Data privacy is having its moment, and the topic made its way into many of the sessions, keynote addresses, and general conversations at RSA Conference 2019.
One of those keynotes focusing on data privacy offered the perspective of Ruby Zefo, Chief Privacy Officer with Uber, who shared the stage with fellow panelists J. Trevor Hughes, President & CEO of the IAPP and Kalinda Raina, Senior Director, Head of Global Privacy of LinkedIn.
2018 Was Year of GDPR
When GDPR came online last year, it changed the conversation surrounding data privacy. A lot of organizations spent a lot of time preparing for it and had to rethink how privacy fit into the overall security outlook. Hughes pointed out that IAPP’s membership doubled in about 20 months – proof that the concerns surrounding data privacy are exploding.
There was so much emphasis put on the build up to May 25 last year that what often gets lost is how we continue to move forward. GDPR is a dynamic, not static regulation, after all. Some of the trends we’ve seen since the regulation went into effect include improved data breach reporting and people taking advantage of their rights to protect their privacy.
Zefo used the analogy that GDPR is a lot like raising a baby. We waited two years for the GDPR baby to be born, she said, and now that it’s here, we can’t leave it in its high chair to fend for itself. “Whether you think it is attractive or not is up to you,” she added, “but you still need to take care of it.”
Taking care of GDPR, raising it to maturity, may involve thinking about it differently. Uber, Zefo said, was already addressing data privacy issues and has a mature program. “We stopped labeling it GDPR,” she said. “We’re still working away on all those different controls and customer friendly things we wanted to do, but I wanted a common platform where we develop a good customer experience.”
GDPR is spreading its wings now, she added, and we’re seeing more countries adopting privacy laws, and states coming up with their own regulations. The trick is developing an organizational privacy program that gives customers the same protections in Las Vegas as they would have in San Francisco.
Most Challenging Aspect of GDPR Preparedness
Zefo said one of the most challenging aspects of implementing GDPR was tying together multiple work streams. All of the tasks needed to be coordinated so no one was going off the grid and there wasn’t duplication of work.
“Another issue is what to do about consent,” she continued. “Consent still plays a role, but it is getting more difficult. If you’re an app provider like we are, you have a leg up because you can give knowledge in real time when they most need it. But if you’re not, it is very challenging to figure out how to get it right with the explicit consent required.”
Enforcement Environment
If GDPR is a baby that was birthed and in the earliest stage of being raised, enforcement is in its toddler stage. “For a while, every headline was about some massive data breach,” said Zefo. “Now, there are a lot of headlines about how data is being managed, how is it collected, what it’s being used for and how it’s being shared. Those things are in your control.”
She predicts the emphasis on what organizations can control, rather than hacker behavior. Right now the fines for not taking the proper steps to protect data are pretty low because regulators are still figuring things out. But once we begin to see more violations and the environment becomes more stable, we should expect those fines to increase.
CCPA and Beyond
The time has come to shift focus from GDPR implementation to preparing organizations for CCPA and the increasing influx of new privacy legislation across the U.S. CCPA goes into effect on January 1, 2020. Like GDPR, it will have a somewhat territorial affect, but the law has its differences from GDPR, as well, and those differences must be addressed.
You can’t take a wait-and-see approach to CCPA preparation, said Zefo. Although there is still some tinkering being done with the law, the basics won’t change. CCPA has some vague and contradicting aspects to be addressed – such as defining household data – but that’s not an excuse to not be preparing for it.
And during RSA, Washington state also passed a privacy bill in its senate. This highlights a problem in U.S. regulations – these laws are less harmonized and as it trickles down into the individual municipality level, the laws will conflict against each other and become almost unworkable for organizations.
Other Data Privacy Thoughts around RSA
There were other sessions that put an emphasis on data privacy and I did notice that the discussion made it into sessions that were about other security-related topics. Todd Inskeep, Principal, Cyber Security Strategy with Booz Allen Hamilton, talked about third-party risk management, and added that privacy regulation elements need to be included in vendor contracts to ensure that all parties remain in compliance.
While the keynote address delivered by Bruce Schneier, Fellow and Lecturer, Harvard Kennedy School, focused on the need for the creation of Public Interest Technologists, his point was the importance of having someone who understands technology involved in developing policy surrounding security and privacy. When those in government tasked with writing laws to address the way our data is shared on social media don’t understand the basics of Facebook, you get laws that don’t help anybody. There is a need for someone to bridge that gap.
And finally, in a private conversation, Anthony Di Bello, VP Strategic Development at OpenText, told me he was surprised there wasn’t more discussion surrounding the role security will play in data governance and data privacy.
Maybe the security angle will take a more prevalent role at RSA 2020? That will be a question to answer next year.