The second day of PrivSec Global brought more thought-leaders and industry experts together to dissect the issues driving Privacy and Security today.
Keynote talks, presentations and panel discussions were delivered through two content-packed streams, bringing an international audience up to speed with the very latest industry discussion.
In the morning, China’s comprehensive data protection legislation, the Personal Information Protection Law (PIPL), went under the magnifying glass. The framework took effect last November, providing unprecedented opportunities for privacy professionals in China, but also putting them at direct risk of potential legal action.
Experts at PrivSec Global explored how the PIPL is driving demand for Data Protection Officers (DPOs) in China, and what roles and responsibilities a DPO has under the new laws.
Carolyn Bigg, Partner at DLA Piper Hong Kong and Global Co-Chair of DLA Piper’s data protection, privacy and security practice, said:
“The thresholds under PIPL are not as clear cut as under the GDPR. The real practical expectations of the regulations are that each organisation has a person on the ground who the authorities can speak to.”
“There are three distinctions:
- Effectively, historically the DPO has been the first point of contact for regulators in China, but really that person has to be someone on the ground who can deal with the Chinese authorities however they get in contact.
- The connection with global privacy functions is important – the reality is that China DPOs are going to be very reliant on their privacy colleagues around the world, as legislative infrastructures develop. Here, the role has to be seen in a global context.
- The role is broader – the PIPL is one part of a huge framework of laws, so I tend to see it more as a true “data” officer, as we’re talking about many categories of data and the governance is much broader,” Carolyn Bigg continued.
Comparing the concept of a DPO in Europe with that in China, Dr Amigo L. Xie, Partner at K&L Gates, said:
“A Personal Information Protection Officer exists under the PIPL, and the tasks, responsibilities and duties are not the same as the DPO under GDPR. It’s a similar concept,
The morning’s second session at PrivSec Global saw thought-leaders tackle another crucial issue: how businesses are driving customer trust and success through privacy.
Magdalena Avanesian, Founder, Legal Counsel & Privacy Officer at The Tech Lawyer, said:
“I don’t believe that trust can disappear with a data breach because even if something bad happens, it’s how you learn from it. Being honest, transparent and talking to the customer about what happened – that’s where the power lies.”
Jose Belo, Head of Data Privacy at Valuer.ai, said:
“We know that US companies are increasingly investing in cybersecurity and information security. There’s a challenge for European companies – Schrems II has enabled us to close this gap
“When to put questions to the regulators? I think it should be done as early as possible to demonstrate that you are moving toward compliance. Asking the regulator is not to invite trouble, but I think it’s a way to show you’re doing your best and that you’re looking for answers. I think that the trust that regulators have in you begins with confident communication. Data breaches that are handled properly cause less damage to the company,” Jose Belo added.
Lukas Rottleb, CIPP/E, Solutions Engineer Lead at OneTrust PreferenceChoice, said:
“Cookie banners are a win-lose situation – people get tracked, they get ads (which is great for the organisation, because they get money), but it’s not great for the customer because they do not understand how they get value from it. I think customers should have the choice and give something back, but that’s not what’s happening in current implementations of cookie banners.
“Transparency is key, but there’s different sorts; you have long legalese text and drafted policies which simply aren’t understandable to those not within that domain. So, you need easy-to-understand transparency.
“I think it’s key to provide choice to consumers. When they see you are respecting their personal preferences, then that builds trust, too. It adds a layer of trust on top of that which comes from compliance with GDPR and other regulations,” Lukas Rottleb finished.
The lunchtime talk at PrivSec Global looked at data protection law progressions in the Middle East and North Africa (MENA) region. Following the enactment of two data protection laws in Abu Dhabi and Dubai in recent years, the United Arab Emirates (UAE) recently adopted a comprehensive data protection law at federal level.
Lori Baker, VP, Legal & Director of Data Protection at DIFC, said:
“This law is part of a long journey – yes, there are still bits that remain to be developed and clarified, but this law was very carefully thought out to grasp as much of current best practices as possible, while also being forward-looking in terms of what works for the UAE, its businesses and data subjects.
“I think it’s done its job well in realising those prime objectives. I think we’ll see some very interesting developments over time – by September 2022, hopefully we’ll see some interesting regulations coming out, too,” Lori Baker added.
Osama El-Masry, Data Protection & Privacy Officer at Vodafone Egypt, said:
“Privacy and respecting customers is an essential part of the sustenance of organisations. If we look at Apple – they are going beyond the mandates and using privacy as a competitive edge. This is the real benefit of these regulations – they are stimulating companies to go beyond. Organisations need to be more proactive and see it as something that they need to do.
