Nordic Privacy Arena 2023

?? Biggest highlight: Getting to meet so many fellow DPOs and GDPR nerds, finally, in person at #NPA2023!

Another highlight was having all five Directors from the Nordic data protection authorities present, nicely captured in the middle above (photo by Forum f?r Dataskydd ).

• ???? Anu Talus, Tietosuojavaltuutetun toimisto – Office of the Data Protection Ombudsman & Chair of the European Data Protection Board kicked things off and talked about regulating new tech. Memorable quote: "When trying to solve a privacy challenge, don't create a bigger one" re. CSAM.
• ???? Line Coll, Datatilsynet: introduced us to her charming dog and lead us through the intriguing transition from the dark side of business to being a supervisor. Also take note of her comment about embedding privacy and data protection in a sustainable business. ??
• ???? Cristina Angela Gulisano, Datatilsynet: showed us how some of the excellent work they do in Denmark (that I often refer to) with not only practical guidelines but an entire "GDPR Universe". We might also get an update on the notorious Helsing?r case by the end of the year (tip: we have no less than THREE episodes on this on the Grumpy GDPR ???, two of which Allan Frank guested). Go listen! :)
• ???? Karin L?nnheden, Integritetsskyddsmyndigheten (IMY): talked about eroding privacy and that our rights are more crucial than ever (and got a few quite grumpy questions from your truly ??) and the important balance when prioritising our work ((Schrems) trees vs the forest, for example).
• Then, Michael Hopp moderated the panel discussion, leading to an intriguing conversation on scope, where both Cristina and ???? Helga Thorisdottir from Persónuvernd concluded that "Scope is everything". One to note!

The DPAs mentioned the particular value of the Nordic collaboration, which has a long history not only in privacy and data protection, but generally (that I can attest to, having worked myself at Nordic Innovation ).

I'll just suggest one thing, that might be missing: sharing more guidance. Look to Denmark, and I believe Cristina mentioned it specifically, that everyone can shamelessly copy what they do! Perhaps even better: agree who takes responsibility for what, distribute tasks and then translate it all. Oh, don't forget the diagrams! ??

#SharingIsCaring, not least since we all are too familiar with the challenge of being understaffed and under-resources (DPAs and DPOs alike!).

The DPAs also talked about their increasing focus on more efficient case-handling, which was great to hear, considering the sometimes intolerable long case-handling times...

There were many other nuggets and take-aways from this year's Nordic Privacy Arena, too many for a short LinkedIn article, but here's a selection:

• Abtin K. gave us food for thought in his presentation AI for privacy dummies. And the only thing everyone can agree on, is that we need to regulate AI...
• Hearing from experienced DPOs is always interesting and that panel was no exception, thanks for sharing Nils G., Olle, Arnd, Kerstin, Phoenix and Juha. Juha mentioned one of the most important words when working in/with privacy and data protection: Culture—one of the two key C's I talk a lot about, especially when teaching, the other being Communication.
• Day 1 ended with fireworks with David Jacoby 's fascinating (and a bit terrifying) talk "I have nothing to hide" and the pertinent question: "Do you really need to connect your toothbrush?" ?? (Answer: It never was, I still have a dumb house!)
• Day 2 was kicked off by the eminent Paul & K Royal, from the well-known Serious Privacy ???, who gave us a great summary of the event so far, live podcasting from the scene. As a fellow podcaster, I know this is not a small task, so well done both of you! ??
• Kim Parviainen then, on very short notice, gave an excellent presentation on transfers, reminding me of the article I wrote half a year ago on one of those infamous examples he mentioned on EEA-based processor re-transmitting personal data to a controller in a third country. Still keen to hear others' opinions. Read it here: Time to rethink the GDPR (guidelines)?
• Next up was Odia Kagan to present the ???? perspective on the DPF in a particularly informative presentation jam-packed with several examples of Article 5 principles "implementation" in both US legislation and case law. Very interesting! ?? Odia also kept everyone up to date throughout the event, check out her LinkedIn posts here.
• Eleonor Duhs talked about upcoming ???? changes, for example the removal of the DPO role, being replaced with a "senior responsible person". I wonder what the UK DPOs are doing now, career-wise. ??
• The transfer panel wrapped up the discussion and Stephen Bonner from the Information Commissioner's Office promised to wear the ICO raid jacket next time. ;)

• Finally, the prize for the most memorable quote goes to Allan Frank , saying that the CJEU is "like a box of chocolates, you never know what you're gonna get". ?? Spot on!

And that was everything I got to hear before leaving, unfortunately missing out on Olle Pettersson 's CJEU update that must have been such a nugget! Fortunately, Olle has kindly shared his presentation here (thank you!).

Not least, a huge shoutout to Filip Johnssén & Dataministeriet for organising the mingle and handing out well-deserved prizes to Caroline Olstedt Carlstr?m , Olle Pettersson & Odia Kagan for their amazing efforts and contributions to our community. ??

Then, a final note, that you might be tired of hearing me say, but it's so important: ? THERE'S NO SUCH THING AS 100% COMPLIANCE. And while I'm at it: ? There's no such thing as "remove all risks" either. I'll have to write a dedicated post to this alone, but for now: Dear DPO, just lower your shoulders, there's no point trying to achieve the impossible.

As Cristina Angela Gulisano from the Danish DPA said: "We can always find something." ??

Did you attend? What's your key take-away(s)?

#gdpr #privacy #dataprotection #networking