Recently, the International Association of Privacy Professionals’ “Privacy. Security. Risk.” (“P.S.R.”) conference returned to Las Vegas. While exploring the conference and meeting with other privacy professionals, we couldn’t help noticing some trending privacy topics in the presentations and discussions. These areas represent some of the most pressing and quickly developing areas in privacy law and we expect these to impact companies and their privacy programs now and over the years to come. Here, we present the top five topics from P.S.R., with a brief explanation of why these topics are so relevant.
1. CCPA
It is no surprise that the California Consumer Protection Act (“CCPA”) dominated discussions this year. Between the upcoming enforcement date and Alastair MacTaggart’s surprise announcement that he was introducing a ballot initiative to enhance the CCPA, attendees and panelists were all looking to California.
The focus on the CCPA is reminiscent of the focus on the General Data Protection Regulation (“GDPR”) prior to its effective date – however, the CCPA is not simply GDPR: Part 2. While the notice requirements, security requirements, and certain data subject rights are similar to those in the GDPR, the CCPA also puts focus on data subjects’ ability to opt out of the sale of their data to third parties. In addition, the CCPA may not apply to all companies doing business in California, even if they do process personal information of California consumers. (For more information about whether your organization will fall under the scope of the CCPA, read our previous post entitled “Does the CCPA Apply to Me?”.)
With the effective date of the CCPA looming and other states looking at implementing their own similar laws, the CCPA is poised to be a key area of privacy compliance in the coming years.
2. Unifying a Privacy Program
GDPR, CCPA, Privacy Shield, state laws, sectoral laws, data transfer laws – the number of regulations affecting data privacy keeps growing. This continuous development in privacy regulation prompted the second most-discussed topic at P.S.R.: how do you create a privacy program that addresses all the emerging privacy laws and can adapt to future laws? While some companies take a checklist approach of addressing one requirement at a time as separate and discrete tasks, most privacy professionals recommend treating development and maintenance of a privacy program as an ongoing unified process.
3. IT Security and Data Breaches
Between discussions of breach response and the slew of state-level data security requirements, IT security and data breaches were huge topics of discussion at P.S.R. Panel discussions focused on the importance of addressing and preparing for both security breaches and ethical breaches (carelessness with data or improper use), Equifax’s new Chief Privacy Officer (“CPO”) addressed rebuilding a privacy program and public image after a large and public breach, and panelists and attendees debated how to structure a privacy program within a company.
There has been some discussion in the privacy community around the degree to which privacy and security are separate fields. Yet, with baseline security requirements included in privacy laws like the GDPR and state data security regulations, it seems these practices will continue working closely with one another and companies that can confidently address both domains will excel.
4. Internet of Things and AI
New developments in the “Internet of Things” (various devices and objects that are connected to the Internet) continue to challenge the privacy industry as we try to adjust privacy practices to address the data collection, sharing, and tracking concerns of data subjects and privacy advocates raised by interconnected devices. Now, the recent interest in machine learning and artificial intelligence joins the Internet of Things as an area to watch.
Many of the privacy challenges for both the Internet of Things and artificial intelligence stem from lack of transparency and notice for data subjects. It may not always be readily apparent what information IoT devices collect about the users, how that information is used, and who it is shared with. This is a growing concern as interconnected devices expand to include children’s toys, ovens, and garbage cans. Likewise, the data sets that artificial intelligence systems are trained on and the algorithms that make up the artificial intelligence systems are often unknown or unintelligible to the average user – a growing concern as artificial intelligence is used in everything from job applications to criminal sentencing. The development of both these areas shows no sign of slowing down, so this topic will remain hotly discussed for the foreseeable future.
5. GDPR
May 25, 2018 was certainly not the end of the GDPR era – rather, barely the beginning. More than one year on, the compliance work continues. Enforcement actions under the GDPR have begun, companies are dealing with increasing numbers of data subject requests, and data maps and privacy policies continue to require updates as practices change.
Now that the initial panic of preparing for the GDPR has passed, privacy professionals are diving deeper into the nuances of specific requirements. Popular GDPR panels at P.S.R. included how best to deal with data subject requests, encryption standards, privacy impact assessments, cross-border data transfers, and compatible uses of collected data. As the European Data Protection Board continues to develop and put forth guidance on emerging GDPR issues, enforcement actions establish precedent on GDPR, and companies continue to grapple with maintaining their privacy and compliance programs, the GDPR will remain a cornerstone privacy regulation moving forward.
At VeraSafe, we are constantly tracking the regulatory landscape and developing programs for our clients that address these evolving areas of privacy regulation. To learn more about these privacy regulatory trends, and how your organization should address them, please contact VeraSafe today to schedule a free consultation with one of our privacy experts.