Description:
- Data transfer and the uncertainty around how companies can legally transfer data across borders, around the world, and particularly in Europe, to be compliant with data protection laws.
- The new role of the DPO (Data Protection Officer) mandated under the GDPR, the DPO's roles and responsibility, and their background requirements
- How AI will play a role in governance and the new programs the IAPP is launching to help privacy professionals manage this new AI world
Speakers
Caitlin Fennessy
Vice President and Chief Knowledge Officer
International Association of Privacy Professionals
Caitlin Fennessy is Vice President and Chief Knowledge Officer at the International Association of Privacy Professionals, where she guides the strategic development of IAPP research, publications, communications, programming and external affairs.
Caitlin is a recognized privacy expert, serving as an inaugural member of the UK International Data Transfers Expert Council, on the German Marshall Global Task Force to Promote Trusted Sharing of Data and on the Future of Privacy Forum Advisory Board. She speaks and leads frequent public discussions on the practical impacts of privacy developments around the world.
Marie Patterson
Chief Marketing Officer
Archive360
Marie-Charlotte Patterson is the CMO of Archive360. A pioneer of measurable, ROI-based marketing automation, digital marketing and content marketing, Marie has spent the past 20+ years helping international and US software companies in the digital archiving and governance, risk management and compliance sectors define and lead their markets.
Transcript
Marie Patterson:
Welcome to Archive360's Information Management 360 podcast. My name's Marie Patterson and I'm the Chief Marketing Officer at Archive360. And joining me today is Caitlin Fennessy, Vice President and Chief Knowledge Officer for the IAPP. That's the International Association of Privacy Professionals. Caitlin, thanks so much for taking the time to join us on today's podcast.
Caitlin Fennessy:
Thank you, Marie, really appreciate being here.
Marie Patterson:
So let's maybe start with a little background before we jump in. Can you tell our listeners what the IAPP is and does, and maybe a little bit about your role within the organization?
Caitlin Fennessy:
Yes, of course. Happy to. So the IAPP is a nonprofit, policy-neutral professional association, and our mission is to define, promote, and improve the privacy profession globally. So as a privacy professional association, we basically do all of the things that professional associations do. We provide training and certification. We organize the largest privacy conferences globally: in the U.S., in Europe, in Canada, Australia, Singapore, London, around the world.
And we publish a daily newsletter via email to over 80,000 privacy professionals globally that is filled with privacy research from our in-house research team as well as from expert contributors who are among our members and reach out to us with some really thoughtful contributions. Beyond that, we basically bring privacy professionals together so that they can learn from each other in a whole host of ways. We have what we call KnowledgeNet chapters around the world, which are chaired by professionals in our space, and they have both in-person and virtual gatherings. We have a listserv. So basically we allow privacy professionals to come together and share best practices and track all of the myriad developments in our field so that they can do their jobs within organizations and governments and civil society all that much better.
My role as the Chief Knowledge Officer is to lead our research and publications, programming, external affairs and communications teams. So basically I'm charged with shepherding our content products and engaging with the leaders in our community.
Marie Patterson:
Well, I very much appreciate you taking the time. Clearly this is an organization with a lot going on, so I would imagine that you are super busy. Maybe for those that are not already members of the IAPP, what's the best way of learning more about the organization?
Caitlin Fennessy:
Yeah, thank you for the question. There is so much going on in our field. I've been in the field for, it's hard to believe, over 14 years now, and I can't recommend it enough, first, for anyone thinking about getting into privacy. And that is exactly because it is so constantly changing, as you suggested, Marie. There's always something new to learn, and that's what makes it fun.
So if you are already in the profession and trying to track all that's going on, interested in learning more, the number one best thing to do is sign up for our Daily Dashboard. So if you go to iapp.org, you can find information to sign up for our newsletter that is free and does not require membership or the like. And it's just a great entry point so that you can track on a daily basis the key developments in the field, whether they are legislative, technical, programmatic, and then if you want to get more involved, you'll have every opportunity to do so. And I expect perhaps in this conversation with everything going on in this space, we might talk about AI as well, but I'll flag that just yesterday we launched our inaugural edition of our weekly AI governance dashboard as well. So that's something you can sign up for as well.
