If you know this iconic scene from Indiana Jones and the Raiders of the Lost Ark, then you know it comes after the epic search for and recovery of the Lost Ark by Indiana Jones. That exact feeling of confusion seemed to permeate some of the raw details of how the GDPR and other regulations will actually be governed and enforced by regulatory authorities.
In this Episode of “Are You DataSmart?” we dive into a recap of the summit and some of the key takeaways.
Jay: “Are You DataSmart?” a weekly podcast on data security, information management, and all things related to the data you have, how to protect it, and maximize its value. I’m Jay Ward.
Christian: And I’m Christian Ward. And today we’re gonna run through the recap from the Global Privacy Summit thrown by the IAPP, took place in Washington D.C. Jay, how was it? I didn’t get to go, I’m jealous. How was it?
Jay: It was great. It was 55 degrees, so I was in misery coming from Miami, but beyond that it was a great experience. Really capable people and a lot of the regulators who are steering the GDPR through to the finish line on May 25th among others. So it was a really valuable experience and just, quite frankly, interesting to be around that many privacy professionals.
Christian: So set the stage for us, what are we talking about? You know, a few thousand people, you know, one large main stage. If we were there what would we have seen as the main draw?
Jay: Yeah. Well, the mosh pit was probably the biggest draw. It was very well to…
Christian: People dressed up as data breaches and slammed into each other?
Jay: They did, there was a lot of slamming, a lot of baggy khaki pants. So there was a main stage where the headline speakers were, and Monica Lewinsky opened with a really powerful speech on the nature of…
Christian: I saw a lot of comments, people were kind of blown away in just how appropriate her story of, you know, essentially what’s gone through her life by being sort of thrust into the public stage, and what privacy means to an individual in that situation. It’s very, very powerful.
Jay: It was and, you know, especially in this moment it was really, you know, you remember she was 22 years old when this was happening. I mean, it’s just unbelievable. So the mainline speakers are there including Viviane Reding, who basically is the, you know, was the driving force behind the GDPR. And Birgit Sippel, who’s also an MEP, who is the lead negotiator for the ePrivacy Regulation, which is being delayed, but nevertheless they basically expected to be compliant by May 25th. So there was plenty to talk about, and then there were breakout sessions and lots of vendors. There was the privacy bash, which was, you know, like the nerd prom after the first day. It was a great event, lots of really good people to talk with and, you know, the IAPP has really done a great job of bringing together, you know, the tech, the legal, the consulting, the operational, the security sides of privacy and security, and making a forum for meaningful conversations.
Christian: That’s excellent. You know, I think it’s obviously a bunch of data nerds getting together, but what’s fascinating about it is obviously the venue in D.C. to have so many great international speakers discussing what the changes with the privacy regulation as well as the GDPR is kind of a perfect setting to discuss the differences that the different nations and regions view this with. But I wanna jump in. You had done a post of, you know, some of the highlights that you saw. Or you took sort of five main highlights and then some very notable runner-ups. But first off, the first one that you talked about was really about, you know, sort of what can we expect with GDPR. And I think there’s a lot of people running around screaming that the house is on fire and the fines are coming, the fines are coming. But the reality is you heard some very interesting perspectives there. Tell us a little bit about that.
Jay: Yeah, interesting to say the least. So among the speakers were Helen Dixon, who’s the Data Protection Commissioner for Ireland; Isabelle Falque-Pierrotin from CNIL in France, who is the head of the Article 29 Working Party; Viviane Reding, I mean, the lead names in Europe. Elizabeth Denham, who was going to be there, she’s the head of the Information Commissioner’s Office in the U.K. She was dealing with Cambridge Analytica, which had just unfolded before the conference began. So the regulatory leaders were there, and I think the first takeaway that I had, and they were saying it loud and clear, was that the GDPR is about trust. They described a crisis of confidence, they described, you know, the need for transparency, and how although there will be no grace period for application of the GDPR, which they were asked. I mean, no kidding, they were each asked two or three times, “Will there be a grace period?” The answer is no and…
Christian: Can’t imagine why people would ask that over and over again.
