The next expert whom we had the opportunity of speaking with is Lukas Kipfer. Lukas is a Senior Compliance and Data Privacy Consultant based in Switzerland. He is also a Certified Information Privacy Manager (CIPM), and his main focuses include governance (e.g. FINMA circulars 2017/2 & 2018/3) and (regulatory) compliance, and data privacy (GDPR), and information security. In this interview, Lukas shared with us how data privacy is different from data ethics, and what changes CEOs have to make to ensure they adhere to different customer data privacy regulations that are presently in place. Continue reading and uncover his insights below.

1. Firstly, thank you for taking part in this campaign. Can you give us an introduction about yourself, Lukas? How did you venture into the data privacy and compliance world? 

Thank you for having me. I am excited to be here.

I studied management & law where I took interest in fields related to IT/technology and compliance topics.

After university, I started my career in the area of corporate and regulatory investigations. I learned the importance of effective compliance management systems. On the other hand, since these investigations involved a heavy amount of personal (sensitive) data I became curious about data protection. That is how my venture into data privacy and compliance begun.

Today I am with an international consulting firm and consulting companies mostly in the financial services sector regarding data protection and information security, governance, operational risk management, and (regulatory) compliance. What I like the most about my job, is the mix of legal/regulatory, business, and technological aspects.

2. Considering the massive increase in cyberattacks, what do you believe will be the key trends likely to emerge in data protection over the coming years? 

Indeed, there is a massive increase in cyberattacks. And it is concerning. I see three key trends:

Firstly, in Switzerland, the data protection act was revised. The revised law strengthens – inter alia – the rights of the data subjects. I believe clients will make considerable use of their rights (access rights etc.) and companies will need to answer their requests. It is possible that the increasing number of cyberattacks will lead to more requests of clients since they are concerned about their data.

Secondly, we can observe in the market that companies have an increasing interest in data privacy certifications and other assurance reports. This makes sense in my opinion. Clients want to know if their personal data is processed securely and in line with law and regulations. Hereby a certification can help, and also be used as a competitive advantage.

Finally, by now, the GDPR is three years old and some of the data protection authorities in the EU are still quite conservative when it comes to fines. However, I expect that authorities will become stricter and issue more and heavier fines. This is something that we can already partially see. In addition, sector-specific regulators will be more active in the area of data protection and cybersecurity, e.g., in Switzerland the Swiss Financial Market Authority (FINMA) has intensified its focus on cybersecurity.

3. In today’s increasingly connected world, data theft already became a big business for organised crime, which resulted in SMEs feeling overwhelmed at the danger posed. What are the 3 pieces of advice you would like to share that will help small businesses protect their data? 

There is no tailor-made solution. Companies should know their specific risks and implement solutions, which address these risks adequately. In general, my advice would be:

• More awareness: It sounds like a cliché, but it actually helps. Especially in SMEs, we find that cybersecurity and data protection do not have the significance they should have. Thus, management and the board should raise awareness of cybersecurity and data protection.

• More is less: You should have solid data governance in place. Make sure you only have applications and data you actually need. In contrast, delete data you do not need. It makes things easier and less complex.

• Risk-based approach: Like other companies, SMEs have only limited resources. And as you said, SMEs might get overwhelmed by the risks they face. SMEs should therefore apply a risk-based approach and focus on their main risks.

4. How is data privacy different from data ethics and how do regulatory bodies find a balance between the two? 

Data privacy is about processing personal data in line with laws, regulations, etc. Data ethics is more concerned about doing the right thing with personal data. It aims to minimize the negative impact on people. I think it is important that regulatory bodies’ regulations and principles regarding data ethics and data privacy regulations are aligned. Data ethics will certainly become more dominant and regulatory bodies will need to envisage the threats posed by unethical data processing. 

5. What foreseeable changes should CEOs make to ensure they adhere to different customer data privacy regulations that are presently in place? 

On an international level, data privacy regulations are on the rise. The good thing is: They do not differ completely. Many regulations are heavily influenced by the GDPR, like the Brazilian LGPD.

Companies can choose a “gold standard” (such as the GDPR) and harmonize their internal policies, guidelines, and standards. Where necessary, specific local requirements should be considered. What you should avoid, however, is to have several different standards in your company. Best practice approaches and standards (e.g., ISO Standard 27701) can help in the process of harmonization.

6. How do you stay up to date with industry news and updates regarding data privacy? 

Data privacy is exciting but also quite fast-moving. It is crucial to stay up to date with the latest developments, regulations, and best practice approaches in your sector. I like the exchange with my colleagues, peers, and clients. This helps me the most. Additionally, I use helpful free resources (mostly newsletters and webinars). Events are a great source of industry news, too.

7. What work-related hack do you follow to enjoy maximum productivity? 

I am not sure if you can call that a hack. But here we go: I think the most important thing is to take time off and to rest when needed! Simple as that.

8. Lastly, what is the single most important data privacy issue you would like to see solved in the next couple of years? 

Transfers of personal data to countries with no sufficient level of data protection are currently an issue in the EU and in Switzerland. The Schrems II decision brought uncertainties, which need to be solved.

In this regard, the European data protection board (EDPB) adopted the recommendations on supplementary measures that supplement data transfers to such countries. In Switzerland, the regulator released some guidance for checking the admissibility of data transfers to foreign countries. The mentioned recommendations should help companies to assess how they can transfer personal data to a foreign country with no sufficient level of data protection. Nevertheless, we will need to wait and see how these recommendations will work in practice. Especially for SMEs data transfers to foreign countries remain very complex in my opinion.

---

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.