We are very happy to announce that Senior Privacy Consultant Matthew Goodbun will speak at Global Privacy Day this month.

Matthew Goodbun, Senior Privacy Consultant - Data Governance, BSI

Livestreaming on 25 January 2024 as part of Data Privacy Day, Global Privacy Day brings together thought leaders and senior industry professionals to discuss the present landscape of data protection and privacy, and the current and future challenges that professionals face.

Matthew is a Data Protection and Privacy Professional, with extensive knowledge of global Privacy compliance and Data Protection matters. A skilled and accredited practitioner, his program management, compliance expertise, and knowledge of global privacy laws mean he is well positioned to translate regulatory compliance obligations into meaningful business contexts. 

Matthew will be at Global Privacy Day to discuss the importance of measurability in effective data privacy strategies, shedding light on how organisations can build privacy initiatives that go beyond compliance.

Below, Matthew answers questions on his professional journey and introduces some of the key issues arising in his Global Privacy Day session.

  • Data Transfers: Constructing an Effective Privacy Initiative for Measurable Outcomes - Thursday 25th January 2024, 11:30 – 12:00 GMT

Click here to register for free to Global Privacy Day


Could you outline your career pathway so far?

Initially I had career aspirations to become a museum curator and have undergraduate and postgraduate degrees in Art History and Anthropology. When concluding that I was not in a financial position to pursue this, due to the prevalence of unpaid/low-paid work concentrated in larger cities, I made the decision to build my way up in a new direction working in a local government contact centre.

I became interested in welfare reform and information governance, progressing into different roles, completing tasks and supporting projects related to compliance with Freedom of Information and Data Protection laws.

I then completed a Project Management apprenticeship and have continued to study and gain professional qualifications related to Privacy, Data Protection, and Information Security as my career has progressed.

I moved from local government to a technology company providing software to the public sector, progressing into a leadership role responsible for managing a global privacy programme. This involved developing training courses, raising awareness, implementing privacy standards, and managing the practical and operational application of requirements around governance, risk, and compliance.

In my current role as a Senior Privacy Consultant, I work at BSI, the British Standards Institution. BSI is the National Standards Body which also provides consultancy, including Digital Trust Consulting. I provide privacy advisory services to a wide range of organisations, big and small, public and private, that operate across multiple countries, requiring compliance with different data protection and privacy laws.

Depending on the maturity of an organisation’s data protection framework, they may need support implementing additional standards and best practice, moving beyond the regulatory requirements to meet the needs of the organisation, and the expectations of their customers and consumers, where they have decided to take proactive steps to embed privacy in their culture and strategy.

I advise and guide organisations to ensure that they have the right processes, procedures, and mentality to consider the protection of employee, customer, and citizen personal data as part of business as usual. This involves translating regulatory requirements into practical and actionable tasks that can be implemented to make sure that the right controls are in place to protect individuals from harm. The right controls are also needed to protect an organisation’s reputation by minimising the likelihood and impact of an incident involving personal data that could cause an individual harm due to their personal data being unavailable, inaccurate, or accessed by those that shouldn’t be able to see it.

What are the main challenges facing organisations as they bid to embed measurability into privacy strategies, and what does such a privacy strategy look like?

One of the key things here is the planning element. This isn’t just about setting objectives but also encompasses determining the metrics and KPIs that will gauge success. As is the case with any effective project or program, you need a clear understanding of the objectives and the quantifiable achievements. 

From the perspective of a privacy program, these achievements can be linked to privacy rights. It involves assessing factors such as the time taken to fulfil these rights and whether the statutory deadlines were met, which can vary depending on different regulations. For instance, under the General Data Protection Regulation (GDPR), the timeframe is a calendar month, while the California Privacy Rights Act (CPRA) allows 45 days. Understanding and incorporating these jurisdiction specific requirements is critical in defining effective and meaningful metrics.

Another dimension involves incidents and breaches, evaluating not only the number reported internally but also those that need to be communicated externally – to customers, clients, individuals, and Supervisory Authorities. This provides insight into the severity and volume of breaches. All these metrics need to be integrated from the start to effectively demonstrate the maturity of the privacy program.

