With their respective keynote addresses at the inaugural IAPP Asia Privacy Forum, Hong Kong Privacy Commissioner for Personal Data Allan Chiang and Singapore Personal Data Protection Commission member Aileen Chia sent a cohesive message: Those companies making a good faith and concerted effort to respect their customers’ privacy have nothing to fear from regulators.
Those who are looking to do the bare minimum, however, should expect increasing scrutiny.
“A sensible organization,” Chiang told a room of roughly 100 lawyers and internal privacy officers in Hong Kong on March 31, “should act with customer centricity. Privacy shouldn’t be just legal and compliance’s responsibility. Top management must be involved.”
“With our enforcement actions,” Chia said, April 2 in Singapore, in front of about 140 attendees preparing for a regulation to come into effect July 2, “we will consider what steps were taken beforehand, how cooperative the organization is and the size of the breach.”
These sentiments echo those of a number of DPAs around the globe who consistently express conflicting desires to both protect their citizens and refrain from stifling innovation or competitiveness.
“I lead an organization,” said UK Information Commissioner Christopher Graham at the DPAs conference last fall, “that wants to be effective in tackling the bad actors rather than filling out forms for people who are probably perfectly compliant anyway.”
“The bottom line is that a focus on privacy as risk is good,” FTC Commissioner Julie Brill told an audience at the Global Privacy Summit recently. “I want businesses to be thinking about that.” The more that’s done, she said, the more the issue will migrate to the C-suite.
In fact, said Chia, Singapore passed its data protection regulation for the very purpose of “building trust to increase competitiveness” in the global marketplace.
It makes sense, then, that many attendees of these first-ever IAPP conferences in Asia were eager for details on creating accountability or helping their clients with privacy practices in their organizations. They heard presentations from IAPP board members like GMAC CPO Allen Brandt, CIPP/US, CIPP/E, CIPM; CVS/Caremark CPO Ken Mortensen, CIPP/US, CIPP/G, CIPM; DHL CPO Gabriela Krader; Merck CPO Hilary Wandall, CIPP/US, CIPP/E; and Bank of America CPO Christine Frye, CIPP/US, CIPM, all paired with local voices like Privex Principal Danny Yip, CIPP/IT; Standard Chartered CPO Benjamin Gerber; SOS International CPO Shireen Advani Lee, CIPP/US; British Council Information Policy Advisor Julie Savoie, CIPP/E; and a host of others.
Many of the most common questions involved variations on: “How?”
It’s common for regulators to agree with Chiang when he says “your program needs to be continually updated and managed by dedicated staff” and that “you need to demonstrate your commitment to good corporate governance,” but the questions remain: How do you get budget? How do you train employees to respect personal data? How do you get buy-in from upper management?
These are, of course, questions familiar to privacy professionals around the world. If the regulators are going to all be in agreement, perhaps it’s no surprise that privacy pros all work the same jobs.
What was clear by the end of the two conferences, regardless, is that privacy professionals in both cities are hungry for a community of peers with which to work out these difficult issues.