Hi everyone. As mentioned, I'm Saami. I'm a principal researcher and privacy management at the International Association of Privacy Professionals and my focus is on researching how organizations may ever grow in privacy compliance requirements both now and in the future. So my current research focus includes understanding how organizations are managing privacy risk frameworks, looking at the compensation or privacy professionals through our salary survey, which is a product that we've got under development at the moment, as well as looking at understanding how organizations approach privacy governance. Before this, I spent almost eight years in consulting working with global organizations of the net requirements from privacy regulations. And today I want to talk about the role of privacy in building enterprise resilience, whether there are overlaps between the two topics and what might organizations consider across both these topics to, before we get into all of that, where is privacy in 2022?
One thing for sure, it's never been higher on the political agenda, countries have picked up privacy legislation faster than most other laws. Now I would never have expected that in 2022, over 50% of the world's population will be covered by privacy laws. And importantly with India and China pricing privacy laws, this puts 80 plus percent of the world's UDP subject to privacy laws. And in the last few years we've seen a proliferation of those laws across the world from China to California. A number of these have built on the concepts introduced by the EU general data protection Regulation, which which has been some of the foundation, but also they've, the new ones have included new requirements and specifications. Though trends and patterns continue to emerge across these regulations, each one adds its own spin on regulation and privacy. Some of the most recent regulation represent opening salvos in ongoing shift from privacy focused on notice and choice towards one that's rooted in principles are data minimization and use specification.
Well what about enforcement or the difference between 2019 and 2021 is staggering in terms of the total number of enforcement cases that we're aware of in 2019, for instance, we saw fines of around 72 million euros in just over 150 enforcements bars forward to 2021. And that's shot up dramatically to over a billion euros and fines across over 400 cases. And the indications are that this journey is likely to increase as regulators turn their focus away from Covid related work back towards the issues that they were looking at pre pandemic. For examples, we've seen this as being topics such as realtime bidding, international transfers, subject a request and breaches to name just a few.
I'm be the uk. And in the UK we're in a fairly interesting position at the moment if you're, if you're not aware, we have a new information commissioner. We have the Department of Media Cultural and Sport looking at how the UK can provide business flexibility whilst ensuring protection and a somewhat interesting political landscape that plays out day by day with, with lots of surprises. So whether the UK moves closer to the US or stays close to the EU or chance's own course to privacy, it's going to be a fascinating journey to watch topics like epri, cookies, ad tech, iot, all continue to have developments too and remain spaces to watch out for. And these are all areas that are going to be covered in more detail by the A A P over the next year. But what about data itself? The volume of data, the variety and velocity of it is, is massive with a, with an estimated 74 zetabytes created in 2021.
Let's keep this simple cause I know that's a bit hard to conceptualize what I mean, what's that byte? To put that into context, that's nearly 600 billion, 128 gigabyte iPhones. But what's clear is that with continued developments in technology and the ongoing hyperpersonalization of products and services, the volumes and variety and velocity are exponentially increasing every day. Organizations are trying to manage this while striving to devise a perfect data mix of personal data, which provides a platform to unlock new opportunities for our insight based decision making, innovation and revenue growth, or while ensuring that privacy, security, resilience and ethics concerned are effectively managed at all times in 2022. We ex privacy, we expect privacy to become even more central to the data agenda. But what do we expect this data agenda to look like? Well, it's going to depend on the industry, but we see a number of privacy related data topics bubbling up to the surface and I'm just going talk about a couple of them now.
One of these is, is data sovereignty. We, we all know about the the great firewall China and others, but there are increasing sovereignty requirements from new laws in Africa to to France, Germany, and the Nordics and even some proposals of localized internet solutions in the us. This is a trend which is increasing but also causes a fair bit of conflict with the way global organizations are architected from their infrastructure. It may not come naturally to a number of organizations and and it may require a lot of work and a lot of understanding of what the sovereignty requirements are before implementing that into the actual infrastructure that an organization has in place. Another trend we're seeing is around data tagging and permissioning. This really drives at how you can tag data with directly with the compliance and privacy requirements to better control it's used retention and disclosure throughout the organization.
