Meet PICCASO Privacy Awards Winner, Lesley Holmes

Data Protection Officers play a crucial role in organisations, providing independent advice, liaising with data subjects and helping manage risk for individuals. The Outstanding DPO award goes to the DPO who always goes above and beyond to fulfil their duties under the GDPR.

An industry speaker and thought-provoker, Lesley Holmes is currently DPO at software providers, MHR Global and formerly an Information Management and Governance Consultant. She leverages vast experience of the practical and pragmatic application of data protection law in a wide variety of organisations.

We spoke with Lesley for reaction to her win and for her perspectives as an industry expert.

Could you briefly outline your career pathway to date?

I started my career in the late 70s, early 80s, working in local authority revenues and benefits. It was an interesting time because we had just picked up from the 1984 Data Protection Act, which meant that we had to be extra careful with personal data. In my role, I was dealing with personal data all the time, whether it was someone’s income details or just their name and address.

I continued to work in revenues and benefits for quite a long time, but eventually, I moved into management and consultancy, still mainly in the public sector. I was still dealing with personal data, but I also started to look at document process automation – document management systems and implementing them.

As I progressed, I moved into information management and governance, learning how to manage data effectively. And then I found my way into data protection. I became particularly interested in privacy and how it relates to data protection.

For the last ten years, I have been working purely in data protection, and I must say that everything I’ve done in the past has helped me to support what I do now. Data protection is not just about privacy; it’s much more than that. I find it fascinating, and I am grateful for the opportunity to work in this field. It has been a long and varied career journey.

What does winning Outstanding DPO award mean to you?

Winning an award is always a huge honour, and for me, it was absolutely massive. To be recognised by your peers is something that fills me with pride and joy. When I found out I was shortlisted for the award, I knew that I was up against some stiff competition. But I had no idea that I would actually win it. When they announced my name, it was amazing.

It’s more than just a recognition of my work. The award is validation that I do know what I’m talking about and that I have the respect of my peers and the people. Data protection is something that is important to all sorts of different people, and it’s not just for lawyers. There are different roles of DPO, and it’s important to recognise that.

As a DPO for a small to medium-sized enterprise, I have to be a jack of all trades because I’m in the weeds. I don’t just give advice; I’m involved in data retention, removing documents, looking at technology, and doing DPIAs on a daily basis. It’s a very different role from a group DPO for a big multinational organisation who needs to be a lawyer dealing with legal aspects.

But winning the award is also about recognising people like me who do grassroots data protection and cover all aspects of it. Without the support of my community, my colleagues, both internal and external, and the company I work for, I wouldn’t be an outstanding DPO. Winning the award was a recognition of everyone around me who enables me to do what I do.

What are the primary challenges coming up on the data protection & privacy horizon in your sector?

One of the biggest challenges that I see coming forward is the impact of artificial intelligence and machine learning. As someone who works for a technology company, I understand the pervasive nature of these technologies. We may not build AI, but we use it for testing and machine learning. As a practical DPO, I have learned a lot about different technologies and how they work.

One of the biggest concerns when it comes to AI and machine learning is bias. We have to be cognizant of not building new biases into our systems, and we need to be mindful of what training data we use. Even if we use real data, it still has inherent bias. As someone who understands the technology, I know that we need to consider all aspects of it and ensure that we are making ethical and transparent decisions. This is true whether you work for a large company like Experian or a small data firm. We all have the same challenge of ensuring that our AI is fair and transparent.

As a member of the data protection community, I have had the opportunity to sit down with others in my field and discuss these challenges. It is important to have a community of people who understand the nuances of these technologies and who can approach problems from different angles. By working together, we can ensure that we are making the best decisions for our companies and our customers.

Another challenge that I see on the horizon is the impact of legislation changes. As someone who works for a company that operates across Europe, I understand the complexities of working with GDPR. We must be aware of the impact of diverging legislation and ensure that we are meeting the needs of our customers while still being compliant. Even if we only need to appoint an Article 27 representative, we still need to be in control of our data processing.

As a DPO, I understand that it is not enough to just hand over responsibility to the product team. I need to sit down with them and explain what I am looking for and what I am concerned about. By working together, we can ensure that our products are ethical and transparent.

What do organisations need to prioritise within their data protection and privacy strategies in order to meet these challenges?

I realise that GDPR has been a constant companion for the past seven years. With each passing day, it’s becoming increasingly important to integrate data protection and privacy into the culture of every company.

However, it’s not an easy task. Talking to others, it’s clear that everyone finds it difficult. It’s not just a matter of creating an annual e-learning program; if no one bothers to complete it, it’s just a waste of time. It requires a shift in the mindset of an organisation, where every individual understands the importance of privacy and makes decisions accordingly.

As the head of the Data Ethics and Privacy team (DEP) in my current company, I understand how challenging it can be. We have spent the past five years educating people and being a positive force for change. We have tried to move away from the traditional approach of telling people what they can’t do and instead focusing on finding creative solutions.

For example, we look at trying to use anonymous data instead of anonymised data. We work closely with the security team to ensure that we have a consistent approach to data protection. We understand that we are here to support our colleagues and that asking difficult questions doesn’t mean slamming the door in their face.

Over the years, our company has grown by 60%, and getting our message across has become more challenging. We have to be more creative in how we communicate our ideas. Traditional training programs are no longer effective. We need to think outside the box and create eye-catching, innovative campaigns that catch people’s attention. Whether it’s competitions, poems for Valentine’s, or other innovative ideas, we are always looking for new ways to engage with our colleagues.

It hasn’t been an easy journey, but I’m proud of what we’ve achieved. We’ve managed to shift the DEP team from their ivory tower, down into the weeds and grassroots of our organisation. We’ve made data protection and privacy part of our company culture. And while there is still a long way to go, we are moving in the right direction.

About Piccaso

The PICCASO Privacy Awards Europe recognise the people making an outstanding contribution to this

dynamic and fast-growing sector—from the professionals ensuring their companies meet increasingly complex legal demands to the academics and engineers pushing privacy thought leadership and innovative protections forward.

FIND OUT MORE.