Data Privacy Day Exclusive Q&A with IAPP

Happy #DataPrivacyDay2020! 

Now, more than ever, we need a day like this to pause and give respect to the immense amount of data collected each day from every corner of our lives. According to this article by the World Economic Forum, By 2025, it’s estimated that 463 exabytes of data will be created each day globally. Don’t know what an exabyte is either? Thankfully they explained that, too. It’s 1,000,000,000,000,000,000 bytes. (For comparison a gigabyte is 1,000,000,000 bytes) Let’s just say we create a lot of data every minute of every day.

International Data Privacy Day is an effort to raise awareness around respecting, safeguarding and trusting data. While the conversation around data privacy has exploded over the past few years, the day itself stems from the “Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.”

In honor of International Data Privacy Day, we asked Paul Jordan, the Managing Director for Europe of IAPP (International Association of Privacy Professionals), a few questions to shed some light on Data Privacy in 2020.  

Q: What’s the biggest difference for privacy professionals between international data privacy day 2020 compared to 2019? 

A: International Data Privacy Day has come a long way since its inception, back in 1981. The objective at the time was to raise awareness regarding privacy protection of personal data. We have come some way since then, I’d say. With the advent of GDPR in Europe and CCPA in the US, the legislation has given rise to privacy and data protection awareness more than anything else. Privacy has entered the mainstream; there’s no turning back the clocks. For privacy pros, it has become more of a celebration and a chance to take stock of where we are and where we are headed. Just to give you an example, through the IAPP network of KNET (chapter) events in honor of International Data Privacy Day, in 2019 we had 63 events organized globally, this coming week we will have 92 events to celebrate all things privacy: we have almost doubled the number of events in 2 years, which I think speaks to the phenomenal success of the day, but also speaks to the enthusiasm within the global privacy community to mark the date. There is a growing maturity in the field. This year, I think the focus will be on how to improve privacy programming and what’s coming in the near future that will impact existing implementation.

Q: What’s really next for data privacy in Europe? 

A: That’s a good question, ultimately GDPR will still be a focus for organizations in 2020 and beyond; it’s not going away, nor should it. Some folks may have thought this was a limited project in time, but the reality is that GDPR will serve as a continual assessment mechanism for (personal) data-driven business models and initiatives. There will be more emphasis on the operationalization of privacy policy and its execution in the year to come. I suspect we will see a greater focus on privacy programming outputs as well as KPI measurements, and reporting. Regulatory reporting will also be a priority for companies in 2020, as European member state regulators become more active on the enforcement side (of GDPR) and more active in assessment and audit.

 A more mature and strategic privacy attitude as a result of GDPR in the boardroom should also drive more targeted privacy investment as data privacy risk becomes a measure for business; investment in data protection education, as well as vendor solutions, will be critical considerations for companies in an increasingly digital environment. Understanding risk mitigation will be at the top of the board agenda. Third-party risk, in particular, will be a key consideration, there were significant mediatized breaches involving multinationals in the last years, assessing risk through the supply chain where data flows and transfers may be more vulnerable should focus attention. The EDPB (European Data Protection Board) published guidelines on data processing agreements in 2019 in relation to Article 28 of the GDPR regarding controller-processor agreements, which I think reflects regulatory concern in this regard. Moreover, the EDPB published draft guidelines on privacy by design and default; this too will drive organizational attention in 2020 and the next years: this will be the single biggest preoccupation for privacy teams in Europe (and globally); again it’s finding the right balance between data utility and protection. 

On the legislative horizon, one can not forget the e-privacy regulation which failed to materialize in 2019. I think we can expect some movement here, there is sufficient political momentum within the EU to get one decision or another in 2020. It’s likely to be revised; although worse case it may be pulled wholesale by the European Commission for a re-think. With the current Croatian presidency and German presidency of the EU in the latter half of the year, we should see some clarity. An ECJ ruling in the Schrems II case somewhere in Q1 could also have a profound impact on Privacy Shield and SCCs, so keep your eyes peeled. I heard we may have a ruling by the end of February. 

Finally, AI applications (such as facial recognition) and digital trust generally are going to dominate the data privacy debate for the foreseeable future, so demonstrating an ethical approach and outward duty of care to data protection will figure on agendas. All in all, there is no shortage of topics to keep privacy pros and their organizations busy in 2020.    

Q: We heard a lot about GDPR and CCPA, are there lesser known regulations underway that companies which operate globally need to keep their eye on?

A: There is a swathe of privacy laws being revised and/or implemented globally. Thailand passed a first fairly comprehensive data protection law in 2019 and I know of at least 2 sizable western multinationals companies working on that presently. The Brazilian, LGPD was passed in 2019 and will come into force in 2020. Brazil is a significant global economy and figures in the top 10 economies worldwide, so that’s significant. It is also worth keeping an eye on India, as their data protection act continues to gather momentum. These developments, among others, demonstrate the global and contemporary dimension to privacy and data protection legislation which will be significant for global companies and their supply chains. Notably, for the next 1-3 years, there is much fervor and debate on a possible Federal privacy law in the USA. If that comes about, there may well be seismic shifts in data privacy for organizations. We will have to see where global evolutions land and where privacy convergence or differentiators end up in terms of impact.

Closer to Europe, we will also have to see whether the UK obtains adequacy following Brexit. There are some concerns surrounding the Snoopers Charter and the recent ECJ advocate general’s opinion on national security interests and their incompatibility with the current e-privacy directive and EU privacy rights — the timeline for Brexit to actually take effect is at the end of December 2020, until then all EU law and trade regulation remains in effect. There is a lot to resolve by then.

Q: What are some of the things IAPP is going to be focused on in 2020? 

A: 2020 is a key anniversary for the IAPP: the organization turns 20!

We’ve been around a long time, and it speaks to our brand and credibility within the privacy and data protection fields. I’ll give you a couple of examples of some great developments taking place. Firstly, we are looking forward to the inaugural IAPP DPI Netherlands which launches in June. Our DPI event series has proved popular so we are expanding. Secondly, organizations of all sizes are investing significantly in technology and technologists to help ensure compliance with new privacy legislations and data protection regulations. As a result, we have revamped and updated our CIPT certification and training products to serve these technologists who may not have “privacy” as their main job but are charged with embedding privacy controls in tech. And there are a number of functions that could benefit the revamped CIPT such as systems architects, software designers, data analysts, IT risk managers, etc. 50% of the content is new with new domains in privacy engineering and privacy by design methodology; more UX, UI, and IOT orientation. We will also be launching in support of the new CIPT certification a new textbook, online training, and live training — all coming in 2020.

 

We will have other new developments. Overall though, the organization — and global privacy community — is growing at a fast pace, internally we are focused on assessing and reviewing our organizational structure to be continuously ready for growth and to keep serving the community with service and innovation of the highest standard. Like any other organization in this fast paced world, we too need to take stock and evolve. So stay tuned!

More stories like this one

Nov 28, 2023 - 5 min read

Q4 2023 Collibra release: helping customers reduce data risks and improve...

Read more
Arrow
Jun 23, 2023 - 4 min read

Privacy in an open-data world: Why government agencies need to be proactive

Read more
Arrow
Jan 25, 2022 - 3 min read

Gaining control of personal information ahead of CPRA

Read more
Arrow