At Utah’s second Data Governance Summit at UVU, officials said the state’s privacy agenda has shifted from legislation to implementation, highlighting digital identity, local-government support, shared services, deadlines, and the challenge of building public trust.
Orem, Utah — May 22, 2026
Utah officials used this week’s second annual Data Governance Summit at Utah Valley University to deliver a clear message: the state’s privacy agenda is no longer centered on passing laws. It is now focused on making them work.
At the second annual summit, held in the Grand Ballroom of UVU’s Sorensen Student Center, lawmakers, privacy officials, local government representatives and technology leaders said Utah has entered a more operational phase of data governance — one defined by compliance deadlines, digital identity infrastructure, shared services and the practical challenge of helping public entities build sustainable privacy programs. The second annual summit followed Utah’s inaugural Data Governance Summit on May 29, 2025, which TechBuzz covered here.
“The policy is the easy part,” Rep. Paul Cutler said during the morning keynote panel. “The hard part is implementation.”
That theme ran through nearly every session. Utah’s Government Data Privacy Act set a Dec. 31, 2025, deadline for government entities to implement privacy programs, and that deadline has now passed. Meanwhile, the state’s State-Endorsed Digital Identity program, or SEDI, has moved from concept to statute. The legal framework is increasingly in place. What comes next, summit speakers said, is execution.
The summit was sponsored by the Gary R. Herbert Institute for Public Policy, Varonis, Optiv, Amazon Web Services, Lincoln Hill, Spruce, ObservePoint and the Utah Office of Data Privacy.
A governance agenda framed around public trust
Christopher Bramwell, Utah chief privacy officer and director of the Office of Data Privacy, opened the summit by tying Utah’s privacy work to broader civic principles, using the nation’s 250th anniversary as a frame for discussing life, liberty and the pursuit of happiness.
Bramwell mapped those ideas to key parts of Utah’s strategy, including digital identity, governance models and oversight of high-risk data uses. His central warning was that government should resist adopting systems that flatten people into abstract scores or predictive categories.
“Resist the temptation to turn people into scores,” Bramwell said.
He said public agencies are increasingly being pitched tools built around profiling, scoring and predictive analytics, often assembled from fragments of personal data collected over a lifetime. In his view, government should use data in a way that preserves agency and autonomy, not one that narrows a person’s opportunities based on algorithmic assumptions.
“There is no optimal or best life pattern,” he said.
Bramwell was also blunt about the pace of the state’s work. “We are building the ship while it’s already left the harbor,” he said.
Officials say the next phase is execution
The morning keynote panel underscored how much the conversation has shifted in a year. Joining Bramwell were Sen. Kirk A. Cullimore, Utah Senate majority leader; Cutler; and Marvin Dodge, executive director of the Utah Department of Government Operations. The discussion was moderated by Justin Jones, senior director of the Gary R. Herbert Institute for Public Policy.
Cullimore said Utah’s privacy strategy has been to establish broad principles first and refine them as technology and administrative realities evolve.
“In government, there is no way that government regulations or laws can stay in front of technology,” he said.
Dodge said the state is trying to align policy and implementation across the agencies now housed within Government Operations, including the Office of Data Privacy, Archives and Records, Technology Services and the state’s digital identity effort. He said those groups meet regularly to coordinate work and improve how state systems and records are managed and accessed.
“We don’t sit around trying to think of what we can take away from cities or counties,” Dodge said.
Cutler emphasized that legislation alone will not determine whether Utah’s privacy push succeeds.
“We need your help to make this part of our society,” he said, urging government employees to treat privacy and data literacy as part of their everyday work.
Together, the panel’s message was straightforward: Utah has spent the past several years building the legal and policy architecture for data governance. The next test is whether that framework can be translated into repeatable practice across state and local government.
SEDI moves closer to rollout
One of the clearest signs of that shift came during the summit’s session on State-Endorsed Digital Identity.
Speakers said SEDI has advanced substantially since last year, with SB 275 passing in the most recent legislative session and taking effect May 6. According to speakers, the bill added enforcement guardrails to principles established in SB 260 and formally authorized the program.
