Meet the expert: Marta Dunphy-Moriel to speak at PrivSec Global

Streaming live May 22 and 23, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.

Marta Dunphy-Moriel is Founder at Dunphy-Moriel Legal Services Ltd. Marta is a multilingual international privacy lawyer and DPO, specialising in all areas of data protection and privacy.

Marta’s deep sector knowledge and a decade of international experience allows her to work with pan-European and global businesses to achieve compliance.

Marta appears exclusively at PrivSec Global to discuss the strategies organisations can adopt to nurture Privacy by Design and integrate data protection into organisational culture.

Below, Marta answers questions on her professional journey and the themes of her PrivSec Global session.

Could you briefly outline your career pathway so far?

Like many privacy pros, my career in privacy started by chance. I started off my qualified professional life as an M&A lawyer in a boutique firm in Seville. During the recession, I started working at Baker and McKenzie Madrid (as part of my Master’s).

The roles available were either in TMT or Employment law. Employment wasn’t a choice for me, so TMT it was. As the most junior member of the TMT team, I was assigned this thing called privacy that was very small fry. I found it very interesting and moved on to a tech and privacy role at Bird and Bird Madrid.

After spending quite some time on secondment for several clients getting very valuable on the ground experience and gaining the visceral dislike for work hotels that has stayed me to this day, I was lucky enough to be given the opportunity to join the Fieldfisher London privacy team where I fully specialized in privacy, learning from some of the top privacy professionals in the world.

I was also lucky enough to be seconded to Fieldfisher Silicon Valley for a few months and going on… you guessed it, more secondments. I was also lucky enough to be asked to lead the privacy paralegal team and be part of the core team of the DPO service - invaluable experience for my development as a privacy pro.

Years later, I had the opportunity of becoming a privacy partner at Kemp Little. I continued in that role until a few months after the firm was acquired by Deloitte because, for medical reasons, I made the decision to move closer to family and take on a slower pace and a more flexible role as a consultant. And that’s where I’ve been for the last three years - learning every day and feeling blessed for the opportunities I’ve been given.

What impact is the increasing prevalence of AI having on user trust, and what are the implications for businesses in terms of their privacy programme strategies?

AI’s privacy dilemma has many key issues, all of which impact on user trust. Take for example, AI’s insatiable appetite for extensive personal data to feed its machine-learning algorithms.

This has raised serious concerns about data storage, usage, and access. Users are concerned about where the data is coming from, what it is going to be used for and who can access it. These are questions that data protection laws are not equipped to answer and companies struggle to answer as the network of third parties doing this is ever expanding.

The second key concern for users is AI’s remarkable capacity to analyze data and make complex analyses. AI has a huge potential to infer sensitive information as well as the very realistic issue of being biased. Identity theft and unwarranted surveillance are also relatively easy to implement with AI, which also has a negative impact on user trust.

The lack of consensus on ethical guidelines and best practices to minimize privacy risks around the world have enabled an atmosphere of distrust.

The impact for businesses in terms of their privacy programme strategies is mainly about managing risk: companies are having to carefully evaluate their use of AI and how they comply with their privacy obligations, or take on an unknown amount of legal and reputational risk if they are unsure of what the AI tools they are feeding data to are actually doing (for example, in third party tools/applications).

What primary steps should organisations be taking as they push to implement Privacy by Design and Data Protection principles into organisational culture?

The 3 key steps I recommend are:

1. Have a clear and consistent procedure: Make sure you have clear policies and procedures that everyone is familiar with, so that the internal expectations are clear. These should include what criteria to take when acquiring off-the-shelf products and services from third parties.
2. Train people: Human error is the biggest risk. Take the time to train people and ensure they understand the expectations and when to reach out to the DPO and/or legal.
3. Understand your business: It is vital that your approach is in line with the risk profile of your business. Make sure you understand what the business wants to do, what risks they are willing to live with and what can be done in practice to mitigate risks.