Datenschutz und Cybersecurity

Privacy Megatrends 2030: A Roadmap for CEOs

Verfasst von

Dr. Jan-Peter Ohrtmann

Companies that best navigate seven privacy megatrends of the next decade will achieve sustained competitive advantages over those who continue the sprint-driven approaches they followed for e.g. GDPR and CCPA readiness.

How were these megatrends identified?

PwC’s team of over 600 privacy professionals in over 40 countries arrived at these trends through three steps:

  • We completed a meta-analysis of megatrends reports issued by eight strategy houses to identify candidate trends;
  • We constructed a cause-and-effect linkage model of the candidate trends to identify relationships among them; and
  • We ranked their likelihood and impact across local-market indicators globally.

Privacy megatrend 1: Race to own the data-value chain

What’s the forecast?

Deals and alliances will escalate as companies compete to control data along their value chains.

Why will it happen?

Converting data into value in a secure and ethical manner is the business imperative of the next decade. Whoever controls their data lifecycle will most direct their destiny. Increasing sophistication of data-valuation models will make clearer for CFOs how much of their revenues depend on data sourced through third parties. As the perceived value of data increases, it will become a heightened target of corporate espionage and state-based cyberattacks. The rise of disinformation attacks will place a premium on data integrity and identity authentication. At the same time, increasing deployment of artificial intelligence, robotics, and other privacy-impacting technologies will create new data-ethics risks. This increased clarity over the revenue and risk of data-value chains will spur a race to partner with or acquire the best-valued information assets.

How will it impact businesses?

Companies creating the most unique and sought-after data, business intelligence, and responsible data-generating technologies will see their valuations escalate. Partners or acquirers of those companies who can define their data strategies, identify these targets early, and conduct effective due diligence of their value and risk stand the best chance of securing an affordable financial arrangement and achieving first-mover advantages against competition.

What should CEOs do?

  • Charge the heads of business and CDO, CMO, CIO, CPO, and CISO with executing a data value-chain strategy and a dynamic inventory of information assets
  • Forge a global position on data and technology ethics aligned with the company’s values
  • Task the CFO with creating a data-valuation model that incentivizes responsible data monetization and risk mitigation
  • Drive strategic acquisitions, alliances, and organizational operating-model adjustments around the executive team’s data strategy

Privacy megatrend 2: Tripolar privacy world

What’s the forecast?

Privacy regulatory regimes will coalesce around the European, US, or Chinese models.

Why will it happen?

These three influential economies derive their current privacy regimes from distinct historical experiences that share some goals in common, but diverge in important and lasting ways. Countries will continue to see advantages over the next decade in passing new privacy regulations, but will gravitate toward the European rights-based, American harms-based, or Chinese control-based model closest to their national prevailing value. Ongoing regional clashes on trade and monetary policy and state-based cyberattacks will reinforce constituents backing data-localization regulations and enforcement.

How will it impact businesses?

The differing requirements and enforcement of the three poles will cause multinationals to redesign cloud migration, data-center consolidation, and supply-chain optimization initiatives to address the different regional requirements. The convergence of privacy regulation with antitrust enforcement, particularly in the technology sector, will further incentivize the unbundling and regionalization of business models.

What should CEOs do?

  • Alter the balance in the global business operating model between what is centralized and what is regionalized to address data-localization requirements
  • Consolidate the data governance, data analytics, data privacy, and information security functions and assign accountability in all operating regions and the three lines of defense

Privacy megatrend 3: Automated privacy enforcement

What’s the forecast?

Privacy enforcement stakeholders will use automated technologies to magnify their powers.

Why will it happen?

Regulators are resource strapped and under pressure to produce results, and several are obtaining greater enforcement authorities as well as higher maximum levels of fines and penalties they can impose. Plaintiff’s law firms are pressed to find new revenue streams, publications must generate new audiences to stay afloat, and advocates are driven to remain relevant. In Europe, efforts are underway to activate the provisions in the General Data Protection Regulation (GDPR) for privacy certification schemes. In the United States, the Federal Trade Commission and a leading consumer advocacy publication have developed privacy labs to review products, mobile apps, and websites. New bot and AI technologies, and relationships with third-party accreditation schemes with these capabilities, provide these various stakeholders the means to continually probe companies for privacy weaknesses that could help them mitigate these pressures.

How will it impact businesses?

Companies will face increased exposure on privacy-related matters. Traditional approaches to privacy compliance that are focused on paper-based documentation of policies and procedures will prove inadequate to this continual, digital scrutiny. Companies that have assumed Big Tech will be the ongoing focus of regulators and activists will find themselves exposed to increasing fines, penalties, lawsuits, and public scrutiny.

What should CEOs do?

  • Direct the CIO, CTO, CDO, CPO, and CISO to design privacy-ready default settings into the digital code of the company’s operations
  • Charge the Chief Audit Executive with incorporating these automated and forensic technologies into the third line of defense to proactively identify weaknesses to external scrutiny
  • Direct the heads of business to sponsor routine testing of their information-incident response processes and reporting of results to the executive team

Privacy megatrend 4: Consumer privacy dispersion

What’s the forecast?

Consumer responsiveness to new marketing techniques will be fluid until an innovator breaks the Privacy Paradox.

Why will it happen?

The Privacy Paradox is the persistent gap between how much consumers say they value privacy and what their behavior reflects. The gap has been large and growing in Western countries, but smaller in Eastern countries and older demographics. The rise of artificial intelligence, government and workplace surveillance, and revelations spurred by automated privacy enforcement will spur protective movement in these attitudes, while growing opportunities to share personal data for socially beneficial purposes will attract permissive movement. A growing portion of consumers will stand ready to leave companies they are loyal to if they find a competitor who is able to give them the same or better conveniences but more reliable control over and value for their data.

