Name: J. Trevor Hughes
Title and company: President & CEO, International Association of Privacy Professionals (IAPP)
Number of years in the information security industry: 25
RSAC: What was your first job in the privacy industry?
Hughes: My first job out of law school involved advertising and ecommerce issues for a large insurance company. So I have been working in and around privacy for almost 25 years.
RSAC: If you weren’t working in the privacy world, what would you be doing?
Hughes: I have always leaned towards tough tech policy issues. So I imagine I would be working on some of the complex problems in the tech policy space – content moderation, algorithmic transparency, data ethics.
RSAC: What does the RSA Conference 2019 theme of “Better” mean to you?
Hughes: Continuous improvement. RSA Conference will be better this year. But so too will the professionals in the information security field. The global call for better infosec solutions and broader awareness and engagement has never been louder. “Better” is a rallying cry for information security pros to take on that responsibility.
RSAC: What is the biggest challenge facing the privacy industry right now?
Hughes: Complexity. The field of privacy has exploded in the past 20 years. And no prior year has been more complex than 2019. We have a major law in California, a number of federal bills in incubation, GDPR fines, and the instability of Brexit all creating a gauntlet of risk for organizations in the digital economy.
RSAC: Complete this sentence: 2025 will be the year of CONVERGENCE.
Hughes: We are seeing the early indicators that privacy, content moderation, trust, safety, and information security are not siloed roles within an organization. Rather, they are all part of a broad mandate to protect and engender trust in the digital economy. In 2025, privacy pros will need to know how to talk to infosec pros in a productive way. Infosec pros will need to understand the fundamentals of digital ethics. The broad array of digital trust professionals will realize that their functions only work if their skills are hybridized to include other domains.
RSAC: Which sectors/industries are more vulnerable to privacy attacks?
Hughes: Any organization using data in the digital economy is subject to privacy risks. But privacy does not always emerge in the form of “attacks.” Organizations will need to embrace the idea that privacy demands stewardship of data – that they are holding data in trust and must use it accordingly.
RSAC: Google saw the first major fine tied to GDPR compliance; do you expect more GDPR-related fines to come this year? How does Brexit complicate data protection and privacy in Europe?
Hughes: We expect many fines to emerge this year. European regulators are beginning to flex the new fining authority they have under GDPR. But don’t expect whopping numbers. Pay attention to the messages within the enforcement actions. Where are the regulators focused? What issues/practices seem to be attracting the most attention? European data protection authorities will demonstrate through their actions where the largest risks lie.
With regard to Brexit, the data protection issues are again complex and the ability to predict all of the possible outcomes is limited. We certainly see data transfers between the UK and Europe as a hotspot. But so too are the issues of unwinding the regulatory relationships in the UK. Many organizations have been using the UK data protection authority as their primary privacy regulator in Europe. After Brexit, those companies may need to migrate to a new EU regulator.