Businesses and data protection authorities are both facing challenges from a complex digital and legal ecosystem with a limited set of resources. That notion was clear during a panel presentation during the final day of the 41st Annual International Conference on Data Protection and Privacy Commissioners in Tirana, Albania.
"We need to operationalize privacy at scale," said Microsoft Corporate Vice President, Deputy General Counsel and Chief Privacy Officer Julie Brill. "Ensuring there are operational controls that are sufficient so that as laws go on the books around the world — like in California, Brazil, China — we need to be able to adjust our practices with the appropriate buttons and dials so we can be agile."
But doing so with limited resources is no small task. And it's not just private businesses that are feeling the pinch. Regulators around the world also face their own set of operational challenges with limited resources as more data subject complaints flood in.
Alexandra Jaspar-Leeuw, the director of the Belgian Data Protection Authority, said the agency has become more strategic in the way it's organized and has worked hard to seek additional resources. It has also set up public awareness campaigns around children's data protection issues as well as those faced by small and medium-sized businesses.
DPAs are also facing prioritization challenges while regulating a vast array of issues. Hong Kong Privacy Commissioner Stephen Kai-yi Wong said his office has received 2,600 data subject complaints in the last four months, many of which stem from the social unrest between the government of mainland China and citizens of Hong Kong. At issue for both sides has been the doxing of Hong Kong-based protesters and the opposing law enforcement officials.
But while Wong's office, like others, may have limited resources, he said, "As a DPA, we simply cannot say we can't do it. We are talking about the fundamental human rights of individuals."
A range of societal issues have challenged other regulators as well. In recent months, U.K. Information Commissioner's Office Technology Policy & Innovation Executive Director Simon McDougall and his team have focused on regulating data protection in the ad tech space, but at the same time, the ICO has also dealt with law enforcement access to a rape victim's mobile phone.
"How do you compare the allocation of resources" in these two cases, McDougall asked. "That's the challenge we face in this data-saturated world," he said.
Part of the solution for both regulators and businesses is a new "hybrid" professional, one not simply grounded in law and policy, but with a range of skills that includes privacy engineering and ethics.
To drive the point home, Brill said if she only had one job opening to fill and she had one candidate with 20-years of data governance experience and one candidate fresh out of school but with a hybrid skill set of law and engineering, she would hire the latter.
"Privacy engineers are an incredible group of people that we need more of," said LinkedIn Vice President and Head of Global Privacy Kalinda Raina, CIPP/US. "Tech can help and having people with greater creativity than some of us lawyers can be a way to help come up with solutions."
She also pointed out that even Silicon Valley-based organizations have limited data protection resources. "One thing we can do," she said, "is leverage what we already have." She suggested several ways to accomplish this task. First off, "ground yourself in the values of your organization." At LinkedIn, she helped get the privacy message across to employees through the lens of LinkedIn users, something every employee could fundamentally understand since the foundational ethos for the company is cultivating user trust.
Raina also stressed the importance of getting leadership involved. Again by using the company ethos, she explained to the CEO how something like the EU General Data Protection Regulation would affect the trust of the company's users.
To help scale, Raina created a "privacy champions program," which included representatives from across organizational departments, from sales and marketing to product and IT, who can in turn go back to their departments and raise any potential privacy issues. "Reach out across the organization and make allies," she suggested.
And for DPAs, as has been demonstrated by the ICDPPC all week here in Tirana, greater interactivity among the regulators, not just in the field of privacy and data protection, but in other industry verticals, like antitrust and competition, telecommunication, among many others, will be necessary to help regulate a world that's rapidly being driven and shaped by advanced technology.
If you want to comment on this post, you need to login.