By Gabe Doran. An interesting interview with J. Trevor Hughes, President and CEO of the International Association of Privacy Professionals (IAPP), the world's largest association of privacy professionals, which promotes, defines and supports the privacy profession globally.
Trevor is widely recognised as a leading privacy expert and during the Summit, he gave a talk in the main auditorium on the nature of privacy through the lens of time, titled ‘The Privacy Imperative Throughout History’.
Welcome to Dublin. Tell me about the work of IAPP and what motivated you to come to speak at the Data Summit.
The Data Summit is an obvious place for us to be. We have a very strong relationship with the Irish Data Protection Commissioner and the Data Protection Minister. We're in a very nascent field, which is the field of privacy professionals. And that makes our organisation, IAPP, a bit different; it puts us on a very steep growth curve. Five years ago, we had 20,000 members. We now have 30,000. We are growing as privacy issues become more sophisticated and complex globally. We represent all private data protection authorities. We serve a brand-new privacy-driven field.
As well as embracing the digital economy, we’re moving towards engaging with the Data Economy. How important is this for businesses in the digital sector and across different sectors?
I think it's inevitable – there simply aren't organisations today that can't in some way be in contact with our digital economy. They are using data, they're using the web, the tools that tech provides to help them do their jobs better. So, the data economy has an inevitability to it. With that comes a need to recognise, understand and respond to data protection, and that's where IAPP comes in. The progress of the digital economy brings with it a responsibility to manage data appropriately, to manage data responsibly, and that's where the IAPP has really found traction and significant growth.
Appointing data protection officers for any organisation whose operations involve monitoring of data subjects is part of the GDPR regulation. In the short to medium term, will this prove to be a burden for businesses in some cases, or will future benefits outweigh this?
The biggest and usually first question in an industry is "will this slow us down, will this cost more, will this hamper our efforts to go faster in the digital economy?"
I think the premise of this question is false, and the idea that good data protection slows an organisation down is false as well. There are costs associated with GDPR, but those aren't compliance costs; those are costs for doing business the right way. Just as we would not want organisations building unsafe products, and it is a cost to ensure your products are 'safe', secure and appropriate for the marketplace, so too data protection is an issue like that.
Another way to describe it: when cars were first introduced in the late 1800s – brand new tech, revolutionary, on its way to changing the nature of society and cities – when originally introduced, cars did not have brakes, so as a result cars were ridiculously dangerous things to drive. So much so that you couldn't go very fast, or you would crash.
And in fact, to deal with the lack of safety with cars, laws were passed in the US called red flag laws, where you had to have someone walk in front of your car waving red flags so that everyone in town would know that there's this unsafe thing coming down the road.
Thus, you could ask the question, what is the function of brakes in cars? The first answer would be to slow cars down, but the reality is that safety increased while allowing cars to really become more useful, more functional and efficient.
Data protection is the same – I think good data protection is like brakes on cars. An uninformed view would say data protection slows the digital economy, but a sophisticated view would say good data protection, over time, allows the digital economy to go faster. And I firmly believe that.
You’ve mentioned previously how not only data protection officers but various other positions in organisations need to develop their understanding of privacy rules – what advice would you give to organisations in terms of training individuals within these roles?
There are three points to make here. Firstly, as we move towards a more robust digital economy, everyone who touches data within an organisation, which is a remarkable number of people in an organisation – human resources, business development, IT engineering, sales – is a privacy risk for that organisation.
This leads to my second point, which is, going forward, everyone in an organisation who touches data will need to have enough knowledge of privacy to not create a risk and not do something stupid involving data.
Thirdly, this means organisations are going to have to embrace role-based, functionally appropriate training across the enterprise. You don’t need the receptionist at the front desk to have a law degree and 80 hours of data protection training, but you do need the receptionist to have enough privacy training so that he or she knows not to widely share that a doctor called an employee in the office one day or that someone had a particular visitor.
You need role-based functional training, appropriately designed to respond to the privacy risks of everyone in the organisation. We're certainly not there yet, but this does not in any way eliminate the need for incredible expertise in data protection functions across enterprises.
Dublin is home to the EMEA HQs of big brands. With the onset of GDPR, how do you see the role of the Irish Data Protection Commissioner developing and becoming more robust in years to come?
Two points to make here. Firstly, the Irish Data Protection Commissioner has already established a strong reputation for a strategic and engaged regulatory function in Ireland, and I think this conference is an example of that. I think that Helen Dixon's speech was an example of that; the Data Protection Commissioner has brought pragmatism with a firm hand to the Data Protection Authority here in Ireland. It is also notable that the Irish Data Protection Commissioner has successfully expanded the function, scope and size of her office to meet and prepare for the growing need for regulatory oversight in the Irish marketplace.
