RSA: Learn About the International Association of Privacy Professionals (Video)

Video no longer available.

Today's video is an interview with the Corporate Alliance Director and the Chief Technology Officer of the International Association of Privacy Professionals (IAPP), a non-profit organization that claims it is "...the largest and most comprehensive global information privacy community and resource, helping practitioners develop and advance their careers and organizations manage and protect their data." In other words, it's not the same as the much-beloved Electronic Privacy Information Center (EPIC), but is -- as its name implies -- a group of people engaged in privacy protection as part of their work or whose work is about privacy full-time, which seems to be the case for more and more IT and Web people lately, what with HIPAA and other privacy-oriented regulations. This is a growing field, well worth learning more about.

Wills: I am Wills Catling with the IAPP, the International Association of Privacy Professionals. I am the Corporate Alliance Director for the IAPP.

Tim: Now what is that organization all about?

Wills: The IAPP is a not-for-profit association for individuals that are working with data privacy and information privacy on many different levels, whether it is within the US or globally, but they all face different challenges and these challenges continue to evolve and change on a regular basis. In the IAPP, our mission is to design, enhance and grow the privacy profession and to provide education, networking and certification to people in this profession, to help them stay current with what is going on, and to help them understand the fast moving landscape.

Tim: What are some examples of people who are going to be in that category? You mentioned that there are lots of different levels. What are some of those levels?

Wills: Yes, from an individual perspective, it could be usually the highest position is the chief privacy officer, and then there are layers below that, you’ve got privacy managers, you have privacy analysts, and just general staff who work in a privacy team. There are also a lot of individuals who work in legal departments, general counsel, and then also we are finding that within the IT world and the infosec world, there are definitely individuals now that are starting to find privacy that is becoming in data privacy, is becoming one of their, not necessarily their core duties, but it may take up 25% to 50% of their time.

Tim: Now you operate internationally. Are there different challenges that is faced in the low privacy, things that are different in say, the European legal climate versus American?

Wills: Yeah, I mean, America has a very different legal system, and privacy is driven very differently in the United States than it is in the European market and the Canadian market, for example, so if you are a global organization and you’ve got data that’s in multiple countries, and multiple jurisdictions, you need to be aware of the challenges that are presented to you by what’s going on in Europe, and if you want to move data around Europe, obviously within Europe there are multiple countries, and the way that the English view data privacy and how data is handled is slightly different from how the French or the Germans view it, and therefore there is also an European overview that sits around that as well. So there is a lot of different legislation that a privacy professional needs to be comfortable with, to make sure that they are handling that data, storing that data, moving that data, or in any way touching that data, making sure that they are compliant with what that jurisdiction wants and requires of them.

Tim: Can you give some examples of things that are different between any two of these various places in the world? What sort of things does a professional in this world need to know?

Wills: Wow, there is a lot of difference, the fundamental difference, I mean in the United States privacy is driven more in a sectorial fashion, so we look at privacy from we have legislation

Tim: Like HIPAA?

Wills: HIPAA governs the healthcare industry, HITECH is in healthcare industry, and you’ve got GLBH, Gramm Leach Bliley which is applicable to the financial services side of things, whereas in Europe privacy is more of a fundamental right that sits over the whole of the country. So they don’t break it down sectorially, and say, well in the financial field, we are going to treat data differently, we will have different requirements than we do in the healthcare industry.

Tim: Do American companies end up trying to shift to a wider view of privacy to comply with European law?

Wills: It would be difficult for me to comment on what American companies do, because they are all going to have different viewpoints, and they are going to look at things from what their legal departments tell them they can and cannot, and should do. Obviously, you have to, as a privacy professional, understand what the US requires you to do, and understand what the European countries and nations and members require you to do, and understand that those requirements are different for both countries, and you are going to have to make sure you are compliant with both of them, so that you don’t fall afoul of the legal bodies within those countries.

Tim: So one of the things that IAPP does then as an educational source is it serves as a clearing house for that sort of information?

