Originally aired on October 22, 2023 @ 10:00 PM - 10:30 PM EDT
Cloudflare is recognizing Data Privacy Day 2022 with a special series of fireside chats. This session features Noriswadi Ismail, in conversation with Tilly Lang, Cloudflare Senior Counsel, Privacy.
Noriswadi Ismail is Managing Director of Breakwater Solutions, a firm that helps mitigate risk and gain insight from sprawling information by combining technology automation and human expertise.
He is an author, thought leader and experienced consulting practitioner in global data protection and privacy, data governance, data ethics, cybersecurity and emerging technologies' risks. Noris also serves as IAPP European Advisory Board Member (1/1/2022-31/12/2023).
He is extremely passionate in diversity, inclusion and belonging and has been 'informally' mentoring/coaching future leaders in this evolving space. As IIUM (Malaysia), AOTS (Japan), Strathclyde, Scotland, Chevening (U.K), Fulbright (U.S), Big4 (EY) and Oxford Saïd Business School, University of Oxford alumni, Noris has clocked and delivered more than 180,000 hours of consulting, masterclass, webinars, workshops, conferences, strategic whiteboarding business case and scenario planning sessions (face-to-face, remotely and hybrid) for Board of Directors (Independent and Non-Independent), C-Suite, Regulators, Fortune 500, FTSE 100, FTSE 250, Middle-Management, Middle-Market firms, Start Ups and Freelance Digital Entrepreneurs globally.
He has written and edited 2 books; Beyond Data Protection, Strategic Case Studies and Practical Guidance (Springer, 2013); Understanding Personal Data Protection Law (LexisNexis, 2013), contributed as one of the Subject Matter Experts in 2 leading Blue Papers: Global Data Transfer (Gold Rush Publishing, 2019) and Data Breach Accountability Framework (Gold Rush Publishing, 2021). Noris is the former International Association of Privacy Professionals (IAPP) Inaugural Asia Advisory Board (2016-2019) and former Scientific Director of European Privacy Association (2015-2017).
Happy Data Privacy Day. And thank you for joining us. I'd like to welcome Noris from Breakwater for today's session on global privacy developments and EU trends.
Noris, may I pass over to you to introduce yourself?
Sure. Thank you so much, Tilly, and your leadership and for having me on this particular global data privacy day.
I'm Noris Ismail.
I'm the Managing Director of Breakwater, leading the global data privacy consulting practice based in London, and we're operating globally in the US, Europe, and Asia.
Perfect. And thanks so much for joining. Like I said, today's a big day for all of us in the privacy profession.
There's lots going on, so I really appreciate you taking the time to speak to us today.
And I think just sort of getting started, and as it is Data Privacy Day, it'd be great to know sort of how you started your career in privacy.
Sure, Tilly. I think it goes back 20 years ago.
At the time, I was an in-house technology counsel, dealing a lot with IP technology matters, particularly software pattern, trademark, copyright.
And part of my role is very much negotiating data center contracts, network service agreement contracts.
And at the time, it was still the EU directive, and it was too many kind of a template rather than like what we have seen today.
And I thought, hey, the next 20 years, it'll be a very big thing.
And since then, my career progressed to consulting.
When I was in in which I led the EY GDPR consulting practice for five years.
And part of the role, I was also the interim DPO for EY UK and Ireland, in which at the time, there were too many questions and answers right to the GDPR.
And now in a consulting role. So I would say that the evolution is quite natural, having a legal background, having understood the market, and as well as the technology component, the market component, the regulatory component, and importantly, the risk component.
So and still lifelong learning, I'm still learning every day with clients and partners, with colleagues like you and as well as others globally.
Yeah, no, absolutely. I definitely sort of came into privacy.
I was working in legal and corporate governance. And then more and more and more, sort of around 2016, privacy was becoming more and more and more of a hot topic.
So. So yeah, absolutely. And on following on from that, I mean, what do you enjoy about working in privacy?
Yeah, I think privacy, for me, is actually part of human rights.
I mean, fundamentally, if you look into your daily life, even at home in school, within family, of course, it's part of human rights.
But when data is getting so commercial or commercialized, sometimes we overlook the importance of the data and how does it mean, you know, to us as a person.
So that actually also really triggered me, hey, we need to think something about it.
It's a right, it's not a privilege. So that's why in a context of a family setting, individual setting, even in corporate setting, in a work setting, there's all these different contexts when it comes to privacy, from one context to another.
So I can talk about privacy, hours and hours and days and days, or perhaps, you know, months and years.
