Insights from the US Privacy Retreat

PwC’s US Privacy Retreat on Nov. 2, 2017 in Minneapolis brought together privacy professionals from an array of organizations to discuss key risks, regulatory matters and research.

Key speakers included: Keith Enright, Legal Director, Privacy, at Google; Alessandro Acquisti, Professor of Information Technology and Public Policy at Carnegie Mellon University’s H. John Heinz III College; John Verdi, Vice President of Policy at the Future of Privacy Forum; Stewart Room, PwC’s Co-leader for Global Privacy; and other guest speakers from PwC and other organizations.

Key insights and learnings from the discussions

Privacy professionals will be challenged to keep executives focused on GDPR beyond 2018. The considerable executive attention being devoted to addressing the European Union’s General Data Protection Regulation (GDPR) compliance in advance of the law’s May 2018 deadline could be exhausting, spurring many corporate leaders to focus on other priorities once the deadline comes and goes. But companies likely will not see peak enforcement for GDPR in 2018, so privacy professionals will need to stay alert and keep their organizations focused on long-term compliance.

GDPR “enforcement” might come from unexpected places. Businesses that pursue GDPR preparation only with regulators in mind run the risk of being caught flat-footed if GDPR-savvy law firms target the organization. Although Europe’s data protection authorities (DPAs) have official GDPR enforcement roles, there is a risk that privacy professionals caught up in a GDPR echo chamber of sorts will view these regulators as the sole potential enforcers, leaving their businesses unprepared. Companies should be mindful that ambitious law firms could act as de facto enforcement agents by pursuing GDPR-related litigation in civil courts.

Enforcement actions are not always bad news for the businesses involved. Interactions with regulators or litigators arising from a mistake by the business could provide a silver lining to privacy professionals on the receiving end. Such enforcement actions have the potential to offer companies valuable chances to establish active communications with regulators in particular. Sometimes, enforcement situations are the only way companies can receive the rare opportunity to conduct face-to-face discussions with key regulators.

Businesses should not wait for GDPR to take effect before engaging with European regulators. It is best for businesses to invest in building – and in some cases, repairing – relationships with European regulators now, before the GDPR goes live. Such engagement is more likely to come across as sincere now, as opposed to after regulators are in a position to impose sanctions. Further, US companies dealing with European regulators need to be mindful and respectful of transatlantic differences on privacy policy. In Europe, privacy is considered a fundamental human right – and arguing otherwise is counterproductive. US companies should respect such transatlantic differences and be mindful of European regulators’ sophistication and professional commitment.

On both sides of the Atlantic, engaging with regulators is generally better than brawling. Privacy professionals in industry have much to gain by interacting with regulators in a way that emphasizes hubris, humility, and informed optimism. Rather than taking an adversarial approach to compliance with privacy regulations that invites confrontation and formal enforcement actions, companies can seize the opportunity to open good-faith dialogues with regulators that feature transparency and constructive communications in the interest of achieving shared goals. Corporate leaders may not always want to be fully transparent with regulators, but privacy professionals should aim to minimize the number of times that happens.

Privacy has ancient roots – but technology is challenging it in new ways. In our increasingly digital society, defense mechanisms that humanity may have been finessing for thousands of years leave people quite unable to address privacy, according to research by Carnegie Mellon University’s Risk and Regulatory Services Innovation Center, sponsored by PwC. Our evolved abilities to detect strangers and potential foes in the physical world – for instance, when someone is staring or approaching too close for safety – do not apply in cyberspace. Computer users cannot smell electronic surveillance or feel when a company accesses data. Hence, privacy is more relevant than ever to policymakers, regulators, business leaders, and consumers.
