This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Lessons from IAPP’s PSR 21

DeAndrea Salvador, October 25, 2021

The DataGrail team had a blast at this year’s IAPP Privacy. Security. Risk (PSR) Conference. 

As a first-time attendee, and this being one of the first in-person conferences since, before the COVID era, I wasn’t quite sure what to expect, but the conference did not disappoint. Topics at the conference covered privacy operations, automating privacy programs, predictions on enforcement from California’s privacy agency and the FTC. If you couldn’t make it to PSR 21—we have you covered! This post contains a few top learnings shared during this year’s IAPP. 

Location & Theme of PSR 21

This year’s IAPP Privacy, Security, and Risk Conference took place in sunny San Diego. The conference featured speakers from a broad mix of industries and backgrounds.

First of all, it was also lovely to see several DataGrail customers on this year’s roster showcasing their expertise in privacy. Now, here are our quick takes from PSR 21. The conference alluded to a theme palpable across speakers and conference sessions—change is brewing for the privacy industry. While it was generally felt that privacy had come a long way, conference speakers also pointed to elements of privacy being in a nascent stage compared to other sectors.

With dozens of speakers and a jam-packed conference schedule, it’s hard to fit everything into one post; however, a few themes quickly emerged after attending multiple sessions. 


Theme 1: The lack of a national privacy standard keeps the U.S. from fully competing on privacy’s global stage. Despite this, a focus on privacy by both companies and states is expected to grow significantly. So expect corporate privacy needs (and therefore available jobs) to grow considerably.  

Theme 2: The span and scope of defining privacy are evolving and more encompassing than initially thought. Expect to see data ethics to be a growing part of privacy programs and data privacy management conversations. 

Theme 3: Privacy is complex, but it’s important to get started. Choose the most important areas to your company first and kick your privacy program into action. 

Speakers ranged from privacy executives at companies such as Salesforce, Apple, Google, and filmmakers and regulators.  Let’s dive into our top takeaways from this year’s IAPP PSR conference, sorted by theme and session.



Theme 1: Will there or won’t there be a Federal Privacy Law? 

We have been championing the need for U.S. Federal Privacy legislation and Global Privacy Standards at DataGrail for a while. The opening ceremony at P.S.R. 21 showed that we are not alone in that sentiment. 

In the opening panel, Microsoft’s Julie Brill said, “It’s hard to be part of the international conversation around privacy without a federal privacy law. The US does have a robust privacy system, but it’s hard for the rest of the world to understand what it is.” 

Some experts feel we may have a U.S. version of federal privacy law by 2024. Still, even if we get a national privacy law, it won’t be a magical solution to solve all of our privacy woes. As noted by Michael Rose (Google), “[A federal privacy law] is not a one and done…you’re not regulating [one] company with a law, you’re regulating an ecosystem.”

It is also hard to say just how comprehensive a federal privacy law would be. Many at the conference shared that this is not necessarily a bad thing for practitioners. It is increasing job security for privacy professionals as companies are increasingly focusing on privacy within their companies. 

In the absence of federal regulation, existing agencies are not toothless in privacy enforcement. FTC Commissioner Rebecca Slaughter shared that the FTC has the rulemaking authority and could propose rulemaking that includes the limitation on data collection and requirements for deletion. “By choosing not to act, we are exercising a value judgment that the market is working, absent intervention,” Commissioner Slaughter shared in her keynote at the conference. 


Theme 2: The definition of privacy—and therefore privacy programs—are continuing to evolve. 

Another theme across the conference was speakers challenging original notions of privacy and how practitioners address privacy for their organizations. These challenging sentiments were seen in talks featuring U.S. Federal Trade Commission, Commissioner Rebecca Kelly Slaughter, and panel sessions with industry leaders. 

Could Data Ethics be taking center stage for privacy? 

As TED Fellow and Film Maker Shalini Kantayya highlighted during her keynote address, “We are moving from a democracy to a technocracy.”  Technology already has a track record of guiding elections (Cambridge Analytica). As the use of machine learning, artificial intelligence, and big data continues to develop companies must consider the legal and ethical implications that arise. We have all by now likely heard the phrase, “data is the new oil,” and the expression crept into several conversations at IAPP as well. However, it leads us to a central question: How can privacy practitioners build trusted data practices? 

In the session, Building a Data Ethics Program, Ed Brittan Head of Global Privacy for Salesforce shared, “It’s really important to harness the privacy expertise to build ethical decision-making into our products, and I’ll say it’s all the more important right now, given that we’re in a global arms race to develop AI.”

Privacy leaders were often encouraged for their companies to include ethical decision-making as a part of their privacy program development. 

Theme 3: Crawl, Walk, Run

Across all of the panel and even networking discussions there was a shared empathy among speakers and attendees in that privacy is incredibly complex. As such, for those new to privacy whether because their company is growing or entering a new geographical area, it can be difficult to know exactly how and where to start. 

A shared sentiment was to create a plan and get started by implementing a crawl, walk, run approach to managing privacy programs. With so much at stake for companies with their privacy programs, you can’t allow analysis paralysis to limit you from getting started.

Our Director of Professional Services, Brittney Hall, pointed this out during our panel session, Automations for the Win. “You really have to plot the path ahead, crawl, walk, run style, and prioritize the most important stuff first.” 

As speakers highlighted, you can utilize this philosophy whether you are deciding which part of your privacy program to automate first or if you’re looking to incorporate ethics as a part of your holistic approach to privacy. For instance, when automating your privacy process it is helpful to start with apps most likely to interact with PII such as SSOs or CRMs—prioritizing areas that can give you the highest ROI.

An example of a crawl, walk, run approach for data ethics is to start with observation and learning, to then establish best practices, and finally begin governing. In practice that process could be, creating a data ethics framework, using ethics by design to drive behavior, and finally utilizing an ex-post review to benchmark your company. 

Whatever you decide it is clear that it’s important to buckle up and get started. In an upcoming post, we will provide more detail about what ‘crawl, walk, run’ looks like in action.

 All in all, PSR 21 was a wealth of information, we hope to see you there next time!


Stay tuned as we share tactical advice and further learnings from this year’s PSR conference. Subscribe to our newsletter to be among the first to receive posts like this one. 


Stay informed on the latest data privacy news and privacy regulations and insights with our newsletter.