Scott David, J.D., LL.M. Principal Consulting Analyst
He was formerly the Executive Director of the Law, Technology and Arts Group at UW School of Law, is an active member of the World Economic Forum’s Global Agenda Council on Data Driven Development, the MIT/KIT Advisory Board, and the Open Identity Exchange Advisory Board. Prior to joining the University of Washington, Scott worked as an attorney for 30 years focused on counseling commercial and governmental entities worldwide in the structures and transactions of technology and business networks with an emphasis on online commerce, data security, privacy, digital risk, standard setting, and emerging intangibles value propositions. Scott was a partner at K&L Gates (formerly Preston, Gates & Ellis) from 1992 to 2012.
Key Focus Areas:
- Governance, Risk and Compliance (GRC)
- Privacy Beyond Compliance (PBC)
- Security information intelligence and sharing
Recently Published Research
Privacy Beyond Compliance
- The relationship between privacy-related sunk costs and overall enterprise information system integrity
- The value of looking at privacy issues through the broader enterprise risk lens
- The opportunity to convert privacy costs into positive business outcomes
- The value of focusing on socio-technical system reliability
- Integrating privacy costs into the overall enterprise risk planning
New European Privacy and Data Protection Regulations
Updates to the rules relating to data protection and privacy in Europe are long overdue, and are even more so in the rest of the world. New European legislation will replace the current chaos, in which each EU Member State has its own separate directive, with a brave new world in which there will be one law across all of the EU, implementing stiff penalties for violations. The new legislative landscape will require any business operating in Europe, including US multinationals, to make considerable changes to their data protection policies and strategies within the next two years, in advance of the legislation coming into full force in 2018.
To complicate matters, in October 2015 the European Court of Justice ruled in a landmark case against Facebook that the 15-year-old Safe Harbour agreement between the EU and the US is no longer valid because it does not offer sufficient protection to the fundamental rights of Europeans. Consequently, every national data protection authority is currently empowered to examine any US-bound data transfers on a case-by-case basis.
In the absence of clarity about the proposed EU-US Privacy Shield, the current limbo, whereby the old rules have been torn up and data monitoring and enforcement is in the hands of individual national data protection authorities, is a potential minefield for US multinationals as well as US-based cloud service providers who are seen as not supporting European privacy laws.
This document examines the current set of rules, the proposed new legislation and what this will entail for European and US businesses responsible for any data relating to EU citizens. In it we present a five-step process to best position organizations to address both rapidly evolving European data protection and privacy directives and the ever-growing challenges of protecting enterprise data assets. These steps include:
- Getting started and understanding what is new, including the need for data protection or privacy impact assessments (DPIA/PIA) and a data protection officer (DPO)
- What data subjects will expect of data controllers, including assessing and defining valid consent, the limited right to erasure and data portability
- Being prepared for when something goes wrong and how best to position for a data breach
- What to do next, including conducting a formal PIA in the brave new world of the General Data Protection Directive (GDPR)
- Informing stakeholders and raising awareness, including employees, business partners, suppliers, technology partners, cloud service providers and supervisory authorities