The Human Side of Privacy: 2018 IAPP Global Privacy Summit Recap
For those tasked with the daily, detailed work of ensuring their organizations’ compliance with data breach notification regulations–particularly in light of the complexity of preparing for new regulations to go into effect, namely GDPR–it could be easy to forget the person in personal data. Speakers from this year’s IAPP Global Privacy Summit reminded us of just how reductive that vantage point can be, touching on the very human element that lies behind every privacy incident.
In the opening keynote, Monica Lewinsky spoke of her experience as “patient zero” of cyberbullying and losing her personal reputation on a global scale, thanks to the early days of the internet and viral news. Her keynote was a compassionate look at the impacts of privacy loss, and the extreme consequences that can result. Though the technology may have changed in the twenty years since she made international news–and the potential for immediate and widespread consequences even greater–the human element has not.
It is no surprise then that, coupled with a rise in malicious and non-malicious personal data breaches, the demand for respect for individual privacy has escalated, and with it activity around privacy regulations has increased. New regulations have cropped up in the U.S., including New Mexico’s Data Breach Notification Act enacted last year and South Dakota’s recently passed data breach notification law. A trend towards more stringent breach notification requirements has emerged as well, most notably the EU GDPR’s 72-hour notification timeline.
This increase in privacy regulations creates heightened complexity for organizations trusted to protect their customers’ personal and sensitive data. As a result, the field of privacy has exploded. GDPR compliance requirements alone are driving the need for roughly 75,000 mandatory Data Protection Officers (DPOs), according to statistics from the IAPP. As Trevor Hughes, president and CEO of the IAPP, pointed out during his opening remarks, while the IAPP global membership has seen strong growth over the last few years, there is a huge delta between the existing number of members (38,000 across 107 countries) and the demand for DPOs. In addition, the American Bar Association recently recognized privacy law as its own specialty, only the 15th specialty to be recognized. With this recognition and immediate demand for privacy officers, Hughes notes that these individuals will not be found in the wild – they must be developed from existing talent within organizations.
Hughes also emphasized that the work of privacy officers is deeply human. This was echoed in comments made by Helen Dixon, Commissioner, Office of the Data Protection Commissioner (ODPC) of Ireland, in the standing-room-only session about GDPR, moderated by Ruth Boardman, Co-head, International Data Protection Practice at Bird & Bird. Understandably, organizations are concerned with the practicalities of preparing for GDPR, including the potential impact of GDPR’s hefty fines for noncompliance. Dixon reminded us that these fines are in place to help drive compliance and ultimately to ensure we do the important work of protecting the fundamental privacy rights of individuals. She also shared that the most common complaints from individuals received by the ODPC (over 50% of complaints) relate to subject access requests, which are very personal and specific to individual use of personal data.
Finally, Birgit Sippel, MEP, Group of the Progressive Alliance of Socialists and Democrats, and rapporteur for the EU’s new ePrivacy Regulation (ePR), talked about the underpinnings of the regulation, which would govern electronic communications and complement the GDPR. As Sippel stated, prior consent for tracking a user online has been a legal gray zone – until GDPR. Under the GDPR, consent must be freely given, specific, and informed, and the same principles would apply to the ePR, protecting individuals’ fundamental rights online. As Sippel emphatically stated about the ePR—a thought that can be applied to the intent of privacy regulation overall—“ePrivacy is about freedom, justice, and equality as basic principles for a free and democratic society.”