We’re delighted to announce that Data Protection Lead, Matt Collinge, will be speaking at #RISK London in November.
Matt is an insightful and experienced leader within Data Privacy, Security, & Ethics, who approaches data protection challenges with enthusiasm and an appreciation of how it fits in the wider world.
Currently working as a Principal Consultant for Slalom in the UK, Matt has a particular passion for Financial Services, E-Commerce, and Technology. He has worked with teams across a variety of industries to find sustainable solutions, using his highly personable style to understand issues and provide meaningful solutions.
Matt will be among experts at #RISK London to discuss how businesses can handle data in a way that satisfies legislative frameworks such as the GDPR, and technologies that can support a risk-based approach to compliance.
We caught up with Matthew to discuss the issue further and to learn more about his professional journey.
Could you outline your career pathway to this point?
At the start of my career, I was a risk and compliance professional, which incorporated data and analytics as well. I then fell into data protection around 2017 whilst working for a railway supplier.
I just fell in love with the job and things snowballed and I got more opportunities, before moving to PwC in 2018 as a data protection consultant based out of London.
Following this, I joined the MoneySupermarket Group as their Data Protection Manager, managing their companywide Privacy Framework. I then moved to Slalom after a bit of a break in insurance. Once again, my role involves consultation – building out Slalom’s Privacy, Security & Ethics practice.
Could you outline the fundamental principles behind risk-based data protection?
Risk-based data protection, more or less, means that you have to understand and accept that the world you live in isn’t perfect. A zero-risk approach to anything in business isn’t going to work given the limited resources available to most data protection teams.
To start this, I always recommend that organisations understand what data they hold, what types of processing activity are being undertaken and what the change agenda is.
Once you have understood what those high-risk areas are, you need to be able to implement effective governance controls or processes around those areas to mitigate. The challenge is then to maximise your limited resource and be able to identify those problems where you can be most effective.
What kinds of tools and technologies should organisations be using to drive their risk-based approach to compliance?
I think it depends on what you want to leverage, which then needs to be incorporated into the risk-based data privacy programme. As previously mentioned, one of the most fundamental aspects is knowing where your data is, and knowing where risky data assets or risky data processes are.
There are a lot of data discovery tools available, and data cataloguing tools that can be used to help you identify critical data and record it, especially with cloud providers as well; it’s becoming a standard offering that you can use.
The other way technology can be used is to demonstrate your approach to governance and risk. For example, using GRC tools to outline and document your thinking and your methodology for that risk-based approach. Without these you’re essentially trying to find your way in the dark.
What are some of the primary hurdles that organisations face as they move to improve their risk-based approach to compliance?
I think the biggest key now for me is really understanding processes. So, in order to take a risk-based approach, you have to understand what your risks are and be able to fully articulate them back to the business. If you don’t fully understand what your business is doing, what upcoming changes are happening, or even what the company culture is, then you’re going to have problems.
The next challenge is being able to influence people into understanding that these risk areas take priority over the next sale item, for example, or over another risk. You have to be aware of all the competing priorities and know which is the most important.
Within the risk-based approach, I think the barriers stem from cultural issues more than structural ones, although it’s a subtle shift. My observation is that if you let organisations run amok without accountability, oversight or understanding, then that’s obviously a recipe for disaster.
The task involves being able to build a collaborative culture, get people on the same wavelength and working with one another, and get that risk-based culture to be an ally rather than an enemy. As a leader in this area, you sit between structures and you have to work out how to engage and build a culture of collaboration; understand how welcome people are to scrutiny or being challenged. A lot of organisations are resistant to accountability, but they don’t understand it’s for their own good.