Click to learn more about authors Oksana Sokolovsky and Rohit Mahajan.

Here we are one year later, and the dire predictions about the implementation of the EU’s General Data Protection Regulation (GDPR) have not come to pass. If anything, the law has brought the issue of privacy to the forefront, and opened up a larger debate on privacy issues: How much data do companies need to be effective in marketing to their customers and prospects? What personal data should be off-limits? Do corporations have the right to demand specific information about customers in return for access to products and services? What rights should individuals have to unilaterally revoke access to the use of their personal data that was freely shared with companies?

For certain, the GDPR has invoked the privacy and Data Management debate throughout society and has given the consumer a voice to exercise rights over use of personal information. So, in short, what’s next?

More Regulations Are Coming

It is not just GDPR that is driving this discussion; other laws have either been passed or are on the cusp of being passed, including California’s Consumer Protection Act (CCPA). But more than 50 countries have already enacted data privacy laws that govern various aspects of personal information, focused on the private sector, such as Mexico, Canada, Australia, Singapore, India, and Japan.

This shows that the GDPR’s privacy initiatives are global in nature, requiring companies to tighten up on how they deal with the kinds of data under their control, going as far as to question if it makes sense to delete some of that information. For the data that remains, there are several key technologies that can aid in compliance with the regulations:

Data Discovery: It has been said that you cannot search for that which you do not know exists. Companies no longer have just a monolithic data warehouse; information about customers may exist in multiple locations, in multiple databases, and in multiple formats. The GDPR, CCPA, and the other laws require companies to be better stewards of the data, and to honor their customers’ demands to protect the data or to erase it. Couple that with the immense amounts of data being generated and stored in real time, and it is easily understood why automating data discovery is mandatory. Manually conducted data discovery is no longer a viable option. Additionally, discovery of sensitive data and PII (Personally Identifiable Information) in-motion is just as important in a GDPR environment as managing data “at rest.”

It has been said that you cannot search for that which you do not know exists. Companies no longer have just a monolithic data warehouse; information about customers may exist in multiple locations, in multiple databases, and in multiple formats. The GDPR, CCPA, and the other laws require companies to be better stewards of the data, and to honor their customers’ demands to protect the data or to erase it. Couple that with the immense amounts of data being generated and stored in real time, and it is easily understood why automating data discovery is mandatory. Manually conducted data discovery is no longer a viable option. Additionally, discovery of sensitive data and PII (Personally Identifiable Information) in-motion is just as important in a GDPR environment as managing data “at rest.” Privacy Impact Assessment Software: It is not enough to claim to take user privacy seriously. GDPR requires organizations to also consider the potential impact business decisions may have on their users’ data privacy. Several vendors have developed software to help companies identify high-risk data being collected as it pertains to new regulations and create an audit trail to show they have thought through privacy issues proactively with multiple stakeholders.

It is not enough to claim to take user privacy seriously. GDPR requires organizations to also consider the potential impact business decisions may have on their users’ data privacy. Several vendors have developed software to help companies identify high-risk data being collected as it pertains to new regulations and create an audit trail to show they have thought through privacy issues proactively with multiple stakeholders. Automated Data Protection: Again, automation of what’s been a largely manual process will pay dividends in a GDPR-centric world. Protecting against data loss, breaches, and theft should be a key element in a coordinated approach, focusing on not only the information itself, but the security mechanisms in place to protect the data.

As the Privacy Debate Continues, Where Does Society Go Next?

Predicting the future is always difficult at best, but from what we have seen so far, it is fair to say that the privacy regulation floodgates are open. For the immediate future, in the area of data privacy and ethics, Forrester predicts that:

“Consumers will take themselves out of the reach of marketers.”

“The California Consumer Privacy Act will spur other U.S. states to enact privacy laws.” According to Forrester, by the end of 2019, at least five additional states — including Massachusetts, New Jersey, New York, Vermont, and Washington — will pass their own privacy laws, creating a patchwork of rules for firms to comply with.

“Customers and courts – not regulators – will enforce privacy rules in 2019.”

“Consultancies and agencies will offer privacy management to CMOs.”

What’s true of GDPR is also true of CCPA and the myriad of other laws either already on the books or on deck. As a data professional, you have the opportunity to use the tools at your disposal to implement a “security-by-design” approach. Doing so will help you comply with the laws and regulations, and will also help position your company for what comes next in data privacy and ethics.