Marie Patterson:
This sounds like just a great resource, as you say, for those that have been in the profession for a while and maybe those that are thinking about getting in the profession.
Caitlin Fennessy:
Thanks.
Marie Patterson:
That's great. So as you say, a lot going on. I know that for subscribers of this podcast, you will know that we've been having a lot of conversations with individuals about privacy laws and the evolution of privacy laws, particularly in the United States. And I believe, Caitlin, that I think just last week was it that Tennessee has introduced their own state privacy legislation, the Tennessee Information Protection Act, and that brings us up to, is it seven states in the United States that have passed-
Caitlin Fennessy:
I believe we have eight now.
Marie Patterson:
Eight, okay.
Caitlin Fennessy:
I feel like I have to count on a daily basis now because the state landscape is moving so quickly. But yes, you're absolutely right. Tennessee has joined the mix of states with a new comprehensive state privacy law that has now been signed into law.
Marie Patterson:
Okay. So just one example. You mentioned AI. I know that the IAPP has been speaking a lot and providing a lot of training around the European Data Protection Board's coordinated enforcement actions. So maybe it would be helpful to bring to our listeners what you are seeing and maybe what the IAPP is seeing some of the key, maybe the top three key data privacy issues that organizations and data privacy professionals are having to deal with now, this year.
Caitlin Fennessy:
Yeah, thank you for that question. And I have three that I typically think of when asked that question, but Marie, I think you were so right to raise the state landscape. So I'm going to call that number four I think.
Marie Patterson:
Okay. Yeah, great.
Caitlin Fennessy:
It's worth flagging the state landscape, as you said, in the U.S. since there is no federal law at this stage, the states have stepped in force. And just in the last few years as we have eight states now with comprehensive privacy laws and we publish a tracker, another thing your listeners can check out if they're interested in this space, that tracks all of the active state level comprehensive privacy bills and then those that have been passed. And there is a host of other states where we could still see adoption this year.
Marie Patterson:
Absolutely.
Caitlin Fennessy:
That's really a challenging, I think, space for companies because of course there are differences across that landscape and it's just one piece of a really complex international landscape where more than 100 countries have comprehensive privacy laws that they're having to track and to figure out how they align.
Let me mention the three other top issues that are on my agenda. Maybe I'll just cite them and you can tell me how deeply you'd like to go into each of them. But I think one issue that we have been tracking for quite some time, and this is where my historical expertise comes in, is data transfers. So we expect to see in the next week, and likely on Monday, May 22nd, a decision out of the Irish Data Protection Commission in the Meta data transfers case. This will be a huge decision for privacy professionals to pay attention to.
In our annual privacy governance survey, again, we saw that data transfer issues are privacy professionals' top priority and top challenge in our field. And that's because of the constancy of the uncertainty around how companies can legally transfer data across borders, particularly out of Europe, but increasingly around the world, in compliance with data protection laws. So this decision out of the Irish authority that we expect on May 22nd could throw that into even greater turmoil if there is a stop-transfers order specific to Meta's use of standard contractual clauses for its Facebook service. Now, while all that might be specific to one company, obviously there are implications for all companies transferring data out of Europe. And so that's something we're watching really closely, and that case actually dates back a full 10 years to the Snowden revelations. So there has been uncertainty in this space for a long time. So that's one, then.
Marie Patterson:
So sorry, before you move on to the second one, as you say, this is something that's been around for a long time, and that every company that does business internationally has had to be thinking about. Have you within the IAPP been providing any recommendations to your members of things that they should be doing right now or preparing for right now ahead of that May 22nd decision?
Caitlin Fennessy:
Yeah, it's a great question. The challenge here... So the short answer is yes, we have been flagging for privacy professionals that they should be alerting their CEOs and their boards of directors to the increased risk in the data transfer space as we anticipate and look toward this decision. The landscape for data transfers could get rockier in the next few months before it smooths out. And that is because if there is a stop-transfers order associated with this decision, it suggests that there is not currently a fail-safe way to comply with EU data transfer restrictions under the GDPR when transferring data to the United States. And that is because the adequacy determination, which is, in short, the European Commission saying that the United States has adequate, essentially equivalent protections for data, was invalidated by the European Court of Justice in 2020. And that relates to their concerns regarding U.S. surveillance practices and protections.