How will it impact businesses?

High rates of consumer adoption of new technologies and market techniques will be needed to justify investments companies are making to accelerate their digital strategies. Companies who bring the paradigm of their traditional consumer based into a new age or geographical demographic, will experience lower returns unless they adapt to the continually evolving privacy and value expectations of those new demographics. Consumer-facing companies who stand the most to gain are those who can outrun competitors in offering a better mix of price, quality of product and service, and flexibility of privacy controls.

What should CEOs do?

  • Take a global position on consumer privacy rights to data access, portability, correction, use restriction, and erasure
  • Charge the CMO with introducing bespoke customer-experience journeys that are in line with the cultural and legal expectations of the three privacy poles and reflect the company positions on data and technology ethics
  • Direct the CIO, CMO, CISO, and CPO to develop a consumer identity management capability that delivers the consumer privacy rights and customer-experience journeys

Privacy megatrend 5: Employee privacy culture

What’s the forecast?

Employees will form unique cultures in how they react to technologies in the workplace.

Why will it happen?

The COVID-19 pandemic accelerated companies’ technology-based tracking of employee status and productivity. The concurrent social unrest focused attention on technologies such as facial recognition and artificial intelligence that could be used to increase racial and socioeconomic disparities. As consumers bring their technology and privacy attitudes into their places of work and also experience the global market’s reaction to the data and technology ethics of their employers, they will form shared opinions and expectations about privacy in the workplace.

How will it impact businesses?

Companies that are most closely aligned with and intentful in positively shaping their employee privacy culture will achieve the most productivity from their employees and the easiest adoption of new technologies and data analytics in the workplace and in their products and services. Multinationals straddling differing privacy cultures across the three privacy regulatory poles will find the most difficulty rolling out technologies globally, and may need to consider different regional approaches to optimize employee productivity and returns on investment.

What should CEOs do?

  • Direct the CHRO with deploying an employee privacy program that is aligned with the company’s data and technology values, aims toward an endemic positive privacy culture, includes an employee council that reviews and communicates privacy and ethical impact assessments for new technologies and data uses in the workplace, includes a feedback mechanism for all employees, and equips employees with the means to manage their personal privacy at work and at home, including work-providing means for securing home offices
  • Charge the heads of Customer Service and Public Relations and CHRO with formalizing a feedback mechanism for product and service ethical performance

Privacy megatrend 6: Trusted technology first movers

What’s the forecast?

A confluence of the aforementioned trends will create once-in-a-generation openings to set trusted technology standards.

Why will it happen?

A symbiotic relationship among technology innovation, public opinion, and regulation across the three privacy poles will establish evolving and sometimes conflicting consensuses of socially acceptable technology. To survive and thrive through the aforementioned trends, the most impacted companies will push new, higher standards across their enterprise and through their supply chains and data-value chains. The first GDPR industry codes of conduct and certification schemes will likely emerge in the EU as one outcome of this trend.

How will it impact businesses?

Companies whose technology and data practices diverge the most from the emerging global norms, or who generally operate a decentralized group of autonomous business units acquired through inorganic growth, will face the most cost and challenge adapting to emerging standards. First hit will be business-to-business companies serving the technology, media, and telecommunications sector. At the same time, companies who are instrumental in shaping a new standard’s content and rollout will reap competitive advantages with enterprise customers, end consumers, and employees.

What should CEOs do?

  • Commission the CIO, CDO, CTO, and heads of business with identifying the top strategic technologies and data uses that the company’s business strategy depends on, and the company’s current status relative to existing or needed trust standards for those technologies, and advise on whether to assume an industry leadership role
  • Direct the resulting trust standards to be incorporated into every aspect of the business

Privacy megatrend 7: Privacy engineering talent shortage

What’s the forecast?

Demand for people who can apply complex privacy requirements to business problems will exceed supply.

Why will it happen?

The six other privacy megatrends all point in this direction — a sustained, global need to design all aspects of a company’s operations around new trusted technology and data-ethics standards that can withstand continual probing of external stakeholders. Needs will increase for staff trained in STEM and mathematics degrees, already in high demand, as well for those trained in philosophy and ethics. Software and hardware engineers will need to acquire privacy expertise while attorneys will need to acquire deeper technology and ethics acumen. While current privacy certifications in the market offer an introduction to acquiring these needed skills, no training program currently replicates the expertise acquired meeting the ‘10,000 hour’ rule of on-the-job skills mastery. The rate of increase in demand for these advanced skills will outpace the already limited pool of multidisciplinary talent progressing through their years-long learning paths.

How will it impact businesses?

Multinationals who take the traditional approach of depending on one or two people in their legal department to meet all their privacy needs will not meet their 2030 business objectives related to technology or data. They will be outflanked by competition, experience higher rates of consumer and employee attrition, and slower sales cycles. They will absorb an increasing amount of risk in their data-value chain.

What should CEOs do?

  • Charge the Chief Audit Executive with monitoring and reporting on the company’s privacy talent risk, planning for a growing privacy business exposure
  • Direct the CHRO and CPO to develop a learning and development training curriculum to foster internal privacy talent across the three lines of defense
  • Ask the CPO to increase connectivity with third-party service providers with privacy talent to diversify the company’s talent sources
  • Guide the CFO to budget appropriately for these seven trends