Ann McManus, Head of Data Protection and Privacy at Lloyd’s, will join the experts speaking at PrivSec: World Forum.

Taking place at Park Plaza, Westminster Bridge in London on June 7 and 8, PrivSec: World Forum brings together a wide range of subject matter experts and thought leaders to explore the complexities of data protection, privacy and security today.  

The two-day, in-person event sits within the Digital Trust Europe series, providing professionals with an unmissable opportunity to network, build knowledge, and learn how organisations are enhancing protections, minimising risk and improving trust. 

Heading up data protection for the world’s oldest insurance market, Ann McManus and her team manage the protection of personal and commercially valuable data. As Lloyd’s, a 350-year-old City institution, undergoes a programme of digital transformation, a steady stream of work ensures data protection is embedded into all changes.

Ann will be appearing at PrivSec: World Forum to participate in a panel focussing on the compliance challenges presented by Data Protection Impact Assessments (DPIAs).

We spoke with Ann about her career pathway to date, and to learn more about the role of DPIAs within the broader sphere of risk minimisation.

Could you outline your career pathway so far?

I took an off-piste career route to become a lawyer and found data protection on the way. After graduating from University of Edinburgh in Law, I wasn’t convinced I wanted to go down the typical training contract route and so I did an LLM in Law and Economics to broaden my specialism and build my language skills (as the course was split across 3 universities in Bologna, Hamburg and Haifa). 

After working in start-ups – a corporate governance consultancy and litigation funding for class actions – I decided to move back to law and started studying for the New York Bar exam at night school while taking contracting roles at BT and US law firms. 

I was offered my first fully data protection focussed role at Vocalink, a Mastercard company which is one of the biggest payment processors in the UK, before moving to Lloyd’s of London, the 350-year-old insurance market and one of the “four pillars of the City of London”. Although I followed an unusual means to get to where I am now, I wouldn’t change it as every step taught me something invaluable.

How significant is the role played by Data Protection Impact Assessments (DPIAs) within the broader remit of risk minimisation?

DPIAs are an important means of finding out what is happening to personal data across your organisation and getting a say in how that personal data is managed. At Lloyd’s we take a low threshold to DPIAs and review more personal data processing than Article 35 requires for two reasons. 

Firstly, we use the DPIA process to review commercial data risks as well as personal data risks. As a B2B marketplace, Lloyd’s processes a lot of commercially valuable data which requires a similar level of security as personal data. Processes that involve only commercial data will be subject to security questions but not the full set of Article 35 questions.

Secondly, we use the DPIA process to identify new activities which need to be recorded in the Article 30 Records of Processing.

All in all, the DPIA process helps us stay involved with all product and service design across the business to ensure privacy and security by design are built in from the start.

Why are DPIAs such a compliance challenge for many privacy professionals?

I can see them being a challenge if a proportionate approach is not taken. If you are seeing that too much time is being spent on low-risk activities, a sensible approach is to set a tolerance level and adjust it based on the outcomes of the DPIAs and the resource available to conduct reviews.

I would also advise automating screening questions in the questionnaire the business submits their information via, and using drop-down menus and logic to filter out no- and low-risk activities.

Another challenge can be not getting buy-in which means DPIAs are not being done when they have to. To overcome this, I suggest identifying the teams where change happens and new projects come through, like project management teams, procurement and business transformation, and training them on the importance of privacy by design. 

We get so many questions on how data is being protected from our stakeholders that I am lucky that even if my training falls on deaf ears, at least the voice of the consumer will refocus attention on the importance of data protection to the end product or service.

Are there common issues that businesses have to overcome as they build target operating models for DPIAs?

Yes, working out their risk tolerances (i.e. are we going to do DPIAs for high risk processing only or should we review all processing of personal data? In the latter case, can we introduce a tier system to filter out lower risks?). 

Another is integrating with any information security reviews or processes so that you can get clarity on what technological measures will be available and the information security experts understand what data they need to protect and can tailor their controls accordingly. Lastly, but importantly, making the DPIA process as user-friendly as possible so it’s not “yet another form to fill out”. 

Don’t miss Ann McManus speaking exclusively at PrivSec: World Forum in the panel debate: “Data Protection Impact Assessments (DPIAs): Implementing a Target Operating Model”.

→ Session time: 16:05-16:50 BST

→ Date: Wednesday June 8, 2022

→ Venue: Park Plaza Westminster Bridge, London

PrivSec: World Forum is also available on-demand for global viewing
