5 Takeaways from IAPP Global Privacy Summit

The IAPP Global Privacy Summit was held last week in Washington, DC. TokenEx had the privilege of participating in the Summit as a sponsoring vendor.  It was refreshing to get exposed to so many great people, ideas, and developments in this exciting space. But if you didn’t attend, don’t fret. Below are several key take-aways from our experience at the Summit, condensed for your convenience.

  1. GDPR uncertainty continues – particularly in the area of enforcement. Most attendees are unsure what to expect from Data Protection Authorities (DPAs) when the General Data Protection Regulation (GDPR) takes effect on the 25th of May. This uncertainty has been enhanced by the differing “tone” amongst DPAs themselves, with some officials expressing an initial latitude in enforcement and others expressing a less tolerant message. This only reinforces the significance of designating a main establishment for multinational organizations.
  2. The e-Privacy Regulation is coming – so if you’re expecting a breather on the 26th of May after the GDPR takes effect, you won’t get one for long. Birgit Sippel, a member of the EU Parliament from Germany and rapporteur for e-Privacy Regulation, spoke to conference attendees about the significance of the regulation, particularly when it comes to tracking online behavior. Sippel highlighted the importance of consent when processing personal data, as well as the fact that “legitimate interest” as a basis for processing is presently ambiguous. If your organization is expecting to rely on legitimate interest under the GDPR and the e-Privacy Regulation, tread carefully.
  3. GDPR is forcing changes to ‘ad tech’ – but how much change is truly required is still up for debate. The ambiguity around legitimate interest is fueling the debate in part, particularly amongst those advertisers attempting to defend the status quo. Those arguing that the GDPR requires fundamental changes to ad tech expect the industry to be an early enforcement target for DPAs.
  4. Blockchain – may, or may not, transform privacy. It seems you can’t have a conference any longer without at least one blockchain session and the Global Privacy Summit was not an exception. Blockchain presents some interesting challenges when it comes to privacy – or at least privacy law. There are fundamental conflicts between blockchain and the GDPR for example – cross-border data flows and the immutability of the blockchain are just two examples. There seems to be broad agreement that blockchain is a transformative technology, but it’s ultimate impact on privacy remains unclear.
  5. It’s not all about GDPR – privacy laws continue to mature in other jurisdictions. The IAPP released a new version of their U.S. privacy book, “U.S. Private-Sector Privacy” at the conference and was also selling a recently updated edition of “California Privacy Law” in the conference bookstore. There were several sessions on privacy in the Asia-Pacific region with China’s Cybersecurity Law something many attendees were interested in discussing.


In summary, there continues to be frequent, significant changes to the privacy landscape. Organizations need to take a cohesive risk-based approach to data security and their data privacy obligations in order to keep up. The TokenEx Data Security platform is uniquely positioned to assist organizations address their data security and privacy challenges. If you’re not familiar with tokenization but understand pseudonymization for example, please contact us at sales@tokenex.com for an overview of our platform.

TokenEx is the industry leader in data protection. Follow us on Twitter and LinkedIn. John Noltensemeyer, CIPP/E, CIPM, CISSP, ISA, is a Privacy and Compliance Solutions Architect for TokenEx.


Topic(s): data security , HIPAA , PII , tokenization , pseudonymization , GDPR , privacy