Greetings from Milan!
I am back in Milan attending the fifth annual congress of the ASSO DPO. This has become a mainstay event on the Italian calendar attracting Italian privacy pros, as well as a growing contingent of European privacy stakeholders.
The opening keynote was delivered by Bruno Gencarelli of the European Commission. Speaking in Italian in his native Italy, Gencarelli addressed the delegates on the state of play of the GDPR. While acknowledging the initial negative optics, such as anxiety about fines, he referenced how Europe had survived any initial storm. Contrary to the fear of immediate enforcement, Gencarelli highlighted how European DPAs to date have adopted a more constructive and supportive stance toward companies and organizations — an example of this being the 20 sets of guidelines that have come out from the network of EU DPAs and the EDPB. In true European fashion, he spoke of how, in certain respects, one could consider a "cultural revolution" being underway in Europe and where the national authorities have been integrated into a European network to address compliance and enforcement. The coming months will be important as several existing enforcement cases should test the resolve of European DPAs and the EDPB to adopt a uniform application of rulings — the European Commission will continue to monitor such progress, as this will be a key indicator to the success of the regulation.
On a more reflective note, Gencarelli stated that the culture of accountability has become an accepted priority and standard and one of tangible relevance to companies and organizations. Privacy has matured, and this is good for EU citizens and companies alike, he said, and should contribute to fairness and enhanced competitiveness as the market works toward better outcomes. If we look beyond Europe, he spoke of the GDPR as a catalyst for change with an emerging convergence of privacy efforts globally. “We live in a world of contrasting approaches,” but there is a growing convergence of privacy regulations based on common principles. He referenced the EU-Japan adequacy agreement, which has given rise to one of the largest "common areas" of data flows in the world. Much work still to do, he concluded, but progress is there.
One of the more interesting features of the ASSO DPO conference was the two panels on DPO activity. The panels consisted of European representatives of national data protection associations in the EU and myself, speaking on behalf of the IAPP. Notably, and what might seem surprisingly apparent, the role of the DPO still has some way to go in terms of its establishment. National association members are still seeking support and clarity in positioning the role in their respective organizations. That said, a number of privacy areas are clearly at the forefront of member thinking: controller to processor agreements, privacy by design, and privacy governance. Privacy is clearly operating in multifunctional structures across companies, and the lack of awareness and education remains a partial constraint to privacy culture taking root.
I spoke with Matteo Colombo, president of ASSO DPO (and IAPP member). He was delighted with the turnout and the balance of regulatory content versus the business side of doing privacy. It was interesting to hear from the DPAs of San Marino, Iceland, Greece, and Italy, as well as the Bavarian DPAs. There was something for everyone.