In this Volunteer Spotlight, The Privacy Advisor caught up with Web Hull, CIPP/US, CIPP/G, and asked him to reflect on privacy developments and predict emerging trends. Having worked in the privacy space since 2000, he's has seen the growth of the field firsthand. He got his start as both a consultant and with the Global Privacy & Compliance Group at Iron Mountain. He's now lead information security privacy specialist at Houghton Mifflin Harcourt.

The Privacy Advisor: Having been involved with the IAPP since its inception, how would you describe the growth of the field?

Hull: Astronomic. Who would think that with a start of maybe 200 people at the first conference that it would grow to where it is today, with no end in sight. It’s phenomenal.

The Privacy Advisor: What do you see as emerging trends in privacy?

Hull: To start with, there will be more rules, laws and regulations that overlap to some degree. It’s not just state to state, but country to country and region to region. I expect a continual growth in specific rules, regulations and standards that might not all be in harmony – making a real challenge for people in a multi-country business to adapt, develop and comply. Additionally, I think there will be increasing pressure on companies that have a direct interface with customers to be more and more restrictive on how customer data is collected, shared, used, disclosed, and protected. This will be a real challenge for companies to not only operationalize, but to ensure they have a sustainable business model with increasing restrictions on the use of data. For vendors, I think you will an increasing and more finely detailed restrictions, controls, monitoring and reporting for evidence of compliance. Finally, I think this will be the year, or couple of years, where data flows down to fourth and fifth parties becomes heavily focused upon.

The Privacy Advisor: How do you think the U.S. will move forward with federal privacy legislation?

Hull: There is a history of continual proposals for federal legislation and we already have it for some sectoral regulation such as HIPAA, but my experience has been that action first takes place on the state level. After a couple of dozen or more states adopt overlapping or conflicting rules, the federal regulators and legislators will wake up to the need. I’m not sure we are at that point yet. There is emerging consumer pressure to do something, but I don’t yet see it as point where the federal government needs or is willing to step in. There will be pressure for it, and there will always be advocates in Congress for it, but I don’t see a lot of traction in the near-term.

The Privacy Advisor: What do you see as the top privacy needs from your clients?

Hull: Having been both a consultant and an in-house privacy officer, I think the top privacy need from clients has been this: How can I get into, stay in, and if, I’m really good, anticipate what I have to do continually be in compliance. A lot of times, the need comes from a reaction to something that might have happened, such as experiencing data loss or a new regulation. The question becomes, “What do I have to do operationally, in regard to my customers and my regulators, in order to be in compliance?” Privacy becomes a central component of the products that companies are offering to their customers. Sometimes it’s not seen as that, its seen as an add-on or a non-functional attribute, but the customer sees privacy as being core to the product. Companies need help to implement, articulate and communicate to their various customers.

The Privacy Advisor: What do you think has been the greatest privacy milestone so far?

Hull: I can’t say there is one milestone or even just a handful — instead, what you see is a greater understanding of what constitutes personal information and personal data and you see evolving ways to identify how it is used, how it flows through an organization, and how its protected. Nonetheless some of the key milestones domestically would be the Gramm Leach Bliley Act, the HIPAA Privacy and Security Rules, the Massachusetts Data Protection Act, and the Privacy Policy requirement. Internationally the GDPR is a major milestone for two reasons, for its micro approach to how data is collected and used, and for its extraterritorial extension. There are many more I could include but the greatest development has been the growing privacy awareness and the need for organizations to provide an operational solution to properly handle data.

The Privacy Advisor: What piece of advice would you give new professionals looking to enter the space?

Hull: First advice: Join IAPP. Attend KnowledgeNets and conferences, volunteer, get active. After that: Read. Read. Read. This discipline changes every single day. Find a way to stay current and look ahead. Finally: Develop a skill to operationalize, in a practical manner, privacy requirements.