George McEwan, privacy architect in the Utah Office of Data Privacy, said Utah deliberately chose not to follow the mobile driver’s license model adopted in some other states. He said the ISO standard used in many of those systems can include telemetry that reports information such as location and IP address when a credential is used.
“That was just not what we thought was an American value,” McEwan said.
Rep. Kristen Chevrier said hearing the SEDI concept explained several years ago reshaped how she thought about the relationship between privacy protection and government data use. Steve McCown noted that SB 275 passed both chambers unanimously, signaling rare bipartisan agreement in an area that touches civil liberties, security and administration all at once.
“Security is a process and not a product,” McCown said.
McEwan described SEDI as a way for people to gain more control over the “digital twin” created through records and transactions they do not fully manage today. Summit speakers said the program is targeting small beta releases in early 2027, with a broader rollout expected in late 2027 and 2028.
Smaller governments face the same obligations with fewer resources
If one issue surfaced repeatedly throughout the day, it was the gap between statewide expectations and local capacity.
That question drove an afternoon panel on shared services featuring McEwan; Barclay Burns, assistant dean in UVU’s Smith College of Engineering and Technology; Katie Miner, legislative policy analyst at the Utah Association of Counties; Andy Pierucci, a Riverton City Council member; and Will Sego.
Burns argued that the challenge is not merely technological. Effective shared services, he said, require common language, shared standards and a recognition that data systems affect people in direct, tangible ways.
“These things really matter for human beings in real ways,” Burns said.
Miner said Utah counties have a long history of collaborating to solve practical problems and share expertise. What is changing, she suggested, is the scale and complexity of the privacy work now expected across government.
Pierucci said shared services should be understood as a way to support local control, not weaken it.
“Local control doesn’t mean you have to go it alone,” he said.
He also warned against waiting for a major breach or operational crisis before acting, arguing that even smaller communities now face a more exposed and complex threat environment.
McEwan brought the issue back to basics with an example from his time as IT director at the Utah Department of Health. After an eligibility system outage, he initially saw the problem as a technical malfunction. A Medicaid official, he said, reminded him that the failure had immediate human consequences — including for a mother who had already made the trip to a pharmacy only to be turned away.
“That data error is a person,” McEwan said.
Leaders were candid about the capacity gap
The summit’s tone was more practical than aspirational, but it was also notably candid.
Don J. Wood of the Utah Privacy Commission was asked whether his county currently does data privacy well. His answer, by attendees’ accounts, was simple: not yet. The challenge, he said, is changing organizational culture deeply enough that privacy becomes part of how government operates, not just another requirement layered on top of existing work.
Bramwell also emphasized the limited size of the office leading much of the state’s privacy effort. The Office of Data Privacy, he said, has six staff members and relies heavily on partnerships with the Utah Privacy Commission, the Herbert Institute, UVU students and government entities across the state.
That theme — scaling through coordination rather than bureaucracy — surfaced throughout the day. Speakers pointed to workshops, commission meetings and training initiatives such as “Privacy in Motion” as ways to expand expertise without building a large new administrative apparatus.
What comes next
Several initiatives discussed at last year’s summit appeared more concrete this year.
Speakers said Utah is helping lead a multi-state effort around state-endorsed digital identity. Cooperative contracts are being expanded to build privacy and records requirements into pre-negotiated agreements. A privacy maturity model is also moving closer to operational use.
Another likely area of future debate emerged during audience discussion: stronger retention requirements for private-sector actors that handle government-related data. Chevrier said that issue could become part of a future legislative discussion.
But the dominant message of the summit was not about a major new bill waiting in the wings. It was about the less visible, more difficult work that comes after legislation passes — training staff, standardizing practices, aligning systems, supporting local governments and building enough public trust for all of it to hold.
Asked what every government employee should be doing now, Cutler’s answer was direct: become more data literate and treat privacy as part of the job.
See the full program and summit information at www.uvu.edu/herbertinstitute/events/2026-events.