Meet the expert: Matthew Phillips to speak at #RISK London

Matthew is Group Data Protection Officer at Rentokil Initial, and has a wealth of information law experience accrued in both the private and public sectors.  

Matthew will be among experts at #RISK London discussing the current risk landscape and what businesses can do to prepare for the future.

We spoke with Matthew about his career so far, and to learn more about evolving privacy threats for organisations to look out for.

Could you describe your career pathways so far?

My career has been quite diverse. I’ve worked for different types of organisations of varying sizes and structures. I started out in the public sector 20 years ago with the school inspectors in Wales, then moved to a university for eight years where the remit in both roles was much wider, and included other legislation such as the Freedom of Information Act, the Data Protection Act along with other related legislation around Information Law and governance.

Then I started to specialise more in data protection, when I began to work in the private sector and the employment of a global financial company. After a few years, I joined a security-as-a-service (SaaS) business. This was a US company that had expanded into Europe and I became their DPO.

Two years later I moved onto an international data company, where I’ve worked in different roles, from Data Protection Manager to DPO, to global DPO, before starting in my current role as a global DPO with Rentokil Initial.

What privacy and data protection threats are dominating the threat landscape in 2022?

From my perspective, this question concerns risk impacts more than threats. There are so many different things that can impact different organisations – external factors; regulatory action; court cases; campaigns – especially in privacy.

So much of how we tackle these issues is changing also, as technology and how organisations want to use personal data evolves so rapidly – there’s always something new trending for privacy and data protection professionals to tackle. We’ve seen a lot of court cases and regulatory action taking place that have wider impacts on the ways businesses operate.

There’s so much going on in privacy and data protection that it can be difficult to isolate individual threats. Ten - fifteen years ago, for example, social media brought about a huge impact on the landscape, and so a big conversation has been around how different social media platforms as well as organisations who utilise social media are using our data for various purposes.

The pandemic brought so much change for the security landscape, from remote working, hybrid working and working from home – so many things that people didn’t have to consider before. I’ve heard suggestions of risk assessments being made in peoples’ homes, but obviously there’s a very fine line between privacy and encroaching onto one’s personal life.

How we’re using personal data is at the forefront of this issue, and risks will vary according to organisation, who clients are, etc. The big concern for me is how these risks impact on your organisation and the data subjects whose personal data is being processed – we have to continually communicate, test and ensure we have processes and controls in place, and that has to become part of business as usual.

What tactics are protection and security professionals employing to combat these threats?

If you have a robust privacy or data protection programme, if you have controls in place and you have skilled and knowledgeable teams, then you can prepare for a lot of the threats that your organisation faces.

Ultimately, preparation is key – understanding your own position and what will happen when things go wrong – it’s about having risk assessments in place and knowing what the different outcomes might be for your business.

A lot of change has taken place, with GDPR coming into play, with new protocols under the transition of Brexit, other obligations and the uncertainty through the UK Data Protection Act and Digital Information Bill. But I think you need to not panic, just take the time to assess existing controls and put new mechanisms in place to main message is to keep calm and prepare.

In terms of internal security, I think people are the foundation of upholding a strong security culture – it’s only as strong as its weakest link. I think organisations are improving generally in this area – there have been more headlines about data breaches and this has had a major impact upon how people think within an organisation. From businesses, to clients, customers, employees and the public in general, there are so many stakeholders involved that organisations simply can’t afford to be irresponsible in their data handling.

What are the major regulatory changes coming over the horizon that UK organisations need to start preparing for?

For me, it’s the UK Data Protection and Digital Information Bill. That’s going to be big for UK organisation and could bring about a lot of change. A lot of people are concerned, especially those working with European organisations in terms of adequacy within data transfers. However, this appears to have fallen down the priorities of the government, so more uncertainty for data protection and privacy professionals.

But again, if you have a strong enough framework in place, based on adherence to GDPR and the Data Protection Act, then you’re going to be in a strong position to deal with the forthcoming law changes and any changes that you make may be quite minimal in the long-run.