Bev is Data Protection Officer at Crisis and has over 20 years’ experience accrued in the public, health and non-profit/charity sectors. An engaging and empathetic privacy, governance and compliance professional, Bev has motivated and inspired countless professionals through her collaborative and facilitative management style.
Exclusively at #RISK London, Bev participates in a panel debate to explore a risk-based approach to data protection and compliance. The session will examine situations that merit the risk-based approach and offer guidance on tools and knowledge required to make the approach work.
Prior to her talk, Bev answers questions on this crucial topic and gives us the lowdown on her professional pathway to date.
Describe your career pathway so far
I fell into data protection compliance around 2000. The organisation I was working for at the time started getting subject access requests, and didn’t know what to do with them. So, I was put on a course and had my first introduction to how data protection worked in that organisation.
At that time, HMRC had lost a set of disks containing the personal details of 25 million individuals. I worked in the building where the disks should have arrived, so my first encounter with data protection involved seeing 50 police officers ransacking our building looking for the missing disks.
The government introduced the security policy framework following this incident and this led to my first introduction to security. I stayed in this role until around 2011, since when I’ve been mainly in the charity sector.
I have over ten years’ experience in the charity sector, but I’ve also worked with the NHS and headed up an information governance team in an NHS trust. In summary, I have quite a broad, varied base of experience in data protection, privacy and security.
What are the fundamental principles behind risk based data protection?
In my organisation, we’re actually engaging with senior leadership and trustees, and starting to understand the organisation’s tolerance to risk in a data protection context.
Obviously, it’s fine to have a risk-based approach, but its definition is always going to be unique to each organisation. You need to have a conversation with your senior leadership and make sure they understand what risk means, and what the consequences of taking those risks could be.
So, what is your organisational risk appetite? To understand this, you need to talk to the rest of your organisation and try to balance risk against your budget and the organisation delivering results.
The organisation’s risk appetite will also change according to what type of organisation it is. You might have a start-up, entrepreneurial style framework with a higher tolerance to risk. I work for a charity, so the public and the Charity Commission would have an anticipation of how high our values are, as we deal with a lot of highly sensitive data.
What tools and technologies are available to underpin an organisation’s risk-based approach to compliance?
Having come from the public sector and going into the charity sector, I’ve seen so many tech solutions out there to help with compliance. But in my experience, the budget isn’t always there to support those.
The ICO has introduced an Accountability Framework – a free tool that is Excel-based. It asks a series of questions concerning leadership, policies, records management, security and many more, and presents the results on a dashboard. For organisations that do not have a huge budget to invest in technology, this is a great starting point to understanding where your risk areas are. I think it’s one of the best tools that a small business or a charity sector organisation can use as a starting point.
What challenges do organisations face as they bid to implement risk-based approaches to compliance?
I think this issue comes back to the culture of the organisation. I’ve had many company proposals put to me that I see as achievable, but then there are risk points too.
I have to let the senior manager know of the kinds of risks that the proposal opens the company to, and they have to accept that level of risk. Some people might think that risk tolerance and acceptance sits with the DPO, but that’s not the case. Individuals within the organisation need to learn what risks are and start being able to judge their own comfort zone with those risks.
It’s about finding a balance and accepting that you’re not always going to get everything right. There will always be red lines that you don’t cross, and success as a DPO involves educating other people so that they understand where those red lines are.
You try to maintain privacy by design and connectivity, so if you’re going to take a risk-based approach, things like data flows can get lost – it’s so easy at the moment for an organisation to sign up to a platform online without doing due diligence checks. They may sign up to terms and conditions without looking where the data flow may be going, to see what the lawful basis for data processing is. This is especially important if data is going outside the EU.
We have to get privacy by design right, get data flows right and ensure we’re being transparent with the people whose data we may be using. We use programmatic advertising as part of our marketing strategy, and getting people to understand what happens with data in programmatic advertising environments is incredibly complex.