Thanks for chatting with us! How is Copenhagen today?
It’s beautiful today actually; I might go for a bike ride after this. I’ve been here for many years. It can get quite cold in the winter. This year the sea froze and people were walking half a kilometre out from the shore.
Wow, that must have been quite the sight. What got you interested in working in privacy?
I have a governance, risk management and compliance (GRC) background, managing compliance projects and departments in global corporations. Although I’ve been responsible for privacy in various capacities, things really came to the fore in 2015 when I initiated a GDPR programme in a global emergency services company. What I find most interesting about the subject is the tension between how companies balance their business interests processing data within the law, while respecting the rights and freedoms of their customers, employees and other stakeholders.
Do you think awareness is growing around the need to protect privacy?
We need to remember that the GDPR just builds on legislation that’s been around for decades. The old Data Protection Directive was established in 1995 so this isn’t a new topic. Some companies have gotten away with blue murder for years by ignoring the legislation, either intentionally or by not being on the ball. Unfortunately some are still doing that.
What are some of the common mistakes that you see being made by organisations?
One of my major gripes is that just because the GDPR is a law, it doesn’t mean privacy has to be handled by the legal department. There are lots of other laws that aren’t driven by a legal department – financial legislation, for example, sits with the finance team; compliance with employment laws is driven by HR departments and so on. The problem with taking a very strong legal perspective to privacy is that lawyers aren’t usually experienced change practitioners, or able to fully understand the nuances of processing in the trenches. They tend to focus on protecting the interests of the company rather than balancing the interests of individuals. Understanding risks to the rights and freedoms of individuals requires knowledge beyond legal risk and security risk frameworks. It really is a team sport.
That’s an interesting point about the need to be change practitioners – can you tell me more about that?
If the focus of the legal department is on avoiding fines or being compliant, that can mean opportunities are missed. Others in the digital marketing and product teams, for example, are the ones handling this data and will have ideas about what to do with it. Compliance is a bit like having brakes on cars – they’re not just there to make you stop, they’re there to help you drive faster. You’d never drive 70 miles an hour on the motorway if you didn’t have brakes, or your seatbelt on, or if your speedometer isn’t working. All of these mechanisms give you assurance and confidence. There are so many opportunities to see privacy as a business imperative rather than a necessary evil, and thankfully those are beginning to be realised.
Do you see that as a more effective approach than the threat of fines?
Absolutely. There have been a few big fines for the tech companies – Google and Facebook in particular – but that’s just a drop in the ocean to them. As well as the potential for innovation, the other key consideration is the risk of losing trust. That’s more likely to keep CEOs awake at night – loss of trust of customers, of employees and of other stakeholders.
How do you bring those other departments to the table to engage with this?
You do have to be a bit more creative in terms of thinking and application. A generic 10-page brochure in legalese might work with some finance, legal or HR teams but the culture is totally different in a department like digital marketing, product development, or UX (user experience). It’s a totally alien language to them. The initial effort and expense may be slightly higher but the impact will be more sustainable. That’s more important than ticking boxes after a generic set of policies and procedures have been circulated.
I’ve seen the illustrations on your LinkedIn page, they’re great! Is that what you mean?
Oh thank you, I sketch those myself. Yes, I think colourful, visual representations of these ideas can help, as can humour. I like the Privacy Guy on the Privacy Compliance Hub. That sort of approach really helps with engagement and understanding.
Thank you very much; he has terrible taste in ties though. You’ve written before about the importance of being choosy when it comes to privacy tools. How can organisations pick the one that’s right for them?
There are lots of tools out there, some of which use high pressure sales tactics. But a tool in itself is not going to make you compliant. A lot of money has been wasted by companies that buy into these solutions, only to find they don’t deliver. Start by documenting exactly what your requirements are. You may already be using other tools that are fit for purpose with a bit of adaptation.
How about the people side of change? Does that also have to be factored in?
Definitely, and there’s also much room for improvement by many companies. Privacy is all about people and everyone needs to be involved, top to bottom and across all departments, even among those who may not be handling data. Senior execs who are involved in decision making can make or break a privacy programme; an overly helpful receptionist can be a risk. That’s actually what I like about the Privacy Compliance Hub. It’s focused on the people side and has a step-by-step programme that provides guidance along the way. It’s not a tool that you have to figure out how to use by yourself. My view is that data protection should be run like a programme. It’s an ongoing, continuous journey.