Greetings from London!
I was delighted to participate in Ankura’s data protection seminar on global trends this week, an event organized for their clients and partner organizations. There were a number of panels with both local and global privacy experts tackling some of the current trends faced by the community at large. Panel discussions were focused on the evolution of DPO roles and e-discovery with a view to international litigation, as well as cybersecurity and resilience.
On regulatory matters, there was much discussion on emerging topics defining the landscape, including the intersection between AI and data protection.
Panelists also addressed the need for a global privacy baseline or frameworks within companies. Organizations working across multiple jurisdictions are being asked by their senior management and boards to look at establishing a standard or common approaches where possible. This is likewise due to a need for internal controls, both from a cost and risk perspective. The commercial challenge faced by organizations is managing the "depth and breadth" involved in data management while respecting legal obligations and differentials that can vary both in the EU and outside. The extraterritorial nature of the law is complex.
Data protection practitioners and leaders see a greater need for integrated tools, particularly as organizations increasingly rely on technology to deliver services. The convergence and interdependence of privacy functions with their counterparts working in information security are abundantly manifest. One example of this enhanced cooperation comes in the form of supplier (processor) audits. Where security may have been the traditional focus of such audits from an organizational governance viewpoint, privacy inputs are now becoming integral components so that both concerns can be addressed in a more uniform way.
With global privacy frameworks, other priorities mentioned were privacy-by-design projects and diverse sets of PIAs. Moreover, to help tackle and streamline those efforts, organizations agree that central privacy support for regional PIAs is a necessary and increasing activity for DPOs and their teams. A common remark involved the actual integration of companywide data protection policies and procedures. More often than not, there is an identified need to work with transformational and/or change management functions both from internal and external standpoints.
Another point of discussion was how important it is for companies to understand data subject access requests on a global scale, not only as governed under the GDPR, but also as a key requirement under the CCPA. Tools are needed to manage those DSARs across multiple jurisdictions. There has been a sharp increase in DSARs across the board. Reviewing data subject rights is complex from an extraterritorial standpoint. Organizations should take these seriously as they could become contentious for obvious reasons.
In wrapping up the day, I spoke with Noris Ismail, managing director of data privacy at Ankura, who said the role of the DPO goes clearly beyond the GDPR. Being independently influential, diverse in skills, and creative in approach, the DPO needs to seek further alignment with the information security office to ensure consistent and effective information governance.