In recent years, privacy has been an increasingly hot topic for audit, compliance, and risk management professionals.  With the European Union’s General Data Protection Regulation (GDPR) recently going into effect, we anticipate that privacy risks, issues, and concerns will not be slowing down. Now, where might data privacy be in five years? Although difficult to say, we did speak with industry experts to hear their thoughts on where certain areas of data privacy may be in 2023, and how auditors can prepare.

Privacy and Emerging Technology Risk

With the speed that technology continues to evolve, it’s uncertain what the top privacy risks from emerging technologies may be in five years. Looking back a decade, the risks associated with today’s widespread use of social media technology couldn’t be predicted by experts. However, we have gathered some ideas about emerging technologies and future privacy concerns.

Artificial Intelligence

“Artificial Intelligence (AI) will change the world and is likely to be one of the technologies that can help solve a lot of issues, but like any powerful technology, could cause a lot of issues,” says Rob Clyde, vice chair, ISACA and an independent board director at Titus.

One issue that may arise is ensuring that companies have the proper consents in place for the ways in which they use customers’ personal data. As a company’s AI develops, the ways in which personal data is used may evolve beyond what customers agreed to when they accepted the original privacy policy, requiring the company to update its privacy policy and obtain customers’ consent again.

Internet of Things

IoT use will continue to grow, and we will see corresponding technological advances.

“If there is anything we can count on, things will get smaller, faster, better, cheaper, and of higher quality,” says Paul Rohmeyer, associate industry professor and program director - Masters in Information Systems at Stevens Institute of Technology.

“In the case of privacy, this means that there will be more data captured, more signals captured, and we’ll be able to store and transmit data in ways we haven’t anticipated before.”

Not only will this amount of data pose new data security issues, but it also could create data classification concerns.

Drones

The use of drones has raised privacy issues, such as spying, since inception – regardless of whether the drone user is a business, the government, or a private citizen.

“Individuals were prosecuted very early on for spying with drones. There are rules and laws that prohibit this,” says Clyde. “However, we could see authorities gain approval to use drones to follow private citizens for law enforcement or anti-terrorism issues. They could do this by using facial recognition, or even possibly through an individual’s heartbeat’s unique electric signature. Maybe we’ll see these drones be able to follow someone surreptitiously from a mile away.”

Big Data and Advanced Analytics

Big data and advanced analytics could be used to infer private information about individuals. For example, a shopper who is a member of a grocery store’s loyalty program continually discloses to the store what they are purchasing with the scan of their unique barcode. By aggregating all loyalty members’ purchase data, the store may be able to deduce health conditions the shopper has, such as diabetes or celiac disease. Individuals may not want anyone besides their doctors knowing and storing information regarding their health.

Personal Assistants

Personal assistant devices such as Amazon’s Echo (Alexa) or Google Home raise an interesting concern over capturing verbal data that may be private.  “For example, a doctor may be working from home and inadvertently cause the device to listen to a conversation that discloses a patient’s health conditions,” explains Rohmeyer. “This creates a protected health information (PHI) record that has now been shared with a device that was not approved by the patient or anticipated by the physician.” Furthermore, now that PHI has been captured by the device, issues arise if the patient exercises his or her right to be forgotten, as neither the doctor nor the company which made the device may know of the data’s existence.

Development of Laws and Regulations

Privacy risks such as those we’ve discussed are often driven by laws and regulations, which in recent years have strengthened globally. It will be interesting to see how they continue to develop, both domestically and abroad.

Sectoral vs. Comprehensive

US privacy laws are generally industry specific, rather than comprehensive across all US companies. This sectoral approach has tended to make audit and compliance issues more complicated than they need to be. Judy Selby, JD and Principal of Judy Selby Consulting LLC, sees a future shift in the sectoral approach to laws and regulations that will apply more broadly, regardless of industry.

GDPR Impact

The much talked about GDPR has had a wide impact not only on EU-based companies but on others as well. Since many US-based companies are multinational, the GDPR has required changes in business operations in order to comply. Some companies are even taking steps to adhere to the principles of the regulation for business processes that are not under the requirements of the GDPR. For these companies, the anticipated shift to more comprehensive laws will have less of an impact on operations than on other US companies that have not begun to apply the principles and concepts of the GDPR.

How Audit Can Assist

Given the anticipated changes in the privacy landscape, auditors need to find ways to add value to their company. Below are five key takeaways to consider:

1. Cybersecurity Knowledge

IT auditors should continue to increase their cybersecurity knowledge. “Audit will have a continuing cybersecurity emphasis. Auditors need to become more cyber conversant,” notes Clyde. “IT audit is being asked to brief the board on cyber risk. Additionally, the nature of audit will change because many activities that IT auditors perform will be automated. Auditors will need to stay on their toes and come up a level to really understand the business impacts and risks of cybersecurity, and what the company truly needs to focus on.”

2. Risk vs. Benefit

Auditors should work to find the balance between best privacy practices and the business’ desired operations. “Auditors’ jobs are difficult in that they have to balance between protecting their company’s data and ensuring they don’t inhibit profitability,” shared Rosario Mastrogiacomo, Director of Product at SPHERE Technology Solutions. “For example, if the marketing department needs access to birthdays of customer family members in order to execute a targeted marketing campaign, the auditor must decide if the benefits of wide access to that data outweigh the risks.”

3. Approach to Privacy

Take a mature approach to privacy instead of only aiming for compliance with applicable laws and regulations. Selby predicts that both regulators and the public will be looking to see companies place an emphasis on the value of data and consequences of misuse, not just for compliance with laws and regulations.

4. Enterprise-wide Involvement

Implement an enterprise-wide strategy for privacy. “Have a committee with representation from each department meet regularly,” says Selby. “Discuss what the company is doing with data, how the company can be proactive in their approach to handling data, and how better decisions about data can be made.”

5. Prepare for the Inevitable

Have a plan in place for when something goes wrong. Whether it be a cybersecurity breach exposing personal information or a direct marketing campaign executed without adequate privacy considerations, tabletop exercises held in advance can help the company react appropriately and quickly.

While much of where data privacy may actually be in five years is up for debate, one thing is certain: effective auditors who are privy to the fast-changing world of data privacy will be more in demand than ever before. As privacy risks evolve, keeping pace with the latest technologies and having a keen understanding of data privacy will help auditors continue to add value.

Interested in learning more about this topic and others? Our ITAC Conference is taking place this month in San Diego, California. Here's everything you need to know.
