Since joining the IAPP in 2022, many conversations I have had with members in Europe have included something about the profession changing and what a challenge that represents.
The roles and responsibilities of traditional privacy professionals have clearly been challenged by a perfect storm of technology and regulatory evolution of unprecedented speed and depth. And we observe this empirically across the board, regardless of the size, nature and activity of the organization — private and public sector alike.
Taking data protection officers as an example, Article 39 of the EU General Data Protection Regulation requires a DPO to monitor "compliance with (GDPR), with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data." Agreed to in 2016, that text reads very differently in 2024.
European legislators created numerous new pieces of legislation ranging across data governance, data sharing, cybersecurity, health data, content moderation, artificial intelligence, competition in the online world, and more — to say nothing of national legislation. The EU Court of Justice has built significant jurisprudence on countless aspects of the European data protection legal framework. And last but not least, since 2018, data protection authorities have reached very consequential decisions, mandated transformative corrective measures and adopted over 45 interpretive guidelines at the EU-level. If someone were to print all the European documents relevant to personal data protection, it would make for a pretty big pile.
This challenging environment means the job will keep you on your toes and will be intellectually stimulating, all within a community that is genuinely supportive. But there is more to it.
Good governance is at the very least recommended, if not actually mandated. Articulating how and why bad governance slows things down — including business operations and revenue generation, not to mention intangibles like tarnishing an organization's reputation — has helped many digital risk management leaders and privacy professionals, in particular, leverage their scope of work and negotiate upward their role, title, resources, and presumably, compensation.
That complexity also helps build an argument that digital responsibility is needed more than ever. Its core mission of managing digital risk is essential as ever as digitalization is a well-established normal across public and private sectors. Digital responsibility also has a way of attracting and coalescing experience and knowledge from cross-functions in order to build, leverage and disseminate thought-leadership for data governance throughout an organization and build a culture of thoughtfulness, awareness and accountability.
Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.