But of course, there's more to be on privacy in life, right?
But there's all these privacy issues on a day to day basis. Yeah, no, absolutely.
I always say there's never a dull moment when you're working in privacy, for sure.
So I was wondering to just on today's topic, if you'd be able to kind of give us an overview of the trends and developments in global privacy laws that we're seeing at the moment, and also the impact that has on organizations.
Sure.
It's a very, very good question to kick off this informal conversation, Tilly.
I think for the past, I would say almost two and a half years since the GPL was enforced, we have seen quite a number of evolution from different jurisdictions and markets, not just from the perspective of the EEA, but also the US perspective, where the CCPA and soon CPRA by January 2023.
And there's also the PIPL China, where China enforced the law quite, you know, recently last year, and was quite, quite enforcement, so to speak, given the current landscape.
And currently, there's India bill, which is currently being tabled in Parliament and hopefully to be able to be passed by Q3, Q4 this year, which I've been informed by some of my colleagues in India.
And we've also seen the Middle East and North Africa region, GCC region, where some of the requirements are partly like GDPR, but also they do have their own persona and their own gravitas when it comes to an assumption, certain principles to make it much more identity towards the landscape in the region.
And we've seen in Asia Pacific, particularly in ASEAN, like Singapore, Indonesia, Malaysia, the Philippines, Thailand, they have reviewed their so called legislation.
And I would say 30 to 40% are very much like GDPR, even though they do have their own persona and gravitas in the respective legislation, or legislative requirements.
And because of this evolution, I would say that GDPR has given that kind of global baseline.
And at the same time, each of this region, they really want to demonstrate their distinctiveness of their own legislative persona.
And this is where the data challenge is, because on the one hand, yes, there's some elements of GDPR.
But on the other hand, when you deal with certain data subject data, or even when you transfer data outside the EU to the UK to the rest of the world, you have to look into like, okay, can I do this like ABC?
Or is there anything that I need to think about not only from the perspective of the main legislation, but also the sector specific legislation that financial services, or the telecommunications services, or even employment laws, or even taxation laws, because some of the requirements might be stricter as compared to the main umbrella of the legislation in those countries.
So in short, Tilly, I think GDPR has given that kind of positive impact.
But in my experience, observation and engagement with regulators, with global multinationals, even with startups or SMEs, and if so proprietors, they still want to understand there are too many things that they need to think about, how is that they need to like prioritise, okay, the highest risk in order for them to like move forward and operationalise their programme.
Yeah, no, absolutely. And also just moving on to Europe, I mean, what are the what are the trends that you're currently seeing in Europe?
And again, what impact does that have on organisations operating within the region?
That is a very timely question.
I mean, given the fact that we are now like two years now, within this pandemic, there are a lot of things that has been happening alongside the AI regulation, the draft regulation, the push ramps to decision which led to the transfer back assessment requirements, and as well as certain decision against tech companies with regards to cookies, and also the quality of the operationalisation activities of global privacy programme, particularly in the EU or European economy area, I would say that there are two trends that I think we still keep on continue in this year, and hopefully the next one year, the first is cookie audit.
And we've seen the approach, quite a mixed approach, especially for those countries that are dealing with the EU data, where they actually have certain cookies that are being deployed on the platform, and whenever they want to transfer this data to the US and to the rest of the world.
And then second, how exactly the organisation needs to really operationalise in the transfer, once they have done the necessary transfer impact assessment, and once they have secured the legal advice from the Privacy Council, or even the General Council, or even the law firms, in terms of what needs to be really prioritised from the risk perspective.
And this is where we see lots of the operationalisation aspect, post legal advice, okay, is still a big, you know, I would say, not say challenge, but I would say struggle.
On the one hand, you need to actually simplify the messaging to the stakeholders.
On the other hand, you need to also articulate whether is this like a must to do, or a nice to have, or perhaps, you know, is considered as a high risk in the context of the post-SRAM decision, and as well as the cookie, and as well as the AI aspect as well.
So I would say like, this would be like the ongoing trends in the context of the EU, and it might also impact, you know, the non-EU or the non -EEA market or jurisdictions like the US, Middle East and North Africa, Asia, China, and India.
Yeah. And I also was wondering if you could just give your thoughts as well, in terms of the direction that you see the UK going sort of following Brexit.
I think the UK is very ambitious. I mean, the UK is always wanting to have its own, you know, position when it comes to digital strategy.
I think recently, there's actually the Alan Turing Institute of AI Hardware, it's a very good institute, which actually really encouraged the use of AI as part of the digital strategy in the UK.
