One message we heard throughout the International Association of Privacy Professionals (IAPP) Privacy Academy 2013 – which took place from September 30 to October 2 in Seattle, WA this year – is that concern around data privacy in our society is growing. In the opening keynote speech, Stewart Baker, the former General Counsel of the National Security Agency (NSA), equated the current environment of privacy regulation to the prohibition movement at the turn of the 20th century. In the case of the latter, the restrictions placed on society were heavy-handed and severe. More importantly, they didn’t work and they didn’t represent the culture or desires of society at the time.
Much like temperance, compliance regulation is struggling to keep up with the current social environment and social desires of the modern age that are driven by new technologies and new dynamics in human interaction. According to Baker, when Justice Louis Brandeis wrote the first privacy laws in the US, Brandeis was responding to his own concern about an emerging disruptive technology: the camera. The original privacy laws were a reaction to the new technology and were made in an attempt to stifle its use. Contrary to his attempts, photos taken by cameras increased at an exponential rate and the laws created to counter their use were applied in counterproductive ways.
The lesson of history is that when popular disruptive technologies appear, the laws need to guide those technologies to the benefit of society rather than make futile attempts to ban them. Today, we have many laws that protect citizens who imbibe alcohol. We have age restrictions and prohibitions on driving under the influence. We have clinics to help people with addiction and campaigns to help society manage the potentially dangerous aspects of alcohol consumption.
This sober approach to regulation is the answer to balancing the interests and passions of society with the need for control and security. The transition from one technological shift to the next initially instigates the creation of laws, regulations, and subsequent behavior that is severe but eventually stabilizes to reflect the new order as well as the needs and desires of its citizens.
Today, data privacy is on the cusp of a technological shift. This was evident at the conference itself. IAPP has 14,000 members this year, up from 10,000 in 2012. This rapid yearly increase is an indicator that business is training and hiring more privacy and compliance officers to address the mounting regulations from industry and government. As organizations build their resources and human capital to respond to these regulations and internal controls, their processes and programs need to be measurable and verifiable (M&V) to show success.
Organizations have traditionally run their programs using a two-legged stool: Policies are authored and training is provided to employees. The missing third leg is the means for M&V. Compliance managers need a way to determine if the policy is effective and there is adherence within the organization. Companies need to be able to track the adoption of training. They need a way to measure if training is working.
Technology and tools provide this measurement and verification, streamlining compliance programs and shielding companies from the cost of failed and flawed practices. Implementing systems such as AvePoint Compliance Guardian adds a third leg to the stool, bringing stability and a feedback loop to traditional compliance practices.
As we move through this technological shift, enforcement of regulations and privacy law will sometimes seem cumbersome and ineffective. Like the temperance movement, our society will eventually find a healthy balance and navigate through this brave new world using a combination of process, tools, and training to weather the storm.