A promising feature that allows you to to port requirements through with data so that you know, we bring those two closer together. Development and synthetic data and tokenized data spaces potentially offer new and innovative privacy enhancing ways organizations can retain the utility of data whilst enhanced privacy. So another development that potentially can support privacy whilst also having a number of complications from you know, how it works to how regulators pushed up putting out guidance to issues around privacy and security being managed appropriately, this developing area. And so again, another area which needs to be kept on top of ultimately the conclusion we can draw from all of this is that it's definitely not quieten down since the advent of the GPR and it doesn't look like it's going to quieten down anytime soon either.
So if we think about privacy and resilience, a question comes to mind. Is it privacy versus resilience or privacy and resilience? Well, let's break this down a bit further. Organizations are becoming increasing vulnerable to change and uncertainty as they become more complex virtual and interdependent with further pressures exerted by cost reduction programs and aggressive streamlining. We know that an effective enterprise resilience strategy can give the organization an ability to spot, recover and react from short term disruptive challenges and most importantly adapt and evolve in response to more significant structural changes. Essentially it's about continuous survival and evolution in the face of adversity. We also know that given recent tests of resilience, those organizations like whether those disruptions can ultimately gain a competitive advantage. So from a commercial perspective it starts to make sense too. We, we also see companies profiting through more comprehensive process of managing risk across the extended enterprise in an increasingly complex global economy.
And in doing so, that's where they establish greater enterprise resilience. Let's step back. How does privacy fit in? Well, let's look at this for a second. From the lens of an organization that might be taking right steps. An organization that's got the privacy and resilience from mixed right effectively aligns its corporate strategy operations, governance structures and decision support capabilities. So that can identify and manage continually changing privacy risks is also ready for disruption from those privacy risks to primary earnings drivers and ready to take advantage over less adaptive competitors. It might have established transparency and put in place controls to address privacy risk across the standard enterprise and it can withstand privacy breaches, increased volumes of privacy requests from individuals, continue changes in regulations, increased risks presented by new and novel uses of technologies to process personal data and the myriad of challenges that companies face today. Let's go back to the exam question for a second. Is it privacy versus resilience or privacy and resilience? Well, hopefully it's clear that you really can't have one without the other and privacy regulation certainly thinks so with the GDPR requiring implementation of appropriate technology, technical and organizational measures that ensure level of security appropriate to the risk, including the ability to ensure resilience and processing systems and services and restore availability and access to personal data in a retirement manner. A bit of a mouthful, but resilience is important from privacy perspective.
So if you move on, how can privacy help build enterprise resilience? Well, we can look at this from the perspective of how management of privacy risk helps contribute to enterprise resilience and secondly of how enterprise resilience itself can learn from privacy risk management. So let's start with the first privacy risk management. While there's a need to tackle privacy risk in a sustainable way that allows you to remain resilient as the external environment continues to evolve. Right now the external environment is particularly challenging given the motivation of threat actors what also new regulations and the continued development and understanding an application of existing regulation. The one case scenario here is for an organization to remain st segment and unable to proactively plan ahead or even be reactive enough to respond to changes. There's therefore a need to balance between effectively defending and managing an organization critical assets, whether that's to people, customers, technology, information systems and processes.
And to balance that with maintaining compliance with the growing list of different dates and sectors, privacy and security requirements, the risks of data exposure, loss of trust and regulatory scrutiny are pressing organizational concerns that are all heightened when personal data is involved. And with this in mind, organizations are likely to have set up a governance and operating model that establishes the right roles and responsibilities for the organization to manage privacy risk sustainably. This too might be supported by a privacy risk and control framework that is aligned with broader enterprise risk management framework that helps to consistently talk about risk across the organization no matter which risk area that that you look at. Privacy teams too would've spent time understanding the business and key processing activities, all of which could contribute to understanding of important business services from an enterprise resilience perspective. And finally, if we think about perceived by design, it's helping to embed risk processes in the introduction or changes of new services and products.
