Greetings from London!
The IAPP is back in London this week for our final installment this year of the GDPR Comprehensive event series. Following on from our inaugural February event in Brussels, and our New York edition, this year’s trilogy ends in London and it is proving to be as in demand as the preceding events, with a truly international representation yet again signing up for IAPP content. Confirming the "International" in IAPP, we have participants from as far afield as Taiwan, Malaysia and New Zealand; North America, with a nice spread of states; and the EU are there in force, too. And as you might suspect, the virtual streaming option has brought in yet more participants from around the globe.
Earlier in the week I was in Paris, attending the Hunton & Williams Centre for Information Policy Leadership workshop on “The Role of the Data Protection Officer (DPO) and Risk and High Risk under the GDPR.” For background, CIPL is a global privacy and security think tank presided over by Bojana Bellamy, who needs no introduction in privacy circles. An accomplished professional and established thought leader in the field, she is also, I am pleased to say, a former chairwoman of the IAPP board of directors.
Well attended by a broad cross section of industry, and with over 20 representatives from EU regulators and government entities present, the discussion and debate centered around key questions and propositions concerning the overall enablement and environment within which the role of the DPO could effectively function. The nature, scope and accountability of the DPO role will bear determinant influence on the increasing significance of the organizational role that, for the first time, was formally mandated within the new EU GDPR framework. The DPO role has evolved and will — as many seem to suggest — continue to evolve from its nascent beginnings as primarily a function of compliance to something considerably more, hopefully a catalytic force within the strategic and governance structures of organizations. Opinion was diverse on matters, and I think for those of us invested in the functionality of the role and what it might entail, getting clarity around the “systematic – large-scale and regular” criteria underpinning the legal framework will be pivotal to establishing the importance of the role and data protection as a whole going forward.
Most notably, there is an expectation from industry for the WP29 to pave the way in creating this clarity. From what I heard at the workshop, the regulators are rising to the challenge, both on national initiatives as well as collectively through WP29 platforms; they are well engaged and heavily invested in determining this guidance. As complex and as geographically diverse as you can expect, the EU28 legal frameworks are no small trifle. Government consultations and interdepartmental consultations among strings of concerned ministries and public agencies are in full flow. Plans are afoot to change or modify legal structures where applicable. The rewriting — or redrafting — of national data protection acts is underway. Regulators are preparing for life under the GDPR and the scope that it too will bring to their structures — recruitment and training are "de rigueur," as you might expect. The preparation is underway and the mobilization of resources that accompanies such a change is quite phenomenal in its entirety.
The subject of the GDPR and the role of the DPO is one that for obvious reasons is close to our mission and activity here at the IAPP. Together, the GDPR, Privacy Shield, and other global developments elevate the need for, and role of, data protection professionals as 2016 draws to a close. From Turkey to Japan, Peru to Brazil, major privacy legislation has been proposed, or come into force. Perhaps no area of global public policy has seen as much activity as privacy and data protection in recent times.
We just released our second annual