So in short, this is a government-to-government challenge because the concerns relate to how U.S. government authorities access and protect personal data that is transferred commercially. And so the U.S. government and the European Commission are very close to resolving this challenge. There is a new framework that governs protections in the national security sphere. The European Commission at the staff level has said that they think it is adequate, they think it should receive an adequacy determination, but that process is still playing out. And so until there is a new adequacy determination, there is just not a clear-cut way to comply with EU rules. What we have done is put out all of the information and analyzed and explained how the European data protection authorities say companies can work to comply, the additional safeguards they can put in place. But if this decision suggests that what Meta has done is insufficient, I expect that will have much broader ramifications across industry until there is an adequacy determination.
And I guess the last quick thing to mention there: every company is going to make their own risk calculus, and when I say there are challenges they'll face, it's unlikely that other investigations will reach their conclusion and lead to fines and enforcement actions against a broad swath of companies. The risk, as I see it, is that European providers will demand data localization from their U.S. or multinational service providers, that they'll be asking themselves whether they should switch to local providers. And so I think that could create some business risk that U.S. companies could lose clients over the next few months due to the increased uncertainty. The U.S. government and the European Commission will work to resolve this as quickly as possible. And we do expect the decision that will come out will have a transition period, hopefully, to allow for a diplomatic resolution in the interim.
Marie Patterson:
Okay. Yeah, I think you mentioned that there will be a period; it's not as if it's going to be a decision on Monday, and that's it, as of Monday you have to be in compliance. There will be that period for organizations to adjust. But certainly it's something that even without a decision taking place, as you can imagine, we're involved with our customers on almost a daily basis. It's something that's of concern not just to organizations in the private sector, but clearly also to federal agencies, particularly where they have employees that are working in different countries and doing rotations maybe around different embassies in the world.
Caitlin Fennessy:
Yeah, it's a great point.
Marie Patterson:
Yeah. Yeah. Okay. So that's the issue of data transfers, and I think we both know that it's definitely not the last time we'll be hearing about it. After Monday's decision I'm sure that there will be appeals and so forth, but what are you seeing as maybe the second major issue that we're facing in terms of data privacy?
Caitlin Fennessy:
Yeah, so I would say another near term issue that we're tracking closely, and I expect many companies are as well, is the European Data Protection Board's coordinated enforcement action on the role of the DPO.
Marie Patterson:
So yeah, let's clarify what the DPO is for listeners who may not be familiar with it.
Caitlin Fennessy:
Yeah, I know, it's a great point. So the data protection officer is a mandated role under the GDPR, the EU General Data Protection Regulation. And there are certain stipulations related to the DPO role. And it's worth flagging that many governments around the world have embraced this idea of a mandated data protection officer. And I believe dozens of other governments have this role. But in the GDPR's case, there are some very specific requirements about how the role should be structured. So the DPO must have expertise in the law and practice of privacy. They must provide training, oversee the training of the relevant staff within the organization. They must report to the most senior level. They must have a degree of independence in that they cannot be fired except for specific cause. They cannot be fired for doing their job. They have certain responsibilities with regard to both individual complaints coming in as well as directly to the regulator. They typically are meant to serve as the point of contact to the regulator, and they must be resourced effectively to do their job.
So there are certain stipulations that those who are required to have them must put in place. And in the first year of the GDPR alone, over 500,000 DPOs were registered with data protection authorities across Europe. So that's another component, they are meant to be registered. So what we have here is the European Data Protection Board, and collectively all of the EU DPAs, data protection authorities, the regulators, coming together and saying, "Okay, we're not sure that companies have structured and resourced and supported the DPO role effectively. And we see the privacy officers within organizations as a critical component to carry out the vision of the GDPR in practice, and therefore we're going to focus some investigative and enforcement attention collectively this year on making sure that they're doing that."
