The business demand for data privacy professionals is expected to gain momentum during the coming year amid a growing patchwork of rules in the U.S. and abroad that, in some cases, impose stiff penalties on violators.
In a recent poll, 62% of data privacy experts predicted an uptick this year in the need for legal or compliance skills related to privacy, while 69% anticipated higher demand for expertise on the technical side.
The study, conducted by ISACA, an association focused on information technology governance, also found that data privacy is still largely understaffed and some companies are scrambling to catch up.
“I think organizations are starting to see that it can be really serious to their bottom line if they’re not compliant with privacy laws and regulations,” Safia Kazi, privacy professional practices principal at ISACA, said in an interview.
CFOs, because of their experience with risk, can be especially effective when combined with privacy professionals, she said.
Businesses that operate internationally face a web of regulations related to data privacy and security across the globe, resulting in potential legal headaches for corporate executives. The situation is only expected to get worse.
In the U.S. in particular, companies this year will have to comply with a flurry of new privacy laws at the state level. As of Jan. 1, two such laws became effective: the California Privacy Rights Act, which expanded the California Consumer Privacy Act, and the Virginia Consumer Data Protection Act.
Later this year, three additional new privacy laws will become effective in Colorado, Connecticut and Utah.
“Suddenly, the impact of privacy in the U.S. has ratcheted up dramatically,” Ojas Rege, a senior vice president at privacy and security software provider OneTrust, told CFO Dive. “This will be the year of privacy in the United States.”
Who is impacted
The sweeping new privacy laws impact a wide range of businesses that collect or use personal information about individuals residing in the respective states, and impose new and complex requirements, according to a Jan. 4 alert published by the law firm Wiley Rein LLP.
“While businesses have invested significant resources into updating privacy protocols and notices to meet the Jan. 1, 2023 effective date for California and Virginia, there is still more work to be done to ensure covered businesses are ready for 2023 privacy compliance obligations,” the alert said.
Forty-two percent of the ISACA respondents said their enterprise privacy budget is “somewhat or significantly” underfunded, down from 45% in 2022 and 49% in 2021.
The association, which is made up of more than 165,000 professionals who work in IT-related fields, sent survey invitations during the fourth quarter of last year to about 46,000 of its constituents — mainly data privacy and security practitioners. A total of 1,890 respondents completed the survey.
While many corporate executives are thinking about the potential fallout from data breaches — which are often in the headlines — there are still significant gaps to fill when it comes to broader data privacy obligations that are rapidly coming into force, according to Kazi.
“It is possible to have good security in place but not be doing privacy very well,” she said. “Privacy also addresses issues like how you’re collecting data and how you’re communicating this to consumers.”
In October, the French Data Protection Authority imposed a fine of 20 million euros on U.S. facial recognition company Clearview AI for failing to comply with requirements under the EU General Data Protection Regulation, which took effect in 2018.
The company came under scrutiny after reports that it had compiled, without legal consent from affected individuals, as many as 20 billion facial images from publicly available websites and social media platforms into a massive database that was made accessible to clients, including law enforcers.
The fine, which was the maximum allowed under the law, was imposed after a prior formal warning from France. The company’s data-handling practices have also been scrutinized in other jurisdictions, including Canada, the U.K. and Australia.
In addition to beng fined, the company was ordered to change its practices.
Besides fines, privacy breaches can have other significant consequences, including reputational risks, according to the ISACA report.
“The number of privacy laws and regulations will only increase in the coming years, and making headlines for a privacy violation can damage trust with consumers,” the report said.