Additionally, considerations extend to aspects like third-party risk management. The privacy program’s involvement in due diligence questionnaires, the number of these assessments going live, and the governance structures and stage gates in place are essential components. Putting in those gatekeeper elements early on will help organisations to review potential impacts on individual privacy before any implementation.

Furthermore, assessments and audits, whether internal or external, play a key role in evaluating the level of compliance and maturity. Collecting data from these various metrics should be done strategically because you don’t want to overwhelm stakeholders and senior leadership with information. It’s crucial to determine the specific metrics to collect at the outset of implementation, so you can put together those mechanisms and controls that collect meaningful data.

While there’s a need to strike a balance and avoid excessive use of metrics, if you get on top of what data to collect, what matters in relation to the strategic vision and privacy objectives of the organisation, then you can create a robust framework for deriving insights.

This, in turn, will help evidence value to the Board, stakeholders, and other decision-makers. It’s vital to demonstrate the return on investment of the privacy program, especially considering that compliance teams are not traditionally revenue-generating entities within a business. The ability to showcase this return on investment becomes paramount in highlighting the value-added by the privacy program.

Beyond compliance, what are the benefits that come with getting this right?

Compliance with regulations should be the baseline. Some regulations are stricter and are more extensive in terms of their requirements than others, but this isn’t about just ticking a box.

You need to look at what you can do to set yourselves apart as an organisation with respect to privacy, to build and maintain trust in your products and services, and then your brand. From here you need to look at how you can leverage these elements and, using these metrics, how you can evidence the subsequent benefits. An effective breach management strategy can provide damage limitation if you’ve got these metrics working for you.

When this level of commitment and understanding run across the whole organisation, a culture emerges that is committed to safeguarding personal data, preserving trust, and ethically handling personal information.

It’s then important to be able to create explainable and understandable privacy notices, starting from the point of collection, so that you are maintaining a strong connection with individuals. Privacy can then be used as a market differentiator, which is something that companies are doing more and more.

As it becomes more widespread, it raises the bar, elevating standards across industries and sectors. It not only provides users with rights and control over their data but also emphasizes privacy-preserving defaults and the incorporation of privacy by design.

The emphasis here is on ensuring that the default setting is the most privacy-preserving option, and individuals can then choose to make more of their information public or permit more extensive use, if they so desire. This shift in approach serves to reinforce user trust and contributes to an overall improvement in privacy practices.

Trust has become even more crucial as we move into the AI era, where we’re seeing greater use of large language models (LLMs) or generative AI chatbots. Transparency is paramount.

Individuals need to know what is being done with their data, whether it involves decision-making influenced by neural networks or other models. Establishing guardrails is vital, and emerging standards and regulations play a pivotal role in providing the necessary frameworks.

Privacy professionals have long advocated for practices like data protection impact assessments, evaluating risks of harm, ensuring the fulfilment of data subject rights, and communicating effectively about data handling. These practices have been ingrained in the privacy professional’s toolkit, with a significant boost in awareness and consciousness stemming from the introduction of the GDPR. The growing consciousness not only among senior leaders but also the wider public illustrates the importance of these privacy practices in society more broadly today.

Don’t miss Matthew Goodbun exploring these issues at Global Privacy Day in the session: Constructing an Effective Privacy Initiative for Measurable Outcomes.

From establishing foundational frameworks to implementing practical strategies, attendees will gain valuable insights into building a privacy initiative that goes beyond compliance, focusing on achieving measurable and impactful outcomes.

Our panellists will delve into a comprehensive discussion on the key components, successful case studies and actionable steps to create a privacy program that not only safeguards sensitive information but also contributes to organisational success.


Data Transfers: Constructing an Effective Privacy Initiative for Measurable Outcomes

Time: 11:30 – 12:00 GMT

Date: Thursday, 25th January 2024

The session sits within a packed agenda of insight and guidance at Global Privacy Day, taking place 25 January.