Gartner recently published their report “Top Strategic Technology Trends for 2022.”  End-of-year summaries and next year’s forecasts that fill inboxes this time of year are often discounted.  But this report was significant in that the identified trends suggest a significant shift in the tech culture. 

Among the trends identified by Gartner was a shift away from siloed applications where the infrastructure and processes needed to support applications are treated as independent needs toward a networked architecture where data, security, cloud, and privacy needs are managed cohesively across the entire enterprise.  The need for such a shift was echoed by multiple speakers at last month’s IoT World Conference.  The speakers discussed the need to reimagine existing data infrastructures in order to shift to horizontal platforms that better serve the enterprise.  Such a systemic restructuring requires enterprises to adopt a layered structure or a tech stack that compartmentalizes functionality and increases data visibility across the organization.  This leads to a more trusted approach to IT by increasing access to data and tools.  Ultimately, data utilization and collaboration are improved and the organization increases its return on investment.

Another highlighted trend is based on a movement toward a more dynamic applications environment.  The last few years have shown that nimble organizations are better able to adapt to changing business conditions.  Organizational agility can only be achieved if the IT organization is able to deliver in the face of evolving requirements if its toolkit includes composable applications, automation tools, business intelligence systems, and configurable artificial intelligence.  As IT evolves away from the idea of an all-encompassing application that limits adaptability, they are (1) adopting new systems that treat applications as a series of functional modules that can be restructured as needs change, (2) managing data as dynamic data flows that provide the freedom to rebalance data distribution systems as necessary, and (3) deploying rule-driven systems that allow insight advancement based on derived insights. 

Trending data also demonstrate that organizations are moving to embrace technologies that serve to adapt to the desired user experiences.  This trend represents a shift away from systems that might improve operational efficiencies if it comes at the cost of the human experience.  The days of deploying technologies that require organizational changes or significant employee retraining exercises are coming to a close as organizations embrace systems that enhance desired customer and employee experiences.  Technologies are emerging that support the needs of a distributed organizational structure.  Tools that emphasize customer (and employee) experiences are becoming expectations rather than desires.  And active intelligence systems that are able to process data and directly impact operational processes are supplanting systems that first capture data, mining the data for insights, and then recommend management action. 

The trends identified in the report go well beyond references to technology that an organization can purchase and deploy in an effort to achieve incremental process improvement.  They represent a new IT philosophy about how data systems are architected, operationalized, and perceived by the organization as a whole. 

IT function is continuing to evolve away from its roots as a service function to become an important component of any organization’s strategic mission.  Recent events have accelerated this migration in that the strategic objectives of any organization are either enhanced or limited based on the capabilities of the IT organization.  The trends identified by Gartner signify an acceleration of this movement.  Once these technologies are more fully deployed, the IT function further shifts from the role of being a key strategic advisor to the organization to being a much more active member of the management team.   IT is effectively shifting from being a strategic enabler (or inhibitor) of the organization to becoming a primary actor on the stage of future business.

CPRA and CCPA Data Rules

In November 2020, California passed the California Privacy Rights Act (CPRA) which updates the data rules established by the California Consumer Privacy Act (CCPA) that was originally passed in 2018.  There are those that argue that a patchwork of privacy laws makes it difficult for companies to do business, but the reality is that when these companies adhere to the most stringent requirements and apply them across the board, this issue largely goes away.  CPRA has the potential to become one such lighthouse issue that drives action far outside the California borders. 

CPRA properly recognizes that privacy cannot be ensured unless the data has been properly secured.  Data security is a prerequisite that must be considered before an effective data privacy policy can be put in place.  The law requires that companies that store personal information implement reasonable measures to detect security incidents, resist malicious or illegal actions, and to aid in the prosecution of malicious individuals responsible for such actions.  The requirement that companies aid in prosecution of individuals implies the need to keep detailed records about such attacks.  On the surface, this may not seem like an onerous requirement given that most data security systems log detected security events, however, by linking security to privacy, CPRA has created a need for security threats to be correlated to data repositories and then to potentially impacted individuals.  Most organizations do not have a complete (and auditable) directory of the data held within their organization and this issue may be a major obstacle in meeting these new requirements.

