Data protection is a business issue, says IAPP

This is a “special moment” in the history of data privacy and data protection, says Omer Tene, vice-president and chief knowledge officer for the International Association of Privacy Professionals (IAPP).

“There is a bit of a frenzy and a buzz with the EU’s General Data Protection Regulation compliance deadline fast approaching, and the Facebook-Cambridge Analytica scandal feeding into it,” Tene told Computer Weekly at the IAPP Data Protection Intensive conference in London.

Commenting on the GDPR compliance deadline of 25 May 2018, he said it is not a significant date like 1 January 2000 was in the Y2K crisis, after which it was forgotten. “The deadline is just part of an ongoing process,” he said. “Many businesses will not be compliant, but will continue to function and work towards compliance.”

In the past few years, the IAPP has seen tremendous growth in membership, standing at 40,000 worldwide, with 10,500 in Europe, including 3,000 in the UK alone, but Tene does not ascribe this to the GDPR alone.

“Steep growth started even before organisations started preparing for the GDPR,” he said. “It took about 10 years to reach the 10,000-member mark, but membership started growing quickly about five years ago, and we have added 30,000 members in that time.”

Tene believes this has been driven mainly by businesses’ recognition that data is a precious asset as well as a potential source of risk.

Unlike the information security industry, the data privacy industry does not have a gender bias issue, he said. “Our membership is approximately 50/50 and there is roughly equal representation of men and women at all levels of seniority, right from the very top down, with equal salaries for men and women doing the same jobs.”

The privacy industry started about 20 years ago, said Tene, when companies started appointing privacy officers and treating privacy as a strategic business issue rather than a compliance issue. The first movers were data-intensive companies such as DoubleClick, IBM, Axiom and Microsoft.

As a result, the privacy industry is more mature in the US, but has started to pick up significantly in Europe and in recent years, largely driven by the GDPR, said Tene.

“Data privacy is increasingly a business issue, and we are seeing a growing emphasis in business on data management, data governance and data risk,” he said.

Companies in data-intensive industries, such as technology, internet companies, marketing and healthcare, and especially those in the US, are also the leaders in terms of understanding that good data protection makes good business sense because it enables them to be innovative in their use of data without increasing risk, said Tene.

“While this approach and understanding is maturing in the UK, it is lower down the curve, while in the rest of Europe, it is really only in a nascent phase of building up,” he said. “Companies are increasingly understanding that it is not a regulatory or compliance issue, but a business imperative to maintain consumer trust.

“The ability to use data in innovative ways and the ability to ensure that data is properly managed so that people’s rights are not infringed are very closely intertwined, as Facebook is experiencing now.”

Tene believes national data protection authorities have an important role to play in ensuring that the Facebook-Cambridge Analytica case not only raises awareness of privacy issues, but does not simply blow over and also delivers meaningful and positive change, like the Snowden revelations did.

“The GDPR alone will not ensure continued awareness and change,” he said. “It is incumbent upon regulators to ensure it, and on citizens to bring individual or class actions because, despite the fact that European and national privacy laws have existed for decades, there has been very little meaningful implementation of it on the ground.

“Laws alone are not enough. You need to have the infrastructure and capacity on the ground and, in this respect, the US is actually more advanced than Europe, even in the absence of [privacy] laws, because it is not just a legally driven issue.”

Asked about awareness of the GDPR in the US, Tene said the multinationals are well on the path to implementation, but awareness and implementation are much lower among smaller and community-based companies.

“It is very much in US corporate governance culture to comply with laws, driven by a desire to protect the board from liability,” he said. “I don’t think the GDPR will be an exception.”