In recent years, data privacy has shifted from a hot topic to a regulatory requirement for most organizations and a demand from many consumers. Businesses can no longer just sit back, relax, and hope their current data protection processes align with the growing list of privacy regulations and protect consumer data. Instead, they must have a scalable strategy for managing the privacy risks, complications, and technologies of the future. 2021 saw a series of shifts in the data privacy landscape, and the momentum of this change is not expected to slow down any time soon.
So, what changes can we expect in 2022, and will these become the new normal for privacy? Here are nine key trends we believe will shape the world of privacy in 2022.
1. Privacy regulations will continue to expand.
Over the past few years, the proliferation of data privacy laws has accelerated around the world – and 2022 will likely be no different. In 2021, there were more than 160 consumer privacy bills introduced; at least 25 states proposed comprehensive privacy legislation; and two states (Virginia and Colorado) officially enacted their own privacy laws. And that was just the United States. China issued the country’s first comprehensive data protection law (Personal Information Protection Law) and a law aimed at protecting national security interests in the usage, collection, and protection of data (Data Security Law). Brazil's General Data Protection Law (LGPD) also went into effect on August 1, 2021, after being delayed by the Covid-19 pandemic.
By the end of 2023, data privacy laws are expected to cover the personal information of 75% of the world’s population, an increase of 10% from 2021. As the pandemic drives more people online than ever before, the volume of data being created or replicated has almost doubled. By 2025, the global datasphere is expected to reach 175 zettabytes (up from 33 zettabytes in 2018). As more consumers demand privacy and control over their data, countries around the world will continue to either adopt new regulations or strengthen existing laws to address these concerns. Last year we saw how quickly some laws can be passed, and 2022 is expected to trigger an avalanche of new data privacy laws and protections.
2. There will be an increase in regulatory fines issued.
The world is undergoing one of the most dramatic transformations ever – the shift to digitization. But, with the rise of the digital world comes an increase in data privacy laws to improve data governance and protect the large volumes of sensitive personal information pouring in. This growing regulatory landscape is making it challenging for organizations to comply with all relevant laws and their specific requirements in a timely manner. For this reason, we expect to see an increase in the frequency and severity of the regulatory fines issued in 2022.
This past year, Amazon was issued the largest GDPR fine to date, $887 million, exceeding the amount of all previous GDPR fines combined at that time. In fact, the GDPR tripled the total amount of 2020 fines in just Q3 of 2021. Any previous grace period or leniency provided by the Information Commissioner's Office (ICO) has ended, and no violation is too small to avoid costly penalties. The GDPR has also reduced the time U.S. banks have to report a cybersecurity incident from 72 hours to 36 hours. Without a proper incident response plan or strong third-party risk management program, U.S. banks will likely see an increase in noncompliance penalties.
In more recent news, the Austrian DPA has ruled that a health-focused website that had been exporting visitors’ data to the U.S. through Google Analytics was in violation of the GDPR. Although no financial penalty has been issued as of the date of publication, Google Analytics has been made illegal in Austria, effective immediately. This landmark case could potentially have a domino effect, leading to cloud services from Amazon, Facebook, Google, and Microsoft being ruled incompatible and forcing organizations to act quickly to avoid being fined for violating EU data protection laws.
In addition, new privacy laws are being implemented with significantly harsher noncompliance fines. The newly enacted Personal Information Protection Law (PIPL) in China is similar to the GDPR, but its penalties go up to 5% of the company's annual revenue (compared to the GDPR at 2-4% of annual global turnover) and can also include potential criminal penalties. China's DSL, which went into effect in 2021, also has similar penalties for noncompliance. As more countries place a priority on data protection, the fines and penalties issued for violating requirements will increase.
3. Data subject requests and complaints will continue to increase.
The Covid-19 pandemic created an immediate need for innovation and the quick adoption of digital technologies among businesses and consumers. But, as the number of data breaches grows each year, consumers are becoming more wary of the personal information they share with businesses and want to know exactly how much of their information is being gathered through smartphones, computers, health monitors, and location services, to name a few.
Organizations that do collect personal information must comply with a host of privacy laws that give consumers more control over their data, such as the GDPR and CPRA. As consumers continue to exercise their right to know, update, restrict, and delete the processing of personal information businesses have collected about them, we expect to see an increase in the number of data subject requests and complaints in 2022.
