OneTrust is a globally leading software vendor for GDPR and privacy management. The experts of OneTrust do constant research on user behaviour and compliance issues. We asked Linda Thielova, Privacy Counsel at OneTrust, why privacy stays on the list of CIO priorities and how to support users and customers to act responsibly with their data. Meet the experts of OneTrust at the Confare Swiss CIO SUMMIT on September 11th in Zurich, with the CIO AWARD – the most important gathering for IT executives. Get your free ticket as a CIO now.
Registration for the Confare Swiss CIO SUMMIT, which together with the Swiss CIO AWARD is the most important IT management gathering in Switzerland, is free of charge for IT managers. More than 150 colleagues have already registered, so secure your place in good time.
Participation is free of charge for CDOs, CIOs, IT managers and business-unit managers.
It seems that users are likely to quickly give up their data for convenience. Why is it still important to focus on privacy issues?
I believe that maybe part of the reason why we see a lot of people giving away their data for convenience is because they do not realize the impact of their actions on their overall privacy and personal life. This is not necessarily their fault; historically organizations weren’t exactly keen on pioneering (online) privacy as a top concern for their customers, but this is fortunately changing for the better. An important part of that new focus on privacy issues is the legal requirement to keep users informed about what is going to happen to their data, how it will be used, and what the purposes of such use will be. The focus on privacy means that users get this information, but more importantly that it is presented to them very clearly – it isn’t buried in T&Cs, it isn’t written in legalese. I believe that this is the real key: telling users clearly and in normal language what would happen to their data, e.g. if they consent to a certain service. When people get this type of information, they will finally be able to make informed and perhaps more cautious decisions about who they allow to use their data.
In the past few years CIOs were working hard to reach GDPR readiness. What are the main issues and risks you still find in companies today?
GDPR readiness is a cycle of constant improvement; the CIO’s work is never fully done – I believe this specific message took some businesses a while to fully acknowledge and as a result sometimes companies struggle with resources (human and monetary) to keep the level of compliance high and to maintain their GDPR records up-to-date. Also, as the companies fully embrace GDPR compliance, we are seeing some of them struggling with the practical challenges: getting the DSAR requests right – making sure we provide the right amount of information to the correctly verified users in time can be challenging, especially if more teams are involved and there are multiple requests coming in each day. Also, making sense of all the data processors and sub-processors and ensuring that they provide sufficient guarantees to data processing can be an immense ongoing task. That is why we believe that automation and privacy software are the right way forward because they help CIOs keep a 360-degree view of what is happening with the DSAR requests, vendors, incidents and other privacy-related agenda. The CIO is then much better positioned to decide on priorities for the team, or to brief the company top management on how this agenda is being handled.
What are the most important elements for a comprehensive privacy platform?
From my perspective, definitely flexibility and ease-of-use. The great thing about privacy platforms is that they automatically generate an audit trail of your organization’s compliance program and workflow, but this shouldn’t be at a price of the software not being user-friendly or hard to scale to your organization’s model and priorities. Nobody wants to work with software that is making their life harder, and for a privacy platform I believe this applies even more because it is absolutely critical to get business owners and other key stakeholders on board and have them engage with the privacy platform regularly and with ease, so that the records there are complete and up-to-date. The platform flexibility to me means that the platform should be easy to customize not only based on what your organization’s size is, but also what business sector you are operating in, which countries and jurisdictions are relevant to you, which teams you want to access particular portions of the platform etc. The reward for getting these elements right is massive for the company and it can contribute to employees being more engaged in privacy and compliance generally.
OneTrust does extensive research on privacy and compliance. What are the current issues your team is working on?
The last few years have seen a boom of privacy laws globally; our team is keeping tabs on the legal and enforcement trends and we’re building the requirements into easy-to-use software tools and guidance. In terms of the biggest topics, we are definitely seeing a lot of interest in the California Consumer Privacy Act (CCPA) which will become effective in January 2020. There are also other states in the U.S. which are preparing their own privacy laws, so we are watching those as well. In Latin America, we are getting a lot of questions around the Brazilian LGPD which has a lot of commonalities with the GDPR. India also has their own comprehensive privacy bill in the pipeline. Finally, in Europe, we are still very much busy with GDPR: most of the Member States incorporated some sort of derogations or extra rules around the GDPR baseline and we are aiming to provide this layer of specificity in the software. Finally, the AdTech industry is still on the lookout for the future ePrivacy Regulation while the EU regulators are gradually tightening this interpretation of tracking and cookie use requirements – we are definitely picking up a lot of discussion around these. To sum up, the privacy sphere is really busy these days and it seems that the pace is still picking up.