We’re looking forward to welcoming DPO Matthew Kay to the speakers’ roster at #RISK London this autumn.

Matt Kay headshot

Matthew currently leads the Advisory and Records Management functions for Metro Bank(UK) operating under the SMCR regime. He provides strategic leadership to a team of data protection and records management professionals ensuring the bank complies with the UK GDPR and other associated legislation.

Exclusively at #RISK London, Matthew will be among experts discussing how organisations can handle data in a way that satisfies legislative frameworks such as the GDPR, and technologies that can support a risk-based approach to compliance.

We caught up with Matthew to discuss the issue further and to learn more about his professional journey.

Could you outline your career pathway so far?

I’ve worked in data privacy for just under 10 years now. I started my career at the UK regulator, Information Commissioner’s Office, beginning as a case officer advising organisations across the board on data protection and privacy. 

I then moved into their audit department, where I used to lead teams of auditors, auditing, data protection and privacy compliance for different organisations. Following three years with the regulator, I moved to the London Borough of Hounslow where I was DPO where I led their GDPR readiness programme.

Following approximately five years in the public sector, I moved into the private sector, where I’ve spent the latter part of my career as a group Data Protection Officer (DPO) for Balfour Beatty. I subsequently moved to Thomson Reuters, and then had a short time with a health and safety organisation. Following this, I moved to Metro Bank as their deputy Data Protection Officer for approximately a year. And then I was promoted to DPO.  

I currently lead a team of data protection and records management professionals helping implement data privacy, compliance across the organisation. I’ve had an aspiration to move into financial services. So, I was grateful when the opportunity to join Metro come up; I feel like it’s been a great move. I really enjoy working for the company, it has a really nice culture and we have a strong focus on data privacy.

What are the fundamental principles behind risk-based data protection?

I think balance is probably the most important principle. The DPO is the moral conscience of the organisation when it comes to compliance with data privacy law.

I have to be a champion and an advocate for information rights and individuals in terms of their rights and freedoms on the data privacy legislation, making sure that their expectations and requirements are complied with. That’s balanced and coupled with meeting the needs of the organisation.

I think a good DPO primarily focuses on the needs and rights of individuals, and ensures those are met, but without hindering the organisational needs. There has to be a level of commercial focus in terms of enabling an organisation to meet their objectives.

You have to be prepared to challenge certain commercial ventures that might not align with individuals’ rights. I think you have to find a pragmatic, halfway house wherein individuals’ rights are not hindered and organisations can operate effectively.

You have to acknowledge and respect the high-level principles at play, but also offset interpretation by looking at situations on a case-by-case basis. There’s no one-size-fits-all approach and certain initiatives are riskier than others. It’s crucial to always stay cognizant of your organisation’s position and ensuring things stay on the right side of the law. It’s also crucial to handle data in a way that you know will uphold the organisation’s positive reputation.

How are tools and technologies helping organisations to underpin their risk-based approach to compliance?

I think it goes without saying that organisations need to be creative, and efficient in terms of their use of resource when it comes to compliance. Technology offers a great pathway to creativity – providing solutions that allow elements of processes to be automated or managed in a way that reduces human resource.

I think this approach needs to be offset by an awareness of the continued need for human thought and interaction; there are certain instances where you need the kind of case-by-case approach.

I think that it’s important and very beneficial to have tools and software in place that allow you to document your glossary of data protection impact assessments (DPIAs), Data Subject Access Requests (DSARs), etc. There are brands out there with solutions that oversee governance, offering a model to manage data protection compliance. At the same time, there are technologies and platforms available that can sit around those main governance software suites to help shore up data protection and privacy online.

Systems that facilitate tasks such as data discovery can be really useful. They’re not necessarily there purely to support data protection compliance, but they support what you’re trying to achieve with your data.

Are there common challenges that organisations face when they try to improve their risk-based strategy?

As DPO, I’m essentially the gatekeeper for the organisation, so my primary focus and objective is to make sure we comply with data privacy legislation and meet the rights and freedoms and individuals by virtue.

If you take a hard-line approach to this, it obviously makes life easier, but then you may not be considered as skilful within your profession. Organisations are looking for someone who can help them meet organisational needs and requirements too, so there needs to be a solid level of commercial understanding.

As such, the challenge is enabling the organisation to accomplish goals whilst ensuring compliance with data privacy laws. It is often useful not just to challenge a proposed initiative, but to find another way of making it happen and achieving the desired objective. I think that’s where the real skill lies – understanding the legislation and adhering to it, but being an enabler for the organisation.