Last week, the Nymity team headed to beautiful Washington, DC as a platinum sponsor of the IAPP 2019 Global Privacy Summit.
While it was expected (and reflected in the agenda) that the CCPA was at the top of everyone’s minds and dominated the discussions at the event sessions, other topics also received considerable airplay. Sessions on the impact and role of technologies such as blockchain, AI, machine learning, and cloud storage were popular, as well as discussions on the evolving role of the privacy office and, in particular, the emerging role of the Data Protection Officer.
We spent a busy few days speaking at sessions, attending sessions and talking to thousands of privacy professionals at our stand about our next generation of solutions. Here are some of our observations coming out of Summit:
Privacy isn’t Going Anywhere
With the IAPP crossing the 50,000-member threshold and Summit itself breaking records with over 4,300 attendees, the privacy community continues to grow. Organizations are recognizing that privacy compliance is not a “one-and-done” project but requires ongoing attention and maintenance. To that end, we are seeing businesses increasing investment in resources to develop, maintain, and support ongoing privacy compliance. It was exciting to see so many attendees new to privacy, and eager to learn best practices.
Not surprising was the amount of discussion around CCPA and compliance. During the course of our conversations we continually observed the increasing anxiety businesses are feeling over how unprepared they are for compliance. The lack of holistic privacy programs is contributing to that anxiety. Privacy professionals are working to bring the case for investment in additional resources – be it people or tools – from the ground up. Our session “Address CCPA Compliance Requirements While Building a Global Privacy Program” was standing room only and attendees were turned away at the door, demonstrating the intense interest in addressing this challenge.
Enforcement: Empty threats? No!
With GDPR coming to its one-year anniversary and the number of investigations, particularly into American technology companies, rising, an overflowing crowd gathered at the keynote to hear from Elizabeth Denham, Information Commissioner, U.K., Helen Dixon, Data Protection Ireland, and Andrea Jelinek, Chairwoman, European Data Protection Board; Director, Austrian Data Protection Authority. While there has been both criticism and support of the pace and progress of various investigations and sanctions, European Data Protection Authorities continue to demonstrate commitment to the enforcement of the GDPR. The panelists confirmed many investigations are ongoing, but have to be taken step by step to ensure a proper process.
Will the Feds Come Marching In?
Aside from CCPA readiness, the most prominent theme arising last week was the possibility of a federal privacy regulation being passed in the United States. Will it come? Does it have a chance? What will it cover? Will it resemble the GDPR? Will State Attorneys General get enforcement powers? There are definitely more questions than answers. However, the prevailing sentiment is that a federal law would be welcomed by companies who are increasingly anxious over potentially having to be compliant with 50 separate state-led consumer privacy laws.
The Road Ahead
With the state of uncertainty of the regulatory environment, companies taking a “wait and see” approach to how new legislation will unfold do so at their own risk. Getting started with a privacy program can seem like a daunting task. However, particularly with CCPA and other potential consumer data protection regulations coming into play, there are places you can get started. We recommend focusing on consumer rights requests and building an inventory of processing operations. By tackling these two areas you can not only ensure compliance with CCPA but also put a foundation in place to more quickly address any changes to existing regulations or even net new laws.
Nymity has developed a number of resources to help companies understand and address CCPA compliance and, specifically, data subject rights.