So from the DPAs', the data protection authorities', perspective, this is meant to be supportive of the role. And I think that that's really helpful. But I also think it's important to look at it from the flip side, from an organization's perspective. The DPAs have sent out questionnaires; they've been sent out by the individual member state DPAs to organizations, to their data protection officers, asking a series of questions related to those requirements about the resourcing, about the expertise and training and to whom they report, and the like. And some of those letters require a response, others are more voluntary. But the DPAs have said that the next step in some cases will be investigations and that we should also expect a report at the end of the year, but also enforcement in this space.
And so from organizations' perspectives, as they receive these inquiries from their enforcement agencies in country, I think there's going to be a lot of anxiety and nervousness about: are they going to investigate? Are they going to come after us on this? And so what we expect to see is organizations focusing some attention on how they have structured and supported and resourced and trained and educated their privacy, their data protection, officers.
And overall, I think that will be a really positive thing for our field. These officers within companies are required to have the support to maintain their expertise. They're required, as we said, to report to senior levels. And we've seen over time the level of privacy professionals within organizations, they have moved to more senior levels. And I think some of that is due to these GDPR requirements and therefore the focus that organizations are placing on having a strong privacy team and strong privacy leadership. So if you have gotten one of these questionnaires, know that you're not alone. And we've published some resources on the IAPP's website outlining what those requirements for DPOs are to help you navigate them. And we actually just did a LinkedIn Live talking with some, both in-house and external, privacy officers about what the role looks like in practice, as well as talking with the lead official at the European Data Protection Board about this enforcement action and what is expected here, so hopefully those will help.
Marie Patterson:
So I find this super interesting, linking back to what you were talking about with changes in the, or potential changes in the data transfer landscape and the fact that you were mentioning that privacy professionals should really be talking about this at a board level. And it sounds as if for the DPOs, again, particularly the idea that these individuals need to be reporting at a senior level and having that level of independence, this would infer a seat at the table board level discussions. Is that correct?
Caitlin Fennessy:
Yes, absolutely. I think that the important point there is that the seat at the table that privacy professionals are increasingly getting with the board, with CEOs, is not only mandated by laws around the world increasingly, but it's also increasingly needed and necessitated by circumstances. So whether it's the data transfer risks that are created: a whole host of companies, for instance, mentioned data transfer and privacy risks in their U.S. SEC filings, their financial filings, this year as a material risk that could impact their bottom line. But I think as we move on to talk about AI and the like, there's an increasing recognition that how data writ large is protected and handled has a direct impact on customer trust and hence the bottom line. So whether this seat at the table is coming because it's mandated by law, or because of regulators' investigations, or simply this recognition, I think we're seeing it more and more.
Marie Patterson:
Okay. And then the second question I had around this, Caitlin, was clearly this relates for the moment to the GDPR, so this is a European mandate. As we're starting to see more and more states in the United States implement data privacy laws, I know that we'll probably be talking about whether or not we have a federal law for quite some time, but can you see a push for a similar role for U.S. based organizations, whether mandated or organizations voluntarily wanting to see a more important role for data privacy professionals within their companies?
Caitlin Fennessy:
Yeah, so I have two thoughts on that question, and it's a really great one. So first, I think it's worth noting that the idea of a senior privacy officer within companies is actually more American and has been more common in the United States than in Europe, despite the fact that we don't have hard laws requiring it here.
And so in the U.S., the senior-most privacy role is typically termed the chief privacy officer. In the research that we've done annually, we have found that chief privacy officers are often at a more senior level and compensated accordingly at a more senior level than their European counterparts. We also saw U.S. companies very early on, going back to the IAPP's founding more than 20 years ago, embracing this idea of a chief privacy officer. So we have seen it naturally in practice in the U.S. for quite some time.
