Big brands and industry heads spoke at PrivSec Global today, allowing an international audience to get to the forefront of discussion on data protection, privacy and cybersecurity.
In a highlight morning discussion, Robert Bateman, Analyst and Research Director, GRC World Forums, chaired a debate on the UK’s divergence from EU GDPR and how it affects digital advertising.
Alasdair Macdonald, COO, Glimpse Protocol, said:
“Technical changes are going to supersede a lot of the regulation work, I think. In North America, half of the audience is already operating free of cookies, and that will just grow. This massively impacts a lot of the services that rely on cookies.
“Wider in sandbox proposals there’s a stack of other issues – regarding privacy budget, fence frames, issues around authentication around anti-fraud, etc. A lot of the work that’s going on around what private consumer data is pointless, because a lot of these techniques are steadily being shut down anyway,” Macdonald added.
Focus then fell on organisational resilience, with panellists reflecting on a recent Swiss Re/GEC Risk White paper’s definition of cyber-resilience as “an organisation’s ability to sustainably maintain, build and deliver intended business outcomes despite adverse cyber-events.”
Annick O’Brien, COO, CybSafe, said:
“Really, we’re looking at IT as just being a facilitator. You need whoever is responsible for IT to speak with the Board and make sure that there is alignment throughout the organisation – with legal teams, compliance teams, DPOs etc. – to ensure that teams are matching up.”
Fleshing out these perspectives, Amit Tenglikar, Associate Director - Advisory Services, BDO Chartered Accountants & Advisors, said:
“Cybersecurity is about business continuity and remaining agile in the event of disaster. You have to look at your existing resources and how you can maximise the potential of them.”
Ties Beekhuis, Systems Engineer, HYCU, underlined how life is harder for smaller organisations who have to “keep up with new developments in the market and with all the new attacks that are taking place.
“For these kinds of companies, it’s essential to focus on the resilience as well as the cybersecurity side. An attack is a matter of ‘when’ not ‘if’,” Beekhuis added.
As the day progressed, audiences were taken on a deep-dive into DSARs (Data Subject Access Requests), and the importance of a people-centric approach to this crucial e-documentation.
Panellists looked at transparency at the heart of DSAR processes, as well as data mapping and data retention management.
Offering guidance on practical steps that organisations can take with regard to using automation for compliance ends, Adrian Leung, Data Protection Officer, Equifax, said:
“Explore ways to have a user-friendly portal for DSARs. Then you have to gather information, collate it, and work out presentation formats. Then think about a secure way to send the data to the data subject. You need the portal to be secure end-to-end.”
“Consumers often find it annoying that they need to provide ID when they use these portals. So, portals need to take pain away from that process,” Leung added.
In the afternoon, data transfers went under the microscope in a keynote sponsored by OneTrust.
Leading the talk, Alexis Kateifides, FIP, CIPP/E, CIPM, Lead Privacy Counsel, OneTrust, began by showing the audience a statement released by the European Data Protection Board:
“Transferring personal data to third countries cannot be a means to undermine or water down the protection it is afforded in the EEA. The Court also asserts this by clarifying that the level of protection in third countries does not need to be identical to that guaranteed within the EEA but essentially equivalent.”
“One of the top things we’re hearing about is how privacy is helping enable the business – not actually slow it down. International data transfers are obviously a big part of how every organisation operates,” Kateifides said.
Offering guidance on these issues, Kateifides added:
“For third-country assessments, evaluate the laws and practices of the third country independent of a specific data transfer. Ask questions like: is there a data protection law; are there government surveillance laws; is there an independent supervisory authority?
“For transfer-specific assessments, evaluate the details of a specific transfer and importer in the context of the third country. Ask questions like: what categories of data are transferred; have you received a government request; are there onward transfers to sub-processors?” he continued.
In a keenly anticipated session, Alistair Cole, Partner at Privacy Culture, chaired a debate on staff working overseas, and how remote working impacts on data protection and security within an organisation.
Mark Chang, JD, MBA, CIPP/E, Director of Risk, Compliance, & Privacy, Florida State University, set the tone:
“Most people, now they can move anywhere, they can save a lot of money, so they don’t see the point of being in the office. So, how can you encourage employees to keep you in the loop if they are outside the jurisdiction?” Chang said.
“Are people that much more productive just because they’re sitting in front of a camera being monitored? Having the trust of having your employees doing their work, it shouldn’t be an issue now,” Chang added.
K Royal, Associate General Counsel - Privacy Intelligence, TrustArc, said:
“I think employees being able to work from anywhere – maybe it’s not a big issue in the US, where you have lots of States. But looking globally, does my boss care if I’m working from the UK? Probably not, so long as I have WiFi.
“Privacy is very closely aligned to the legal profession, and we historically don’t support remote environments. We like people to be in the office,” K added.
“I’ve seen a lot of complications coming in in the government sector where you have a high percentage of older workers who align to more traditional working models. Privacy and security has really had to set up so that all workers can accommodate the data in their possession,” K continued.
Offering insight into how organisations can cope with this “new normal”, K said:
“Make sure you protect those endpoints – even if they’re using their own devices, make sure you’re securing those and encrypting those. Try to put in fundamental security protocols. Also, roll out appropriate training – it doesn’t have to be horrible, it can be fun! – but employees need to know what they’re doing and what they’re handling. That’s probably 50% of the battle – knowing what you’re handling.
“Policies may need to be updated – does your notice cover that your employees might be working all over the globe?”
Don’t miss day two of PrivSec Global! Themes explored include the impact of RegTech; deep-sea phishing and its increasing sophistication as a cyberthreat; AI systems within privacy and security, and much more!
Access expert advice and guidance from senior leaders representing organisations such as Christian Dior, Salesforce, HSBC, Bloomberg Law, OneTrust, TrustArc, NOYB, European Blockchain Observatory, Verizon Threat Research Advisory Center, Qatar Financial Centre, Oracle, Huawei Portugal, MITRE, Oxford Internet Institute, Equifax, Deutsche Bank AG, University of Glasgow, DCMS, Orrick and lots more.