Privacy Risk Summit 2017 – Highlights

More than 250 privacy professionals gathered in the heart of San Francisco this week to discuss the challenges they face in managing emerging privacy risks and share strategies for success. They enjoyed a packed day of inspiring panels, expert breakout sessions and, of course, networking to acquire new ideas and practical advice to take back to the office.

The Privacy Risk Summit brought together over 45+ speakers across 20 sessions and 4 parallel tracks. Hilary Wandall, TrustArc General Counsel & Chief Data Governance Officer, provided a captivating welcome and opening remarks.

The TRUSTe Privacy Risk Summit – Highlights


Kai Westerwelle, Partner at Taylor Wessing (US) Inc., Sooji Seo, Global Privacy Program Director at Dell Technologies, Pamela Garay, Asst. Vice President & International Privacy Officer at Assurant Inc., and Charles Nwasor, Director, Global Assurance & Advisory at Ensono kicked off the Summit with a panel about Managing GDPR Implementation in a US-owned International Company.

This year a special focus was given to the impending EU GDPR, as the compliance deadline is less than one year away.


The Conference was full of great networking opportunities too.


Our sponsors for the event were available throughout the day to provide solution demos or to have a quick conversation. High level overview of these important solutions: HyTrust – making private, public and hybrid cloud infrastructure more trustworthy; MediaPro – award-winning privacy awareness content aligned to the highest standards of the GDPR; RADAR – breach guidance & decision-support software to simplify incident response & compliance with breach notification laws; and eSentire – managed detection and response, protecting you from the threats that other technologies miss.

Lunch was sponsored by Anonos and conference partner Women in Security and Privacy (WISP) provided a lunchtime gathering where attendees and speakers came together to network and learn about upcoming events.


Our customers, current employees, and past employees all came together to celebrate a successful event.


This year was very special because after the event, Chris Babel, CEO, announced that TrustArc is the new TRUSTe. Our new name reflects our evolution from a privacy certification company into a global provider of technology powered privacy compliance and risk management solutions.  We announced this change at the Privacy Risk Summit because it coincided with our 20th anniversary of delivering innovative privacy solutions. To learn more, you can read this blog post: TRUSTe Transforms to TrustArc.

To read about future TrustArc events, visit our upcoming events page or subscribe to the TrustArc blog.


The Internet of Things and Connected Cars: Considering Privacy Issues and Minimizing Risk


The internet of things is the connection of a broad range of devices using an IP address. It can range from our smart TVs and phones, to our home security systems, thermostats … the list goes on. A popular prediction is that by 2020, the internet of things will comprise no less than 50 billion devices.

With this type of wide adoption, concerns over private data surface – how it is collected, how it is used, and how it may make your organization vulnerable to risk.

Connected cars, having an IP address, are part of the internet of things. Unless anonymized, all data that comes from a car is potentially personal, frequently behavioral, sometimes social, and now with payment systems, sensitive, financial, and reputational as well. As just one example, a connected car could have access to a credit card number, where the data subject drove before and after a purchase, and all of a phone’s contacts. It may also deduce where the data subject lives and works, how they typically drive, and whether the data subject is driving in a particularly erratic manner at a given moment.

Privacy and the Internet of Things: Understanding Risk

To paraphrase a recent TRUSTe Privacy Blog post, as the internet of things technologies advance and companies have greater monetary incentives to process the data, privacy and transparency should be considered. The more connected devices there are, the greater risk that they will be compromised. The FTC report “Internet of Things: Privacy & Security in a Connected World” indicates that fewer than 10,000 households together generate 150 million discrete data points every day.

Anticipating the need for increased vigilance in privacy protection, in late 2014, the Alliance of Automobile Manufacturers (representing almost all car manufacturers) developed and released a set of Consumer Protection Privacy Principles to be incorporated into the privacy policies and statements of car manufacturers.

