IAPP 2018 Global Privacy Summit Recap: Q&A with Jonathan Boston & Doug Pollack

​Just a few weeks ago, global privacy experts from around the world gathered in Washington, D.C., for the 2018 Global Privacy Summit. Hosted by the International Association of Privacy Professionals (IAPP), the conference focused on the ins-and-outs of privacy laws and procedures.

​Several ID Experts leaders attended, including Jonathan Boston, senior vice president of global sales, and Doug Pollack, chief marketing officer. In what follows, they discussed their key takeaways and highlight the trending topics at the conference. Their words have been edited for clarity.

​Q: Can you summarize what this conference was about and why it’s an important discussion to have at this particular moment in time?

​JB: The conference was about individuals having fundamental privacy rights, and how those rights should be protected. So much of the conference took a global view with the upcoming General Data Protection Regulation (GDPR) going into effect. Our world is more intertwined from social and economic perspectives than it has ever been, so the importance of protecting the identity of every individual is critical.

​DP: This year, in particular, has brought individual privacy rights into a much broader national and international dialogue. The combined effects of the Equifax breach, the implementation of GDPR and the Facebook incident have combined into a perfect storm for ensuring a higher level of privacy protections for all, especially outside of the EU where they have set a very high bar.

​Q: What important themes did you see throughout the industry and represented at the summit?

​JB: Some of the important themes beyond GDPR, throughout the discussions, centered on HIPAA, data security, emerging technology like blockchain and the impact it will have and how to effectively respond to a breach.

​DP: Two key issues stood out for me at this conference. First was the impact that GDPR will have worldwide on all organizations that have any access to personal information. With GDPR compliance required by May 25, 2018, this is a significant and timely issue. The second issue focused on the obligations of technology companies that use an ad-supported business model to maintain a high level of privacy standards for their users. The recent Facebook incident was mentioned in many sessions since it is likely to have a far-reaching impact on the future of privacy in the technology industry.

​Q: What role did the discussion around GDPR play throughout the conference? How does that play into the American regulatory conversation?

​JB: America is always going to be the proving ground for compliance and privacy regulation; however, with GDPR, some questions still remain regarding its overall effect. GDPR will globally impact the processing of all personal data of EU residents. It will be closely watched to track both effectiveness and enforcement, and it will certainty impact our developing privacy laws domestically.

​DP: The GDPR conversation has renewed vigor in light of Facebook revelations. U.S. legislators face pressure to impose privacy regulations, especially focused on technology companies that use an ad-supported business model, like Facebook, Alphabet’s Google and many other free consumer platforms. U.S. legislators will naturally look at GDPR as a potential model that could be repurposed for improving and up-leveling privacy protections for Americans.

​Q: We’ve seen unfolding implications of privacy laws for the future of western democracy. What can citizens do to protect themselves/be vigilant?

​JB: It’s important to remember the basic concepts of privacy protection: don’t leave the door open for the bad actors to come in. Use technology to your advantage to protect your identity. Give yourself the advantage of notices when transactions, both financial and medical, are happening in your name. Don’t use the same password for all sites that you have to login to, and ensure you’re careful with public Wi-Fi and environments that could expose your sensitive information.

​DP: Individuals cannot be complacent about their privacy. We’ve seen these past few months, with Equifax and Facebook, how our privacy can be compromised in many ways, leading to consequences many individuals never imagined. Whatever happens in terms of laws and regulations, individuals must take a more aggressive posture relative to ensuring their privacy in all aspects of their lives, but especially as it relates to online and electronic applications and tools.

​Q: Which of the sessions that you each attended was your favorite and why?

​JB: For me it was a session with Birgit Sippel, who is a member of the European Parliament and the Committee on Civil Liberties, Justice and Home Affairs (LIBE). She stressed that “Privacy is about freedom, justice, and equality in the 21st century and that it is all of us, the privacy pros, at the helm of the ship.”

​DP: My favorite session was “Privacy and Competition: Big Issues for Big Data.” In this session, the three speakers (Giovanni Buttarelli, European Data Protection Supervisor, Edith Ramirez, Former Chairwoman of the U.S FTC, and Peter Swire, a privacy lawyer) explored a fascinating topic that is at the intersection of antitrust and privacy in the context of big data.

​What I found most interesting about this is how the FTC is starting to look at prospective consumer harms in technology industry consolidation. The FTC has historically evaluated the potential consumer harms in most mergers/acquisitions antitrust actions specifically in terms of increased prices to consumers, resulting from reduced competition. However, when dealing with consolidation of technology companies that offer free services using an ad-supported business model, their antitrust investigations have begun to look at the privacy harms to consumers, since price increases to consumers is not relevant in these instances.

​I find this to be a very interesting evolution of how antitrust regulators are looking at mergers and acquisitions in the new internet economy.

​Q: What were you most surprised about during the conference, either thematically or programmatically?

​JB: We [privacy professionals] have made such a global impact on the importance and impact data breaches have on our global world economy. It’s actually quite exciting to witness the impact that GDPR has on privacy professionals, and the true caring and sense of responsibility we in the data privacy world have to do the right thing and to ensure the rights of individuals are adequately protected.

​DP: I probably shouldn’t have been surprised, but I hadn’t fully grasped that the EU authorities are proselyting the adoption of GDPR in other jurisdictions as an international privacy standard. I also was somewhat surprised at how many organizations are “late” in dealing with their GDPR compliance efforts and responsibilities.

​Q: Based on your experience at the conference, what advice would you give to executives who are considering data implications for their own organizations?

​JB: My advice is to ensure you have a crisis plan solidly in place. Partner with an experienced data privacy and cybersecurity law firm, have a breach response agreement executed with a leading breach response provider like ID Experts and continue to educate your employees on cybersecurity basics. We’re actually seeing tremendous growth with companies of all sizes including identity protection as an employee benefit, to reinforce the importance of protecting both the company’s and the individual employee’s privacy.

​DP: If you aren’t already, pay special attention to GDPR, how it affects your privacy program and the risks associated with non-compliance.