Wills: Yes, we offer educational certification and training to our members and to nonmembers. And we certainly try and reach out and use our bodies of knowledge which live within our certifications and we try and use that to help educate members on what are the common practices within these different jurisdictions and what the legislations are that they should be aware of, because obviously somebody who is working in an actuarial position, or somebody who is working in a financial position is going to have different challenges than somebody let’s say who works in a HR team.

So we try and make sure that we cover all of the different industries and all of the different regulations so that somebody would understand what they can and cannot do, and raise their level of knowledge. They are not always going to want to be a privacy professional because they might sit within a different vertical, but they are going to want to have enough knowledge so that they can do their job to a higher degree, and also make themselves give themselves a greater understanding of what they should and shouldn’t be doing maybe ethically as well as professionally.

Tim: One more thing. What does it cost to be involved as a member, as an individual or corporations, do they get a full corporation discount, how does it work?

Wills: Yes, we have different levels of membership. We have everything from students and government members, they can join for $100 a year. A professional can join for $250 a year. And then we do reach into the corporations. Corporation memberships start at $3000 and they can go all the way up to $25,000. And the biggest difference is that the higher the level of membership that you purchase, the more individual memberships that come within that group membership. So it is discounting the numbers, it is enabling a large organization to offer those membership benefits to multiple individuals not just in maybe one office but around the world.

Jeff: I am Chief Technology Officer at the International Association of Privacy Professionals.

Tim: Okay. Now what does that mean you do?

Jeff: So, I oversee all the IT functions of the organization, as well as do public outreach to the IT and information security community, supporting what we do.

Tim: Okay. We just talked with somebody else in your organization but that was more about what the organization does on a broad scale. Let me ask you a little bit about the importance of privacy. We heard organizations rather a lot of things have to do with privacy, they touch on personal data, and indemnity, privacy, what is the big picture right now? What does your group have to do with it?

Jeff: So the big picture of privacy and why it is becoming such an important topic is there is a tension in the marketplace. On one side, you have people who are sort of discomfited or uncomfortable with the secondary uses of the data they are giving out. We give out thousands of points of our personal data all day long every day. We’re happy to do it through social media or search providers, or talking to a doctor, or using credit cards. They help improve our daily life, but it is the secondary uses of the data. Who else has the data? Where is it being stored? How else is it being used? And do I have control over it? It makes people uncomfortable. That’s one side.

On the other side, you have the emergence of technology where the current evolution of data analytics, data mining, and data collection techniques or big data is driving innovation, it is bolstering our economy. It is improving our quality of life in any number of ways. But the fuel for that technology engine is the same personal data that people fear of divulging too much of. They fear the secondaries. And that is causing a great tension. And right now, what we are seeing is industry regulators and lawmakers are working to reduce that tension. But it is a tremendous challenge. How do you reduce the uses of secondary information, or prevent the uses of secondary information without stifling innovation.

Tim: Now there are groups out there like EFF and like the ACLU that are I think using public attention and even legislative moves, court moves sometimes to address some of these issues? How do you contrast this professional organization with groups like that?

Jeff: Sure. You have organizations like the EFF and the ACLU that are working to support the desire for the public to remain anonymous. You have certainly corporate influences that are working to show the benefits of the uses of personal information for that technological evolution, and the tension that they are fighting, and we the IAPP is a non-advocacy organization, so we love them all, we support them both, and work to educate the public on the tension that is out there, and promote the people that are working to reduce that tension in reasonable ways.

Tim: One thing that has come to the fore in the last year, a couple of years actually, is deep packet inspection. And the privacy to that can often destroy it. So is there a particular thing that you tell people when it comes to deep packet inspection? What is the biggest message to give about that?

Jeff: I am not going to say, I am not going to talk about deep packet inspection. It is a very sensitive... and again there are two sides of the deep packet inspection, and I can’t support either of them.

Tim: Understood. All right. Well, Jeff thanks very much for talking to us. I appreciate it. Thanks very much.

Jeff: You’re welcome, Tim or Timothy?

Tim: It doesn’t matter, it is all the same.