
Conversation on COMPLEXITY OF PRIVACY LAWS

from Navigating the Compliance Headwinds Webinar – December 6, 2022

Susan Palm, 4CRisk.ai: How are you managing the work needed with the emergence of new and distinct privacy laws?  

Carlos Pereira, Meta (Facebook): It's a really difficult thing because the concept of privacy is different from company to company, from team to team, from region to region – the whole GDPR and all the implications that GDPR has around the globe and it's almost a standard of what privacy should look like. The bigger your organization, the bigger the global footprint, the more challenging privacy becomes because you're now subject to a variety of different laws, rules, and regulations around the globe, not just if you are California-based or New York-based or the like.

What I've seen successfully taking place is organizations actually create task groups or cross-functional committees and working groups to address privacy questions. Privacy has many different flavors across the organization and it's important to take into consideration how those programs and those requirements are being met by all the different stakeholders.

Grace Beason, Guidewire Software: Really look at the environment that you're working in, looking at it by product, department, service providers, service elements, etc. of your organization. Then looking at it again when you look at the privacy regulations, they're also very similar. Yet each one has a little nuance that a department, product, or service needs to comply with within the regulations. Set your controls, standards or policies based on the commonality and then allow for changes or nuances based on the regulation of that department and make sure requirements are well understood. When you can do that through technology (AI or automation), you're going to be able to scale so much faster because they're just coming at us constantly.

Michael Rasmussen, GRC 20/20 Research, LLC: We have all this change happening within the business and processes, technology, policies, controls. We have all these changes in regulations, including enforcement actions and stuff. You have California, CCPA, Canada, PIPEDA, the EU GDPR and Australia Privacy Act, South Africa’s. There are lots of developments happening, different state mandates for disclosure laws, and there's so much coming out.

How do we map and understand all these different regulations – the ones that are fairly static, the ones that are very dynamic and changing? How do we understand that impact on controls and policies of our environment to keep us current? That's absolutely what's necessary. We need technology like 4CRisk.ai to make that process more efficient, effective, and agile.

Carlos Pereira, Meta (Facebook): I often compare our profession of GRC professionals to an airport control tower. We have so many things in flight, we have all of this groundwork taking place, and it's that whole, I don't know, professionalism to be able to understand how to bring it all together and everything. It's actually a skill; it takes many years to start developing and understanding how to be nimble and be able to adapt to an ever-changing thing. It's similar to a control tower – you have to weather things – you have strikes, delays, everything, but whatever it is, you try to figure it out. I like to compare myself to air control traffic.
