On the campus of Columbia University, privacy attorneys, technologists, and other enthusiasts gathered for the PrivSec Conference New York 2019 as part of the Data Protection World Forum event series. Through this two-day conference, speakers from all sectors and industries explored the link between data privacy and data security. Three themes stood out:
1. Privacy requires a cultural shift.
As privacy takes on more of a center-stage role for commercial enterprises, government organizations, legislative bodies, and especially consumers, privacy practitioners are beginning to recognize and push for a shift in how privacy is implemented. It can no longer be a simple check-box compliance activity or be treated as part of a required audit; it necessitates ongoing monitoring activities and integration across teams (such as legal and cybersecurity) in order to successfully identify and put in place the protections needed to secure the sensitive data or PII/PHI. Privacy teams need a seat at the proverbial table to ingrain data protection into the fabric of risk management.
2. The regulatory landscape is not going to simplify anytime soon.
Both abroad and at home, privacy legislation continues to evolve. Here is a quick summary of where it currently stands:
- EU GDPR is in full effect;
- Nevada and Maine legislation has been passed;
- CCPA is set to go into effect on January 1, 2020;
- 17 US states have some sort of privacy legislation or task force underway;
- Brazilian LGPD is set to go live in August of 2020; and
- Members of the US Congress have introduced at least seven privacy and data protection bills in 2019 alone.
Alongside this changing regulatory landscape, Americans seem to be interested in defining a more “American” approach to privacy, including the introduction of a data fiduciary. Consumers are looking to organizations, especially media platforms, to take more responsibility for the data they hold, and want there to be an obligation to protect it.
3. Technology can be an enabler for leading-edge privacy programs.
To move privacy past a simple check-box activity, technology can be used to quickly identify and remediate privacy risks and potential incidents before they reach the front page. Technology can also be instrumental in simplifying compliance activities, such as identification and verification of data subjects during a data access request or automating data deletion and opt-out requests.
While we can’t expect privacy programs to immediately become fully operational and robust data protection powerhouses, organizations are starting to take the necessary steps to identify sensitive data and put protections in place to safeguard that data. Privacy teams are also recognizing the shift in the regulatory landscape and are planning people, process, and technology changes that will catapult them into a proactive rather than simply reactive state. Privacy and data protection can be complicated, but having the right decision makers involved can simplify even the most difficult problems.