An Interview with Sheila FitzPatrick, a Leading Expert on Data Privacy and Sovereignty Laws
Do you remember when you first took a vaccine as a child?
Maybe not, but do you recall the recent Covid-19 vaccination you took when the global health crisis engulfed the world?
Yes, you do!
First, you created an account on the government app for booking the vaccination slots. You entered your name, age, address, blood group, social security number, etc. Based on your chosen pin code, you searched for open vaccination slots at different hospitals and booked them. The vaccination day came, you visited the hospital, and the nurse asked you about your details. This was to update your vaccination status in the government and the hospital databases, which, in turn, got reflected in your booking app.
Did you know that your social security number and other personal information are now stored in hospital and government databases accessible to the several stakeholders who manage those databases?
- How many records contain your personal information?
- Where is your data located?
- Who has access to your data?
- How do different entities use your data?
This is just one of the many everyday life situations where we share our personal information across different platforms without paying much attention to data privacy.
So why is data privacy important, and how does it affect us as individuals and enterprises storing personal and sensitive data?
Data privacy is the handling of personal data to comply with data protection laws, regulations, and general privacy best practices.
Having gotten a bird’s-eye view of data privacy, let’s dig into its various components. As part of a series on Executive Perspectives on Data Privacy, Piyush Mehta, CEO of Data Dynamics, interviewed Sheila FitzPatrick, a leading expert on data privacy and sovereignty laws, a GDPR expert, and a chief privacy officer.
Here are some of the highlights:
Piyush: You are one of the most passionate people when it comes to privacy laws, so what triggered that passion in you? Was it something specific, or was it always there?
Sheila: I think deep down, it has always been there. I started my career many decades ago at the age of five because I have been doing this for 40 years. I started in international employment law, and one can’t deal with employee data, especially on a European basis, without getting into the privacy side. I fell in love with data privacy because I have always been one of those people who question why certain organizations are asking for my data. Even when I joined organizations, or even when I was in school and was asked for certain pieces of personal information, there was always a question of ‘what does this have to do with anything that I will be doing for you or any of my schooling?’
And so, being in Europe for so many years, my focus went to privacy, and I am overly passionate about it. I want more and more people to care about privacy, so I think it’s built into my DNA.
Piyush: Can you highlight the top 5 considerations people need to consider in terms of privacy risks that are not being considered today when considering data privacy and exposure risk?
Sheila: I combine risks with concerns and issues that companies need to think about, because it seems that 99.5% of companies, when they start to talk about privacy, are talking about security. They are talking about locking down data, making sure that the right tools and the right infrastructure are in place to protect that data from unauthorized access and use. They are talking about encryption, password control, and access control, which are very important, but they are not privacy.
So, I think there is a lack of understanding about privacy, which probably is the biggest concern, because privacy is the entire life cycle of the data, from the time you collect it to when you destroy it. It is all the laws, regulations, and ethics around what you are allowed to have and what you can do with that data. It is about the fact that you can never own personal data as an organization. The individual always owns it. You are stewards of that data but not the owners of the data.
I think the
- lack of understanding of what privacy is, combined with
- the lack of understanding of the difference between privacy and security,
- the lack of understanding of what constitutes personal data, and
- the last one, not considering privacy when new technologies are coming up. For example, AI is great, but if you use it to gather information without transparency and without going through a lawful basis, you can have many problems.
These are the concerns and risks that I look at.
Piyush: As we continue to see Privacy become a hot topic not just in the US but across the global footprint, we are starting to see more and more regulations come into play around data privacy laws and data sovereignty laws. When you think about these laws, is there any approach you feel that an enterprise having a global footprint should use, especially considering that these are state-specific laws but are complex in themselves depending on which country and state you are operating in?
Sheila: If you look at the US, for example, everybody has been talking about CCPA and its comparison with GDPR. It is, in fact, so far from GDPR, because in the US you look at privacy very differently. Privacy is around user and consumer data, but the laws in California and elsewhere don’t have to have a lawful basis for processing the data in the US. And the default is you are opted in unless you forcefully opt out. When you look at the rest of the world, particularly Europe, the Asia Pacific, and even Canada, the default is opted out until you specifically opt in, which goes back to who owns that data. Believe it or not, everyone always talks about GDPR in Europe. Still, the fastest-growing region in the world with respect to new data privacy laws is the Asia Pacific region. It is growing at a tremendous rate. You look at what Japan and South Korea have done. South Korea has always had the most restricted privacy laws globally, which most people don’t realize. Even what China is doing. Although China is more about cybersecurity, the acts that have privacy components are really there to protect government data rather than individual data. But the Philippines, Singapore, Australia, and New Zealand are all growing rapidly.
So as an organization, I think you need to step back and think about questions like whether you are a US-based organization or a UK-based organization, and where you operate. You say that we only operate in the US, so what does that mean? Does that mean you only have entities in the US, or do you have customers or employees outside the US, or do you provide the sources to organizations outside the US, or do you have a website that tracks visitors from outside the US?
So, it’s more than just where you are located –
- where you are physically operating,
- where you have your presence,
- where you have a global footprint.
And that means you need to consider the laws in all the jurisdictions in which you operate.
But how do you manage different countries and their different laws?
My approach with my clients is always to say you build one global data privacy practice and base it on the most restricted laws, and then you can tailor it as needed.
You don’t want separate privacy programs for the US, Europe, the UK, and each region separately. You want one program that is easier to manage. And as the laws started to develop, we started to see other countries adopt some of the components of the more restricted laws. Asia Pacific countries are following the GDPR law, but they have enhanced it, and, in many cases, they are more restricted. So, you need to take stock of your entire organization and the data you use, how you store that data and how you manage that data, etc.
Discussing global footprints and how organizations can abide by data privacy laws, Piyush explained that most enterprises focus on their physical locations and don’t consider the digital side when assessing privacy impact. However, as the world transforms into a digital society, considering where those footprints exist beyond an enterprise’s physical footprint becomes increasingly important.
Piyush: The words trust and Privacy seem to go hand in hand. If I want to trust you as a website that I use, as a bank that I bank with, or as an insurance company that I work with, your protecting my privacy is very important to me. More consumers are considering the people they interact with, meaning the companies they engage with are directly tied to their ability to feel comfortable about their privacy.
Sheila: I think that’s a true statement, and you can tie ethics into it. So, it is all privacy, trust, and ethics. It’s about how transparent you are about what you are doing with my data. If I ask a question about what you are capturing and how you are using my data, can you provide that information to me? If you can’t, that will chip away at the trust factor. You look at some of the social media companies and the substantial fines they have received, and hence many of these companies have started to lose consumers who are moving to different platforms. What amazes me the most is that the younger generation, which has never cared about privacy, is the one moving away from one of these social media platforms.