Meet the expert: Rishi Maharaj to speak at #RISK London

Taking place on October 18 and 19 at EcXel London, #RISK London addresses the issues impacting organisational risk today, from Governance, Risk and Compliance (GRC), to Environmental, Social and Governance (ESG), organisational culture, and much more.

The event builds on the success of #RISK 2022, allowing organisations to examine the cumulative nature of risk, unite GRC specialities and share views with subject-matter experts.

Rishi Maharaj is founder and Executive Director at Privicy Advisory Services, a boutique consulting firm delivering expert data protection and privacy advice and outsourced services to organisations within the Caribbean and global-facing entities that focus on the Caribbean Market.

Rishi also helps organisations to establish and maintain robust privacy frameworks in line with the General Data Protection Regulations (GDPR) as well as recent data protection legislations in the region (Jamaica, Barbados, Cayman Islands, Bermuda, Bahamas etc.) He is a member of the Canadian Institute of Access and Privacy Professionals and the International Association of Privacy Professionals.

Rishi will be in conversation at #RISK London to discuss key updates within global data protection law.

We spoke with Rishi to hear more about his professional journey to date and for more on the issues up for debate in his #RISK London session.

Could you outline your career pathway so far?

My journey in data protection began in 2008 in Trinidad, where I served in the government as the head of the Freedom of Information unit. During that time, the government was striving to introduce electronic government services to the public. As a crucial aspect of this initiative, we needed to develop laws to safeguard individuals’ personal data.

Consequently, we initiated the drafting process for the data protection law as early as 2007/2008, adopting the UK’s model, which combined data protection and freedom of information under a single regulator’s oversight.

Due to its direct impact on my work, I actively participated in the early drafts and eventual passage of our Data Protection Act in 2011, which predated the GDPR.

Since then, my focus has shifted to assisting private companies in the Caribbean in ensuring their compliance with the growing number of data protection laws. Since 2018/19, several Caribbean countries, including Barbados, Jamaica, and the Cayman Islands, have implemented data protection laws inspired by the GDPR. 

My role involves collaborating with different companies to bring their compliance practices in line with the requirements of these laws.

What are the key themes driving regulation on the global data protection landscape today?

Technology plays a pivotal role in shaping the Global Data Protection Regulation (GDPR). Initially, even before the GDPR era, data protection measures were driven by the surge in technology, as companies amassed vast collections of personal data sets to gain insights into human behaviour.

Subsequently, the rise of social media over the past two decades has amplified data collection and exposed the abuse of data for influencing global democracy. However, the focus has now shifted towards the burgeoning trend of artificial intelligence (AI) and its potential implications. AI’s ability to gather and analyse vast amounts of metadata about individuals poses both promising opportunities for organizations and concerning risks of abuse.

The European Union (EU) has adopted a risk-based approach to govern these evolving technologies, as they recognize the perpetual advancement of technology outpacing regulations and laws, especially within the private sector.

From a Caribbean perspective, economics also drives data protection efforts. Developing countries seek to align their laws with those of established Western democracies (Europe, US, Asia) through trade agreements that involve reciprocity. For these countries, implementing data protection laws becomes essential to foster economic growth and trade with the rest of the world.

What are the biggest challenges that organisations face as they bid to balance compliance and growth in 2023?

One of the most significant challenges companies face today is navigating the complex framework of different laws and compliance requirements.

This is especially true for Caribbean companies heavily reliant on tourism, where data collection from EU nationals is common. The multitude of existing laws and their unique compliance demands pose a major hurdle in developing effective frameworks and compliance programmes.

A silver lining is that many of these laws are influenced by GDPR, creating some synergy and easing the process. However, each law still comes with its distinct requirements, adding to the complexity for organisations.

Another pressing challenge, particularly in the Caribbean, is the growing desire to leverage technology and data in various ways. Large companies in the financial services sector, for instance, recognize the value of data and its impact on their bottom line. Striking the right balance between meeting business needs and complying with diverse regulations remains an ongoing investment and understanding the guidelines is essential.

This cultural shift is evident not only in the EU but also in the Caribbean, where companies have never been accustomed to stringent data collection rules, consent practices, or data sharing with third parties. Adapting to data protection requirements has forced companies to rethink their operations, processes, and systems, leading to a profound cultural transformation. 

Structurally, companies in the region have discovered duplications in data collection points, leading to a lack of coherence and communication within the organisation. Conducting data mapping exercises has been eye-opening, revealing the need for better coordination and synergy to ensure efficient data collection and use within the organisation.