Rob Masson is founder and CEO at The DPO Centre, an organisation that outsources data protection officer resources. He is also strategic advisor and NED of regional enterprise agency, Menta.
Exclusively at #RISK London, Rob will be joining a panel of experts to discuss the current data protection landscape and to look into what organisations can do to enhance data protection and privacy for the future.
Prior to his appearance at #RISK London, Rob provides insight into these issues and gives us the lowdown on his professional pathway to date.
Could you describe your career pathway so far?
My career started in 1989, aged 18, when I founded a software company with two fellow computer studies students. The company designed an analysis and media planning tool for the advertising and market research sector that we franchised to various large research companies globally.
I completed an exit from this organisation in 2011. In 1998, I founded an ecommerce agency, which was subsequently acquired in 2016. I also founded a further software company in 2005, which developed a multi-channel retail management platform, which I describe as my ‘successful failure’, but was the experience that taught me by far the most.
I have been CEO of The DPO Centre Ltd since it was founded in 2017. Over that time, we have worked with over 650 clients globally, and built the largest team of outsourced Data Protection Officers available, across our UK and EU based teams.
Our continued success is down to our #oneteam philosophy and our mission to “inspire and develop one remarkable team, that delivers the extraordinary.” Our focus on consistent growth is, however, not because we aspire to be the best or the biggest or the most profitable, but because we recognise that we must grow in order to deliver ever-higher standards of expertise and customer service, and to continuously deliver on the dynamic and evolving career development needs of our motivated and ambitious team.
What privacy and data protection risks present the biggest challenges to organisations in 2022?
Every quarter, since July 2020, The DPO Centre has surveyed the now 500+ data protection professionals from all over the United Kingdom, to gather their opinions on the ever-changing data protection landscape. These opinions are used to create the UK Data Protection Index, which provides detailed insight into the risks and challenges organisations are facing.
In the most recent survey, data retention ranked as the biggest GDPR concern, with 28% identifying this as their biggest challenge. This is down to there being little legislative guidance on what appropriate retention periods are, aside from GDPR Article 5(1)(e) that states “…for no longer than is necessary for the purposes for which the personal data are processed.”
In a close second come international data transfers. The Schrems II decision from June 2020 caused turmoil for DPOs when the Privacy Shield was invalidated. Since then, the sector has been (and to a degree, still is) trying to work out the best way forward, not helped of course by the fact that many third countries (including the US) lack sufficient data protection laws to be awarded Adequacy by the EU Commission, and the fact that the UK has left the EU and has devised its own method for legitimising transfers.
Accountability, or the GDPR's 7th principle, is the third identified area of risk. This requires organisations to ‘demonstrate compliance’ with the other 6 principles. Organisations therefore need to ensure that they implement appropriate technical and organisational methods to demonstrate they are processing personal data lawfully, minimally, accurately, securely and confidentially.
How are privacy professionals mitigating these risks?
There are multiple steps DPOs must take to mitigate these risks:
Data retention
Detailed policies and notices, in an easy-to-read format, are required that explain to data subjects (so customers, employees, suppliers, stakeholders etc) how their data will be processed and how long it will be retained. Organisations must ensure that staff are well trained on these retention periods, the importance of deleting data and the processes implemented to ensure deletion of data in accordance with the schedule.
International data transfers
Mapping where you are exporting personal data to is the first step. Data exported out of the European Economic Area (EEA) to a country not deemed ‘adequate’ by the EU Commission will require the implementation of the new EU Standard Contractual Clauses (SCCs). SCCs are designed to ensure that data subjects are given the same rights and protections afforded to them when the data resides within the EU.
If organisations are exporting personal data from the UK to a non-adequate country (the UK deems the EU adequate, and vice versa), then either the Addendum to the EU’s SCCs or an International Data Transfer Agreement will need to be implemented. Organisations, regardless of where they are transferring data from, are required to conduct a data transfer impact assessment, to assess the suitability of data protection regimes of third countries.
Accountability
For organisations to demonstrate accountability, they must ensure that data protection is at the heart of everything they do; this is often described as ‘Privacy by Design’. Data protection training is key to ensuring that your organisation is accountable, as well as your staff.
Organisations should also complete vendor due diligence before transferring personal data to a new vendor. This will help organisations understand how compliant the vendor is and ensure they also maintain a high level of data protection.
Conduct Data Protection Impact Assessments (DPIA) and maintain a Record of Processing Activities (RoPA). These documents ensure that organisations understand their personal data and the impacts and risks associated with its processing.
What are the major regulatory changes coming over the horizon for UK organisations?
The major change coming in the UK is the new Data Protection and Digital Information Bill. This bill follows on from the “Data: a new direction” consultation issued by the Department for Digital, Culture, Media and Sports (DCMS) in September 21. The draft law proposes a range of changes, including the replacement of the DPO role with a “Senior Responsible Individual”.
Although this person’s responsibilities look somewhat similar to the current DPO role, and their duties can be delegated to someone else, many have questioned whether the same level of independence, currently required by the GDPR, will remain.
When we asked our panel of data privacy professionals, the overwhelming majority view the proposed changes with scepticism. Many suggested that this would lead to a lack of independence and a “potential fall in trust and reassurance to data subjects”. Those that support the move suggest that it could be beneficial to small organisations and those who do not process sensitive personal data.
The rules around Data Protection Impact Assessments (DPIAs) will also change and instead controllers will have to produce a record of compliance. A lot of questions remain over many of the proposed changes, especially these two, as many respondents to the initial consultation were against the change. This was reflected in our latest DP Index report where many of the responding DPOs agreed that these changes would not benefit the data subject or be beneficial to organisations.
The Bill was pulled from its second reading in Parliament pending further review by the new Truss government. It may therefore be that even further significant reform of the UK GDPR may be coming.
The event unites thought leaders and subject matter experts for a deep-dive into organisational approaches to handling risk. Content is delivered through five content hubs, each featuring insightful sessions, case studies, networking, high-level thought leadership presentations and panel discussions.
→ Session: The Data Protection and Privacy Risk Landscape
→ Time: 10:00 – 10:45 GMT
→ Date: Wednesday 16 November 2022
→ Venue: ExCeL London