We live in an exciting era where business is transforming at an unprecedented rate that we have not fully come to grasp its impact on data privacy. Look at the statistics which are staggering. Globally, smartphone penetration is estimated to be 8 billion subscriptions worldwide. An average smart phone user has 80 applications on their phone and approximately 10 applications are used daily. The mobile phone application collects an enormous amount of personal data such as GPS location, IP addresses, voice, video, contact lists, text messages, passwords and call history. The e-commerce and service providers use advance digital technologies such as artificial Intelligence, machine learning, software robotics to profile and process personal data. Realizing the impact of data privacy and the harm it may cause to individuals and society, many countries globally have been enacting data privacy regulations.
In this blog, we explore perspectives on the future of personal data privacy with trends and challenges ahead in protecting individual rights and enabling innovating at the core of services.
Increasing Personal Data Privacy Conundrum
We are often faced with a situation where we must divulge privacy information to get the services we want. Every e-commerce site that we visit, mobile application we click, social media post that we like and contribute, inherently collects vast amount of data in the form of access to browser cookies, access to phone contacts, photos, videos, preferences, personal messages that it would be impossible for an individuals to comprehend data types being collected and how an individuals is profiled. While “choice and consent” may be offered, an individual is presented with a conundrum of choices, providing privacy information to get services an individual want. We face the dilemma of wanting to get desired services in exchange for personal data.
Thus far, Article 4 of GDPR has defined “personal data” in a most elegant way as “any information relating to an identified or identifiable natural person” The word, “any” has a broad scope in nature.
In future, the scope of personal data definition may be broadened, given the capabilities of automated processing and profiling of an individual based on a number of parameters, biases, and algorithms. A seemingly, innocuous data with no linkage when combined may potentially link to an individual which may potentially be exploited to meet narrow ends beyond the stated purpose at the time of personal data collection.
Global Rise in Data Protection and Privacy Regulations
GDPR was a watershed moment in the history of data privacy when it came into force in May 2018, regulating how personal data must be collected and processed. Since then many countries globally began working on their own data protection regulations. For example,
- In APJ, while Singapore PDPA was passed in October 2012, Singapore joins Asia‑Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) System in 2020.
- In Thailand, PDPA became a law in 2019. Both in Malaysia and Philippines, amendments are being made to their data protection regulations. In addition, applications of the data protection laws are being monitored closely for compliance.
- In India, the personal data protection bill 2019 (PDPB bill) is tabled in the parliament in 2019 and waiting to be passed and be promulgated into law by the beginning of 2022.
Over the next 2-3 years, we will notice a growing trend where countries enacting personal data protection regulations. This brings an additional challenge on how cross-border data transfer can be done while adhering to each of the countries data protection regulations.
The approach and philosophy of personal data privacy regulations vastly vary in tone and tenor between regions. It is well known that the government is supreme in China’s ability to have overarching powers and invasive data rights. While European Union protects the rights of individual data subjects under GDPR, US data privacy laws are generally more in favor of large corporations Furthermore, the US data privacy laws do not maintain federal level oversight on data privacy law and instead chooses to maintain laws enacted at federal and state level leading to lack of consistency. In India, the PDPB Bill in parliament is being debated intensely as it gives the government of the day, an unlimited power to be an executive and adjudicator providing an open-ended exception for state surveillance.
In July 2020, European Union (CJEU) dismantled Privacy Shield agreement between the European Union (EU) and the United States since CJEU determined that the adequacy agreement failed to protect the privacy of its citizens’ data. Companies have been scrambling to find adequate alternate arrangements for such data transfer between the US and EU.
GDPR maintains adequacy determination on data transfer outside the EU and onward transfer from or to a party outside the EU without requiring additional authorization from a national supervisory authority. APEC Privacy Framework has been built with a similar approach for consumer, business, and regulator trust in cross border flows of personal data between APEC member countries.
Eventually, in the future, adequacy arrangements must be worked out between countries/within the regions for global economies to flourish while maintaining reasonable data privacy.
Focus on Privacy Technologies
In the future, many companies will invest in privacy technologies to keep up with regulatory compliance and to meet the compliance for processing the personal data. AI and machine learning will be integrated in the data classifications, personal data processing, storage, transaction processing. Within the storage of the customer data in database, many privacy technologies such as anonymization, pseudonymization, tokenisation, masking would be used.
In many regulations, anonymized data eliminates any linkage to an identifiable individual and hence is excluded from regulations as it is no longer considered as “personal data”. In addition, there would be greater need for homomorphic encryption, obfuscation, de-identification to drive governance and compliance imperatives for the organization.
