Taking place on March 12 and 13 at Park Plaza, Riverbank, London, PrivSec & GRC Connect London provides a platform for organisations to address the cumulative nature of risk. 

PrivSec & GRC Connect London’s comprehensive agenda is led by subject matter experts, business chiefs and industry leaders, giving attendees a deep-dive into challenges and solutions on the rapidly evolving GRC landscape.

Event speaker, Erin Francis Nicholson is DPO and Global Head of Privacy at Thoughtworks. She has 10+ years’ experience in data protection and compliance. In addition to consulting on data protection for a number of organisations, Erin has delivered influential data protection change programmes in local government and the civil service, as well as the tech, energy, and finance sectors. Erin will be at PrivSec & GRC Connect London to discuss opportunities and threats that businesses face when it comes to sharing data in the public sector.

Below, Erin answers questions on her professional journey and introduces the key issues of her PrivSec & GRC Connect London session.

Could you outline your career pathway so far?

After leaving university, I went straight into a job as an admin assistant in local council social care, and helped with their records management. From there I was poached by the data protection team. This was pre-GDPR, and I was working on things like Subject Access Requests, elements of policy and Freedom of Information Requests.

I had a taste of data protection and really enjoyed it, so from there I did an LLM in Information Law and Practice at Northumbria, and then went into a job at NHS Digital.

Following this, I set up my own consultancy, working with clients such as Scottish Power. I subsequently took up a consultancy role with Thoughtworks, where I’m currently employed. I had worked with Thoughtworks before, on a project in Stockport Council, and so when Thoughtworks needed a Data Protection Officer, they got in touch with me as I had the necessary experience, and that’s where I find myself today.

I’ve been in the industry for around 12 years now, and I’m currently undertaking an MBA specialising in Information Systems Strategy and Governance. When I complete this, I’m thinking of taking on a Computer Science degree just to round off my knowledge and skills base to add to my legal background.

What are the primary privacy, security and ethical challenges that organisations currently face when data sharing in the public sector?

There are three major problems with data sharing in the public sector; the technical issues of sharing data without creating huge onerous data repositories, with different levels of security requirements; public trust in the reasons why an organisation is sharing data; and costs involved in such a project. The impetus to share and the consequences of not sharing are also an important backdrop to these issues.

We now have more technologies at our disposal in order to share data without it leaving the trust boundary of an organisation, meaning that we can share only the data which is needed, reducing or eliminating the need of creating those data repositories, and the costs associated with them.

This also helps with public trust, as people know that their data won’t leave the organisation they have the relationship with unless it is necessary. This data sharing is already happening via phone calls and emails, and doing this instead via secure multi party computation or private set intersection speeds things up and reduces burden on individuals to make complex data sharing decisions.

What major impacts will emerging technologies have on data-sharing ecosystems?

I think things like secure multi party computation, private set intersection, edge computing, data mesh, and federated learning, will oil the cogs of data sharing, making it easier for organisations and less stressful for individuals working there.

It’s more cost effective and secure as there is now no need to create large expensive honey pots of data, which are a target for hackers, and are high effort to maintain. These projects, as we’ve seen time and time again, are also doomed to fail (and fail expensively and in a high-profile manner).

There is a moral impetus to sharing this data, and I think the public understands that, we cannot however, be cavalier with people’s privacy, and so utilising these emerging technologies will ensure that we increase utility of the data and also increase people’s privacy. It’s a win-win.