And as some of the listeners, the audience might be aware that we have a new commissioner, previously a former commissioner from New Zealand, and he's very ambitious to really to listen from the stakeholders, listen from the business, what actually they have gone through, you know, for the past few years, not only during the pandemic, but also prior to the pandemic.
And at the same time, the listening exercise will help the commissioner to shape what would be these top priorities, you know, for the UK.
Last year, the UK government and as well as the ICO actually have signed quite bilateral agreement and engagement with key markets like with India, with New Zealand, and with also the US and some of the countries in EU, just to ensure that they can really support to facilitate the data transfer post Brexit.
And it's still a work in progress.
But of course, I'm not representing the ICO. And we will see how exactly, you know, this will take place hopefully in the next six months and watch this space, there'll be more development from the new commissioner, so to speak.
Yeah.
Thank you for that. And also just sort of as we've done a overview of a kind of what's going on globally, I mean, what strategic advice would you provide organisations like to ensure that they are meeting all these global requirements?
Because as you mentioned before, there's a lot, there's similarities with a number of the legislations with the GDPR.
But there's also significant differences, which obviously organisations need to build in to their privacy programme.
So I'd love to hear your thoughts on This is my favourite question.
The common question that a general counsel asked, a chief officer asked, even a CISO asked, in my view, whether or not your whatever your governance structure is, whether it is, you know, centralised, whether it is decentralised, whether it is hybrid, or even in between decentralised and hybrid, the key question is, okay, whether there is actually support, the leadership on the top, you know, the tone, what is like the risk posture from the top?
For example, if let's say the CEO, even investors, or even the board, or non executive directors actually put data risks, which actually combine cybersecurity, data protection and privacy and data governance as part of the agenda of the conversation, then they're very clear that what is like the risk driver is, the risk posture is, then they need to cascade it to the operational function, just to ensure that A, okay, they know that this actually the activities they need to remediate to minimise the risk, and then B, to understand the impact of the risk drivers and risk postures region by region, because each of the region has its own risk posture, and then a risk lens, and then C, have a phased remediation kind of activities, because it's a journey, you can't do everything in three months.
So you have to take, you know, the remediation, which link to the highest risk first.
So I think in short, you know, that kind of leadership from the top, the tone from the top is important.
And I suppose that some of the audience today might be privacy engineers, or might be security by design engineers, privacy by design of experts, or even those professionals that are upskilling in privacy, it's important to actually align together to have this kind of risk conversation from the beginning by default, rather than you have this like, oh, after the fact.
And this is where I think that you will save a lot of time, even cost, you know, to manage or to minimise the risk.
And I think corporate culture plays a large role in that as well.
And sort of, as you mentioned, building that into the governance programme of organisations, and also, you know, speaking about that to make sure all employees understand the message.
So I was wondering if you'd be able just to give some highlights or tips in terms of advice you provided organisations to ensure that privacy is actually embedded in their corporate culture?
I mean, what three things would you say are the sort of top key things to keep in mind?
Sure. Whenever I have conversation with a global multinational, I would love to have conversation, you know, or perhaps a very honest conversation with a chief transformation officer or chief strategy officer.
Because these are the guys who really shape that kind of corporate culture as part of the digital transformation programme.
Because if you look into the global multinational nowadays, they have combined the word people plus culture, which is very interesting.
So from that point, I would love to understand, right, okay, if you are a global US multinational, or global UK multinational, or EU multinational, and you have operations around the world, in which some of the operations are in emerging markets, or even in jurisdictions that are quite advanced, yet, you know, is good for the business like India and China.
So have you done that kind of culture scanning?
What is a culture scanning means, right? How exactly the perception of privacy in that market?
Okay, they might have a very different understanding about the privacy culture in that particular market.
Because in Asia, generally sharing is caring, really, it's like, oh, you should share the data.
But if you bring that culture in EU or UK, well, no, you can't do that, right?
Comparatively, in the US, it is okay, prior to the CCP, or even other laws that all right, we just sell the data, there's a lot of data brokers, blah, blah, blah.
So again, you know, if you have that kind of cultural conversation at a digital transformation level, with the chief strategy officer, chief transformation officer, and as well as people office and bring that conversation with the CPO, with the CISO, with the chief data governance officer, data ethics officer, that kind of holistic approach will definitely will help to shape that kind of language and tone.
Okay, in order to do that kind of know your data campaign linked to the culture of the organization.
