IAPP: Privacy. Security. Risk. 2019 – What we learnt
By Calligo on 3 October 2019
Over two days, keynotes and panels explored how privacy and technology must work together, discussing topics such as building privacy programmes to accommodate a wide range of data privacy laws such as GDPR and CCPA (California Consumer Privacy Act), Privacy by Design, and bridging the gap between privacy and security.
This topic came up repeatedly, and is a subject close to our hearts – appointing a Data Protection Officer.
Currently, under GDPR, articles 37-39 state that if your business is a public authority or if your business handles and processes large quantities of personal data, you are required to appoint a DPO. However, many companies are either not appointing someone at all, or they’re struggling to find an external candidate due to the expense of hiring the right skillset. And, not to forget arguably the most common mistake companies are making – appointing the wrong person internally.
We have seen many businesses appoint someone internally, on top of an existing position, to act as their DPO. This isn’t always wise.
J. Trevor Hughes, President & CEO of IAPP
A DPO needs to tick several boxes, which are rarely possible for an internal appointment:
- A DPO is a very technical and multi-faceted role, one that has evolved quickly in recent years and that few people have experience in.
- A DPO needs the latest knowledge of data privacy and GDPR, and must be able to advise on both data protection and information security.
- A DPO must act independently, with no conflict of interest with any other data or privacy-based role, so cannot hold a role in IT, security, HR, finance or legal, for example.
- A DPO must have access to the highest management levels.
To avoid these issues, organizations are increasingly outsourcing their DPOs. Our Data Protection Officer as a Service (DPOaaS) provides companies with access to independent privacy consultants who will monitor your compliance, conduct audits and represent your organization to data subjects and regulators.
Another hot topic during the event was unsurprisingly the introduction of CCPA. With similar implications as GDPR, CCPA will radically transform how businesses across the USA and beyond handle Californians’ personal data. Also, despite having well over a year to prepare for its arrival on the 1st of January 2020, many businesses are falling short.
This seems to be mainly due to a lack of understanding or awareness of the status of the Californian privacy law itself: organizations are struggling to come to terms with its nuances and requirements, such as data consent, opt-ins/opt-outs and consumer access requests.
And whilst businesses play catch-up, another stream of conversation that followed was “what’s next?” Privacy does not stop with the GDPR and CCPA, and with proposed privacy laws from many more US states and countries, what will the next new round of obligations look like? And how will businesses prepare?
A subject that many privacy professionals can relate to – being able to understand and be understood by IT and Infosec teams.
As privacy laws evolve, they are driving an ever-increasing technical agenda. For example, GDPR’s Privacy by Design requirements are not an issue of legislation, but of technical oversight. Performing these obligations therefore naturally requires privacy professionals and their counterparts in technology and security to co-operate.
Unfortunately, both sides tend to speak a different language. Some words have completely different meanings on both sides of the fence. For example, to a privacy professional, the word “ensure” implies a guarantee that a certain action will be taken, but the same word to a security professional means that there will be vague oversight of a situation. These are far from the same thing! Unsurprisingly, the split lexicon of the two teams can lead to misunderstandings that have substantial commercial and reputational impacts on the business.
Calligo’s Jennifer Wu, Privacy Consultant, even presented on this topic on the Little Big Stage during PSR. Jennifer highlighted the common mistakes both sides are making and how it’s hindering Privacy by Design. She also made recommendations on how to avoid these issues, and how Privacy teams and IT / Infosec teams need to build a better working relationship, which depends on speaking the same language.
If you missed Jennifer’s presentation or would like to discover how to understand or be understood by your CISO and CIO, our ebook “The Privacy Rosetta Stone” provides real-life case studies on three businesses who encountered this language barrier, the impacts it had on their businesses, and how they fixed the problem. It also includes top tips on how to identify a good and bad Privacy and Technical relationship and how to create your own Rosetta Stone.