“The benefit of being proactive is that regulations are less of a burden because you already have your transparency, consents etc. in place. You are then looking at the way these practices must be implemented, as opposed to starting cold,” Osama El-Masry continued.
Lucy Tucker, Associate at Latham & Watkins, said:
“The legal basis [for processing] is very interesting across the region; compared with the GDPR, the new UAE federal law doesn’t have legitimate interest as a legal basis. Organisations that are relying on legitimate interest will have to find another legal basis.
“For marketing, it’s likely that you will have to change what you’re doing in this region. Consents are interesting too – they are the primary legal basis, similar to the definition under GDPR, but a key component missing in the UAE law is that the consent must be freely given. A lower standard of consent may have to be adopted in the UAE in comparison to that stipulated under the GDPR,” Lucy Tucker added.
In the afternoon, attention turned to harnessing the power of AI and analytics at a time when organisations are collecting droves of sensitive data to derive intelligence and create new value.
Kash Mehdi, Informatica, said:
“The challenge is that, for companies, every 12-14 months their data almost doubles. So, the role of AI is to help companies break the silos that this data sits in, and get access to data scientists as quickly as possible.
“We find that Informatica’s AI solutions are helping our customers to break these silos, gain visibilities, and help their firms to become more data-driven.
“We have customers who want to connect to all the systems that they have. We recommend that they start small, then scale fast,” Kash Mehdi advised.
Raising awareness among employees is a vital component of any organisation’s security programme. But even the most security-savvy staff members are still liable to make a mistake – and one human error can cost a company millions.
In a tea-time focus talk at PrivSec Global, experts considered the fundamental security controls every company needs in addition to staff training.
Setting the tone, Victoria Guilloit, Partner at Privacy Culture, said:
“Everyone needs a certain level of security awareness in accordance with their role.”
Tsholofelo Rantao, CISM, Data Protection Officer at FNB South Africa, said:
“Organisations need to start investing in people and empowering them to have an eye for security.
“Security needs a layered approach, so you need ways to ensure you invest in both people and technology. You need to define what training means to your organisation – is it going to be an engagement-based concern wherein people mature as the information matures?” Tsholofelo Rantao added.
Claude-Étienne Armingaud, Partner - Practice Group Coordinator, Data Protection, Privacy and Security at K&L Gates LLP, said:
“Training can be anything and it’s often perceived as a chore. I was never a fan of lecture-style training, because here you’re talking about something that is so operational. Training is about application of that training in the real situation.
“In terms of the process – whatever you think of, something else will happen. It’s not a matter of if, but when. Whatever you fail to think of is what you’ll be unprepared for. So, review what you can do, and try to understand what can be automated in terms of cybersecurity that can help you, such as intrusion detection,” Claude-Étienne Armingaud added.
“There’s a requirement to tailor your training to your workforce based on their roles. Some people will need to know that they cannot solve an entire cybersecurity problem on their own. They need to be cognisant of what to do when the worst happens,” Claude-Étienne Armingaud continued.
A panel discussion at PrivSec Global then studied fundamentals of privacy for security professionals, in a session sponsored by Exterro. Outlining the definitions, Shannon Togawa Mercer, Senior Associate at Wilmer Cutler Pickering Hale and Dorr LLP, said:
“When we say privacy, we mean the legal or ethical framework around how personal data and PII are processed.
“Security, especially in cybersecurity, often refers to something broader than the protection of personal data; we’re talking about the protection of IT infrastructures and systems. Security also requires the consideration of legal frameworks,” Shannon Togawa Mercer continued.
Steve Wright, Privacy Culture, said:
“People’s attitudes towards this issue are critical here, but one size does not fit all. You’ve got to teach and train people and give it to them using words and language – thinking about how people in your business will respond to the messages.
“Empathy is a great thing – personalising the training. The missing bit for me is that lots of organisations – especially with the GDPR – concentrated on making sure we had the correct lawful basis etc., but we missed the fact that, from both the security and privacy perspective, we share common goals. More alignment is needed, and perhaps we need to change the Board’s mind.
“Privacy is often seen as a legal issue, but it’s not – it’s a business issue, it’s a people issue. We have to bring this world together with security and recognise it’s about data, respect, responsibility and accountability, right the way down to the shop floor,” Steve Wright said.
Glen Hymers, Head of Data Privacy and Compliance, Data Privacy and Compliance Team, CDIO Directorate at the Cabinet Office, said:
“The conflict of interest between privacy and security – it’s like marking your own homework. It’s two sides of the same coin – you can’t have ‘data privacy’ without security, but you can have security without data privacy.
“As a security professional, the thing to be aware of is the legal bases for processing data in the first place, then thinking about how we can work to ensure security by design is embedded,” Glen Hymers concluded.