As part of the DataGrail team, I attended my first Global Privacy Summit (“GPS”) in Washington two weeks ago and wanted to share a few of my thoughts as someone who is newer to the privacy world. While it wasn’t my first IAPP event, GPS was by far the biggest privacy gathering I’ve been to, and it was a great experience to hear from some of the speakers as well as mingle with attendees at our booth. Here are a few of my takeaways:
1) The Focus is on “Continuous Compliance” vs. “Readiness”
There were a large number of companies present at IAPP with both domestic and international operations. The companies with international operations, particularly in the EU, have had a head start on the US companies that are now preparing for CCPA, and they were active in sharing their learned experiences around building their GDPR-compliant privacy programs. One of the discussions heard across the vendor floor and in presentations was that there is a significant difference between getting ready for GDPR (pre-GDPR) and operationally acting in compliance with GDPR regulations (post-GDPR). In my discussions with these GCs and DPOs, their GDPR readiness process had been more of a checklist: understanding what was required and then putting those pieces in place and checking them off the overall list. However, once GDPR was enacted, they struggled operationally to execute different requirements of the privacy legislation. Especially for larger companies, the workflows and processes that had been mapped out were much harder to execute in practice. Thus, with CCPA coming in January, these same companies were using IAPP as an opportunity to understand what other privacy programs were doing to ease the burden of continuous compliance (the execution part), not just readiness.
2) The Privacy Space is Going to Get Crowded
If the vendor floor this year was any indication, there are going to be a lot more companies entering the privacy space over the next couple of years as additional privacy legislation is enacted in the US. Sure, there were the same few companies that have been around for quite some time, but many people I talked to who had been to IAPP before said there was a definite shift in vendor attendees. Oftentimes, new legislative frameworks are the catalysts for technological change, and GDPR, CCPA, and the new legislation coming in the next year or two have spurred on significant investment in the privacy world. In response to the new technology companies popping up in the space, we also saw some of the older players building different elements of technology into their typically service-oriented offerings. The net result will be privacy programs having more options in building their privacy tech stack and much more efficient and effective options for maintaining compliance with the new legislation.
3) More Privacy Programs are Building their Privacy Program Internally
This takeaway is anecdotal, based on the conversations I had with different companies at the DataGrail booth. I was very surprised and excited by the number of companies who had started hiring internal privacy teams as opposed to outsourcing that role. It’s a no-brainer that Enterprise-size companies require an internal team, but we talked to many mid-market and even SMB companies that had already brought people on internally to manage privacy. This is a reflection of the importance privacy is playing nowadays and the focus that privacy is getting from the C-suite. If nothing else, it’s a great time to be a privacy professional because there is so much demand for an effective internal program!