Taking place March 12 and 13 at Park Plaza, Riverbank, London, PrivSec & GRC Connect London provides a platform for organisations to address the cumulative nature of risk.

PrivSec & GRC Connect London’s comprehensive agenda is led by subject matter experts, business chiefs and industry leaders, giving attendees a deep-dive into challenges and solutions on the rapidly evolving GRC landscape. 

Event speaker, Lorraine Pintér is Group Privacy Manager at Vodafone Group. Lorraine began her career in privacy in 2017, working for the Royal College of Radiologists where she helped to establish their privacy programme. She then worked at John Lewis advising on products and services, and internal business, before joining Vodafone Group in her current role, mainly advising on commercial products and services launched globally. 

Lorraine will be at PrivSec & GRC Connect London to discuss the UK’s new version of the Data Protection and Digital Information Bill, and what the revision means for British businesses and their trading partners. Below, she answers questions on her professional journey and introduces the key issues.

Could you briefly outline your career pathway so far?

I studied Law, then went on to take the Bar Professional Training Course part time whilst working full time. After completing my bar exams and whilst applying for a pupillage, I was offered by my then employer, to assist them with building their privacy program prior to GDPR coming into effect.

This was my first insight into the sphere of privacy. I absolutely loved it; the work I was doing as well as all the things I was learning, and as a result I haven’t looked back.

From there I moved to John Lewis’ Privacy team where I gained excellent experience advising within the retail industry and assisting to further build their privacy program. After a few years I moved into my current role as Group Privacy Manager at Vodafone where I advise our consumer product owners which includes reviewing contracts, drafting privacy policy, completing assessments and ensuring privacy by design. 

I also look at ways of developing and improving our processes; drafting internal policy, reviewing approaches, and promoting a good privacy culture.

How does the UK government’s new version of the UK Data Protection and Digital Information Bill differ from the first?

As stated in the Parliament publication ‘Much of the Bill is the same as the [DPDI No 1] which was introduced in the Commons on 18 July 2022’. However, there were a few changes and clarifications in the new Bill, for example:

• The structure of the ICO, namely the Secretary of State’s role in approving guidance

• Processing of personal data for the purposes of scientific research

• Keeping a record of processing for high risk activities

• Meaning of automated-decision making

What changes will organisations need to make in order to accommodate the new Bill?

In my opinion, if an organisation is multinational and is required to comply with the GDPR then it is likely that no changes will need to be made as compliance with the GDPR should be sufficient. However, organisations (or functions) that solely operate within the UK can consider the application of DPDI, which ultimately aims to reduce burden and provide clarity to organisations with its less stringent rules.

There are still some unknowns and what the effect of the Bill could be, for example whether the UK Adequacy will still stand. Such change is relevant as it could require organisations to go back to relying on standard contractual clauses.

Organisations should not compare the implementation of DPDI to the implementation of the GDPR, where organisations undertook immense work to become compliant. I do not believe that many changes (if any for some) will be required before this Bill becomes Act, because it can reasonably be assumed that organisations will already be compliant due to applying the GDPR.

However, there are new notification requirements, which organisations that fall into this category of needing to provide information will have to determine how they will be able to meet this obligation.

On the other hand, it is important to note, just as the Bill was withdrawn with the change of leadership, it is possible that the same could happen again as a result of elections. I would suggest to watch this space.