For our premium content subscribers

Scott David, J.D., Principal Consulting Analyst
Scott David, J.D., LL.M. Principal Consulting Analyst
Scott David is a Principal Consulting Analyst with TechVision Research and will focus on the intersection of law, technology, and networked information systems, including those affecting traditional IP areas (copyright, patent and trademark) and emerging areas involving data, information and identity issues. Scott is a J.D., LL.M.,and the Director of Policy at the Center for Information Assurance and Cybersecurity at University of Washington.

1 1

He was formerly the Executive Director of the Law, Technology and Arts Group at UW School of Law, is an active member of the World Economic Forum’s Global Agenda Council on Data Driven Development, the MIT/KIT Advisory Board, and the Open Identity Exchange Advisory Board. Prior to joining the University of Washington, Scott worked as an attorney for 30 years focused on counseling commercial and governmental entities worldwide in the structures and transactions of technology and business networks with an emphasis on online commerce, data security, privacy, digital risk, standard setting, and emerging intangibles value propositions. Scott was a partner at K&L Gates (formerly Preston, Gates & Ellis) from 1992 to 2012.

1 1


Key Focus Areas:

  • Governance, Risk and Compliance (GRC)
  • Privacy Beyond Compliance (PBC)
  • Security information intelligence and sharing

Recently Published Research

Privacy Beyond Compliance
Privacy is broken, and people and businesses are paying the price. The costs of privacy compliance keep going up, while the real benefits to individuals (such as customers, employees and independent contractors) keep going down. This foundational research report helps IT executives frame the already-too-broad “privacy” discussion to more cost-effectively deal with compulsory privacy compliance issues. This report explores how companies may get maximum leverage from their privacy compliance costs, and deliver more benefit to their customers, partners, shareholders and employees. “Privacy beyond compliance” is an invitation to embrace privacy compliance costs and even to incur additional costs in those organizational settings where an ounce of privacy prevention may be worth a pound of security or potential liability cure. In the proper circumstances an ROI is possible that potentially converts privacy from an isolated regulatory cost center into an integrated profit center for the well- managed enterprise. In this report, TechVision Research explores the ways in which privacy-related sunk costs can help to improve overall enterprise information system integrity. This report suggests that the ROI from privacy expenses can be improved by thoughtful leverage of unavoidable privacy-related costs, and the report identifies more than a dozen examples of situations in which privacy-related costs can be reasonably managed as a “leveraged investment” toward improving security and/or mitigating other enterprise risks. In this report, we also suggest that “privacy” challenges are a symptom of the underlying illness of enterprise information “leakiness” caused by network complexity. Plugging these leaks requires expenditures directed to improve the reliability of both the technology, the people and the processes in a given enterprise network system. We believe enhancing this “socio-technical” system reliability yields additional benefits by improving security and mitigating a multitude of enterprise risks. This report covers:

  • The relationship between privacy-related sunk costs and overall enterprise information system integrity
  • The value of looking at privacy issues through the broader enterprise risk lens
  • The opportunity to convert privacy costs into positive business outcomes
  • The value of focusing on socio-technical system reliability
  • Integrating privacy costs into the overall enterprise risk planning

New European Privacy and Data Protection Regulations
The EU wants to build a single market fit for the digital age by tearing down regulatory walls and moving away from 28 national markets to a single one that supports the free movement of persons, services, and capital.

Updates to the rules relating to data protection and privacy in Europe are long overdue, and are even more so in the rest of the world. New European legislation will replace the current chaos in which each EU Member State has its own separate directive with a brave new world in which there will be one law across all of the EU, implementing stiff penalties for violations. The new legislative landscape will require any business operating in Europe including US multinationals to make considerable changes to their data protection policies and strategies within the next two years in advance of the legislation coming into full force in 2018.

To complicate matters, in October 2015 the European Court of Justice ruled in a landmark case against Facebook that the 15-year-old Safe Harbour agreement between the EU and the US is no longer valid because it does not offer sufficient protection to the fundamental rights of Europeans. Consequently, every national data protection authority is currently empowered to examine any US-bound data transfers on a case-by-case basis.

In the absence of clarity about the proposed EU-US Privacy Shield, the current limbo — whereby the old rules have been torn up and data monitoring and enforcement is in the hands of individual national data protection authorities — is a potential minefield for US multinationals as well as US-based cloud service providers who are seen to not be supporting European privacy laws.

This document examines the current set of rules, the proposed new legislation and what this will entail for European and US businesses responsible for any data relating to EU citizens.  In it we present a five step process to best position organizations to address both rapidly evolving European data protection and privacy directives and the ever growing challenges of protecting enterprise data assets.  These steps include:

  1. Getting started and understanding what is new including the need for data protection or privacy impact assessments (DPIA/PIA) and a data protection officer (DPO)
  2. What data subjects will expect of data controllers including assessing and defining valid consent, limited right to erasure and data portability
  3. Being prepared for when something goes wrong and how best to position for a data breach
  4. What to do next including conducting a formal PIA in the brave new world of the General Data Protection Directive (GDPR)
  5. Informing stakeholders and raising awareness including employees, business partners, suppliers, technology partners, cloud service providers and supervisory authorities

Upcoming Research



© 2019 All Rights Reserved

We can help

If you want to find out more detail, we're happy to help. Just give us your business email so that we can start a conversation.

Thanks, we'll be in touch!