“Power to the People” – a popular slogan for political activism and protests (and a great John Lennon song to boot) – has been a rallying cry for individuals to take control back from the powerful and corrupt. While not revolutionary in nature, we are undergoing a new digital-age call to action by a global citizenry seeking to reclaim power over personal information and to hold organizations accountable for their behavior.
How will these forces of change impact digital transformation for legal, compliance, privacy and risk leaders in 2022? Here are four predictions for the upcoming year.
Individuals will flex their data muscles
With more than five billion people likely to have their personal data protected under modern privacy regulations by the end of 2023, this upcoming year will see an empowered world community reclaim greater control of their information. I anticipate a significant increase in submitted Subject Rights Requests (SRR) – specific executable rights enabling individuals to understand how their data is being used and/or to access, correct or limit use of that information. Enterprises will prioritize SRR management with a focus on process automation and reporting on program performance. Many legal departments, responsible for handling SRRs, are taking advantage of eDiscovery platforms with machine learning and redaction functionality to support the culling and review process to meet the challenges imposed by stringent deadlines. Driven by consumer demands, also expect biometric privacy to take center stage – with greater scrutiny around regulation and providing consumers with stronger legal recourse.
Data privacy management technology is a business driver
Privacy spending has been growing rapidly year over year. According to Gartner, worldwide privacy-driven spending on data protection and compliance technology will exceed $15 billion annually by 2024. This is no surprise as leaders brace for the impact of new laws such as China’s Personal Information Protection Law (PIPL). Many organizations are feverishly preparing for the California Privacy Rights Act (CPRA) or developing programs to comply with the new privacy laws of Virginia and Colorado.
To date, the need for technology has been centered around risk mitigation driven by fear of regulatory penalties and a rising global tide of privacy actions (e.g., class and mass claims). That shifts in 2022. Reputational management, keeping customers happy and preventing customer defection will dominate boardrooms. Executives will look to innovation as a source of competitive advantage. Organizations that foster an integrated, data-centric approach to privacy management – leveraging data discovery and classification tools, risk mapping and data management platforms with strong retention capabilities – will be in the best position to execute on these priorities to earn individual trust and retain the right of custodianship of one’s personal data.
A regulatory tsunami is on its way
Brace for an onslaught of regulatory and corporate investigations in 2022. The Biden Administration’s strategy on countering corruption – promising greater transparency and corporate accountability at home and abroad – will set the tone. Increased funding to support investigative activities and a transnational information sharing strategy will emerge. Whistleblowers will continue to play a critical role in driving agency enforcement and appear to be less reticent to come forward (safe from view) due to new remote work realities. In Europe, as member states continue to transpose the EU Whistleblower Directive, local versions will provide a baseline level of protection and encouragement to report.
Data review and analysis, critical to the investigative fact-finding process, will prove to be problematic. This challenge will arise not only due to the rising volume and complexity of data, but also as coverage expands with a deeper interest in global operations and increased dealings with third parties. Recent survey findings indicate legal and compliance professionals continue to conduct time-consuming manual review – thwarting the ability to conduct efficient and robust investigations. Data analytics and technology-assisted review will be key ingredients to expedite investigations and refocus resources to more strategic, high-value work.
Compliance programs must be data driven
In 2022, organizations will be expected to apply data analytics as a critical compliance program ingredient. Leading the charge is the U.S. Department of Justice (DOJ). In June 2020, the DOJ updated its guidance on the Evaluation of Corporate Compliance Programs. In assessing program effectiveness, key considerations include whether compliance and control personnel have sufficient access to relevant sources of data they need to allow for timely and effective monitoring and/or testing of policies, controls and transactions, as well as to determine what is being done to address any impediments that might limit access to data.
Today’s enforcers, including departments such as the U.K.’s Serious Fraud Office and many U.S. agencies, are employing data analytics to investigate potential violations. In the year ahead, I expect regulators to penalize programs that do not use similar tools to assess their risk landscape, identify harrowing trends and remediate violations and misconduct. Demonstrating efforts to follow this approach will go far in achieving a more favorable resolution and reducing reputational harm.
A new digital age revolution is underway. Facing an emboldened world community, businesses must demonstrate accountability and trustworthiness to build and maintain trust. Pursuing a data-driven approach not only helps organizations avoid penalties but differentiates them from those failing to invest appropriately.