Thanks for chatting with us! Can we start with a bit about your background? How did you get into privacy?
My first exposure to the privacy world and data protection was probably in the 1990s, when I was developing and implementing CRM (customer relationship management) contact tools and platforms for Fortune 500 companies. As a service provider, we were processing huge amounts of data for these big clients, running everything from marketing campaigns, lead generation campaigns, customer services, technical support, and more. In hindsight some of the industry practices in those days were quite shocking. Thankfully, we’ve come a long way since then.
Was the GDPR the tipping point in changing that sort of behaviour?
The GDPR was six years in the making so awareness grew before it came into force. I remember over that timeframe seeing swathes of American lawyers pounding the streets in and around the European quarter of Brussels. You could tell that something big was coming. Initially, at least, most companies were somewhat reticent. We’re all resistant to change to a degree. And its impact has been quite daunting for a lot of businesses, particularly smaller organisations.
Has the IAPP seen a growth in membership because of that growth in awareness?
Definitely. When I joined six years ago, we had around 2,000 members in Europe, now it’s close to 20,000. That’s largely thanks to the GDPR but there’s also a lot of movement within Europe around other legislation such as e-privacy that will impact personal data and privacy. The Digital Services Act, for example, will be coming in the future, as well as AI [artificial intelligence] legislation. New legislation can be quite disruptive.
What common missteps do you see organisations making?
I think many companies are overwhelmed with the depth and breadth of legislation that is either already in place, or is planned for the coming years. But it’s important organisations embrace this. This is where we’re heading from a digital rights and privacy perspective.
What does best practice look like when it comes to privacy?
It’s about educating organisational functions about the value of the data they hold and how they can use and process that in an ethical and trustworthy fashion. I think that takes time. But what we are starting to see is a growth in confidence. Conversations are becoming less theoretical and more about privacy by design, privacy by default, and how to embed a culture of compliance. Those that see the business enablement value of building that privacy culture are those that will see the next decades. Consumer rights will be even more significant in years to come with the expansion of digitalisation.
What do you make of the criticism that this issue is often sidelined to the legal department?
I think that’s because it’s where discussions around the GDPR began – it was very much a legal discussion when it was in its infancy. Once you get beyond that, you have to involve the HR department, marketing, sales and technology stakeholders – a whole host of people to discuss how best to adapt processes and strategy around personal data to align with the legislation and move the business forward.
What do you make of the impact of Brexit and the future of the GDPR in the UK?
For the time being, GDPR provisions are still very much in effect in the UK. We have an adequacy decision coming by June at the latest, when we’ll know whether the EU deems the UK’s data protection regime – as a third country – equivalent so that data transfers can continue in their current fashion. I think it will be very difficult not to grant some form of adequacy. Around 12% of international data flows pass through the UK, and six out of 10 EU-based companies transfer data to the UK. There is a natural and established supply chain that needs to continue.
What happened with the EU-US Privacy Shield?
In 2020 it was struck down by the European Court of Justice. It’s complex but this was mainly due to concerns surrounding US surveillance laws. It’s an interesting time because data protection globalisation is becoming increasingly politicised. We have extensive and interdependent flows of data around the world. As we all build up data protection regimes, you would hope there is alignment. Without that, you’ll have a constant threat of data localisation which is the antithesis of global trade. Likewise adequacy status for the UK is a very important decision to be taken by the EU. Let’s hope cool heads prevail. International cooperation is key in these areas.
Do you think working in privacy has changed your own behaviour online?
It has actually. I tend not to use Facebook as much anymore, but mainly because there’s too much political opinion and news shared on there. I joined it because I wanted to stay in touch with my friends from around the world. I work off the principle – and this is what I tell my eldest son who is 21 and at university in Canada – that you have to take care about what you put online as it stays online. There’s a lot of good in social media, there’s no doubt about it. But you have to be vigilant.
Have you found the younger generation more aware about these issues?
I don’t know if it’s because I work in privacy, but my son does read privacy policies! I think the younger generation are definitely more tech savvy and aware. They have a greater understanding of the digital space and how to navigate content and data sharing. His generation will do a lot better than mine!