Automated Personal Data Processing with Artificial Intelligence and Machine Learning
In the future, the intensity of AI and machine Learning applications will be pivotal in making predictive analysis, profiling and decision making in industry applications such as stock market trading, human resources, medicine, disease control, health care operations. Organizations get personal data from multiple sources and in the future profiling by automated means can become a norm, given the volume, velocity, and variety of data.
Inadvertently, this may lead to AI “bias” in decision making due to nature of data sets that are fed into systems. This may lead to violation of equal opportunity and may threaten social cohesion due to inequality. Regulators are weary of potential risks and opportunities with use of AI and ML and are moving in the direction of regulating processing of personal data with AI and ML technologies.
Rise in personal data collection for tracking during pandemic
As the world reels under the effect of pandemic (COVID-19), responsible governments around the world have put in measures that involve contact tracing applications that collect personal data, GPS, places visited, time spent at each place and individuals contacted via blue tooth signals. While purpose limitation and collection limitation principles may have been applied, it is not entirely transparent if the data will be processed by the governments for any other reasons. There has always been a conflict that exists between protecting public health vs protecting personal data privacy.
Despite best of measures put forward by the government to protect personal data of the populations, cyber risk is at the peak now, given the spam, phishing, ransomware, social engineering, malware masquerading, sophisticated and organized cyber-attacks perpetrated by cyber threat actor is on rise, posing greater risks to individuals.
SAP Data Privacy Contracts, Tools and Audits
We turn our attention, in this section, on how SAP handles personal data protection at multiple levels – contractual assurance, data privacy by default and by design in cloud applications and security assurance via independent 3rd party privacy audit and certifications.
SAP is committed to help our customers to be compliant to data protections regulations. As a data processor, SAP provides contractual assurance via Personal Data Processing Agreement for SAP Cloud Services and comply to data protection regulations to an extent applicable for SAP cloud services.
SAP Cloud Applications – Privacy by Design and Privacy by Default
SAP Cloud Applications operating on a SaaS model have many built-in data protection and privacy features that can be configured by customers. SAP supports privacy by design and privacy by default concept. This includes configuration on consent management, read access logging, change log, security audit logs, data deletion and retention rules, data subject information reporting, encryption at all levels – Data Encryption in Transit, Data at Rest Encryption (DB Volume), Columnar Encryption, Application Encryption, Backup Encryption. Customers have access to application level data privacy and protection configurations to enable them to configure privacy settings based on their privacy policies.
Security and Privacy Tools
SAP supports several data protection and privacy tools that can be integrated into cloud applications and may be available as an additional subscription or enabling them as a part of cloud bundle. Few of the tools are listed here:
SAP UI Data Protection Masking: This tool conceal data, reveal on demand with proper authorization
SAP Identity Access Governance: This service help to provides Access Governance, access analysis, role design, access request, access certification, and privilege access management.
Identity Authentication Service (IAS): This services helps to authenticate and manage users
Identity Provisioning Service (IPS): Allows the provisioning of centrally managed identities and their access across the enterprise.
SAP Data Custodian: SAP Data custodian offers full stack transparency and control which includes infrastructure, operating systems, databases, SAP enterprise applications. SAP Data Custodian KMS is a SaaS based application offering Customer Controlled Key Management Service.
SAP Data Retention Manager: This tool help to manage retention and residence rules to block or destroy personal data and related transactional data for applications
Audits and Certifications:
SAP cloud services are audited for BS10012:2017 privacy standards. This is a British standard providing best practice framework for a personal information management system that is aligned to the principles of the EU GDPR. Many of SAP cloud services have achieved with compliance to norms of ISO 27018 , an international standard created specifically for data privacy in cloud computing. The full certification and compliance can be found here
Looking at the rear view, the GDPR has contributed significantly to raising global awareness on data privacy, enabling data privacy regulations, and set higher standards, enforcing data privacy compliance. The cascading impact of GDPR has given rise to many countries to develop their own data privacy regulations. While cross-border personal data flow between inconsistent regulations may continue to be a challenge, organizations are much more aware of their risk, obligation, and opportunities in data privacy regulations. In the next five years, it is expected that privacy tools and technologies will evolve, and organizations will continue to adopt and experiment capabilities to remain compliant to regulations. In alignment with GDPR requirements, SAP Cloud Services provide contractual assurances via Personal Data Process Agreement for SAP Cloud Services, Privacy by Design and Privacy by Default in cloud application for customers to configure, SAP Data Privacy Tools and independent privacy audits which help our customer to take control of their data and remain compliant with data privacy regulations.