
RSA: Learn About the International Association of Privacy Professionals (Video)

Today's video is an interview with the Corporate Alliance Director and the Chief Technology Officer of the International Association of Privacy Professionals (IAPP), a non-profit organization that claims it is "...the largest and most comprehensive global information privacy community and resource, helping practitioners develop and advance their careers and organizations manage and protect their data." In other words, it's not the same as the much-beloved Electronic Privacy Information Center (EPIC), but is -- as its name implies -- a group of people engaged in privacy protection as part of their work or whose work is about privacy full-time, which seems to be the case for more and more IT and Web people lately, what with HIPAA and other privacy-oriented regulations. This is a growing field, well worth learning more about.

Wills: I am Wills Catling with the IAPP, the International Association of Privacy Professionals. I am the Corporate Alliance Director for the IAPP.

Tim: Now what is that organization all about?

Wills: The IAPP is a not-for-profit association for individuals that are working with data privacy and information privacy on many different levels, whether it is within the US or globally, but they all face different challenges and these challenges continue to evolve and change on a regular basis. In the IAPP, our mission is to design, enhance and grow the privacy profession and to provide education, networking and certification to people in this profession, to help them stay current with what is going on, and to help them understand the fast moving landscape.

Tim: What are some examples of people who are going to be in that category? You mentioned that there are lots of different levels. What are some of those levels?

Wills: Yes, from an individual perspective, usually the highest position is the chief privacy officer, and then there are layers below that: you’ve got privacy managers, you have privacy analysts, and just general staff who work in a privacy team. There are also a lot of individuals who work in legal departments, general counsel, and then also we are finding that within the IT world and the infosec world, there are definitely individuals now that are starting to find that data privacy is becoming one of their, not necessarily their core duties, but it may take up 25% to 50% of their time.

Tim: Now you operate internationally. Are there different challenges that are faced in the low privacy, things that are different in, say, the European legal climate versus American?

Wills: Yeah, I mean, America has a very different legal system, and privacy is driven very differently in the United States than it is in the European market and the Canadian market, for example, so if you are a global organization and you’ve got data that’s in multiple countries, and multiple jurisdictions, you need to be aware of the challenges that are presented to you by what’s going on in Europe, and if you want to move data around Europe, obviously within Europe there are multiple countries, and the way that the English view data privacy and how data is handled is slightly different from how the French or the Germans view it, and therefore there is also an European overview that sits around that as well. So there is a lot of different legislation that a privacy professional needs to be comfortable with, to make sure that they are handling that data, storing that data, moving that data, or in any way touching that data, making sure that they are compliant with what that jurisdiction wants and requires of them.

Tim: Can you give some examples of things that are different between any two of these various places in the world? What sort of things does a professional in this world need to know?

Wills: Wow, there is a lot of difference, the fundamental difference, I mean in the United States privacy is driven more in a sectorial fashion, so we look at privacy from we have legislation

Tim: Like HIPAA?

Wills: HIPAA governs the healthcare industry, HITECH is in the healthcare industry, and you’ve got GLBH, Gramm-Leach-Bliley, which is applicable to the financial services side of things, whereas in Europe privacy is more of a fundamental right that sits over the whole of the country. So they don’t break it down sectorially, and say, well in the financial field, we are going to treat data differently, we will have different requirements than we do in the healthcare industry.

Tim: Do American companies end up trying to shift to a wider view of privacy to comply with European law?

Wills: It would be difficult for me to comment on what American companies do, because they are all going to have different viewpoints, and they are going to look at things from what their legal departments tell them they can and cannot, and should do. Obviously, you have to, as a privacy professional, understand what the US requires you to do, and understand what the European countries and nations and members require you to do, and understand that those requirements are different for both countries, and you are going to have to make sure you are compliant with both of them, so that you don’t fall afoul of the legal bodies within those countries.

Tim: So one of the things that IAPP does then as an educational source is it serves as a clearing house for that sort of information?

Wills: Yes, we offer educational certification and training to our members and to nonmembers. And we certainly try and reach out and use our bodies of knowledge which live within our certifications and we try and use that to help educate members on what are the common practices within these different jurisdictions and what the legislations are that they should be aware of, because obviously somebody who is working in an actuarial position, or somebody who is working in a financial position is going to have different challenges than somebody, let’s say, who works in an HR team.

So we try and make sure that we cover all of the different industries and all of the different regulations so that somebody would understand what they can and cannot do, and raise their level of knowledge. They are not always going to want to be a privacy professional because they might sit within a different vertical, but they are going to want to have enough knowledge so that they can do their job to a higher degree, and also give themselves a greater understanding of what they should and shouldn’t be doing, maybe ethically as well as professionally.

Tim: One more thing. What does it cost to be involved as a member, as an individual or corporations, do they get a full corporation discount, how does it work?

Wills: Yes, we have different levels of membership. We have everything from students and government members, they can join for $100 a year. A professional can join for $250 a year. And then we do reach into the corporations. Corporation memberships start at $3000 and they can go all the way up to $25,000. And the biggest difference is that the higher the level of membership that you purchase, the more individual memberships that come within that group membership. So it is discounting the numbers, it is enabling a large organization to offer those membership benefits to multiple individuals not just in maybe one office but around the world.

Jeff: I am Chief Technology Officer at the International Association of Privacy Professionals.

Tim: Okay. Now what does that mean you do?

Jeff: So, I oversee all the IT functions of the organization, as well as do public outreach to the IT and information security community, supporting what we do.

Tim: Okay. We just talked with somebody else in your organization but that was more about what the organization does on a broad scale. Let me ask you a little bit about the importance of privacy. We heard organizations rather a lot of things have to do with privacy, they touch on personal data, and indemnity, privacy, what is the big picture right now? What does your group have to do with it?

Jeff: So the big picture of privacy and why it is becoming such an important topic is there is a tension in the marketplace. On one side, you have people who are sort of discomfited or uncomfortable with the secondary uses of the data they are giving out. We give out thousands of points of our personal data all day long every day. We’re happy to do it through social media or search providers, or talking to a doctor, or using credit cards. They help improve our daily life, but it is the secondary uses of the data. Who else has the data? Where is it being stored? How else is it being used? And do I have control over it? It makes people uncomfortable. That’s one side.

On the other side, you have the emergence of technology where the current evolution of data analytics, data mining, and data collection techniques or big data is driving innovation, it is bolstering our economy. It is improving our quality of life in any number of ways. But the fuel for that technology engine is the same personal data that people fear divulging too much of. They fear the secondaries. And that is causing a great tension. And right now, what we are seeing is industry regulators and lawmakers are working to reduce that tension. But it is a tremendous challenge. How do you reduce the uses of secondary information, or prevent the uses of secondary information, without stifling innovation?

Tim: Now there are groups out there like EFF and like the ACLU that are I think using public attention and even legislative moves, court moves sometimes to address some of these issues? How do you contrast this professional organization with groups like that?

Jeff: Sure. You have organizations like the EFF and the ACLU that are working to support the desire for the public to remain anonymous. You have certainly corporate influences that are working to show the benefits of the uses of personal information for that technological evolution, and the tension that they are fighting, and we, the IAPP, are a non-advocacy organization, so we love them all, we support them both, and work to educate the public on the tension that is out there, and promote the people that are working to reduce that tension in reasonable ways.

Tim: One thing that has come to the fore in the last year, a couple of years actually, is deep packet inspection. And the privacy to that can often destroy it. So is there a particular thing that you tell people when it comes to deep packet inspection? What is the biggest message to give about that?

Jeff: I am not going to say, I am not going to talk about deep packet inspection. It is a very sensitive... and again there are two sides of the deep packet inspection, and I can’t support either of them.

Tim: Understood. All right. Well, Jeff thanks very much for talking to us. I appreciate it. Thanks very much.

Jeff: You’re welcome, Tim or Timothy?

Tim: It doesn’t matter, it is all the same.

  • There's privacy? (Score:5, Informative)

    by simplypeachy ( 706253 ) on Tuesday March 05, 2013 @04:03PM (#43082651)
    A visit to their homepage helpfully tells Comodo, Twitter, UserTrust and Google about your visit and drops several cookies, some lasting one or two years. But it's OK - it all goes via SSL so it must be good for privacy.
    • by Dins ( 2538550 )

      The "Platinum Members" listed at the bottom of their site include: Accenture, AstraZeneca, Capital One, Deloitte, Ernst & Young, Edelman, HP, Intel, KPMG, LexisNexis, Microsoft, Ponemon, Promontory, and PWC.

      Now in the great /. tradition, I did not read TFA nor watch TFV, but I doubt the listed companies truly have our privacy best interests at heart.

      • They are essentially pimps with respect to privacy: It's not that they have your good at heart; but they have a very strong interest in making sure that only paying customers get access.

    • A visit to their homepage helpfully tells Comodo, Twitter, UserTrust and Google about your visit and drops several cookies, some lasting one or two years. But it's OK - it all goes via SSL so it must be good for privacy.

      The very existence of 'privacy professionals' as a thing is largely predicated on a rather...tense...view of privacy: specifically, that we will generate and store a fuckton of data about you; but then we'll hire a guy to make sure that the data are only accessed in compliance with HIPAA and/or after the payment has cleared...

      They are really more 'transparency compartmentalization' than 'privacy'.

      • ... And once you go down THAT path then it becomes a Zork maze of twisty passages and onion layers that would *make you legally insane* *during* your trial for something. "So, you belonged to the association of privacy professionals, and then you sold some of your data for cash to marketers, and then after that your database got hacked... remind the court exactly what you used to do again for a living?"

        (And since that group is full of general counsels, this is commentary, opinion, and cast in a hypothetica

      • a question about units... is that a "metric fuckton" or an "imperial fuckton" of data to which you are referring?
        Of course, along with having HIPAA compliance goes two types of caveats: you can accidentally and unmeaningly waive your right to privacy by signing up with a non-covered entity such as Google health [wikipedia.org], (that link is to the privacy concerns portion). Even though Google health is kaput, others are following in the wake of privacy obliteration. The other caveat is the sharing of data w
        • by t4ng* ( 1092951 )

          Add to that, that many people mistakenly think that the 'P' in 'HIPAA' stands for Privacy. It does not. It stands for Portability. There are only vague references to data privacy and security in HIPAA. It is mostly about making data portable between organizations to make it easier for insurance companies, hospitals, doctors, lawyers, etc. to share your medical and financial information. Your local clinic could still be using unencrypted wifi. They could have a server in their closet that gets stolen a

      • I'm a bit jealous, these people were able to spin a brand new role out of virtually nothing, but there's a giant elephant in the room here, what happens when the privacy professional gets breached? I doubt they're any special, or have a crystal ball for predicting zero days, so say they get breached, your data is compromised... you're getting sued by your customers... you go to sue the privacy firm, who closes doors and goes chapter 7. I would rather throw my data in the cloud lol. At least you can then s

  • ... and the likes of stupid tech illiterate people. Look at how willingly people put their public data online on facebook and linkedin, etc. The whole idea of privacy is something that can't be put back in the box. It only takes one stupid person who doesn't understand technology to post a pic or say something on facebook to reveal something about you directly or indirectly.

    Now especially with the likes of google and others having developed techniques to identify people from non-anonymous and pseudononym

    • Reminds me of the few times that I've read of somebody "anonymously" posting a picture about a crime they committed online, but they failed to realize that the picture had embedded date/time and GPS coordinates which the police used to very easily isolate and track them down.

    • Right, I don't even know who to reply to, all the early comments are hitting useful markers in the discussion, and it's a big complicated mess. It's full of "chief compliance officers", supposedly people whose jobs do "sorta" depend on not blundering too badly.

      But then other people are remarking on the de-anon of data, "Platinum Members", cookies and web beacons "that provide functionality", a shameless admission of Google Analytics (really?! they couldn't grow their own?!) and more.

      This story and this enti

    • "Days of privacy are over with technology..."

      I think I have to call BS here. Our privacy issues are far more due to our shitty laws than they are due to technology. It would be trivial to outlaw tracking, pixel bugs, etc. if only the American people had the will to do it. Technology, per se, is not the villain here. Congress is.

      • The problem isn't with the laws, even if you fixed the laws there's no way it's enforceable. If you're not on facebook but your sister is and your sister inputs data that links back to you. It's trivial to gather more when others indirectly leave breadcrumbs. When people publicly expose themselves on the net they don't fully grasp what that means technologically. So although YOU might be careful with your data other people can expose you indirectly so it becomes unenforceable very quickly.

        • "If you're not on facebook but your sister is and your sister inputs data that links back to you. It's trivial to gather more when other indirectly leave breadcrumbs."

          The example you give is such a tiny fraction of the big issue that it can safely be ignored. If you don't like it, just don't use Facebook. End of problem.

          The big privacy invader that is done often without people knowing is tracking.

          And an anti-tracking law would be very easy to enforce. Tracking is ridiculously easy to detect. If there were an anti-tracking law, then people would know and trackers would get caught.

          Besides... it is currently against the law in the U.S. to track anybody under the ag
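The first comment in this thread complains that the IAPP homepage reports the visit to several third-party hosts and sets cookies lasting one or two years, and the comment above claims that tracking is easy to detect. The script below is an added example (not from Slashdot, the commenters or the IAPP) of the kind of audit a privacy engineer would run over a page load: it flags requests to hosts outside the first party's registrable domain and cookies whose declared lifetime exceeds a threshold. All hosts, headers and timestamps are constructed placeholders, and the registrable-domain helper is a simplification that ignores the Public Suffix List.

```python
# Audit a page load for third-party hosts and long-lived cookies (constructed
# sample data only; hosts and headers below are placeholders, not real captures).
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

ONE_YEAR = timedelta(days=365)

def registrable_domain(host):
    # Simplified eTLD+1 (last two labels): fine for .com/.org hosts; a real
    # audit should use the Public Suffix List so that e.g. co.uk is handled.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def cookie_lifetime(set_cookie, now):
    # Lifetime of one Set-Cookie header; None means a session cookie.
    # Max-Age takes precedence over Expires (RFC 6265, section 5.3).
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value.strip()
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # treat a naive date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None

def audit(first_party, requests, now, max_life=ONE_YEAR):
    # Flag hosts outside the first party's registrable domain and any cookie
    # (first- or third-party) whose lifetime exceeds max_life.
    site = registrable_domain(first_party)
    third_parties, long_cookies = set(), []
    for req in requests:
        host = req["host"]
        if registrable_domain(host) != site:
            third_parties.add(host)
        for header in req.get("set_cookie", []):
            life = cookie_lifetime(header, now)
            if life is not None and life > max_life:
                long_cookies.append((host, header.split("=", 1)[0], life.days))
    return {"third_parties": sorted(third_parties), "long_lived_cookies": long_cookies}

# Constructed page load: the first-party HTML plus the resources it pulls in.
NOW = datetime(2013, 3, 5, 16, 0, tzinfo=timezone.utc)
SAMPLE_LOAD = [
    {"host": "www.privacy-site.example", "set_cookie": [
        "sid=abc123; Path=/; Secure; HttpOnly",
        "pref=en; Max-Age=63072000; Path=/"]},  # Max-Age of two years
    {"host": "cdn.privacy-site.example"},
    {"host": "analytics.tracker.example", "set_cookie": [
        "_ga=GA1.2.1; Expires=Thu, 05 Mar 2015 16:00:00 GMT; Path=/"]},
    {"host": "widgets.social.example", "set_cookie": ["guest=1; Max-Age=3600"]},
]
```

Running `audit("www.privacy-site.example", SAMPLE_LOAD, NOW)` reports the two tracker hosts and the two 730-day cookies, while the session cookie and the one-hour cookie pass.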

  • If you've heard about them, then they aren't any good at what they do.

  • I don't just want to learn about them. I want to know their names, where they work, where they live, the stuff they buy at the grocery store. Everything.
