This year’s IAPP Data Privacy Summit has provided privacy professionals with a great opportunity to discuss the biggest issues in data security. We’ve heard from regulators, industry leaders, and specialists in every topic from facial recognition to the ethical use of data. It’s an incredible event, and one that every privacy professional should consider attending – the swag ain’t bad either.
Here are my top five takeaways from this year’s Summit, and thoughts for the future.
1) There will be no “grace period” for GDPR.
We heard from Isabelle Falque-Pierrotin, the head of CNIL and immediate past president of the Article 29 Working Party, Andrea Jelinek, current head of the Article 29 Working Party, Helen Dixon, the Irish Data Protection Commissioner, Viviane Reding, former EC Vice President and lead drafter of the GDPR, and Birgit Sippel, MEP and lead negotiator for the ePrivacy Regulation. I’ll sum up their entire view of the “grace period” question by quoting Andrea Jelinek: “There will be a two-day grace period for GDPR, because the Regulation goes into effect on a Friday.” Yikes.
2) Women, at long last, are leaders in data security.
Did you see the list of names in item 1? English-speaking companies that select Ireland or the UK as their lead Data Protection Authority will work with either Helen Dixon or Elizabeth Denham. And everyone will be accountable to Andrea Jelinek, as the soon-to-be head of the European Data Protection Board. It’s a big, and welcome, change for the privacy field.
3) There is still a lot of confusion out there
In every session, it was clear that there were plenty of good, and unanswered, questions about the effect of GDPR or changes in the regulatory environment. Although lawmakers and regulators alike want to encourage calm, they also can’t possibly have every answer. In the absence of perfect answers, then, their goal is to see due diligence and substantial efforts to comply with the unclear portions of the regulations. Good faith goes a long way.
4) “There’s an app (or a SaaS) for that”
There was no shortage of sponsors at GPS18, and the technological prowess of some of these companies can’t be denied. Some were providing SaaS platforms to audit data and others were offering full-service incident response. The problem isn’t a lack of good vendors; it’s finding the right one for your company. I spent a lot of my time carefully reading their materials and asking questions (sometimes questions that vendors didn’t want to answer in front of other prospective customers). Working out which vendor or third-party provider can handle your compliance needs is a difficult task, especially because they all want you to believe that their product is the one-stop shop for all compliance needs. But there is no single solution to data security: if there were, we’d all have bought it by now. Think carefully before you buy.
5) GDPR isn’t the only thing going on
We, understandably, are spending a great deal of time focused on GDPR given its Damoclean looming, but the reality is that important changes are coming in a number of jurisdictions, including Japan, Canada, and the Philippines. I spent some time talking with the Canadian Privacy Commissioner Daniel Therrien, and he discussed Canada’s proposed law that, in effect, implements a right to be forgotten. For American businesses operating in Canada (and there are a lot of them), the effect of such a law could be enormous. You need to have counsel that accounts for all of the relevant legal regimes that affect your company, and avoid Brussels-based tunnel vision.
- Simon Schama spending twenty minutes quoting Thucydides to explain why John Bolton was dangerous
- Viviane Reding essentially saying that the US had retreated from global privacy governance
- Birgit Sippel making a Tinder joke to a room full of privacy pros