Meet the expert: PrivSec World Forum welcomes Olga Phillips

Olga Phillips is Corporate Counsel, EMEA Privacy at Salesforce, and will appear on a PrivSec World Forum panel to discuss challenges and opportunities facing businesses following the UK’s reforms on GDPR.

The debate sits within a content-rich agenda of presentations, keynotes and panels at PrivSec World Forum, where leading subject matter experts and thought leaders will be providing insight into the issues driving data protection, privacy, and security today.

Sponsored by OneTrust, PrivSec World Forum takes place on June 7 and 8 at Park Plaza, Westminster Bridge, London, as part of the Digital Trust Europe series.

We spoke with Olga about her professional pathway, and to learn more about how companies can best navigate the compliance landscape, post-Brexit.

Can you outline your career journey so far?

I am currently Privacy Counsel at Salesforce, an organisation that provides customer relationship management software. As Salesforce offers a collection of apps that provides a holistic customer view and its headquarters are in the US, there are a lot of questions that come to the fore, particularly on product-privacy (especially AI!) and data transfers. As part of my role, I also cover regional developments in the UK & Ireland and have been able to engage with proposed changes to UK legislation. 

Prior to this role, I worked in private practice at Latham & Watkins in London (and in Madrid), working for a range of clients but predominantly focusing on B2C businesses and the social media space. 

Could you describe the key changes the UK has made in its data protection framework post-Brexit?

To date, there are three main changes that businesses should be aware of:

1. In 2021, the European Commission adopted an adequacy decision in respect of the UK. This means that personal data can flow freely from the European Union to the UK and benefit from an essentially equivalent level of protection to that guaranteed under EU law.
2. In respect of transfers of personal data to third countries, the ICO offers two options: (i) the International Data Transfer Agreement; and (ii) the International Data Transfer Addendum to the EU’s Standard Contractual Clauses.
3. The Department for Digital, Culture, Media & Sport are also consulting on the proposed Data Reform Bill which encourages a focus on privacy outcomes over “box-ticking” and seeks to provide a more flexible approach towards compliance. 

How much pressure is there on organisations to adjust their data protection programmes?

It depends on the organisation in question. Many large organisations have both the resources and funding to apply a “highest common denominator” approach to privacy and it is not uncommon for these organisations to apply GDPR standards across the board. 

For these organisations, there may be slight tweaks that need to be made to their existing regime to ensure compliance in light of Brexit, for example, adding the International Data Transfer Addendum to their existing DPA where UK data is in scope.

For SMEs, the challenges will be different – some organisations might even have trouble identifying resource to review these changes and assess how they should be integrated into existing compliance regimes. That said, both the ICO and DCMS have been vocal about their intention to ensure the new regime is not overly burdensome for SMEs.

What are the key hurdles for organisations to overcome when making changes to their DP programmes, in order to align with new UK requirements?

One of the initial challenges that organisations will face with respect to the proposed Data Reform Bill is working out how the new UK requirements differ from existing requirements (if at all) and then altering existing processes accordingly. 

Based on the consultation paper, it seems as though many of the requirements under the Data Reform Bill will likely be met by existing GDPR-compliant processes although the exact text of the legislation remains to be seen. That said, as mentioned above, both the ICO and DCMS are cognisant of focusing on outcomes rather than box-ticking  and so I’m optimistic that the final text of the Data Reform Bill will be pragmatic in approach.