Now, regulators are increasingly weighing in. When it comes to connected automobiles alone, privacy laws and enforcements are growing. In a keynote presentation at the 2016 Connected Cars conference, FTC Commissioner Terry Sweeney stated that the Commission was watching to ensure that automobiles protect the security and privacy of consumers. France’s data protection authority CNIL released a compliance package which provides guidelines for how to treat the personal data gathered by connected cars. This guideline is intended to be consistent with requirements under the EU General Data Protection Regulation (GDPR) when that law goes into effect next year.

IoT and Unauthorized Disclosure of Data: Incident or Breach?

Like any other privacy incident in which private, protected data is revealed without authorization, an incident involving an IoT device should be analyzed under all applicable breach notification laws and contractual obligations. When conducting a multi-factor risk assessment to determine if an incident meets a breach threshold, keep the following in mind:

  1. Understand the difference between an incident and a breach, it’s key to determining if your incident requires notification. Making this determination means answering questions such as: how was the data stored, how was it transmitted, were there adequate technical safeguards in place with respect to both… how much risk should be attributed to the recipient? Were they authorized? How likely are they to misuse the data? Are there any administrative or contractual protections on that relationship? After the incident, were there any mitigation measures taken, such as remotely wiping storage media, the changing of credentials, or other measures that could limit or remove further risk exposure?
  2. Proving consistency in your risk assessment process can help you pass audit – or even avoid coming under scrutiny of audit. Automation tools in incident response provide a consistent process for documenting and profiling the incident, scoring that incident against applicable laws, and generating incident specific notification guidance and decision-support.
  3. Track trends in incident categories and root causes. Learn from your incidents. Accurately identifying weaknesses in your systems, departments or processes can reduce the number of incidents and your organizational risk. Automation is key to ensuring proper analysis and risk mitigation.

2017 Privacy Risk Summit Session

For more on the topic of Privacy and the Internet of Things, attendees of the upcoming Privacy Risk Summit are invited to join the session “What's your Wallet? The Privacy and Security of In-Car Payment Systems” on June 6, 2017 from 10:30 – 11:30 AM. A panel that includes K&L Gates attorneys from the US and Europe, a client manufacturer connected car technology and myself will discuss challenges of implementing the new standards imposed by the US Federal Trade Commission, as well as French, German and British data protection authorities. Panelists include:

  • Jill Phillips, Sr Attorney, Privacy & Security, Intel
  • Julia Jacobson, Partner (Boston Office), K&L Gates LLP
  • Claude-Etienne Armingaud, Partner (Paris Office), K&L Gates LLP
  • Alex Wall, Senior Counsel & Global Privacy Officer, RADAR, Inc.



Privacy Risk Summit Panels Announced


Come learn about current privacy challenges, including GDPR, from the best privacy minds in the industry at the annual TRUSTe Privacy Risk Summit.

This year our event will be held at the Bespoke Event Center in San Francisco, California on Tuesday June 6th.

The Summit builds on TRUSTe’s reputation for high quality education and thought leadership programs to bring you a comprehensive day-long event filled with learning and networking. The agenda features three parallel conference tracks and 30+ speakers focusing on risks arising from technological and regulatory change and privacy risk management best practices. Here are some of the panels:

Operationalizing Legal Theory – How to Mobilize a GDPR Program

Pete McGoff Senior Vice President General Counsel & Corporate Secretary, Box

Alexandra Ross Senior Global Privacy & Data Security Counsel, Autodesk

Mark Webber US Managing Partner, Fieldfisher

Privacy, GRC & the GDPR: A Financial Sector Perspective

Tom Widgery Senior Director of Privacy and Information Governance, SVB Financial

Rob Patchett Chief Privacy Officer, MUFG Union Bank

Security Control Frameworks for Data Privacy Governance

Andrej Volchkov Senior Consultant

What’s Your Wallet: The Privacy & Security of In-Car Payment Systems

Jill Philips Sr Attorney, Privacy & Security, Intel

Alex Wall Lead Legal Counsel & Data Privacy Officer, RADAR Inc.

