheets and cobbled together questionnaires.
This is a situation that W. Edwards Deming described as “best efforts without a theory of knowledge”, and it inevitably leads to chaos and duplication of effort. This, in turn, will lead to missed deadlines, unclear planning, and confusion among key stakeholders.
Through 2017, organisations will begin to adopt more structured Information Governance based approaches to GDPR compliance assessment and will standardise internal tools and methodologies drawing on lessons from other compliance initiatives. As Regulators in the Privacy sector begin to see emerging good practices, “MacGyver” approaches that were aimed at “getting something done” will increasingly fall out of favour, and will be replaced by structured plans and more coherent approaches.
Organisations starting now on their GDPR journey are likely panicking and trying to achieve significant amounts of project delivery in a short space of time with limited funding and an unclear plan, despite the near certainty that they will not be able to achieve full compliance with GDPR by the 25th May 2018.
Through 2017, organisations will begin to focus on ensuring they have a clear, credible, resourced, and operative plan for the implementation of GDPR controls over a period extending beyond May 2018, as part of a properly structured and phased plan.
Agile methods will be adopted based on prioritised requirements. Agility will be valued over improvisation.
Publisher’s Note: All images used in this blog post are facilitated by the Creative Commons Zero user licence.