We are delighted to announce privacy professional Gary Brown as a speaker at #RISK London, opening this November.


Gary is Chief Privacy Officer (CPO) at Westinghouse Electric Company. An accomplished senior executive with 20 years’ extensive experience, Gary has operated at board level in a variety of roles within a number of complex organisations across Financial Services, Leisure and Retail.

Exclusively at #RISK London, Gary will be examining supply chain privacy risks and discussing the best ways organisations can maintain visibility as the number of data subprocessors increases.


We spoke to Gary for an introduction to this important issue and to learn more about his career pathway to date.

Could you outline your professional journey so far?

After an early career in finance, I was asked to lead the GDPR implementation for a major UK bank. I found data protection and privacy exciting and quickly became passionate in this area. 

Following delivery of that program I became the Data Protection Officer for a start-up bank, though we never ‘started’ due to the challenges of raising funding as Covid was breaking out. This led me to leave Financial Services and start as Chief Privacy Officer at Westinghouse Electric Company, a global provider of nuclear energy.

Could you describe how risk increases as the number of data processors increases?

Imagine you process all data in-house. You can write policy and procedure, train the teams on it, and monitor processing. Now imagine you depend on using other organisations that have different policies, train to different standards, operate in different countries, and speak different languages. 

The risk is far greater of something going wrong either inadvertently or fraudulently with different transfer points, connectivity and interdependency.

What practices will help organisations to maintain visibility over data handled by sub-processors?

First of all, there should be a culture of accountability. Where you make the decision to outsource processing you have delegated responsibility, and not abdicated it.

Therefore, know your supplier through due diligence, monitor with metrics and performance meetings, and audit them in line with your contract. A mechanism should be used for rating suppliers in order to prioritise the highest-risk vendors. Cross-organisational approaches need to be developed for all stages of the vendor life cycle.

Are there cultural changes that organisations should make to support risk mitigation in the long-term?

This of course depends where your organisation is at, but usually there are changes to make. To mitigate risk in the longer term you need collaboration and an agreed working approach including Supply Chain, IT, Risk, Legal, Data Protection and Internal Audit (and maybe others). This includes not only the onboarding diligence, but in-life active management, and offboarding.