Julia Jacobson Partner (Boston Office), K&L Gates LLP

Claude-Etienne Armingaud Partner (Paris Office), K&L Gates LLP

Balancing Privacy & Innovation in Singapore Smart City

Steve Tan Partner & Deputy Head, Technology, Media & Telecommunications, Rajah & Tann Singapore LLP

Lauren Smith Policy Counsel, Future of Privacy Forum

ePrivacy Regulation and the GDPR: Managing Consent Requirements

Andy Dale Senior Counsel & Data Protection Officer, DataXu

Andrew Woods Senior Legal Counsel, Twitter

Mauricio F. Paez Partner, Jones Day

Ghita Harris-Newton Chief Privacy Officer, Quantcast

Partnering with Privacy, Security & IT/Ops: Hanging Together or Hanging Separately

Marty Collins SVP Corporate Development, Legal & Compliance, QuinStreet

Marissa Levinson Associate General Counsel, QuinStreet

David Garrett President, Tensyl Security

DPIAs – Analysing Benefits and Risks of Data Processing

Lynn Goldstein Senior Strategist, Information Accountability Foundation

Hilary Wandall General Counsel & Chief Data Governance Officer, TRUSTe

Privacy Risk, Compliance Risk, Corporate Risk. What Does it all Mean?

Dan Caprio Co-Founder & Chairman, Providence Group

Filip Johnssén Group Privacy Manager, Sandvik AB

Profiling and Big Data – The Reality of the GDPR Impact

Polina Zvyagina Associate Counsel, Uber

Felicity Fisher Associate, Privacy, Security and Information, Fieldfisher

Kenesa Ahmed Co-Founder and Partner, Aleada Consulting

Understanding your Privacy Risk Exposure in Asia & Latin America

Steve Tan Partner & Deputy Head, Technology, Media, Telecommunications, Rajah & Tann Singapore LLP

Juan Luis Hernandez Conde Senior Privacy Consultant, TRUSTe

Integrated Risk Management – Security Privacy & Compliance

Details to be Announced


Assessing Vendors For Privacy Risk & Compliance: We’re all in this Together

Sharon Anolik President, Privacy Panacea

Lisa Glover-Gardin Senior Counsel, Ethics & Compliance, Data Protection, Google

Hilary Wandall General Counsel & Chief Data Governance Officer, TRUSTe

Automating PIAs: How We Did It

Shankar Chebrolu Enterprise Security Architect, RedHat

Meethune Bhowmick Sr. Information Security Analyst, RedHat

Beth Sipula Senior Privacy Consultant, TRUSTe

Health Big Data Analytics Needs Data Donorship

Stephen Sharon Manager, Privacy & Data Protection, Deloitte

Certifying Compliance under APEC CBPRs and the GDPR

Krysten Jenci Director, Office of Digital Services Industries, US Department of Commerce

Josh Harris Director, International Regulatory Affairs, TRUSTe

After the panels are done, we will be having a celebration under the gorgeous dome.

With only a few seats left, be sure to get your ticket today!

Early Bird Pricing for Privacy Risk Summit Ends this Friday!


One of the best ways to mitigate risk is to know what technological and regulatory change will bring ahead of time. This risk-based approach aligns with the GDPR approach to privacy management.

The 2017 Privacy Risk Summit is set to carry on TRUSTe’s reputation for high quality education programs that help privacy professionals plan for future changes. Past events have brought together EU regulatory experts and Silicon Valley business leaders to discuss the impact of the EU GDPR and how organizations could navigate the global privacy requirements. Whenever there are sweeping changes, such as when IoT took off, TRUSTe is there to help navigate those changes.

Join the 2017 Privacy Risk Summit to learn from 30+ speakers who will be sharing privacy risk management best practices. In addition to being inspired by these keynote speakers, you will also have the opportunity to participate in interactive workshops.

See recaps of previous events here:

If you are interested in attending this year, take advantage of special event launch pricing here.