The IAPP DPI UK Intensive: Reflections on a fascinating conference

I often find the most challenging aspect of attending a conference is coping with ‘information overload’. So, with such diverse subject matter at this year's IAPP DPI UK Intensive, I was keen to summarise and share what I personally took away from it. I attended specific sessions on holistic data strategies, AI and its impact on privacy regulation, the Children's Code, PETs and ‘what non-lawyers can bring to the profession’. All of the above are reflected in the content below; however, I've also incorporated aspects of more generic conversations that took place in and around the networking sessions.


1. Privacy for commercial benefit?

I learnt how concepts of privacy - and a company's associated management of data - should be seen as far more than an 'obligation'. As large and as frequent as the fines associated with lack of privacy compliance are becoming, there are plenty of incentives for companies to implement innovative and effective privacy policies.

A 2017 report by the International Energy Agency estimated 2% of global carbon emissions are derived from data storage centres - with that figure expected to rise to 3.5% by 2025. A streamlined and efficient approach to data storage will help reduce an organisation’s carbon footprint, complement its ESG initiatives, and ensure the data it processes is up to date and accurate.

Clear, user-friendly, and transparent privacy policies also have a positive impact on the way an organisation is viewed, by consumers and employees alike. As society becomes increasingly wise to the dangers associated with sub-standard privacy and cyber security policies, it's likely this will be reflected in the choice of companies they buy from, or work for. Remarkably, Cisco’s Benchmark Study in 2020 found that for every dollar an organisation invested in its privacy structure, it received a return on investment of between $2.7 and $3.4.

Investors too are becoming increasingly privacy conscious. I learnt from one delegate that the business they worked for was instructed by a global investment bank to appoint a Group Privacy Director prior to an IPO. As 'ethical investing' becomes increasingly popular, it’s safe to assume this scenario will become commonplace.

2. Children's privacy

I was lucky enough to attend an excellent seminar dedicated to children's data.

I learnt how sophisticated the approaches taken by regulators and thought-leaders in the privacy sector are. Even the name - The Children's Code - was selected as an alternative to the original, more functionally named ‘Age-Appropriate Design Code’ and was specifically chosen to better reflect and appeal to the demographic it serves to protect.

There are now over 90 methods and techniques associated with age assurance and estimation, including specific ‘ICO approved’ methodologies. The technology involved is ground-breaking too - facial recognition software can determine, with 99% accuracy, which 9- to 11-year-old users are under 13.

However, what really struck me was the depth of thought and analysis that has gone into protecting children's online data and behaviour. Techniques to reduce incentives for children to lie about their age were discussed – this included reducing age-barriers for the 'lower risk' aspects of online gaming, as well as highlighting 'child-only' online features as benefits to the consumer. There’s also an increasing number of measures being designed to prevent adults contacting and profiling children online.

3. Solutions to the privacy paradox?

The 'privacy paradox' is a term that was first used in 2001, to describe the seemingly paradoxical behaviour of online users who care about their privacy yet continue to use online products that collect or sell their personal data. The cartoon below is light-hearted, but perfectly summarises the emotional response of the consumer to varying levels of data use.

[Image: cartoon on consumer reactions to varying levels of data use]

‘Transparency’ – with respect to how, why, and in what way an organisation manages its consumers’ data – seemed (to me) to be a broadly applicable solution to manage this paradox, with visually confusing privacy interfaces increasingly being seen as unacceptable by a more educated consumer base.

However, a more specific solution - the use of PETs - was described in a brilliant final session of the conference. PETs (Privacy Enhancing Technologies) aim to reduce and anonymise personal data, whilst retaining the commercial characteristics of a broader data set to ensure it is fit for purpose.

The ICO have called for more investment in PETs and made it clear they fully support their development and use. There is global interest here too. By way of example, the IMDA in Singapore are one of several leading associations known to be trialling PET 'sandboxes'.

Challenges remain. Many organisations are reluctant to incorporate PETs for fear of ‘getting it wrong’, and continuing advancements in technology might erode the anonymity to data that PETs bring. However, the general consensus here is positive, optimistic and progressive.

4. The GDPR was but a starting point for data protection and privacy regulation.

If there was any doubt about the above statement, the DPI Intensive set the record straight. The increasing size, scope, focus and relevance of the subject matter to the world we live in today was clear for all to see.

Technological advancements stand out as the key driver, and none more so than the impact of AI on concepts of privacy.

Bear in mind that AI is, in many ways, juxtaposed to the very principles the GDPR was founded on. After all, the very existence of AI is based on data use. Broader and more historical data sets lead to more effective and accurate AI technology.

There is a great deal of work yet to be done – by regulators and corporates alike - to ensure advancements in technology are not made at the sacrifice of consumer rights.

5. Privacy isn't just for lawyers.

Of course, I wasn't expecting everyone at the event to be in law, but neither was I expecting such a diverse mix of skill sets and backgrounds.

I met several delegates that had worked their way into senior privacy roles from marketing, finance, technology and HR backgrounds. The common theme, or link, between ‘previous roles’ and ‘privacy-centric roles’ was data-centric responsibilities.

There was an excellent session that explored this theme further, focusing on ‘what non-lawyers could bring to the privacy profession’. During this session it became clear how critical the contextual knowledge of an organisation is with respect to privacy leadership and strategy, thus supporting the argument for non-lawyers to be involved in advising on privacy-related matters.

The increasingly broad role that consultants will play in the privacy sector was also clear to see. From globally recognised professional service brands to boutique privacy consultancies - the future looks set to be incredibly busy for all concerned.


Overall, attending the IAPP's DPI UK conference was an amazing experience that left me feeling inspired and energised about the future of the privacy sector.

Indeed, as I wrote this article, I couldn't help but wonder what next year's event will look like and how the topics discussed at this year’s event will continue to develop. I have no doubt that it will be another busy and exciting 12 months for anyone working in the sector.

Finally, I’d like to extend my congratulations and thanks again to the IAPP team for organising such a well-coordinated and forward-thinking event.