Jay: It’s like they’re nervous or something, I don’t get it. But they said there’s not gonna be a grace period, but as under the previous regime, diligence is really gonna be key because what you wanna do is demonstrate good faith. And, you know, Viviane Reding in her speech, you know, it was just one of those classic moments where you’re like, you know, Europe is still Europe. She talked about incorporating the “Anglo-Saxon model of accountability,” which I guess means, you know, like the Americans, the English, and the Germans were gonna be holding people accountable. It’s just I love when, you know, those little bits of distinct character of European countries shine through. But that’s what we’re looking at, we’re looking at an accountability regime here and you know…
Christian: And I also like the joke by Andrea Jelinek where she talked about the two-day grace period?
Jay: Yeah, there’ll be a two-day grace period because the regulation goes into effect on a Friday.
Christian: That’s so brutally cold, but honest.
Jay: I know, that’s the famed Austrian humor that everybody talks about. So there’s not gonna be a grace period, but it’s really not, from what I’m hearing from the regulators, about slapping fines on immediately, though no doubt they are going to. I think for most companies it’s gonna be a question of they’ll enforce it, but they’ll enforce it in an attempt to create an accountable, transparent, compliant industry.
Christian: Well, and, you know, as we were hearing, and we’re gonna cover what is under the armor a little bit later on another podcast, you know, one of the questions that comes out is, you know, it’s very easy to say that you’re in control and that you can prevent breaches, but they’re gonna happen to everyone. The reality of data storage, data solutions is that there are human elements involved, there’s technical elements involved, but having an actual plan… it certainly seemed, from the comments on the social media feeds, that while there is no planned grace period, to your point, I think they are looking for an honest attempt to become not only compliant but to really get behind the spirit of the message, which is having a really great privacy framework, response, and planning. And so that certainly… would you concur that’s definitely a message you heard?
Jay: I concur. I think that that goes to some of the other points that I made in the blog that, you know, GDPR isn’t the only thing going on and there’s a lot of confusion in the marketplace. But the goal has to be to create a workable transparent framework for dealing with data security issues if you want to at least avoid, you know, the fine. You may not necessarily avoid involvement with the Data Protection Authority. But in some cases that may work out to your benefit because if there isn’t a fine and it’s simply an effort to bring you into compliance, that’s better. That’s as good a grace period as you can hope for.
So the takeaway for me was even if you haven’t done anything, you need to start now. Start now, really be diligent about it, document the processes, and I think that will help get you where you need to be in the short and the medium term. Long term, I do think you need to have a robust plan and you need to really flesh out an approach to data security that incorporates all of the principles of GDPR. But for now, it’s okay to be working really hard to get there.
Christian: Your second point or take away was really interesting to me, certainly coming from the technology world and the business side where, you know, getting the involvement of women at the highest levels of most areas of technology has certainly been a challenge to many in the industry for years. I was really pleased to see and actually when discussing your first point all of the names that you went through were women.
Jay: Yeah, I know. It’s an interesting and an opportune thing to be at this conference and to see that, you know, the leaders in the field, these are women. And everybody is keyed into what they’re saying and paying attention. And it’s not something that, you know, we’re all talking about like, you know, I guess we need to think about things differently or approach things differently. No, it was that these are the people who are leading the regulation, these are the people who are setting the framework and they happen to be women.
And it’s a great thing to be able to see, you know, at least in one small area of commerce and regulation, a place where, you know, there’s something more approaching parity. So I was very excited, I thought that was great. I really thought that was something that spoke to the way privacy professionals approach what they do. And their approach, you know, it’s such a new industry, it’s such a new field that, you know, hopefully we’ll be able to avoid being saddled down with some of the, you know, the really nasty baggage of the way the law profession developed.
Christian: Keep balance.
Jay: Yeah, you know, I mean law firms still to this day are overwhelmingly male at the top.
Christian: Technology, look, obviously the technology gap has been well-documented. So number one, great to hear that, but number two, really interesting to see the lineup of speakers and, like you said, the people at the forefront driving it being centrally a very strong panel of women. So that’s certainly refreshing. There was also another thing that actually in some of those talks provided by those leaders that you brought up which was a third point which was around just that there’s a lot of confusion still out there from the audience as, you know, seeking guidance. What do you mean by that?
