Just after Thanksgiving, I was disinvited from two panels that were to have been part of a December 2024 privacy and security risk management conference in New York. It was nothing personal. The entire event was canceled. The conference organizer explained that after Donald Trump won the 2024 Presidential election, so many attendees canceled that it no longer made sense to hold the conference.
Most of the canceling attendees apparently anticipate less privacy enforcement under the new Trump Administration. Given their sense that, starting in January 2025, the FTC and other federal regulators will be less active, there was little enthusiasm for incurring the expense -- at New York City prices, no less -- to attend a December 2024 conference to talk about mitigating privacy risk.
Understandable, perhaps, but mistaken, and a perfect example of how privacy leaders and C-level executives (the people who control privacy budgets) so often get nowhere together. The disconnect comes down to a basic difference in how privacy teams and business leaders use and understand the word "accountability."
In William Goldman’s 1973 novel, The Princess Bride (and in the wonderful movie version), one character repeatedly exclaims, “Inconceivable!” in response to events that are not only readily conceivable, but are obviously happening. Inigo Montoya (our hero) responds: “You keep using that word! I don’t think it means what you think it means.” That’s what the discussion of accountability between privacy teams and executives is like.
All too often, the discussion proceeds something like this: We must be accountable, privacy leaders say, and to do that, we need money and headcount. Absolutely, the C-level executives say, we are and will be accountable. We’re so glad you understand why your request for money and headcount is denied.
Because indeed, C-level executives do not think accountability means what privacy people think it means. In the privacy world, accountability means responsibility to data subjects and regulators. Put another way, in privacy terms, accountability means that you did with personal data only what you told people you would do and what you had consent or another legal basis for doing; that you did it lawfully and securely; and that you did nothing else. Further, it means you created and maintain all the documentation necessary to demonstrate all of the above to your friendly neighborhood privacy regulators, should they come calling.
In the C-suite, accountability means something very different – it is the responsibility executives have to make decisions that maximize the business owners’ return on investment. For business decision makers who think the incoming administration will sideline regulators, the last thing accountability looks like is devoting more resources to privacy compliance.
For two important reasons, that is a mistake and harms the businesses involved. First, in the United States, the states’ attorneys general and other state and local privacy regulators will be operating in 2025 regardless of what happens at the federal level. The same goes for DPAs (data protection authorities) wherever the business operates abroad. So, whatever happens at the FTC and other federal agencies under the next administration, the risk of privacy enforcement in 2025 is real.
Second and more broadly, centering discussions about the ROI of privacy programs on enforcement is unconvincing and ineffective. Sure, the threat of enforcement is real, but enforcement is hardly certain, and for many individual businesses, enforcement (at any level) is sufficiently unlikely that leaders can be forgiven for deciding to deal with it when the need arises – if it does. Most privacy leaders who try to scare executives into allocating more and better resources to privacy programs using the threat of enforcement will fail and lose credibility in the process. That scraping sound is your seat being moved from the boardroom to the kids’ table.
The additional rationales typically employed to show ROI for properly supported, effective privacy programs -- greater customer trust, access to larger markets, and enhancing the company’s reputation by demonstrating high ethical standards -- are, like the threat of enforcement, totally legitimate but sadly unmotivating. None of these arguments is an effective approach for obtaining executive buy-in for a fully supported privacy program, because they are vague, subjective, and lack the one thing that reliably grabs attention in the C-suite: actionable metrics.
It’s time for privacy leaders to reframe the discussion and start making the case for the resources they need in terms of hard numbers and dollars and cents, the factors that motivate executive decisions every day. Gathering the necessary cost information isn’t as hard as it might seem. In fact, without too much work, you will be ready to show your leaders that the cost of encrypting a given volume of data is a rounding error in comparison to the cost of responding to a breach involving the same data. There’s more to be said about that. Details in another post that I’ll have out shortly.
You raise points that are valid outside the political landscape. The key question to bridge the gap between the views of accountability is “how can we quantify the likelihood and risk avoidance that security by design affords in a way that is viewed as realistic vs. alarmist by business leaders?”