Hundreds of people working in the data privacy field congregated at New York City’s Columbia University last week to discuss new privacy laws at the PrivSec Conference, which was hosted by the Data Protection World Forum for the first time in the United States.
Attendees had two full days of lectures, panels, and presentations on the ever-evolving data privacy landscape in the United States and abroad.
Nick James, CEO and founder of the Data Protection World Forum, said the conference was originally born out of concerns, fears, and doubts raised four years ago about the EU’s GDPR. After spending a month organizing a quick conference, and then another and another, James and the Data Protection World Forum realized there was a huge demand for data privacy information and best practices.
“As a result of GDPR, so many other countries have bolstered their own data protection and privacy regulations. But the GDPR made it so that people understood that privacy and security are two sides of the same coin,” James said.
“I’ve run conferences and events for 30 years,” he continued. “This is the only subject matter where you cannot define the job title. With most conferences you know what you’ll get, but here, you get the complete breadth of an organization. The CEO, COO, head of compliance, head of legal, finance directors–then right down to include specialists like the CPO and the DPOs and the CISOs.”
SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic Premium)
Much of the conference was designed to give industry leaders as well as legislators a chance to flesh out data privacy laws for the audience. CISOs were also given ample opportunity to air their questions or concerns about California’s CCPA, which takes effect in January.
Lawmakers push for more data protection
Although New York does not have anything similar to CCPA or GDPR, New York State Senator Kevin Thomas explained that his team is hard at work trying to get a data privacy bill passed.
“Whatever is on the books now federally is outdated and not suitable for the current tech landscape that we live in. The EU passed the GDPR and California has their own, so New Yorkers deserve better,” said Thomas, who serves as chairman of the Committee on Consumer Protection.
“Our personal data should not be exploited for personal profit. There needs to be legislation. We passed the Shield Act this year and are working on a new law that would provide three things: Transparency about how your data is used and sold; Control to let you determine whether your personal data is sold; and the creation of data fiduciaries to force companies to be accountable for the sensitive data they control.”
But even as lawmakers push for GDPR-like laws in their own states across the country, CISOs are still struggling just to understand the parameters of the CCPA and other laws that have been passed in states like Nevada and countries like Brazil.
Anju Khurana, BNY Mellon’s head of data privacy and protection for the Americas, spoke at length about the differences between complying with European laws versus American ones as well as the need for companies to buckle down and create data privacy positions within their leadership chains.
“Currently, there are over 100 countries privacy laws so we are dealing with a very fast changing regulatory environment. The laws are coming at us faster and more furious, so you have to take a look at your regulatory environment and see what’s the risk associated there,” she said before asking for a show of hands to see how many people in the audience were CISOs or IT directors thrust into the GDPR-mandated data privacy officer role.
The need for a chief privacy officer
People in the audience who spoke briefly expressed fear about accepting the position and said their company either didn’t appreciate or understand the seriousness of the role. Khurana explained that the GDPR had very specific rules about what a data privacy officer could and could not do and spoke at length about her company’s decision to hire the company’s first chief privacy officer when she was hired two and a half years ago.
“You want to look at the risk profile of your company. What type of data are you processing? If you’re processing large volumes of data, I think you should really consider having a chief privacy officer. You have to look at it and ask yourself if you’re processing data and if you are processing data that is crossing borders into other jurisdictions,” she said.
These kinds of question and answer sessions were integral to the conference’s collegial nature, and James said this was part of what the Data Protection World Forum wanted to foster. When the PrivSec conferences started as the GDPR Summit two years ago, the organizers had no idea how the issues of privacy and security would expand across industries.
Conversations around privacy and security
Originally, the two industries most focused on data privacy and security were those that were already under strict regulation: Financial firms and healthcare organizations. But now, James said, companies that previously had nothing to do with technology were forced to contend with data privacy issues.
“If you’re in hospitality or telecoms or in retail, it’s all new to you. You’ve never had a regulation to deal with, and now you’ve got all these regulations to deal with in different territories. As such, you’ve got a larger universe of software supplies that have sprung up with solutions that allow people to do business internationally and across borders,” he said.
“You’re not going to last very long in the C-Suite if you haven’t done things properly,” James continued. “And yet none of us will ever be safe from a data breach. We will all have a data breach at some stage. It’s about how you respond to that and how you put planning in place. We’re great believers in educating, and that’s why we run these events. To get experts to be able to share their knowledge and experience. And also to develop a culture of privacy within an organization because I think that if you’ve got that culture of privacy dripping down from the top everybody appreciates it.”
He added that he wanted the conferences to popularize the conversation around privacy and security because of the woeful lack of talent and expertise in the field. Referencing a recent GDPR report, he said there was a shortage of 75,00 data protection officers and specialists worldwide.
Part of why the event was held at Columbia University is because the school is creating courses and tracks around data privacy and security, one of the few around the world doing so. There are also a number of professors at the school focused on the subject, and the newness of the topic made it easy for James to secure a diverse lineup of speakers and thinkers.
One of the keynote speakers was New School Associate Professor David Carroll, who spoke in detail about his tangle with Cambridge Analytica’s data privacy violations during the 2016 US presidential election.
“What we want to do is bring people together and create an ecosystem that didn’t really exist before. This is the only conference I’ve had to run where you don’t have to worry about diversity because it sorts itself out, particularly with the male/female split,” he said. “As a conference organizer you never want all-male panels or all-white panels, and sometimes it’s a struggle in certain sectors. But because this is new, you’ve got people that are coming into it from all walks of life so it is naturally very diverse which is fascinating.”
In addition to panels on the CCPA, New York regulations, and even Brazilian laws, conference attendees had access to speeches on changes in advertising technology, recent privacy enforcement cases, how to set up data privacy teams, and more.
James said this was the third PrivSec event this year and organizers wanted the New York conference to kickstart a string of events planned across the US in Chicago, Houston, Dallas, San Diego, San Francisco, and Seattle.
“We just want for delegates to leave feeling like they’ve actually been able to make a bit more sense out of not just domestic data protection laws but international privacy and data protection,” James added. “Every time something like that comes up, people need to understand not only how it relates to them, their org, and their business, but then how does that one particular law relate to the other laws.”
This story was updated to clarify that BNY Mellon decided to hire the company’s chief privacy officer.