Jay: So there were some really trenchant questions, I can recall a woman who was talking about what if, you know, we market and sell our products to people in China? What if those Chinese nationals go to Europe and then they’re technically in Europe? Are we then all of a sudden subject to GDPR? And the response was something along the lines of we have our people looking into it, and then she pressed a little bit harder like, “Well, who’s looking into it?” And basically, it was “top men” from Raiders of the Lost Ark, like there was no…
Christian: “Top men.”
Jay: Right, so there are still answers that no one has and there still are questions that have yet to be asked. This is, you know, it hasn’t gone into effect yet but there’s a lot of confusion about how various aspects of it are gonna apply, how the ePrivacy regulation is gonna be enforced. You know, what type of representative do you need to make sure that you’re fitting in with requirements for DPO versus European representative? It’s a lot of sort of interstitial issues that have to be fleshed out before we have a crystal clear picture of the regulation.
Christian: Your next point was great in which I got a sense because I saw a lot of the photos of the vendor floor. Clearly a lot of floor space, a lot of square footage, you had pointed out that there’s just no shortage of vendors. What did you see as a dominant theme of the vendors other than the really exciting riveting lawyer booths? What was the actual sort of SaaS or technologies that people were talking about?
Jay: Those lawyer booths were just where fun goes to die. Because I’ve sat in them before and, you know, you just sit there and you have to talk about being a lawyer, and nobody wants to talk to lawyers because why would you wanna talk to us. But it was… I think the dominant theme was something along the lines of our company, whoever it is, has come up with a customized solution for this particular issue. And a lot of times it was about breach response, and a lot of times it was about the data audit, so your data inventory. But no matter what the vendor was or what the product was, it really was oriented towards the GDPR.
This wasn’t like general overall here, let’s talk about data [inaudible 00:13:04], or let’s talk about, you know, how to hash information. No, this was about how do we come up with programs, SaaS or otherwise, that are GDPR compliant. And it’s interesting because, you know, if you think back 15 years ago, there weren’t conventions where people were like, “Oh well, let’s create apps that will make you SOX compliant.” Obviously, there weren’t apps back then but, you know, other than Applebee’s.
So what we have now is an entirely new framework where you’re incorporating the innovative engine of the very industry that’s being regulated to take account of that innovation and the effects that it has on individuals. I know that’s super meta but it’s an interesting concept to me. Like what’s the relationship between using the tools of the information age to create privacy compliant solutions to the problems created by the tools of the information age?
Christian: Yeah, it’s very much like watching someone stand in a bucket and lift themselves. So all right. So knowing that, another element that you talked about of just, you know, there are other things going on, so while the SaaS solutions and the vendors were certainly focused on GDPR readiness, compliance, response, what was the main thrust of things non-GDPR? What else were people talking about?
Jay: Well, plenty. You know, the regulations related to PIPEDA and the Right to be Forgotten in Canada, or biometrics, or facial recognition technology for teens, or the technology concerns at the Federal Trade Commission. I mean, we could easily have filled the entire program of this event with non-GDPR related issues because there are so many of them. I mean, we could have had an entire session discussing the New York Department of Financial Services regulations that went into effect in February, but you know, this just happened to be the focus because we’re leading up to the GDPR.
So I think the mistake that it’s easy to make is to assume that the only thing in the world of data security to be aware of right now is GDPR. It’s not. There are other countries that have laws of their own. You might not know it, but they’re out there. The Japanese government, the Philippine government, I mean, like there’s lots of laws aimed at the insecurity that are coming into force now. Some of them driven by GDPR, some of them are a reaction to GDPR. So I think it’s important to remember that you can’t just be focused on GDPR. You need an approach to data security that covers all of the jurisdictional bases and make sure that you’re following all of the requirements, both of your locality, your industry, your jurisdiction, whatever.
Christian: Excellent, excellent. Well, that’s a great recap. I would certainly say congratulations to IAPP, the organization that put on the Global Privacy Summit. Certainly sounds like many people enjoyed it, a lot of good information and takeaways. Again, jealous that I couldn’t be with the rest of the data nerds and my brother there, but certainly sounds like you got quite a bit out of it.
Jay: Yeah, it was absolutely… it was really worth it, and so, and the swag was good. That’s always important.
Christian: Excellent. Well, thank you everyone for listening to the recap of the Global Privacy Summit from Jay Ward who attended, and thank you for listening to this episode of “Are You DataSmart?”.
Jay: Thanks again.