In recent years, privacy has been an increasingly hot topic for audit, compliance, and risk management professionals. With the European Union’s General Data Protection Regulation (GDPR) recently going into effect, we anticipate that privacy risks, issues, and concerns will not be slowing down. Now, where might data privacy be in five years? Although difficult to say, we did speak with industry experts to hear their thoughts on where certain areas of data privacy may be in 2023, and how auditors can prepare.
Privacy and Emerging Technology Risk
With the speed that technology continues to evolve, it’s uncertain what the top privacy risks from emerging technologies may be in five years. Looking back a decade, the risks associated with today’s widespread use of social media technology couldn’t be predicted by experts. However, we have gathered some ideas about emerging technologies and future privacy concerns.
“Artificial Intelligence (AI) will change the world and is likely to be one of the technologies that can help solve a lot of issues, but like any powerful technology, could cause a lot of issues,” says Rob Clyde, vice chair, ISACA and an independent board director at Titus.
Internet of Things
IoT use will continue to grow, and we will see corresponding technological advances.
“If there is anything we can count on, things will get smaller, faster, better, cheaper, and of higher quality,” says Paul Rohmeyer, associate industry professor and program director - Masters in Information Systems at Stevens Institute of Technology.
“In the case of privacy, this means that there will be more data captured, more signals captured, and we’ll be able to store and transit data in ways we haven’t anticipated before.”
Not only will this amount of data pose new data security issues, but it also could create data classification concerns.
The use of drones has raised privacy issues, such as spying, since inception – regardless of whether the drone user is a business, the government, or a private citizen.
“Individuals were prosecuted very early on for spying with drones. There are rules and laws that prohibit this,” says Clyde. “However, we could see authorities gain approval to use drones to follow private citizens for law enforcement or anti-terrorism issues. They could do this by using facial recognition, or even possibly through an individual’s heartbeat’s unique electric signature. Maybe we’ll see these drones be able to follow someone surreptitiously from a mile away.”
Big Data and Advanced Analytics
Big data and advanced analytics could be used to infer private facts about individuals. For example, a shopper who is a member of a grocery store’s loyalty program continually discloses to the store what they are purchasing with the scan of their unique barcode. By aggregating all loyalty members’ purchase data, the store may be able to deduce health conditions the shopper has, such as diabetes or celiac disease. Individuals may not want anyone besides their doctors knowing and storing information regarding their health.
Personal assistant devices such as Amazon’s Echo (Alexa) or Google Home raise an interesting concern over capturing verbal data that may be private. “For example, a doctor may be working from home and inadvertently cause the device to listen to a conversation that discloses a patient’s health conditions,” explains Rohmeyer. “This creates a protected health information (PHI) record that has now been shared with a device that was not approved by the patient or anticipated by the physician.” Furthermore, now that PHI has been captured by the device, issues arise if the patient exercises his or her right to be forgotten, as neither the doctor nor the company which made the device may know of the data’s existence.
Development of Laws and Regulations
Privacy risks such as those we’ve discussed are often driven by laws and regulations, which in recent years have strengthened globally. It will be interesting to see how they continue to develop, both domestically and abroad.
Sectoral vs. Comprehensive
US privacy laws are generally industry specific, rather than comprehensive across all US companies. This sectoral approach has tended to make audit and compliance issues more complicated than they need to be. Judy Selby, JD and Principal of Judy Selby Consulting LLC, sees a future shift in the sectoral approach to laws and regulations that will apply more broadly, regardless of industry.
The much-talked-about GDPR has had a wide impact not only on EU-based companies but on others as well. Since many US-based companies are multinational, the GDPR has required changes in business operations in order to comply. Some companies are even taking steps to adhere to the principles of the regulation for business processes that are not under the requirements of the GDPR. For these companies, the anticipated shift to more comprehensive laws will have less of an impact on operations than on other US companies which have not begun to apply the principles and concepts of the GDPR.
How Audit Can Assist
Given the anticipated changes in the privacy landscape, auditors need to find ways to add value to their company. Below are five key takeaways to consider:
1. Cybersecurity Knowledge
IT auditors should continue to increase their cybersecurity knowledge. “Audit will have a continuing cybersecurity emphasis. Auditors need to become more cyber conversant,” notes Clyde. “IT audit is being asked to brief the board on cyber risk. Additionally, the nature of audit will change because many activities that IT auditors perform will be automated. Auditors will need to stay on their toes and come up a level to really understand the business impacts and risks of cybersecurity, and what the company truly needs to focus on.”
2. Risk vs. Benefit
Auditors should work to find the balance between best privacy practices and the business’s desired operations. “Auditors’ jobs are difficult in that they have to balance between protecting their company’s data and ensuring they don’t inhibit profitability,” shared Rosario Mastrogiacomo, Director of Product at SPHERE Technology Solutions. “For example, if the marketing department needs access to birthdays of customer family members in order to execute a targeted marketing campaign, the auditor must decide if the benefits of wide access to that data outweigh the risks.”
3. Approach to Privacy
Take a mature approach to privacy instead of only aiming for compliance with applicable laws and regulations. Selby predicts that both regulators and the public will be looking to see companies place an emphasis on the value of data and consequences of misuse, not just for compliance with laws and regulations.
4. Enterprise-wide Involvement
Implement an enterprise-wide strategy for privacy. “Have a committee with representation from each department meet regularly,” says Selby. “Discuss what the company is doing with data, how the company can be proactive in their approach to handling data, and how better decisions about data can be made.”
5. Prepare for the Inevitable
Have a plan in place for when something goes wrong. Whether it be a cybersecurity breach exposing personal information or a direct marketing campaign executed without adequate privacy considerations, tabletop exercises held in advance can help the company react appropriately and quickly.
While much of where data privacy may actually be in five years is up for debate, one thing is certain: effective auditors privy to the fast-changing world of data privacy will be more in demand than ever before. As privacy risks evolve, keeping pace with the latest technologies and having a keen understanding of data privacy will help auditors continue to add value.