In BigIDeas on the Go, Trevor Hughes, President and CEO of IAPP, sits down with BigID to talk about the drivers behind data privacy, the growing ubiquity of privacy legislation, and how a sophisticated data privacy program can help organizations prepare for the years ahead — which are expected to be the most explosive in privacy yet.

What’s Been Driving Privacy the Past Two Decades?

In a “greatest hits list of the past 20 years,” Hughes credits everything from early data breach laws to the Snowden tapes with driving public policy innovation.

“Back in 2000, we did think we were going to get national privacy legislation. Back then, lots of people were saying it was a done deal in the United States. Of course, it never happened,” says Hughes. “Without question, the Edward Snowden revelations drove activity into our space. I think though, in the past five years, we really have to point to GDPR as the major driver in the field of privacy around the world.”

Hughes credits GDPR with moving organizations toward something more “systematic, accountability-based, and full of integrity.” Since GDPR, he says, “the operations around privacy just have a lot more stability.”

Now, It’s All About Ubiquity

“Apple has full-on SuperBowl ads that are promoting privacy — and they are differentiating in the marketplace aggressively. It’s not like the third product feature they mention; it is the basis upon which they are selling many of their products and services.”

In addition, China and India will likely pass their first national privacy laws this year, meaning this will mark the first year that 50% of the world’s population will have privacy nationally regulated. “We are seeing privacy emerge as a geopolitical power issue.”

Statewide Regulations vs. the Corporate Push

Until national privacy takes hold in the US, “state activity will increase, and we know it will increase,” Hughes says, citing laws in the works in Virginia, Washington, and Oklahoma. “There are many, many states that are doing a lot right now.”

In Hughes’ opinion, echoing his friend and colleague Kirk Nahra, “three to five comprehensive state privacy laws equals federal privacy legislation.” This means, even at the higher end of that range, “five major states passing comprehensive state privacy law, and I think we get national privacy legislation.”

With every new state law, industry will likely get more and more on board for a federal push. “The deal doesn’t get better for industry with every passing [state] law,” Hughes explains. “It gets worse.”

You Need A Platform

If there ever was a time to be an experienced privacy pro, says Hughes, it’s now.

“Back when I started in the field of privacy in the late 90s, we literally ran things off of email and Excel spreadsheets. We were creating charts and lists and sending emails back and forth to try and manage everything. That is absolute malpractice in today’s world.”

In Hughes’ view, “you need a platform from which you can manage a sophisticated privacy program. It needs to be scalable based on the size of your organization, based on the international exposure of your organization — but you need the tools. Start with a framework, make sure you’ve got good people in place, and make sure you give your people good tools to manage the program. Then you do the work.”

Listen to the full podcast for more from Hughes — including why he says the next 18 months to two years will be some of the most consequential in privacy and what he means by “good faith is good business.”