But kind of paired with that, the ADPPA, the American Data Privacy and Protection Act, which got further than any privacy bill at the federal level in the last Congress, did embrace and call for a privacy officer within its text. We view that as an incredibly important recognition of the role that privacy professionals play in translating policy into practice. Obviously, bills and laws, they're important, they're very important in setting standards and the requirements, but if you don't have the people to do the work within organizations, they're little more than a paper tiger until you see that enforcement. And so having that role is critically important. We haven't yet seen state laws embrace that, but I certainly wouldn't be surprised if we start seeing that in some of the future bills.
Marie Patterson:
So I think all of this is a really great segue for the third key issue, and you've touched on it already as probably the biggest thing maybe that organizations are thinking about.
Caitlin Fennessy:
Yeah, thank you. So certainly what is capturing my mind and attention and imagination these days is what I'm sure so many of those listening in are thinking about, and that is AI and what it is going to mean for organizations. So just last week actually, here at the IAPP, we launched a major new initiative for us, our AI Governance Center at the IAPP, to do basically for AI governance professionals within organizations everything that the IAPP does for privacy professionals. And I think you might ask how these two things are linked. I will ask rhetorically.
So we've done some research in the AI governance space over the past year, and what we found was that in a majority of cases, more than 50% of times, when organizations are developing AI governance programs internally, they are doing it on top of mature privacy programs and leveraging those programs and handing the file to privacy professionals. They have been the first at the table to figure out what AI governance means and what it should look like within organizations.
We also know that in 40% of cases, they're building AI impact assessments by leveraging privacy impact assessments. So what we did last week, and called for, was effectively a call to action for the privacy profession. So I think it's maybe important at the outset to say, when I talk about AI governance, I'm not just talking about the organizations building these new algorithmic models and AI systems. But we're thinking about next steps, about the organizations that are going to take these new AI capabilities and systems, and many have already for years, but I think we're going to see just a profusion of this with the new generative AI technologies, those organizations that are going to build AI into their own products and services and then release them, deploy them into the market.
So they need to think about what that means, how they are governing these systems. And so we don't think we have the 20 plus year runway that privacy has had to build a profession of hundreds of thousands of professionals and organizations around the world. We have to do this at the pace AI is moving. And therefore we think privacy professionals are best placed to tap so that we can scale a new AI governance profession much, much more quickly. And that's because when we look at privacy professionals, not only are they being handed the file, we think they have really transferable skills in this space. And that is because, as we've talked about throughout this conversation, privacy professionals work in a rapidly evolving technological and policy landscape that certainly will apply to AI. We have some major new laws coming down the pike in Europe and Canada and elsewhere, but it's going to change quickly.
Privacy is also a really interdisciplinary field. There is no question that AI governance will be as well. And as a result, privacy professionals within organizations have gotten very accustomed to working with their colleagues across disciplines and across the organizations so that they can implement privacy in practice. And so when we think about AI, we know that AI governance professionals too will have to work across organizations and privacy has the structure to enable that.
However, I think it's really important to call attention to the fact that right now, privacy professionals don't have the skillset or the full skillset necessary to do AI governance. They're going to have to learn more about explainability, for instance, which is not the same as transparency in the way we have typically thought about it. They're going to have to think more about bias detection and algorithmic discrimination. They're going to have to learn something about IP protections because as we all know, AI systems are scraping the web for their training data, and they're producing a lot of material that is raising intellectual property and copyright questions. Then there's the whole issue of misinformation and content moderation and how we're going to deal with that.
So we are moving into these new domains and we'll provide training and certification. We're going to host a conference in Boston in November to help not only those who are doing AI governance now, and those coming from completely other fields, whether it's engineering or data science, but also privacy professionals scale up and train up in all of these areas. And I am really excited about this space because not only is it something new and exciting to learn about, but it feels really important. Those who've been paying attention know that people are raising somewhat existential concerns. Therefore, I think it's really important that we all focus on this now and think, "How can we ensure that AI is deployed within organizations in a safe and trustworthy way? How can we build the profession that will monitor this and build the guardrails around it so that it serves us well as we look forward?" And so we're really excited to jump into this space, and I have no doubt that many of your listeners are themselves beginning to grapple with these issues if they haven't already been working on them for several years now.