Yeah. Perfect. And then sort of the sort of most logical question moving on from there, I think is sort of one of the three biggest challenges for data privacy professionals at the moment, be that sort of in the legal sector, or also in the engineering side, with kind of all of the movements in the privacy landscape going on.
Yeah. As you know, both of us are a fellow member of the IPP European Advisory Board, as you're fully aware, the IPP has been, you know, a great, you know, international non -profit organization that has been advocating and championing, you know, privacy professionals in terms of upskilling, certification, engagement, thought leadership, and as well as networking, you know, with the market.
Through my observation, Titi, I suppose you might have a similar observation as well, I would say 70 to 80% of privacy professionals have legal background, maybe more than that.
Right. So it actually, you know, gives certain impression that if you don't have a legal background, you can't be a privacy professional.
That is no. If you have a security background, if you have HR background, you have a marketing background, even if you have like analytics background, data science background, that's even better.
Because I would love to engage with these guys, you know, to understand the technicalities, you know, of the sophistication of that particular subject, and then blend it with, okay, the compliance aspect, the principles aspect, and all the legal aspect.
And this is where we really need a lot of work to do in terms of the so called resource of expertise to blend and to learn and we can learn each other in this space.
So that's the first. Second, I've seen a lot of international associations, not just like IPP, but also Specific Security Association, Data Governance Association, Sedona Conference, you know, kind of association and other association where they are very much focusing on that particular technical subject matter expert based on your certified, you know, kind of experience, it would be good to actually like have collective and collaborative kind of environment to upskill, you know, this together and learn from each other.
And this is where I think that the market needs to really react towards it.
And then the third, which is equally important is the level of investment and time.
When I say level investment in time, it might be via way of coaching, it might be by way of upskilling the current resource with training via certification, and also to learn from experienced professional, whether privacy or security or data governance professional.
And importantly, really is networking. It is like for me, right, okay, every month, I will make a point to at least network, five new network.
Because for me, I need to learn more from those who have undergone the sophistication of the technical aspects from the platform perspective, even have a legal background, compliance background, risk background, for me, it's important to understand, right, can you tell me how is this technology works?
What is the risk? In a very simple language, like telling to a school children or to a school boy or a school girl, right?
Yeah, yeah, yeah, yeah, yeah. So this is actually like the element that perhaps, you know, can help to get privacy professionals, privacy engineers, security by design engineers to really upskill themselves in the market.
Perfect.
And then just shifting back to Europe for a moment, sort of following the judgment back in 2020, I was just wondering what sort of trends you've seen come into Europe, sort of following that judgment and kind of what your thoughts are, in terms of where we're going.
And also, if you think this year is the year that we perhaps will have a new version of the privacy shield out?
I would love to answer that question if I were to be the regulator, but right, okay, so as you know, because all of this decision, you know, came during the COVID scenario.
And then, of course, a lot of organizations, or perhaps the CISO, or even the General Counsel, or the CPO, the DPO that I've had conversation with, I think similar with you, Tillie, went through your network.
So most really want to focus with the how is this decision will impact my current process activities, right?
Okay, of course, there's a limit of SCCs, and there's also those who are BCR approved, still need to continue to continue your BCR program with additional before the compliance.
There's actually more for the matured organization truly understand, you know, what they need to do from the operationalization on paper perspective, SCC, BCR, blah, blah, blah.
But the reality that we've seen on the ground today is that there are many startups, there are many small medium enterprises, where they are processing voluminous of data, even as a data, you know, data controller, but they do not have that kind of compliance operational guidance.
And partly because, right, okay, they do not, they do not have, like, a very, very dedicated DPO in the organization, partly because they actually outsource the DPO function to, you know, a consultant, or perhaps, you know, a professional.
So my point here is that, okay, when it comes to the optionalization aspect of PostRank, we've seen the diverse approach of different organizations, irrespective of the governance structure, where they started to see, right, okay, yes, there is SCC, once I've signed this SCC, what is it exactly that I need to do to manage the risk?
And this is where, you know, the question actually stopped, or perhaps, you know, they need a practical solution or practical based answer.
So that's the first challenge.
There's another challenge, clearly, is that because of this judgment, it also gives certain complexity for those companies, organizations that transfer data to countries like China, to countries which have data localization requirements, like Russia, like Turkey, even to jurisdictions that impose localization requirements in their contracts, whether it's public sector contracts, or financial services contracts, so to speak.
And because of this risk, they have to go towards the third approach, or the third challenge, or face a third challenge, which they have to decentralize the data.
Okay, because some of these organizations are actually transferring data in the cloud.
