Raffaella Aghemo, Lawyer
The IAPP Privacy Global Summit is the world’s largest annual gathering of digital accountability professionals, and this year, from 30 March to 2 April, it once again brought together experts and industry professionals to analyze the key issues involved in tackling current technological challenges.
At IAPP 2026, a rather clear sentiment prevailed: the era of compliance, understood as an isolated obligation, is definitively over. The focus has shifted to governance, not as a buzzword but as a concrete framework that brings together data, risks, technology and business decisions.
What emerges most strongly is that the most mature organizations no longer treat privacy as a separate function; they integrate it into decision-making processes, operational workflows and product design. In this sense, governance becomes a common language shared by legal, IT, security and management teams. It is not so much a question of new rules, but of the ability to orchestrate existing ones within structures that actually work.
A recurring theme this year – perhaps more so than in previous editions – has been artificial intelligence within the corporate workflow. Generative models, in particular, are forcing companies to review internal responsibilities, validation processes and control systems. Those who have already established a solid data governance framework are able to move with greater agility; the others are playing catch-up, often further fragmenting responsibilities.
From the accounts of those who attended, it is also interesting to note the way in which accountability is discussed, as a demonstrable and ongoing capability. Companies are being pushed to make their decisions transparent: why data is collected, how it is used, and who is accountable for it. In this scenario, documentation loses its static nature and becomes part of a dynamic system, updated alongside the processes it describes.
At an operational level, there is a growing integration between privacy and cybersecurity. The two functions, now pillars of all technological innovation, converge under unified governance, with shared tools and common metrics. This reduces duplication, but above all allows for a more realistic view of risk. Personal data is an exposed asset and must therefore be protected through systemic approaches.
Another element, which has been the subject of much discussion, concerns the global dimension. Companies operating across multiple markets find themselves having to manage increasingly divergent regulations. The answer lies in developing flexible governance models that can accommodate differences without losing coherence. In this sense, the role of internal policies is evolving: less formal rigidity, more guided adaptability.
There is also a noticeable shift in tone in the dialogue with the business. Privacy is no longer presented as a constraint, but as an enabler. Well-structured governance allows for innovation with greater confidence, supporting the ability to integrate risk into strategy and accelerate decision-making processes.
Privacy governance thus becomes an invisible yet crucial infrastructure: no longer a supporting function, nor a mere legal safeguard, but a living system that connects data, decision-making processes and distributed responsibilities.
It is within this perspective that the so-called Governance Toolkit fits, summarised in the triad ‘Map, Measure, Manage’, previously promoted by the NIST Artificial Intelligence Risk Management Framework (AI RMF): an operational sequence that various organisations are already adopting to give substance to their strategy.
“Map” means, first and foremost, control: the most advanced companies are investing in the ability to visualise data flows in real time, not limited to traditional data mapping exercises, but as an up-to-date information layer that reflects what is actually happening within the systems. Equally crucial is a comprehensive inventory of all AI systems and providers, including scoring, classification, recommendation or generative tools, with particular attention to blind spots such as systems with no identified owner or with outdated reviews.
“Measure” introduces a dimension that was marginal until a few years ago: measurement, not just of risk but also of privacy performance. We are talking about metrics that show how effective controls are, how closely processes adhere to policies, and how quickly an organisation can respond to incidents or to requests from data subjects.
“Manage”, finally, is the moment when governance becomes action. This is where operational models, responsibilities and orchestration tools come into play: transforming data and metrics into coherent and timely decisions. Here, emphasis is placed on the need to address supplier-related risk from the outset. Contracts should include restrictions on data processing, notifications of material changes, prohibited uses and audit rights. Every high-impact system requires a clearly designated person in charge who can approve, flag or suspend its use. New agent-based implementations, in particular, require greater attention: they necessitate ensuring that consent has been obtained before analyzing customer interactions, maintaining human supervision for high-impact actions, and continuously monitoring changes in performance.
Furthermore, from a more operational perspective, it was suggested that organizations should select a single active AI system and subject six elements to stress testing:
- who owns it,
- what risk level the system falls under,
- when the last assessment was carried out,
- which factors could alter an assessment,
- what rules govern it, and
- what, if any, dependencies on suppliers exist.
The most important aspects of artificial intelligence concern real-world consequences, not product marketing.
In practice, however, the application of these models is not without its challenges. The gap between the theoretical framework and day-to-day operations remains significant, and it is precisely here that strengths and limitations become clearly apparent.
Among its strengths, the first is methodological clarity. The toolkit offers a structure that is easy for management to understand, facilitating alignment between different departments. Furthermore, it fosters a culture of measurement that helps move beyond purely formal approaches, making privacy more tangible and defensible even at a strategic level. Another positive aspect is scalability.
On the other hand, the challenges are not insignificant. Continuous mapping requires tools and integrations that many companies have not yet developed, with the risk of relying on incomplete or rapidly outdated representations. Measurement, then, raises a definitional problem: which metrics are truly meaningful and widely accepted? Without clear standards, there is a danger of creating indicators that are difficult to compare or interpret. Finally, the management phase tests organisational maturity: without genuine integration between functions, the model remains on paper and results in an additional layer of complexity.
In conclusion, what the Summit highlighted is a constant tension between ambition and the ability to deliver, where the real difference – at least in the author’s view – lies above all in the financial capacity of each organisation, given that building and implementing such complex systems will require investments that are not exactly within everyone’s reach.
For those wishing to view the speakers from this latest edition, the IAPP website can be found at the following link: https://iapp.org/conference/iapp-global-summit.