In 2020, there was a 62.5% increase in data protection complaints since the implementation of the GDPR. In 2021, Amazon was fined a record-breaking penalty of $887 million based on a complaint by “La Quadrature du Net”, a French privacy group that claims to represent thousands of people. As more and more consumers begin to view data privacy as a human right, the number of data subject requests and complaints filed will increase until that is achieved.
4. The role of Data Protection Officer (DPO) will grow in importance.
The privacy landscape is changing rapidly, and being unprepared can lead to costly fines, such as the $5 billion settlement by Facebook for privacy violations. Not to mention, as cloud adoption steadily rises across various industries and digital transformation drives the adoption of new digital products, tools, and software, embedding end-to-end privacy measures like Privacy by Design and privacy engineering becomes essential. To align with the influx of new privacy laws and amendments, many organizations are appointing a Data Protection Officer to oversee and review their compliance efforts and data protection strategies – even when it is not mandatory. In 2022, we expect the role of DPO to grow in importance, especially as their responsibilities evolve to encompass a holistic view of data privacy, security, and education beyond just the GDPR.
Since the adoption of the GDPR, the demand for a DPO has steadily increased, rising by over 700% over the last five years. In 2020, Data Protection Officer was ranked as the second highest emerging job on LinkedIn's 2020 Emerging Jobs report for the United Kingdom. The Chinese Personal Information Protection Law (PIPL) and the Brazilian General Data Protection Law (LGPD) – both effective in 2021 – share many similarities with the GDPR, including the requirement of appointing a DPO for organizations processing personal information. Furthermore, the IAPP estimates that more than 500,000 organizations will need to appoint a DPO in the next few years.
As companies process, store, and transfer more data across borders than ever, and the privacy landscape becomes a tangled web of regulations, the importance of a DPO will grow more evident in 2022.
5. The new year will put a spotlight on third-party risk management.
Faced with supply chain disruptions, growing cyber threats, and increased regulatory scrutiny, third-party risk management (TPRM) has become more important than ever. The average company shares its data with roughly 583 third parties, and 51% of organizations have experienced a data breach revealing sensitive and confidential data that was caused by a third party. Despite these statistics and the sheer number of high-profile attacks (e.g., Target, SolarWinds, Accellion), many organizations are either unaware of how many third parties have access to their data or fail to invest in a strong third-party risk management program. A robust data governance strategy and data mapping exercise can provide visibility into the lifecycle of sensitive data; without them, organizations become susceptible to third-party data breaches, which can lead to hefty regulatory fines, lawsuits, and reputational damage. In 2022, we expect to see a rise in the number of third-party attacks, and in turn, a greater investment in agile and adaptable third-party risk management programs.
The increase in sophistication and frequency of cyber-attacks targeting vendors and suppliers is also driving many companies to review their dependence on third parties and reevaluate the effectiveness of their TPRM programs. Third-party programs must be able to support business growth while still maintaining security protocols and meeting regulatory requirements. Forrester predicts that roughly 60% of security incidents in 2022 will result from issues with third parties. As third-party risk plays a leading role over the next year, third-party risk management will take center stage among business leaders.
6. The Schrems II decision will become a more pressing topic.
For almost five years, the European Commission deemed the Privacy Shield agreement adequate to protect the data privacy of EU citizens. But, in July 2020, the Court of Justice of the European Union (CJEU) delivered the Schrems II judgment which invalidated the EU-U.S. Privacy Shield agreement due to invasive U.S. surveillance programs. Over 5,000 U.S. companies were immediately forced to switch to new data transfer mechanisms, such as GDPR-sanctioned Standard Contractual Clauses (SCCs), binding corporate rules (BCRs), and derogations, as they waited for a successor framework or a long-term personal data transfer mechanism.
In June 2021, the EDPB adopted its Recommendations, which provide a six-step process that organizations must follow for personal data transfers, along with guidance on the new SCCs and how to implement them. While the new SCCs took effect almost immediately, companies were given a grace period until December 27, 2022, to transition all existing contracts to the new SCCs. This transition is not a small undertaking, but it is critical for organizations wanting to continue to transfer data after the deadline. Although the decision was handed down almost two years ago, the Schrems II judgment has altered the state of international data flows and will continue to have a significant impact on EU-U.S. data transfers throughout 2022.
