It's been one of the busiest years on record here at the IAPP. It's no secret that the forthcoming EU GDPR created plenty of opportunities for original journalism aimed at helping privacy professionals navigate the murky waters of compliance before May 2018. But the GDPR-focused pieces weren't the only topics of interest to IAPP readers.
As the below list of the Top 10 most popular reads of the year indicates, you were also interested in hearing news impacting your colleagues. We lost some privacy greats in 2017, including Joe Alhadeff, former Working Party 29 Chair Stefano Rodota, and Elise Berkower, a founding member of the IAPP. And a story that tapped into concerns from those of you just starting out in the field, "They say privacy's hiring, but who?" made it into the top 10 this year. That story focused on the paradox many seem to face in aiming to get a privacy job: Employers want someone with experience, but how do you gain it if no one wants to give a newbie a chance?
Below are the most-read stories of 2017. Catch up on the ones you missed, or luxuriate in re-reading one you loved.
The General Data Protection Regulation, put forth by the European Commission in 2012 and finally generally agreed upon by the European Parliament and Council in December 2016, is set to replace the Data Protection Directive 95/46/EC. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018. In this 10-part series, the IAPP Westin Research Center outlines specific provisions of the regulation.
Based on surveying data protection officer job postings, companies are trying to fill DPO positions with junior associates with only a few years of experience. Many are treating the DPO as merely an IT role with no legal experience or as a compliance role with no real risk or IT experience. But what does the General Data Protection Regulation in fact require and what do those requirements mean for the DPO’s job skills? It may be useful to summarize the necessary skills into a listing usable to identify qualified DPO candidates, which you'll find at the bottom of this article.
In January, Thomas Shaw wrote an article for The Privacy Advisor on the essential job skills of data protection officers under the General Data Protection Regulation. Having read it, Emma Butler responded online with her views, and, after some back-and-forth, the two decided to write an article together highlighting the many areas they agreed upon and further analyzing where their perspectives and insights differed. Shaw is a privacy and technology lawyer who has worked across disciplines around the world, while Butler was a long-time member of the U.K. Information Commissioner’s Office and is a current DPO. Both are based in the EU.
The European Commission has written to EU privacy regulators to express concern over their interpretation of the data portability clause in the General Data Protection Regulation. Specifically, the Commission appears to be worried that the regulators have interpreted too broad a scope for the GDPR's Article 20. The Article 29 Working Party, the group that represents EU privacy regulators, issued guidelines earlier this month in which it said "the right to data portability covers data provided knowingly and actively by the data subject as well as the personal data generated by his or her activity."
If you’re a privacy professional tasked with ensuring your company is in compliance with the upcoming General Data Protection Regulation requirements, one of your main challenges may be communicating the profound shift in how GDPR delineates the roles and responsibilities of “controllers” and “processors.” With this shift in responsibility, companies will need to establish more rigorous practices for managing their relationships with vendors who act as processors.
If you were hoping EU regulators are feeling generous ahead of GDPR enforcement, you're out of luck. Information Commissioner's Office Head of International Strategy & Intelligence Steve Wood made that clear in his keynote at the IAPP's Data Protection Intensive in London earlier this year. "Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That's not part of our regulatory strategy," he said. "What you will see is a common-sense, pragmatic approach to regulatory principles."
In May, the Court of Justice of the European Union gave judgment in Rīgas, which concerns the right of a victim to identify the person who caused an accident. The facts of Rīgas may be mundane, but it is a useful and significant judgment as it discusses the legal basis upon which public bodies process personal data. In particular, whether a public body could be required to process personal data on the basis that processing was “necessary for the purposes of the legitimate interests pursued by the … third party or parties to whom the data are disclosed.”
Joe Alhadeff, a friendly bear of a man and a lion of the privacy community, died this year after a long battle with cancer. He was 57. Most recently the VP for global public policy and chief privacy strategist for Oracle, Alhadeff was globally minded, and it is difficult to find an international privacy and data protection effort that he wasn’t involved with. From the OECD to the International Chamber of Commerce to the U.S.-India Business Council to the U.S.-ASEAN Business Council, Alhadeff was a privacy and security policy voice to which everyone listened, whether advocate, regulator or industry representative.
Anyone who has been paying attention to the privacy and data protection landscape knows this, if they know anything at all: The General Data Protection Regulation is looming, and firms are scrambling to prepare, staffing up the privacy office and appointing a data protection officer (depending on their stage of preparedness). Given that, one could reasonably assume that privacy professionals are getting scooped up in record numbers. But a thread on the IAPP's Privacy List noted a number of privacy professionals are frustrated with their own ability to get hired, particularly if they aren't considered a "veteran" in the field. One person said, "I see a paradox in that there is a great need for experienced privacy lawyers but few opportunities to get that experience."
As the clock ticks on the ePrivacy Regulation — and the ambitious aim of having it ready for May 2018 — members of the European Parliament’s civil liberties committee have submitted more than 800 amendments. The big — though not surprising — news is the proposal to introduce “legitimate interest” as a justification for further processing of data.