RSA Conference Security Panel Isn't Worried about GDPR


SAN FRANCISCO — There are an increasing number of privacy policies around the world, including the European Union's General Data Protection Regulations (GDPR) that have the potential to cause trouble for American technology firms. At the annual privacy panel during the RSA Conference today, privacy lawyers for Google, Cisco and Microsoft detailed their views on the current state of privacy.

The privacy panel in past RSA Conference events has had its share of controversy, in particular the 2013 event involved a heated exchange between privacy executives from Google and Microsoft, but that was not the case this year. In fact, the panelists this year were quite cordial with one another and agreed on nearly every topic discussed.

Microsoft Assistant General Counsel Geoff Brown said his company has "a lot of people" working on privacy, which was a sentiment echoed by Michelle Dennedy, Vice President and Chief Privacy Officer at Cisco, as well as Keith Enright, Director of Global Privacy Legal at Google.

At Cisco, Dennedy emphasized that privacy is a full board-level discussion, and CEO Chuck Robbins takes an active interest in the topic, viewing data as a critical asset.

The intersection of privacy and security is another topic that the panelists agreed on. For Google, Enright said the company has always recognized that privacy and security are complementary disciplines. Five years ago, he said, privacy was often started as a legal conversation, but in the last couple of years, Google has driven deep integration of privacy through its engineering teams in a very deliberate manner.

GDPR regs

The upcoming GDPR regulations in the EU represent a murky area of privacy that is not yet fully defined. Trevor Hughes, President and CEO of the International Association of Privacy Professionals, said at this point, GDPR compliance is being done as a best guess, as the rules don't come into effect until 2018.

Enright said Google always wants to put the most useful information in front of users so they can make decisions. Currently, though, he noted that there is a lot of ambiguity in the GDPR, and the best thing to do right now is to have a good faith effort to protect data and privacy.

Machine and artificial intelligence is also unclear in how it might relate to GDPR compliance. Microsoft's Brown said it is incumbent upon the technology industry to explain how AI works and to emphasize that it is being used in the service of humanity.

Overall, the panelists emphasized that dealing with privacy can be complex, but it doesn't have to be overwhelming. Brown said that to manage the complexity, it's important for organizations to have strong policies in place. Enright said it's important to invest in user education and digital literacy.

"You just have to make users more sophisticated and help them to interact with technology in an intelligent and informed way," Enright said.

Sean Michael Kerner is a senior editor at eSecurityPlanet and Follow him on Twitter @TechJournalist.