GDPR was the star of the show for the 2018 IAPP Global Privacy Summit. No surprise there. What was surprising was the range of content and speakers that were there. There were multiple data protection commissioners in the building, including Isabelle Falque-Pierrotin from France and Helen Dixon from Ireland, as well as the newly elected chair of the Article 29 Working Party, Andrea Jelinek from Austria. There were some sessions on understanding the basics of the GDPR, sessions on preparing your organization for the upcoming deadline, as well as some sessions speaking to the different consulting and attestation options available to help meet the Regulation. Everywhere you looked it was GDPR and this overwhelming feeling of “The End is Nigh!” There were even shirts given out at the Convention Center that substituted “GDPR” for “Winter” in the popular “Winter is Coming” line from HBO’s series Game of Thrones.
But the GDPR exposure did not stop there. There were also several new books released by the IAPP, including two specific to the GDPR, including the DPO Handbook: Data Protection Officers Under the GDPR and Hands-On Guide to GDPR Compliance. And the vendors, the vendors! If only you could have seen how many vendors there were in the exhibit hall gearing their services toward the GDPR! I overheard several people say “All these marketing materials will only be good for the next month or so…” as most banners, whitepapers and collateral made mention of the looming GDPR deadline. The guest speakers for the opening and closing sessions also had wonderful speeches and content, which undoubtedly threw the GDPR into the mix. Unfortunately, most references seemed to hint at the fact that the GDPR was past due, something that the business world had needed for years, and that the United States still had a long way to go to catch up.
Being a privacy professional at a firm that offers a wide range of readiness and attestation services, you can surmise that the most common engagement I have been involved with in recent months is GDPR related as well. So, naturally, I was thrilled that GDPR was the star of the show. It was good to see that people were taking GDPR seriously (even if it was two months before the effective date of the Regulation). Still I was not at the GLOBAL Privacy Summit solely for the GDPR. This was my first year attending the conference, so I was there to see what all the fuss was about. I was hoping that there would be more options available and more privacy initiatives to listen in on from a global perspective, and I was not disappointed.
Israel, Japan and Canada, Oh My!
Yes, the General Data Protection Regulation and European Union were the star of the show, but there were many other acts to be seen. There were sessions with Data Protection Commissioners and privacy leaders from numerous other countries, including Canada, Japan, Israel, Argentina, Brazil, Costa Rica, Mexico and more. There were sessions specific to privacy updates in Latin America, the Asia Pacific, and of course the United States. There were plenty of sessions catering to international privacy updates. I found it unfortunate that I could not make them all but learned some very interesting information from those sessions I was able to attend.
For example, I learned from Daniel Therrien, the Privacy Commissioner of Canada, that the federal law enforcing data protection on private businesses, the Personal Information Protection and Electronic Documents Act (PIPEDA), is required to be reviewed on a periodic basis and is up for review in the next few years. As it is up for review, there was mention of considering some of the new concepts introduced under the GDPR for those updates. Canada has been a global leader for data protection for quite some time and has had some of its concepts, such as privacy by design, incorporated in other privacy laws and regulations as well. For example, Therrien made mention of the Data Privacy Act of 2015, where updates were made to the definition of consent and when consent could be considered valid. There were also updates made to the Commissioner’s powers and the scope of application for PIPEDA.
When asked about Canada maintaining their adequacy decision, Therrien responded by saying it is always something to be considered when making updates to privacy laws. They are looking to continue to be a leader in the space, which means keeping up with emerging technologies and making sure that updates to privacy laws are in the right direction. Regarding Canada privacy law, Therrien also made mention of the privacy toolkit available on the Office of the Privacy Commissioner’s website. The toolkit is basically a guide for how organizations can meet PIPEDA requirements. I would equate it to material put forth by the Information Commissioner’s Office in the UK – very helpful, straightforward, and wonderfully put together.
I also heard about some of the privacy updates in Israel, from Alon Bachar, the Head of the Privacy Protection Authority. The most pertinent update for Israel was with their Privacy Protection Regulations, entering into force on May 8, 2018. The Regulations are meant to strengthen the requirements for data security and enforcement of Israel’s Privacy Protection Act. The Regulations introduce some interesting concepts, including breach notification to ILITA (Israel’s Data Protection Authority) and data subjects, data minimisation requirements and a required information security officer. Apparently, the Regulations have been making waves over in Israel, mainly for some of the more specific requirements, as well as how they are to be applied (interestingly enough, there are different regulations for “databases” of different risk).
The updates from Fumio Shimpo, the Commissioner for International Academic Exchange at the Personal Information Protection Commission of Japan, were also very enlightening. The recent updates from Japan were regarding their Personal Information Protection Act (PIPA), which went into full effect on May 30, 2017. Fumio Shimpo showcased some of the important updates to the Act, which were meant to bring the Act up to par with EU legislation. Some of the updates included the addition of “sensitive information”, personal data transfers to foreign third parties, record keeping requirements for disclosures and requirements for processing anonymized personal data. Because of these updates, Japan is currently undergoing adequacy talks with the European Commission and hopes to gain that adequacy decision in the near future.
Overall, the information gleaned from the sessions on global privacy updates was more than I expected. I think that the only downside of the conference was that there were so many sessions at the same time that I couldn’t attend all of the international updates! Obviously, there is only so much time in the day though, so no fault there. There were just so many interesting sessions that it was hard to choose which ones to go to and which ones to miss. At the end of the day though, I am glad I attended the Global Privacy Summit and will most certainly be attending future iterations. The conference confirmed for me that the global privacy landscape is ever changing and that there will always be new privacy considerations as long as technology continues to evolve. And the evolution of technology doesn’t appear to be slowing down any time soon…