Privacy is a business-critical discipline for many organizations, enforced by multiple regulations. Most recently, the European Union’s General Data Protection Regulation (GDPR) has driven a global movement of maturing privacy and data protection laws with stricter requirements.
“Multiple countries are implementing regulations inspired by the GDPR principles, a movement that is likely to continue into the foreseeable future,” says Bart Willemsen, Senior Director Analyst, Gartner. “These privacy requirements dramatically impact an organization’s strategy, purpose and methods for processing personal data. Furthermore, breaches of these requirements carry financial, reputational and regulatory implications.”
Security and risk management leaders must take note of the following Gartner 2019 predictions for privacy to ensure transparency and customer assurance.
By 2020, the backup and archiving of personal data will represent the largest area of privacy risk for 70% of organizations, up from 10% in 2018
Today, organizations hold backups of large volumes of personal data that is both sensitive and vulnerable, with no clear intention of using it. Because the sensitivity is a constant characteristic and the vulnerability is arguably equivalent, the volume dictates the level of risk, and represents the largest area of privacy risk today. Additionally, privacy regulations have introduced penalties and stiff fines for violations, making the risk of holding unused personal data potentially very expensive.
Over the next two years, organizations that don’t revise data retention policies to reduce the overall data held, and by extension the data that is backed up, will face a huge sanction risk for noncompliance as well as the impacts associated with an eventual data breach. GDPR, for example, introduced regulatory fines of up to 4% of annual global turnover or €20 million, whichever is greater, for noncompliance.
By 2022, 75% of public blockchains will suffer “privacy poisoning” — inserted personal data that renders the blockchain noncompliant with privacy laws
Blockchain is a promising technology; however, businesses looking to implement blockchain technology must determine whether the data being used is subject to any privacy laws. For example, public blockchains need an immutable data structure, meaning once data is recorded, it cannot easily be modified or deleted. Privacy rights granted to individuals include the option for customers to invoke the “right to be forgotten.” In many such cases, personal data processed about them must be deleted.
This raises immediate concerns, as entries in a public blockchain poisoned with personal data can’t be replaced, anonymized or structurally deleted. Therefore, businesses are unable to reconcile the need to keep records with their obligations to comply with privacy laws. Organizations that implement blockchain systems without managing privacy issues by design will run the risk of storing personal data that can’t be deleted without compromising chain integrity.
By 2023, over 25% of GDPR-driven proof-of-consent implementations will involve blockchain technology, up from less than 2% in 2018
Although GDPR guidelines have been in effect since 25 May 2018, organizations are at different levels of compliance. The pressure to fully comply is increasing, driving organizations in or doing business with the EU to further evaluate their data collection processes. However, most are struggling with integration costs and technologies that can help speed up compliance.
“The application of blockchain to consent management is an emerging scenario at an early stage of experimentation,” says Willemsen. “Various organizations have started exploring the use of blockchain for consent management because the potential immutability and tracking of orthodox blockchains could provide the necessary tracking and auditing required to comply with data protection and privacy legislation.”