The year of 2020, on the surface, seemed mostly about hunkering down at home, wearing masks in public, and attending virtual conferences.
The pandemic also spurred digital acceleration, with floods of users moving from brick-and-mortar stores, workplaces, and school buildings into the digital universe. Consumers’ day-to-day behavior, around the world, transformed almost overnight to online shopping for groceries, communicating with family via online messaging and video chat, and working or studying from home.
This abrupt change in the way we all live during 2020 has reinforced concerns about the abundance of online data we hand over every day, and whether the privacy of that data is adequately protected. It’s likely that 2021 will be the year in which these concerns will take front stage among business priorities.
In light of this, we have a few predictions for 2021 that will help you stay on track even as we all adjust to the “new normal” and (hopefully) see our old ways of living, shopping, working, and studying go back to something more recognizable.
1. Privacy legislation is likely to see dramatic global expansion
Most merchants, especially those who have expanded their sales on a global level, have already encountered data privacy legislation. In a nutshell, these regulations apply to all companies that process personal information when the company reaches a certain amount of revenue, customers, and other thresholds.
According to Gartner, by 2023, more than half of the world’s population–as much as 65%–will have its personal data covered under some kind of modern privacy regulations.
The EU’s General Data Protection Regulation (GDPR) has already had a major impact on the data protection and privacy landscape since its adoption in 2018. California adopted its own similar legislation shortly after, with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) expanding CCPA.
It’s expected that other countries around the world will be rapidly adopting this type of legislation in 2021. India is likely to see its privacy law enacted this year, and China will launch its first comprehensive special legislation in the field of data and the first proposed protection of data rights in regional legislation. Canada, Brazil, and New Zealand recently introduced legislation similar to Europe’s GDPR.
An interesting nation to watch will be the United Kingdom: as it stands now, Brexit would mean that the GDPR is not binding there, which could bring friction between EU nations and the UK over internationally shared data services. For now, the EU/UK Trade and Cooperation Agreement, which came into effect on January 1st, 2021, provides that EEA personal data can still flow freely to the UK, for a period of 4 months, extendable with an additional two. This brings new requirements for data controllers, however, who have to review their privacy setup going forward. For example, data controllers outside the EEA that collect EEA and UK data, as well as data controllers in the UK that collect EEA data, will have to adjust their website policy and other privacy communication to correctly reference both the UK GDPR/2018 Data Protection Act and the EU GDPR. These entities are also advised to check whether additional notifications to competent authorities are required, and to check the record of processing activities and make appropriate changes.
We expect data transfer mechanisms from EU to US (Privacy Shield) and UK (adequacy decision from European Commission) will continue to be under scrutiny in 2021.
2. Data privacy will draw increasing concern and attention from consumers, and those worries could affect businesses’ bottom line
Consumers are more aware of and concerned with the growing threats to the privacy and security of their personal information. Large-scale data breaches like the ones at Equifax and ClixSense could make them more inclined to take action to protect it: one study conducted by Cisco revealed that over 50% of consumers will abandon a company because they don’t trust their data policies or data sharing practices.
The good news? Companies that get consent from their users and are transparent about their privacy controls and what data third parties might be able to access could see a 30% increase in their digital commerce profits compared to their competitors, according to a Gartner study.
Payment providers can also link up with an identity provider, who supplies all the different identity methods and can store that personal data centrally in a way that is GDPR-compliant. This contributes to a secure shopper experience, but also lets the consumer share data previously entered and then automatically populated with each new sign up, to ease that process.
Additionally, adherence to the ePrivacy Directive (which builds on the EU’s GDPR) will reassure customers by requiring their consent before cookies (small text files stored in the user’s web browser) are stored and accessed on computers, smartphones, or other devices connected to the internet. The ePrivacy Directive came into effect in 2002 to ensure that all communications over public networks respect fundamental rights. The European space has also debated the introduction of an ePrivacy Regulation. This regulation would repeal the ePrivacy Directive, broaden the scope of the current ePrivacy Directive and align the various online privacy rules that exist across EU member states.
3. Your employees will need privacy reassurance, while insider threats could also increase
With so many employees working from home during the COVID-19 pandemic, it’s inevitable that networks are heavily targeted by malignant digital predators looking to take advantage. The reverse can also be true: employees who are working from their own computers, outside the purview of IT and administrative teams, could more easily use company data in nefarious ways.
Businesses should consider reviewing and possibly overhauling their approach to their data use and data protection practices, to ensure that personal data will remain secure at all times. They will also find they need to communicate, educate and reassure employees more on their privacy rights and obligations.
This privacy review could also assess the organizational, physical, and technical risks involved in working from home, as well as in employees accessing systems and data remotely, and help identify appropriate security measures, like requiring secure Wi-Fi networks and company-authorized VPNs.
4. Businesses will expect more from payment service providers to manage the new data privacy challenges
Over this past fateful year, payments systems providers have worked hard to protect and maintain their high level of trust from their partners. When considering some recent statistics, like the following supplied by Forbes, it’s clear that this diligence will need to continue:
- 35% of U.S. households have experienced a data security problem over the past year, including identity theft, data theft, or a computer virus.
- Only 25% of consumers think companies handle their personal data responsibly.
- Just 10% of consumers believe they are in complete control over their personal data.
- 69% of consumers believe companies are vulnerable to cyberattacks.
Another report, from McKinsey & Co., provided a rosier outlook. Their findings suggest that, although data privacy expectations will continue to increase, the same record-taking might also be used for developing new protections that benefit users. Using data in the battle against COVID, like the phone data used for contact tracing and contagion tracking, has been largely successful and more accepted by users, one positive byproduct of COVID.
As more consumers increasingly value data protection, companies have the opportunity to comply with privacy regulations while they capture business benefits and build trust with their customers.
Businesses should prioritize transparency, ongoing and evolving customer support, adherence to regulatory compliance, and periodic review of their data protection practices during 2021. These steps will go a long way towards offsetting any negative effects of 2020 and building the next “new normal.”