7. There will be an increase in spending on cloud services.
The restrictions imposed by the Covid-19 pandemic challenged businesses in ways never before imagined, and for many, accelerated their move to cloud-based storage and operations. Now, over 90% of businesses host their data and IT environment in the cloud. Annual spending on cloud services is expected to reach $482 billion in 2022, a 22% increase from 2021. By 2026, public cloud spending is expected to exceed 45% of all enterprise IT spending, up from less than 17% in 2021.
However, the increased adoption of cloud services has presented a range of new privacy risks and challenges. As more data is collected and stored in the cloud (e.g., public, private, hybrid), protecting and securing it across multiple environments is becoming more complicated. In addition, companies must comply with the relevant data protection laws, even across multiple cloud environments and storage locations.
In 2022, while we know spending on cloud services will increase, we also expect to see a spike in cloud-related breaches to accompany the transition.
8. China will impact international data flows around the world.
Over the past year, China placed an emphasis on strengthening its protection of national security interests and personal information. By passing both the Personal Information Protection Law and the Data Security Law in 2021, China aimed to build a comprehensive regulatory system for both cybersecurity and data protection. Along with the Cybersecurity Law (CSL), these three laws set strict restrictions on cross-border data transfers, making it more challenging to transfer data overseas unless certain conditions are met.
China retains the legal authority within its laws to regulate data for national security, public interests, and political purposes. For instance, "important data" and "national core data" produced by critical information infrastructure operators must be stored in China or undergo a security audit before being transferred. China is one of the most populated countries in the world, and many companies are either headquartered or have branches in China, so these new laws and restrictions will strongly impact international data flows in 2022.
9. The number of privacy professionals will grow, but there will still be a talent shortage.
From mandatory business shutdowns and massive layoffs to worker burnout and a wave of resignations, the job market has seen some major changes over the last two years. Most notable is an ongoing event known as the “Great Resignation”, which describes the abnormally high number of resignations across a wide range of industries. In September 2021 alone, roughly 4.4 million workers resigned in the U.S. (3% of the American labor force), and by the end of 2021, more than 40 million Americans had quit their jobs.
Although the cybersecurity workforce shortage has decreased over the past year (from 3.12 million to 2.72 million), cybersecurity was also impacted by the events of 2021, with job transitions and resignations increasing by 4.5%. Due in part to heavy workloads, employee burnout, and the lack of career advancement opportunities, the demand for data privacy professionals is continuing to outpace the supply of qualified workers, putting many organizations at risk. Privacy teams will be forced to continue to navigate the intricate regulatory landscape and defend against evolving privacy risks with fewer resources than ever.
In addition, many organizations are battling against the disadvantages of hiring job hoppers (candidates who frequently move from job to job), despite their strong qualifications and skills. Hiring is a costly and time-consuming process, so employing a candidate who will potentially leave within a year can drain valuable resources. Job hoppers can also put a strain on HR departments that must securely retain, store, and destroy the employment records of candidates and employees. With the average millennial worker expected to have up to 16 jobs within their career, many HR departments might not be equipped to handle this amount of personal information, putting it at risk.
For employers, the struggle to recruit, hire, and retain privacy talent during a global cybersecurity workforce shortage and the Great Resignation, while balancing the growing percentage of job hoppers, will challenge organizations over the course of 2022.
From the increase in privacy compliance obligations to the fallout of Schrems II to the growing adoption of the cloud, 2021 was an exciting year for privacy. California, Colorado, Virginia, China, and the EU all either passed or amended data protection laws, and some of the biggest fines, penalties, and settlements were issued for privacy violations. And as cloud adoption steadily rises across various industries and digital transformation drives the adoption of new products, tools, and software, taking a Privacy-by-Design approach and embedding end-to-end privacy measures into the development process will become critical for organizations in the coming years.
Even with all the excitement of the past year, 2022 is poised to be just as monumental. New laws, enforcement actions, and compliance initiatives will keep organizations busy and digital transformation will have businesses balancing data protection and growing privacy risks and vulnerabilities. As we continue to navigate the new normal of data privacy, keeping these trends top of mind and taking action where necessary will ensure your organization stays prepared for what 2022 has in store.