CEO Perspective: Data Privacy
How are enterprises coping with the changing data privacy landscape, what challenges are they facing, and what new regulations are ahead? Daniel Barber, co-founder and CEO of privacy platform DataGrail, shares his thoughts with Upside.
- By James E. Powell
- June 26, 2020
Upside: Data privacy seems to be rising to the top of consumer’s concerns. How have enterprises responded?
Daniel Barber: The Age of Privacy is definitely here. Over 83 percent of 2,000 Americans we surveyed expect to have control over how businesses use their data. As a result, enterprises have needed to adopt a privacy-first lens when it comes to elevating the customer experience and maintaining brand trust. What that looks like from a tactical perspective varies, but we’ve seen a few typical patterns emerge.
Privacy program maturity varies by company. Companies that conduct business in Europe likely had to adhere to the GDPR, although on average it took them seven months to achieve readiness. Three out of four companies spent over $100,000 on technology solutions or consulting services to become GDPR-ready. This investment may have assisted their efforts supporting California’s Consumer Privacy Act (CCPA). For businesses operating locally, the CCPA may be the first broad piece of legislation they’ve addressed.
However, the majority of companies took a readiness approach to each legal regime. This decision comes with caveats. Gartner predicts that by 2023, 65 percent of the world’s population will have its personal information covered under modern privacy regulations, up from 10 percent today. As a result, legal complexity will increase over time.
What are the biggest challenges an enterprise faces when it comes to data privacy? What’s getting in the way of addressing these issues?
Data privacy complexity has two axes: an increasing number of national and international legal regimes and the number of systems that organizations use to store personal data.
New regulations are constantly emerging (Washington, New Jersey, New York, Hawaii, and other states have proposed bills in the works), and existing ones are continually amended (the CCPA has already undergone two draft revisions). Certain provisions, such as California’s “do not sell” requirement, push businesses to make specific changes.
Moreover, the average Okta customer uses 88 applications, up from 72 apps just three years ago (that’s a 21 percent increase). Based on internal data, we’ve seen that Fortune 500 companies typically use over 100 systems that contain personal data, with the number increasing, especially across marketing and e-commerce.
As a result, the challenge is not only how to achieve compliance, but how to stay continuously compliant over time. What happens if a new system is added (or removed) that contains personal data, and how does that affect your workflows? Similarly, what happens if new fields that contain personal data are added (or removed) but there isn’t visibility into those changes? Solving for those nuances is critical to staying continuously compliant over time without dedicating resources every time a change happens.
Are regulations such as the GDPR and CCPA effective -- and are they enough to satisfy customers? Is a chief security officer necessary to implement compliance?
Consumers continue to expect more from businesses. As of January, our survey found that four out of five Americans believe there should be a law to protect their personal data. CCPA has only been in effect since the beginning of the year and enforcement does not begin until July 1, so there is still some time before we can assess its effectiveness.
In the work we have done with our customers, a chief security officer might be the person championing a privacy program, but not always. Data privacy touches many different areas of a business and can span responsibility across legal (general counsel), privacy, security, and compliance teams. Additionally, we have seen involvement from operations (COO and BizOps), IT, and marketing teams in the decision-making and implementation process.
Many enterprises complain that the number of new regulations on the horizon will make for a patchwork of requirements that will make their jobs much harder. Where do we stand with a national standard for data privacy in the U.S.? In an election year, are its chances better or worse than average?
Given the current challenges across the socio-economic landscape, we would not expect a federal bill to proceed in 2020. However, with local legislation moving forward across several states, businesses will apply increased pressure at the federal level.
Does an enterprise’s move to the cloud make things easier, harder, or have no effect on implementing data privacy?
In most cases, the foundation of a successful data privacy program is performing a data discovery, inventory, and mapping exercise. With most companies using more than 88 systems, there is often a big effort to discover and map all data (with the potential for the exercise to be outdated as systems and fields change).
Using cloud-based systems can make compliance easier, especially if utilized in conjunction with a technology (such as that from our company) that integrates cloud and on-premises applications. For example, DataGrail automates much of the discovery, inventory, and mapping process and removes the manual effort from the implementation workflow.
[Editor’s note: Daniel Barber is the CEO and cofounder of DataGrail. The company’s purpose-built privacy management platform ensures continuous compliance with GDPR, CCPA, and forthcoming regulation. Prior to DataGrail, Daniel led revenue teams at DocuSign, Datanyze (acquired by ZoomInfo), ToutApp (acquired by Marketo), and Responsys (acquired by Oracle). He also advises several high-growth start-ups including Chorus.ai, Outreach.io, and SignOnSite.]
James E. Powell is the editorial director of TDWI, including research reports, the Business Intelligence Journal, and Upside newsletter. You can contact him
via email here.