Secondly, there’s no question that Ireland is a data hub not just for Europe but also for the world. Lots of data flows through Dublin, lots of digital decision making occurs in Dublin. As a result, the Irish Data Protection Commissioner needs to be up to that task. And looking forward, I would predict more growth and more need for the type of strategic thinking Helen has brought to office already. Certainly, challenging days lie ahead but there are encouraging indicators of sophistication in engagement from the data authority here in Dublin.
I don't think any other Data Protection Authority in Europe has tripled the size of their office. That requires a lot of political clout. I also think that Ireland is still the only EU country that has both a DPA and a Data Protection minister. A very powerful combo, which communicates the strategic investment and strategic perspective that Helen Dixon is taking, but also that is being taken by the Irish Government at the same time.
We don’t have another data protection authority like this in Europe.
What can be done to foster a stronger culture and awareness of data protection in preparation for GDPR and after its implementation?
I want to make very clear that May of 2018 is not a finish line. Not for one second should anyone think that that is the end of our work; in many ways, it's just the beginning – these are the prep stages for the GDPR regime we're about to enter.
Rome wasn't built in a day, and neither will GDPR compliance be built in a year. I think, based on many organisations and surveys released this week, that there's much awareness work to do in Ireland – we will need to continue to work on these things for quite a long time. In order to successfully embrace what the GDPR is trying to achieve, though, we need to go beyond compliance. Yes, organisations need to comply with the black letter law of GDPR, but compliance is just the start.
Just because it's legal doesn't mean that it's not stupid. Organisations have the ability to incur massive privacy risks not just by breaking the law but by violating the privacy of their clients, market or society.
So that suggests we need to drive privacy sensitivity across enterprises. We need to instill with privacy the same type of instant reaction that we have to recycle bins around an office.
We know that when we go to a rubbish tip, we look for the place to put specific types of rubbish. We need that broad institutional awareness so that we handle data appropriately – that takes time, education, awareness campaigns, enforcement from authorities. Frankly, it's a lifetime of incredibly important and invaluable work, so it's engaging for those of us who are part of this profession.
You recently spoke at IAB's 'Interact 2017' event on the proposed E-Privacy regulation by the European Commission. The proposed regulation has attracted criticism from publishers and online advertisers for offering users a single "switch" style opt-out from cookies. Can you outline possible solutions?
I started as a privacy pro in the AdTech industry, so I have some experience and some scars to show from those battles.
Firstly, I have some sympathy for the AdTech industry when they say browser controls are too blunt an instrument and not all cookies are created equal. But the 'blunt instrument' nature of a single browser switch creates some concerns.
Secondly, one of the dynamics we've seen emerge is that, given the diffuse and global nature of the AdTech industry, nefarious actors will find ways around controls, so a 'switch' idea may create a false sense of security.
Another concern is that it delegates authority over consumer protection mechanisms to private actors in the marketplace, and those private actors have their own interests as well.
Regarding my contra opinion: cookies have been a consumer protection issue that has been debated now for twenty years. Cookies were invented by the founder of Netscape in the mid-90s. Soon after their adoption, privacy issues with cookies became understood, so it was around the late 90s that cookies began to be talked about as a privacy issue. We're still talking about cookies as a privacy issue.
I think there is a moment of clarity that needs to manifest, where AdTech does some soul searching and asks "What is it about this function that is still causing privacy concerns?" The e-privacy regulation is clearly a thundercloud on the horizon – it hasn't fully broken over the AdTech industry yet, but it's on the horizon – and it's not the only one. If the AdTech industry doesn't get a sense of how to address these issues, it may find itself going the way of pop-up advertising.
In the wake of recent terrorist attacks, the subject of having internet companies develop back doors within their encrypted consumer devices and apps, e.g. WhatsApp, is trending again in political debate. Are consumers at potential risk from such an idea?
This is a massive philosophical question – we heard this break out in the opening panel this morning. I think that the idea that privacy and security live at odds with each other is again a false proposition – these two areas are very much intertwined and interrelated. It is without question that national security is a vital aspect of society, and keeping citizens physically safe from harm is a vital national interest.
So too is protecting the privacy of citizens while enabling the societal interests of privacy to be respected and recognised. I can't draw the line for you and say *this* level of security is the way to set things. There are, however, important debates happening globally right now related to encryption and the potential trade-offs.
It's notable that end-to-end encryption creates barriers to legitimate intelligence gathering, while on the other hand, the creation of back doors creates a vulnerability that can be exploited by not just well-intentioned governments but nefarious actors as well – a potential 'weak link in the chain'.
There needs to be ongoing discussions on how we negotiate these interests, as opposed to balancing these interests, as it’s not about balance.
It’s about negotiating to achieve the greatest possible result for each, without compromising either – this requires a dialogue between two domains – data privacy experts speaking with national security experts.
Edited and prepared by Oscar Michel, Masters in Journalism, DCU.