Report IAPP Privacy Intensive: UK 2019, Thu, 14 March

Data Privacy Recruitment
Mar 14, 2019

The second day at the IAPP Privacy Intensive began just five minutes later than the first day, as the networking session after day one dragged on until late, thanks to the high spirits of our Irish friends.

The Closing General Session was highly thought-provoking. Delegates heard about recent initiatives in protecting children’s personal data, but what was really striking was the presentation by the former Editor-in-Chief of the Guardian.

Closing General Session: Alan Rusbridger, Former Editor-in-Chief, The Guardian

As the person in charge of the newspaper at the time of the Snowden and Assange revelations, the editor questioned the right and the role of the government in defining the meaning of public interest. He personally faced tremendous pressure from the UK authorities, which did not want him to publish the documents revealed by Snowden and Assange, as that would be outside the Government’s perception of public interest. The editor questioned whether any legal privileges remain at all between doctors, lawyers and journalists on one hand, and the people who speak with them on the other. According to him, they don’t; it has all been shaken up, just as the vertical world of authority, precedence and value is being destroyed by the horizontal world of complete distrust and instant communication without verification. How does he perceive Facebook? As the horizontal plane.

The second panel Privacy by Design and Emerging Tech: A Match Made in Heaven? Or Hell? continued the philosophical discourse by addressing the question: how do we avoid a conflict of interest between corporations, politics and technology on one hand, and putting people first on the other? Well, apparently there is a way! More and more emphasis is put on building trust, privacy and security into technology before it is released to the market. Technology can serve the public good, but it can also go against it. And obviously, making money is not necessarily evil. Accumulated wealth can be, and is, used for the public good, but maybe some more regulation needs to be directed towards these goals. That would require busting the myth that privacy and innovation cannot go hand in hand.

The third panel Brexit is Coming — Are You Ready?, composed of one shining light in privacy, delivered clarity with surgical precision on data protection compliance after Brexit under any scenario.

Eduardo Ustaran, CIPP/E, Partner, Hogan Lovells

The audience was advised on the plans that would need to be put in place (or to already be in place). Despite the just agreed extension, a no-deal Brexit is still technically possible. The plan starts with examining current and future data flows and then ensuring intra-group agreements refer to UK entities as importers. It continues with taking a proactive approach: reaching out to customers, partners and UK processors and offering to enter into SCCs. The services provided by EU processors to UK controllers necessarily attract the application of Chapter 5 of the GDPR. Also, as issues are expected around the one-stop-shop, UK companies with EU operations/branches are advised to find a lead data protection authority outside of the EU by finding evidence for their main establishment and to invest in their relationship with their new EU lead authority, which will no longer be the ICO. Businesses should also keep in mind that their EU regulator will not be an alternative but an additional one. Brexit will affect BCRs, as they are also supervised by the lead authority and approx. 1/3 of all approved BCRs have been approved in the UK, a case that’s bound to change in the future.

Adequacy cannot be taken for granted, in particular when considering certain UK law-enforcement legislation. It is unlikely that the EU regulators are to start enforcing against all transfer-related breaches that will, in the absence of proper safeguards, potentially occur automatically on no-deal exit day. However, if there is an ongoing or fresh issue (e.g. an investigation, data breach etc.) and in addition to it a breach of rules on transfers to/from the UK is found, then that breach must be and will be taken into account by the authorities.

The fourth panel GDPR, e-Privacy and Adtech: 50 Million Reasons to Pay Close Attention to Cookies discussed data protection compliance of the AdTech industry, which is perhaps the most challenging place to be if you are a privacy professional. IAB Europe shared its progress with its code of conduct. The industry association has been working hard to develop effective tools that help its members with their transparency and lawful basis obligations. Consent and transparency management tools are being rolled out onto publishers’ websites. Admittedly, not all members have yet managed to follow the non-binding IAB code.

A simplified explanation of the IAB consent management platform.

The UK ICO confirmed that AdTech is an area of interest, which implies that enforcement in this field is likely to be one of their priorities. However, the ICO expressed commitment to work with the industry in order to understand it better and to support its compliance efforts. They said they are looking specifically at transparency, lawful basis and security. They are also running events and creating new guidelines. They hope organisations will start seeing privacy as a way to build trust.

Emma Bate, Director of Legal Services, Policy and Commercial, U.K. Information Commissioner’s Office

The fifth panel GDPR Compliance: Convince Customers, Partners, and the Board You Are Compliant discussed validating GDPR compliance for accountability purposes, both internally and with third parties. But what does it even mean to be GDPR-compliant in the first place?

Panel: GDPR Compliance: Convince Customers, Partners, and the Board You Are Compliant

The panellists were unanimous that investing in accountability is the best insurance policy in case things go wrong. Even if there is, for example, a data breach, an organisation’s ability to show the investigating regulator that it had taken all the right steps before the breach occurred would be a decisive mitigating factor. This is how investing in accountability should be presented to the board by privacy professionals. However, that’s easier said than done and the regulators haven’t been helpful at all. The codes of conduct or certifications, suggested as means of demonstrating compliance, and hence, being accountable, are not being developed. A few better-resourced regulators are developing certifications, but only at a national level, which is an approach not suitable for global enterprises. In the absence of a multilateral standard, the panel discussed alternative certifications, such as those coming from ISO and APEC CBPRs. The bottom line of the panel is thus: Privacy pros of the world, unite! And demand that your regulator cooperates with other European regulators in order to establish a common certification standard.

Last, but not least, several senior IAPP members confirmed how hot the privacy market is at the moment. The imposters have started jumping off the bandwagon and the true leaders in the field are being appreciated. No one knows them better than we do. If you are struggling to fill a role in your organisation, or if you are struggling to find a role in privacy, please get in touch with the leaders in the field, the head-hunters of Data Privacy Recruitment!

___________________________________________________________________

Written by Yancho G. Yanchev