The change mechanisms that have been implemented here could be used from an enterprise resilience perspective to understand how these changes couldn't impact the enterprise strategy and change that for going forward too. On the other hand, in order to build enterprise resilience, we can also look to lessons learned as organizations have taken steps to meet privacy requirements in the face of regulations such as gdpr. Many organizations here will have adopted governance structures to report on privacy risks. These mechanisms can be broadened out to support the management of enterprise resilience. We know through our work at the I A P P on the governance report that many organizations have taken steps to embed roles through the three lines of defense. So not only may they be lessons learned in operationalizing this, but also there might be opportunities to consolidate roles and responsibilities across those lines of defense to support enterprise resilience by using potentially existing risk champions. For instance, the lessons learned from these governance mechanisms and some, and these can sometimes be very painful lessons can all be used to inform and arts the approach to governance of enterprise resilience.
Now many of you here would've also had to bring your board on a journey from understanding the requirements of privacy regulations at the outset before you've set up all of these programs to actually then now hopefully being able to make decisions of potential risk owners. The board's been on a journey and they will continue to play a role, an important role in the future in directing, evaluating, and monitoring the enterprise resilience framework to hear too. There may be options to look at how this has already hopefully been successfully achieved with privacy risk management and again looking for lessons learned and synergies there. With enterprise resilience, we can't and we shouldn't underplay the importance of training and awareness either. A lot of organizations have taken steps to train whole sways of their workforce in privacy basics training as well as deliver more privacy, more specific training to key roles. This approach to training the supporting learning management systems and underlying processes can all be used to deliver a successful enterprise resilience strategy. Again, looking for synergies, lessons learned as well as kind of using the training modules to support delivery of enterprise resilience. Ultimately privacy, much like other risk factors faced by an organization can't and probably should contribute to an organization's enterprise resilience.
So what can you do next where it remains important to bring key privacy roles into relevant discussions about managing enterprise resilience. So that can contribute to it from a privacy perspective, but also from a broader lessons learned perspective as well and help you identify key issues. It also remains important to discuss privacy and data protection at senior level meetings and make sure that senior leadership understand why privacy is critical, maintaining and protecting the organization's reputation and ongoing financial viability. From a broad perspective, the policies and procedures should be well established well in advance to enable fast response in case of a data breach or other events. And depending on your maturity and scale, you might also look to existing roles and responsibilities across the three lines of defense to support enterprise resilience as well as potentially looking towards the reuse of existing tools and technologies that already have well established use cases to support optimization of enterprise resilience or even privacy processes as a whole. We've already mentioned training today and ongoing training programs can be a great way to support employees understand the role that they play in managing privacy risk as a contributor to enterprise resilience. This can really bring home the importance of managing the collection and use of personal data and the impacts of this if it's not done properly.
You might also consider having an independent third party periodically perform an independent assessment across both privacy compliance but also broader enterprise resilience and the links between the two. This can help you understand where you are now, your existing maturity as well as benchmark yourself against other similar organizations to get a broader picture too, are you middle of a pack or you a leader? Again, it could be a useful exercise. You might also consider undertaking tabletop exercises to exercise your response to key privacy related events. Here we're talking about testing resilience from a privacy perspective. Do you understand how well you might do if there's a data breach or excessive volumes of D sars or an absence of key privacy supporting personnel? The objective here is to be prepared and proactive, prioritize rapid threat detection and effective response, utilize simulations and exercises and understand the escalation process. Who should be notified about what and and when.
Again, it's important to identify the root causes of privacy failures and take actions to prevent repeat occurrences. It's also important to look at the third party supply chain. These can be a vulnerability too through shreds and in international data transfer work. The privacy function will have been on a journey over the last year or two and and really look to understand the third parties that you work with. In fact, they might actually have key insights into risk across critical suppliers. The use this insight to inform your enterprise resilience strategy. Organizations should also consider using a integrated risk function that connects cyber risk to privacy, risk to resilience and other risk factors and thinking. But thinking of these, any of these topics in isolation risk opening up yourself up and introducing inefficiencies into risk management metrics to remain important. And you might consider measuring resilience by building metrics into key performance indicators.
