Meet the expert: Caro Robson to speak at Last Thursday in Privacy

Broadcasting on January 26, Last Thursday in Privacy is a livestreaming experience that takes international audiences to the core of today’s digital landscape.

Leveraging over 14 years’ sector experience, Caro Robson has worked with governments, international organisations and multinational businesses on data and technology regulation. She is currently the Director of Regulatory Strategy for the Jersey Office of the Information Commissioner.

Caro will appear exclusively at Last Thursday in Privacy to discuss best approaches to instilling a company-wide culture of data protection, security and compliance, and – crucially – how to get Board buy-in so that appropriate budgets can be secured.

We spoke with Caro to learn more about her professional journey, and for an introduction to the themes governing her Last Thursday in Privacy session.

Could you outline your career pathway so far?

I’ve worked in privacy, data protection and digital for 14 years now. I started in the field working for part of the UK Government, and since then I’ve worked with the international community, built the global privacy programme for an international aviation group in Abu Dhabi, and led the privacy function in the Middle East and Africa for a multinational payments company. 

More recently I led the data protection and digital practice for a consultancy in Brussels, consulting with the EU institutions on some really cutting-edge privacy issues, and I’m delighted to have been appointed as the Director of Regulatory Strategy for the Jersey Office of the Information Commissioner. So, a “privacy globe-trotter” as a colleague once said!

How big a problem is it to get C-suite and senior management to take data protection, security and compliance culture seriously?

Compliance culture is absolutely crucial for data protection and security, at all levels of an organisation. Speaking from my previous experience, it can be difficult to get buy-in from senior management and the C-suite if they don’t understand the business risks and opportunities from data protection or information security. 

I think it’s important for privacy and security professionals really to stress the links between compliance and the business’s strategic objectives: both in terms of risks to those objectives, and in terms of competitive advantage. But I think the attitudes of boards and senior management are changing, as more organisations are seeing the benefits of strong compliance in creating competitive advantage, not just the cautionary tales of some of the litigation we’ve seen.

Could you summarise best approach strategies when it comes to building a company-wide culture of data protection?

From my experience, I’d say start at the top. The buy-in of the board is absolutely essential. It’s important to speak the board’s language and understand their real concerns. Usually this will mean giving punchy, attention-grabbing presentations that talk about privacy in terms of enterprise risk and competitive advantage. 

I think it’s best to give the board a clear understanding of the financial, legal, reputational and business risks of non-compliance; but also of the competitive advantage to be gained from showing customers your privacy and security credentials.  

You could also reach out to your local privacy regulator, who may be able to help. In Jersey, the Jersey Office of the Information Commissioner (JOIC) has a “Board Support Squad,” where members of the JOIC can come to your board meeting and help its members understand the importance of privacy. It’s been really successful so far, so researching whether your local regulator has a similar programme could also be a useful way to get support.