So even though they are using different cloud, different cloud model, so they need to think about how exactly security comes in, you know, to minimize the risk, and to address this localization requirements, not only from the compliance perspective, but also the technical solution perspective.
And until today, that technical solution perspective is still a gray area, has not been seen like a perfect solution to address localization, even though decentralization is the trend, you know, by virtue of this Shrem's judgment.
And because of that, Chief Risk Officer, DPO, CPO, CISO, Chief Data Governance Officers started to think, to think about, right, let us de-risk the data based on the data sets and categories, in the event that, okay, we have to keep on, you know, transfer this data post-Shrem decision.
Again, I know there's no like concrete answer to your question, but we have to see from different risk lines here.
No, absolutely. And thank you for that.
So, I mean, the next question is, I know you don't have a crystal ball, but I was just wondering, sort of, where do you see data protection sort of moving in the next sort of five to 10 years in Europe and generally in the EMEA region?
Sure. From the BIRDS-IV perspective, Tilly, when I first read the GDPR tax, right, I was so impressed with the one-stop shop.
Wow, this is great. It's like, you know, every regulators will work together, every regulators will coordinate themselves, the enforcement, every regulators will provide the guidance, but in reality, as you have experienced or have been experiencing, like myself as well, it's not that two one -stop shop.
So, that kind of direction is a little bit drifted apart from the intent, the strategic intent or the legislative intent.
So, I anticipate that this, we should rebrand that one-stop shop to agile-stop shop.
So, what I meant by agile-stop shop is that, right, okay, because of the different approaches of regulators and the individual leadership of the regulators, right, we have to be very agile in terms of managing the regulators and likewise, from the regulatory side, to manage the businesses based on sector by sector.
So, that's the first, kind of prediction, that kind of one-stop shop to converge or potentially leading towards that agile one-stop shop, you know, kind of approach.
And then second, I would say that because of geopolitics, in my view, in next three to five years, India, China, even Russia, okay, would actually take a much more, I would say, tactical and strategic position when it comes to the enforcement of their respective laws because of the data localisation.
And this is something which, in my view, the European Data Protection Board, even the individual regulators of the European Economy Area, the UK ICO, even in the US, they need to think about, you know, this issue as part of parcel, you know, of the global data transfer or perhaps data enforcement in the next three to five years.
And the third, which is equally important, and I think from the resourcing, the upskilling, and as well as how exactly we need to tell to the world that data protection laws, privacy laws, okay, whatever laws that link to the data, whether it's actually the omnibus laws or the sector specific laws, would not undermine your business and innovation, okay.
Because the message that we receive, especially for companies that use data broking as a business model is that, oh my goodness, if this is the law, we can't do business.
And that is where, you know, the thin line is how to draw that thin line.
On the one hand, that's compliant. On the other hand, all right, we have to come up with a sophisticated and workable model, just to ensure there's a balance to be drawn.
And I know it's a very delicate debate because of the historical jurisprudence of the EU when it comes to data protection and privacy, separately as well.
Yeah. Well, perfect. Well, unfortunately, we're about out of time.
So thank you so much, Norris, for running us through all of these sort of global trends that are going on and giving us an overview of the privacy landscape.
And we'll wait to see what 2022 has in order for us.
So thank you so much again, and I hope you have a good Data Privacy Day. Thank you.
Thank you so much, Julie. What is caching? In caching, copies of files are saved in a temporary storage location, known as a cache, for quick and easy retrieval.
In the context of a content delivery network, or CDN, a website's files are cached onto a distributed set of CDN servers.
Imagine a user in Tokyo trying to access a website hosted in Los Angeles.
The user's request will have to travel over 5,000 miles to reach the web server, and the response will have to cover the same distance.
That can take a long time. A globally distributed CDN can cache the website's files in CDN servers around the world.
This way, when a user in Tokyo wants to access a website 5,000 miles away, they can minimize latency by getting the files from a CDN server close to them.
What is a WAF?
A WAF is a security system that uses a set of rules to filter and monitor HTTP traffic between web applications and the Internet.
Just as a tollbooth allows paying customers to drive across a toll road and prevents non-paying customers from accessing the roadway, network traffic must pass through a firewall before it is allowed to reach the server.
WAFs use adaptable policies to defend vulnerabilities in a web application, allowing for easy policy modification and faster responses to new attack vectors.
By quickly adjusting their policies to address new threats, WAFs protect against cyberattacks like cross -site forgery, file inclusion, cross-site scripting, and SQL injection.