Marie Patterson:
So great coverage, I think, and a lot of fantastic information in there, Caitlin. I wanted to pick up on a couple of things that you'd said. When we talked about the role of privacy officers earlier on, right at the beginning of the conversation, you were talking about the fact that much of the role had been focused around policy and keeping track. So for instance, another state introduces a privacy law. What does that now mean internally in terms of our policies? But thinking about AI, it sounds to me as if the role requires so much interaction with the IT department, with the chief data officers, with the marketing teams, with the sales teams, how are you advising your members to start to think about bringing together the different constituents as they look at their usage of AI?
Caitlin Fennessy:
Yeah, so there are so many great questions in what you've just outlined there. And so let me maybe take a step back and say that privacy itself is quite multidisciplinary. I think about the legislative and the law and policy piece of the job as just one part of it, even within privacy. And so I can share that only about 40% of our membership is from the legal field in the IAPP. And in fact, in our latest governance survey, 41% of privacy professionals responding sat within the legal department. So even within privacy, we have those kind of doing the legal pieces. We have privacy engineers working with the teams that are building the products and services and building the protections in at the much more technical level.
We have compliance officers who are charged with building the privacy programs and operationalizing the legal requirements. And so that can be conducting privacy impact assessments. It can be operationalizing data subject access requests, and other rights such as to deletion and the like. So there are privacy folks working across organizations. Of course, I think it's important to recognize plenty of people also have a team of one who has to do all of these things at once.
Marie Patterson:
Certainly, yeah.
Caitlin Fennessy:
And so they are therefore, in some respects, also relationship builders with others across the organization. And so when I look at AI, I think it is going to be very similar in terms of AI governance and how organizations will need to structure these roles. You will need to have effective communicators who can work across teams and help them translate from the legal requirements, which we expect to see very soon. Right now we have the EU AI Act, which has already passed the committee stage in the EU Parliament and will soon have a full parliamentary vote and enter trilogue.
In Canada there is a bill that is expected to make progress very soon in this space. And so you'll need the professionals within organizations to take those policies, translate them into compliance programs, and then be in close touch with your data scientists and engineers about what they mean in practice for your data sets and how they map across the organization, how they're used. And then what is done with this data, how user interfaces are built, and how all of these systems are explained to end users.
I guess the last quick thing I'll note there is that we actually heard that the European Parliament was even looking at whether the DPO, the mandated DPO role, could be leveraged in some way for AI requirements and impact assessments and the like. So I think the policymakers too are looking at these intersections. And of course, we've seen privacy regulators jump in with enforcement actions. There was a temporary ban, for instance, in Italy with regard to ChatGPT that came out of the Italian Garante, the privacy regulator there. So yeah, a lot of intersections.
Marie Patterson:
Well, I think all of this is really fantastic information for our listeners. As you said, if listeners are interested, please go to the IAPP website, and I think you mentioned that's iapp.org. Caitlin, so much fantastic information here. Thank you so much for joining us today. If any of our listeners want to follow up with you, what's the best way of getting in touch with you?
Caitlin Fennessy:
Yeah, thank you. You can certainly always find me on LinkedIn. Connect with me there. You can shoot me an email. My email is fairly easy. It is caitlin@iapp.org. Sign up as we chatted about for the Daily Dashboard or the new AI governance dashboard to keep apprised on fast evolving fields in both of these spaces. But yeah, happy to follow up with questions.
Marie Patterson:
That's great. So Caitlin Fennessy of the IAPP, thank you again for joining us today and covering so many aspects of what's going on around data privacy. If anyone has questions on this topic or would like to talk to Archive360 about it, please send an email mentioning this podcast to info@archive360.com or you can email me directly at marie.patterson@archive360.com. That's M-A-R-I-E dot P-A-T-T-E-R-S-O-N at archive360.com, and we'll get back to you as soon as possible. Again, Caitlin, thank you so much for joining us today. It's been a real pleasure speaking with you and appreciate you spending this time with us.
Caitlin Fennessy:
Thank you, Marie. I really enjoyed chatting with you.
Marie Patterson:
Thank you.