Think about how your existing privacy metrics may contribute to the measurement of a healthy approach to privacy re to enterprise resilience. Now I could go on but hopefully I've left you with a few few thoughts or a few, few, few next steps and hopefully you've seen our enterprise resilience and privacy are two connected topics. To summarize, if you're in a privacy role, you might be able to use the insights from a well-structured approach to enterprise resilience to drive benefits to the organization through enhanced privacy risk management. And if you're looking at this from an operational resilience perspective, then work with your privacy teams to build that connection from privacy risk management to enterprise resilience and understand what's worked well.
Well thanks very much sa. Before we go to questions, I'd just like to remind the online audience that they can put questions to our presenters by just putting in the question into the platform and then that will come through to me here on the laptop. And then I can ask our, our, our presenters and in fact we do have some questions says GDPR has undeniably driven focus on data privacy in the eu, but what about the rest of the world Is privacy being addressed in equal measure?
Wow, I think, you know, I'd have to say yes, we're seeing a number of countries developing regulations on an ongoing basis and, and you know, it's almost every week that we hear developments from the US around the state and and federal laws. So we're seeing a lot of developments in this area. It's very much not an EU centric approach at the moment moment. It it's very global and and actually what's interesting is how organizations that are global with operations in, in across different countries play and you know, react and respond to those changes in future regulations but also keep up with the ongoing developments and existing regulations, case law, the impact of those and how they impact their operations. And it continue to ensure that the way they manage privacy compliance is not only sustainable but also kind of reactive. And here I think key ways organizations tend to do this is have that horizon scanning capabilities built into their legal teams with legal teams and driving out kind of the impacts and requirements so the rest of the organization so that they can actually respond to these on a timely basis.
I have a question from this morning's discussion about the role of the cso. Couple of the panel members said that boards are becoming a lot more tech savvy, the understanding the technology a lot more. They're asking more detailed questions, just listening to you speaking now, I was just wondering if the same sort of thing was happening on the privacy side of things. Are they, are they privacy savvy? Are they asking them all detailed questions? Are they asking the right questions? Are we there yet?
I think so, and here I think it, it very much depends on, on the journey. The board itself has been on privacy and the journey that they've been taking on to understand privacy requirements that face their organizations. The more savvy board, you know, that has been on a journey is able to ask those detailed questions that isn't just the basics of, you know, what is personal's data, what is the gdpr, but it actually, it's getting to the, the crux of the matters, understanding kind of how they're cutting edge products and services that underpin their financial model, you know, what the privacy risks are and what they might be looking ahead to that impacts their strategy and how that's been defined as well. So the more informed born board are able to answer those questions and really ensure that the risks are being managed further down in their organization and they are getting on the other hand the right metrics as well coming up to them so that they, when they ask those questions, they see the data driven insights as well.
So much like a c o function, building out those metrics that might be driven by, you know, the, so you know, we're seeing privacy functions start to define metrics as well that really can provide an informed opinion. The other point that comes to mind is the link between kind of the CCP and, and the privacy piece as well. You know, when those two functions play well together, we're actually getting insights that are linked and connected and, and is very much speaking to each other as well. You know, the worst thing here is for the privacy function to be reporting one thing and the the CSO security function to be reporting another, which just doesn't represent a seamless picture of where the organization actually is or a truthful picture of that and actually causes a board to ask more questions. Really when you're at that point, you know, there, there's something that's been missed.
Great. That's really encouraging to hear that. Another one of the points that came out this morning session was that one of the CSOs felt that things were moving more to a situation where more organizations would have a chief trust officer. Is that something you're seeing at the I A W P
Potentially, yes. And again, it depends, you know, the right size, the right fit, the right role depends on the organization, the size and scale, you know, that sort of role may not work for a smaller organization that doesn't have the budget or the resources, whereas a very large multinational with actually a trust department who looks at ethics across, you know, in the use of personal data and AI and models and all of these other areas, it might make more sense for them to have a specific trust function that needs it all together. So again, we're seeing mixed pictures. What we're doing at the moment is, is refreshing our, our annual governance, our governance survey, which is actually asking some of these questions. So you may start to see some of those insights coming through that, that product in the, in the future.
