The Long Road to Data Privacy Compliance

In an age where digital data increases at blinding speeds, achieving data privacy compliance takes a long time.

In early 2020, the California Consumer Privacy Act (CCPA) went into effect. If the reaction to prior privacy laws in Europe is any indication, it will likely take years for U.S. companies to fully prepare themselves for privacy regulations.

Research by ZoomInfo suggests that when a new privacy regulation or similar influence debuts, the ripples extend out for a lengthy period as companies acclimate to the provisions. Meanwhile, corporate projects to tackle privacy, data compliance, and information security initiatives spike sharply in the face of fines. In the two years after the first GDPR fine, corporate chatter increased as much as 16 times, according to ZoomInfo’s numbers.

The best case study with which to observe how businesses prepare for privacy regulation is the General Data Protection Regulation (GDPR), a massive law that affects any company collecting personal information about customers in the European Union (EU). GDPR was adopted in 2016 and went into effect in May 2018.

“The legislation has raised the EU’s profile among regulators and lawmakers around the world and inspired similar regulations … in California, home to many of the tech giants,” CNET wrote in May 2020.

Corporate Projects Related to Data Privacy Soar 

ZoomInfo analyzed its database of 14 million companies to look for projects related to privacy. We tracked the number of times the terms “privacy” and “data” appeared in the platform’s Scoops feature, which uncovers hard-to-find information about companies, such as upcoming projects or new initiatives. 

The results were notable. Although there were mentions of data and privacy in 2016 and 2017, once GDPR went into effect in 2018, the number of upcoming projects involving data privacy increased greatly; the number of these Scoops jumped 2,200% from 2016 to 2019. 

Number of scoops mentioning privacy-related topics
Figure 1: Scoops related to data-privacy initiatives have steadily risen. Source: ZoomInfo.

Note: The numbers for 2020 were as of May, which may indicate that the full year will surpass 2019 in data-privacy-related Scoops. This trend could reflect continuing concerns about GDPR compliance and also point to new interest in CCPA, which went into effect in January 2020.

Timeline of GDPR Fines
Figure 2: Timeline of cumulative GDPR fines spread out by date. Source: GDPR Enforcement Tracker.

The increase in Scoops in 2019 could reflect a collective corporate concern for privacy laws, or it may be related to the €430 million in fines (about $449 million U.S.) doled out under GDPR that year.

Growth of Data Privacy Titles Echoed GDPR’s 2018 Rollout

Before privacy projects and fines came to the forefront, GDPR inspired companies to hire privacy executives to oversee compliance.

ZoomInfo examined its collection of 4.5 million business executives, looking for signs of growth among certain job titles associated with privacy, compliance, and information security — among them chief privacy officer, a relatively new addition to the C-suite. These roles play a large part in the burgeoning idea of the privacy experience for customers.

In a small sampling that tracked job title growth over several years, the number of new privacy executives from 2016 to 2018 rose 57% before plateauing and dropping 4% from 2018 to 2019. That rise mirrors the build-up for GDPR’s rollout.

Growth of new privacy executives 2016-2019
Figure 3: New privacy executive job titles rose 57% from 2016 to 2018, according to sampling. GDPR enforcement began in May 2018. Source: ZoomInfo.

One of the key mandates of GDPR is the need for regulated companies to designate a data protection officer, which in many cases can be a chief privacy officer. 

“With increased scrutiny over how personally identifiable information is protected, the need to establish, hire, or elevate the role of a chief privacy officer is growing,” leadership consulting firm Spencer Stuart wrote in 2019.

Recent Decrease in New Privacy Officer Hiring

In a more in-depth analysis, ZoomInfo looked at the number of privacy execs hired from July 2019 through March 2020 at all companies in its database and at companies either on the Fortune 500 or Inc. 5000 lists. 

Both data sets show a similar slowdown in the hiring of new privacy executives, other than a noticeable spike in October. The conclusion is that companies that dealt with European personal data largely hired execs to manage those responsibilities as GDPR went into effect in 2018. Since then, many of those firms have not needed to hire as many privacy leaders.

Figure 4: The number of new privacy execs dropped from 2019 to 2020. Source: ZoomInfo.

“This increased attention has manifested itself in the elevation of the office of privacy from a department that often resided in compliance to a standalone function led by someone who may directly report to general counsel, CEOs, and audit committees,” according to the Association of Corporate Counsel.

Looking at the numbers in more detail, however, shows that the percentage of privacy execs compared to all execs is higher at Fortune 500 and Inc. 5000 companies. In many months since July 2019, that proportion has been double at Fortune 500 and Inc. 500 firms vs small businesses. This makes sense as larger businesses collect more data, are more publicly visible, and have larger risk-averse legal teams that closely track privacy laws.

Percentage of new privacy execs compared to all execs
Figure 5: Companies on the Fortune 500 or Inc. 5000 have a greater percentage of privacy executives. Source: ZoomInfo.

Larger businesses also see privacy not simply as a legal issue but as a core part of their business strategy. “Privacy is the most pressing legal issue, if not the most pressing strategic issue, in our space,” said Julia Shullman, chief privacy officer at TripleLift, an ad placement technology company that is on the Inc. 5000 list. Shullman spoke to AdExchange in February 2020.

Data Privacy Compliance Takes Time

As of this writing, enforcement of CCPA in California is set to start on July 1, 2020. In looking at preparation for GDPR, ZoomInfo’s research shows companies will increase the hiring of privacy executives as they approach a regulation’s teeth.

It’s reasonable to predict that CCPA’s fines won’t come into full force until 2021, at which point there will be a mammoth jump in privacy-related initiatives at firms that need to comply with the California law. Similar privacy laws in other states, or perhaps a federal regulation, will start a new compliance cycle.

Thus, the path to data privacy compliance is not immediate, but instead, an ongoing trek marked by milestones that take years to achieve. The need for more privacy oversight also creates jobs, a much-needed consideration in today’s economy.
