Over the past year and a half the dialogue around privacy, and the social implications of violations of privacy, has shifted significantly, according to Trevor Hughes. Partly that shift has been driven by the Cambridge Analytica scandal, said Hughes, who is the president and chief executive officer of the International Association of Privacy Professionals (IAPP).
However, beyond that particular case, he thinks that increasingly there has been recognition “that we leapt headlong into the digital economy, to the digital revolution, and we’re sort of cleaning up some of the issues that that’s created now,” the IAPP CEO told Computerworld.
“Privacy is transitioning,” Hughes said. “There is this recognition that it is no longer just about individual harm. It’s not about ‘have you violated my data’ or ‘how have you used my data in a way that I wasn’t expecting or I find offensive or problematic’. There are societal level concerns associated with privacy now.”
That includes a recognition that “violations of privacy, misuse of data create real challenges for open and fair elections, democracies generally, fundamental freedoms broadly – things like free speech and other things,” he added. “Even freedom of thought and choice.”
The introduction of the European Union’s General Data Protection Regulation (GDPR) has been a key driver in recent growth of the IAPP, the CEO said.
Hughes said the GDPR has also led to the privacy tech vendor community exploding.
When it comes to compliance with regulatory regimes such as the GDPR, companies “can’t run it out of an Outlook email client and Excel spreadsheets any more – it’s impossible,” the CEO said. “So there are very sophisticated privacy impact assessment management tools, consent management platforms, data inventory platforms, data flow and rules-based engines for restricting data – there are tools that help people.”
The IAPP last year released an “inventory of what was out there” for its members, including a classification of the types of solutions being offered by vendors. The first version, released in January 2017, had 36 companies listed.
“We just released the fourth version of that report in September, and we have 192 listed,” Hughes said. “Not only has our membership exploded, but the services, the industry around the privacy field has exploded as well,” the CEO added. “It’s companies like OneTrust, and TrustArc and DataGuidance – a lot of them have ‘trust’ in their name or ‘data’ in their name!”
In addition, a lot of the bigger players in the tech sector have been adding GDPR and privacy management components to their platforms, he said.
“So Salesforce as a CRM SaaS, all of the major cloud service providers – Google, Microsoft, Amazon, they are having to step up with much greater functionality in the way of privacy management, and so for the first time ever some of those major companies are exhibiting in our conferences because this space is exploding,” he said.
The IAPP, which was formed in 2000, describes itself as the world’s largest privacy organisation. Although the not-for-profit is incorporated in the United States it operates globally, Hughes said.
It has around 45,000 members in 109 and is growing at a “significant clip,” the CEO said.
In January 2017, the IAPP had some 25,000 members. “We have just about doubled – we will be very close to doubling in 24 months in membership,” Hughes said.
“We represent all the people in the world who work in the field of privacy and data protection – so all the chief privacy officers, the privacy lawyers, and also the privacy engineers, which is a rapidly expanding field of specialisation within the IT community.”
Around 40 per cent of IAPP members are lawyers. Members come “from many, many different disciplines – marketing, HR, IT, law, risk, business process management; you name it,” Hughes said.
The IAPP has a staff of 160, with just over 140 based at its headquarters in Portsmouth, New Hampshire. In addition it has a sizeable presence in Brussels, with around 10 people based there, and 12 people in major markets who act as country leaders.
“We are in the market for leadership in Australia and New Zealand and that’s one of the reasons that we’re here,” Hughes said.
The organisation recently absorbed iappANZ, which was formerly an affiliate. When Hughes spoke to Computerworld it was shortly after the launch of a Melbourne chapter of the IAPP and ahead of the debut of Sydney and Auckland chapters.
The IAPP itself is “policy neutral”.
“We like to think of ourselves as a big tent,” Hughes said. “We don’t do any lobbying. I don’t go to legislatures around the world to testify or to push forward a position. Rather we like to bring in regulators, bring in legislators and public policymakers, bring in advocates and academics, bring in industry, bring in public sector professionals — anyone who is interested in the issue — and create a forum in which they can have an open and engaging dialogue, a productive dialogue, on the issues.”
“People all around the world are struggling with very similar issues, they’re struggling with the same types of risks all around the world,” he said. “The laws may differ a little bit, but ultimately the risks are largely the same.”