CCPA required consent before an organization could begin collecting personal information.  CPRA has made the definition of consent more specific.  For example, consent requests cannot be incorporated into broad and general statements of policy.  Consent agreements have to be explicit, self-standing, so the request and its limitations are clear to the individual.  CPRA also calls for consent agreements to be reasonably specific as to the purpose of the data collection, the type of data collected, and how the data will be used.  In addition, organizations cannot assume any general activity on the part of the user can be construed to imply consent.  For example, by simply putting the consent form on the screen, the organization cannot assume the person would agree based on making the consent information available to them.  

CPRA  expands the definition of what is considered personal information.  Technologies that monitor a person’s behavior through heat maps, mouse tracking, historic use patterns, etc are not prohibited but they are considered personal information.  As such, organizations have to obtain a user’s consent before these technologies can be used.  CPRA also goes as far as to set organizational limits to consent agreements.  For example, if the user consents to allowing Budweiser to collect data about them, it does not mean that they have agreed to allow Corona access to that data even though both companies are part of the InBev group.

CPRA serves to extend the regulatory reach of these agreements into the data supply chain.  If an organization provides data to a third party and the user later asks to be deleted from the data set, that request must be passed on to all third parties who received the data, directly or indirectly, from the source organization.  This implies that any organization who provides data to a third party must also track their data distribution systems.  Further, any third parties that accept data from another source are bound to the conditions that the original organization established when the data was first connected.  This requires that not only must a company track (and presumably audit) the data that is held within the organization, this data directory has to also be capable of tracking third party data as it enters or leaves the organization.  Essentially, the organization has to track the provenance of the all data within and flowing through the organization.  If an organization discovers that a down-stream partner is not using the data in accordance with the established consent agreements, the organization is expected to take reasonable steps needed to remediate use of that data.  

CCPA required organizations to disclose the type of information collected about individuals. CPRA expanded the requirement to allow individuals to request organizations disclose the exact information they hold about them and the retention policy associated with their data.  As a part of this process, people can ask that erroneous information be corrected or deleted.  The law also mandates that retention periods cannot be unreasonably long and should be tied to the use case described when consent was obtained. 

CPRA put additional clarity around the activities that are covered by the law.  As originally written, CCPA rules applied to the sale of data between two entities.  CPRA clarified the point by establishing that other non-commercial transfers of data are included under these regulations.  The consent agreement must also indicate any expected data sales/sharing arrangement that might make use of the collected data.  If, by chance the organization decides to share data with a third party after the data has been collected, the original consent agreement needs to be modified and sent to the individuals in order to affirm their continued consent . 

Despite the fact that the ‘C’ in CCPA stood for Consumers, the CPRA laws also applied to employee data held by the company.  CPRA makes it clearer that these privacy rules apply to any personal information held by the organization, not just ‘customer’ data.

CPRA also created a new state agency, the California Protection Agency, which is tasked with enforcing the CPRA laws.  This agency can levy fines and it also has the authority to audit an organization’s privacy (and security) practices.

CPRA only applies if an organization is a for-profit entity that has either more than $25M in revenue OR if 50% of its revenue comes from its data sharing activities.  While small companies and nonprofits are not covered by the law, these other organizations should consider adopting the CPRA practices as a normal market expectation. 

CPRA won’ be enforceable until 2023 giving organizations some time to get their house in order but once it does become effective, it will cover all data that was collected from January 1, 2022 onward.  These requirements have driven many organizations to name a Chief Security Officer (CSO) or a Chief Data Officer (CDO) that is intended to establish and then oversee the organization’s efforts to secure the data they hold.  These personnel have 2021 to get their strategies defined and in place so they can begin monitoring data systems within their organization at the start of 2022.