Okay, great. Again, just a reminder to our online audience, if you wanna ask any questions, please just put them into the platform. For example, we've got another question here which says, how well is the link between privacy and resilience understood globally and to what extent is privacy being used as a means to achieve resilience? So kind of ties a bit into your presentation, maybe just kind of elaborate a bit on that point.
Yeah, it's a great question. I think in terms of the first part in terms of how well it's understood, I think again there, there might be work to be done here by privacy teams, by security teams, by by resilience teams to actually build out that understanding what, what tends to happen and, and we've seen it over the last couple of years with privacy teams responding to regulations such as DPR teams may tend to work in silos to respond to a regulation set up a, you know, set up a transformation program that's delivered through to kind of fruition, but actually then it's just handed over to the legal team or or a privacy team to just manage and, and then they're working in silos, but actually enterprise resilience brings it all together, right? You know, there's a need for security, for privacy, for other risk factors, you know, all look to connect together so that enterprises resilience can be insured.
You know, it's all about the continued success in of your business and, and, and all of these fit into that. So actually that brings it together in a way. So, you know, going back to question, should there be greater understanding of it? Yes, there should and should there be greater understanding of how it all plays together again? Yes, there should so that we understand, you know, what metrics, for instance here to report into the enterprise resilience function. So we can measure how healthy that is across the organization or to what extent, you know, your change processes need to be understanding, you know, which new services are using novel uses of personal data and therefore might need to actually change how we, our picture or our understanding of how resilient our organization is to regulate reaction or, you know, other factors. You know, those are also things that need to be thought about too.
Okay. There's questions come through here, I'm not sure whether it's entirely appropriate, just says regarding authentication and MFA based on OTPs and aps biometrics is fingerprinting or face recognition. What is your take on this topic? Tech technical recommendations and concerns?
Yeah, it's a really interesting development we're seeing, you know, on the other hand, a need for MFA and, and other technologies. You know, that's an obvious one I guess for, for that factor authentication to be in place. On the other hand, you know, we, we have to balance the privacy concerns and ensure that things like facial scans, fingerprint scans, you know, those are ultimately, you know, significant pieces of personal information about ourselves that we reveal for security, security purposes. And those need to be managed in the right way and whether or not that's managed in the right way, you know, that it needs to be looked at and understood. Well the worst thing that can happen here is that again, there's, there's breaches of those and losses and privacy that can't be taken back because ultimately, you know, we can't change our, our faith and we can't change our fingerprints. So there's a need for that to be, you know, to be correct here and the protections around that. So again, really interesting development really talks to the heart of balancing privacy and security concerns at the same time.
Now having attended a couple of I a P events in London, I I I know that you guys are looking at really key topics, to what extent are you working with, with organizations to kind of work with regulatory bodies and that kind of thing? Cause earlier today we heard that, you know, regulations are just kind out of, out of step with the reality. So is that also something that you look at trying to keep regulations more in step with what's actually happening in the business world out there?
The one thing we, we, we look at, we do engage with, with regulators and kind of their regulatory priorities and if we look at our website, you might see us kind of put out news stories about kind of regulators and some of the approaches that we're taking from an engagement perspective. We, you know, one of the things we look at is the technology aspect as well. For instance, you know, how understanding, for instance, developments in privacy enhancing technologies and what's going on in that world and you know, bringing that to the broader population as well so that everyone can see kind of, you know, the developments, what's coming along the pipeline and what the future looks like as well. So again, it's, it's a, you know, I'm, I'm biased here I guess, but I feel like it's a great resource for, you know, people working in privacy but also people interested in privacy to, to understand kind of key developments, what they might look out for and, and what they should do next.
Okay, great. Thanks. We don't seem to have any more questions from the online audience. I dunno if there are any questions in the room. If not, then thank you very much, sa
Thanks everyone.
