25 March 2026 (all times GMT)
Breaking the Silo: Rewiring UK & EU Organisations for Unified Privacy–Security Governance
9:15am - 10:00am
Across the UK and EU, regulatory pressure has made it impossible for cybersecurity and data protection teams to operate in isolation. Yet culturally these functions continue to speak different languages - technical versus legal, engineering versus compliance. This panel examines why siloed structures still exist and exposes the real-world consequences: inconsistent DPIAs, misaligned risk assessments, slow breach reporting, and ineffective data governance.
Speakers will explore what “good” looks like: shared taxonomies, joint incident playbooks, unified risk registers, and governance models where CISOs and DPOs co-own decisions. Case studies from regulated sectors will illustrate how collaboration shifts organisations from firefighting to proactive resilience and trust-building.
Governing Financial Data: Trust, Visibility, and Control in BFSI
10:00am - 10:45am
Banks, insurers and financial services firms operate some of the most complex and highly regulated data ecosystems in the economy - spanning payments, open banking, cloud platforms, fintech partnerships and cross-border processing. As regulatory scrutiny intensifies, BFSI organisations are under growing pressure to demonstrate not just compliance, but continuous control over how sensitive financial and personal data moves, is accessed and is protected. This panel will explore where traditional privacy and security models break down in modern financial data flows, and why visibility and governance - not policy - have become the defining trust issues.
Panellists will discuss real-world challenges such as shared accountability with fintechs, operational resilience expectations, auditability of data access, and regulatory demands for explainability across automated decisioning. The session will provide practical insight into how BFSI firms are aligning privacy, security and risk teams to govern complex data environments, reduce regulatory exposure, and maintain customer trust while continuing to innovate.
When Contracts Aren’t Enough: Operationalising Third-Party Risk
10:45am - 11:30am
Third-party risk is now one of the most common root causes of privacy breaches and security incidents - yet many organisations still rely on static assessments, contractual assurances and annual questionnaires to manage it. This panel examines why traditional third-party risk management models no longer reflect the reality of interconnected suppliers, sub-processors and technology dependencies, and how this creates material privacy, security and regulatory exposure.
Speakers will explore how organisations are improving visibility beyond direct vendors, embedding privacy and security requirements into procurement and onboarding, and detecting risk in near real time rather than after an incident occurs. The discussion will focus on governance models that connect legal, privacy, security and procurement teams, helping organisations move from contractual comfort to operational assurance across complex third-party ecosystems.
Sponsor Session
11:30am - 12:00pm
UK Regulatory Crossroads: Aligning Privacy, Security and the Data (Use and Access) Act
12:00pm - 12:45pm
With the UK Data (Use and Access) Act reshaping data governance, privacy and cyber teams are being pushed closer together than ever. Compliance now requires joint stewardship of data flows, retention standards, and AI-related safeguards - yet many organisations struggle to define who owns what. This panel decodes the regulatory expectations for cross-functional coordination.
Experts will discuss the operational impact of the Act alongside the UK GDPR, PECR reforms, and increasing ICO scrutiny. Attendees will learn how to modernise governance so compliance, security and data innovation reinforce one another, instead of pulling in opposite directions.
GDPR Meets Cyber Risk: Why Security Failures Are Still Privacy Breaches
12:45pm - 1:30pm
GDPR enforcement continues to show that cybersecurity incidents are almost always privacy violations. But many organisations still treat cyber risk purely as a technical challenge - failing to appreciate that Article 32 security measures and Article 33 breach reporting are intrinsically privacy obligations. This panel brings DPOs and CISOs together to dissect the operational tension between detection, containment, and mandatory regulatory reporting.
The discussion will highlight case law, enforcement trends, and how misalignment - especially in the first 72 hours - raises regulatory and reputational stakes. Panellists will provide practical guidance on harmonising breach preparation, escalation pathways, and log retention policies to avoid ambiguity during real-world incidents.
Panelist
- Vicky Owens, Interim - Senior Data Privacy and Compliance Counsel, SkyShowtime
Data Retention Wars: Reconciling ‘Keep Everything’ Security Culture with Privacy-Minimisation Duties
1:30pm - 2:45pm
Security teams demand logs and telemetry to hunt threats, while privacy teams push for strict minimisation and deletion. The result? Confusion, conflict, and sometimes major compliance failures. This panel explores how organisations across the EU are navigating one of the most persistent operational tensions between security and privacy.
Speakers will discuss strategies for building defensible retention schedules, aligning DPIAs with security threat models, and managing shadow IT that undermines both disciplines. Attendees will learn how to strike a balance that preserves investigative capability without breaching GDPR principles or increasing exposure in an incident.
NIS2, CRA and the New European Security–Privacy Convergence
2:45pm - 3:00pm
New EU laws such as NIS2 and the Cyber Resilience Act are forcing companies to rethink how privacy and cybersecurity functions collaborate. These regulations embed security and privacy-by-design obligations directly into product development, supply-chain management, and incident response. This panel examines the expanding intersection between these frameworks and data protection requirements.
Through practical examples, speakers will explore how joint privacy–security involvement in procurement, software assurance, vendor risk, and AI governance has become non-negotiable. Attendees will leave with actionable strategies for integrated compliance across security, privacy, and digital risk.
AI Governance Without Chaos: Merging Privacy-by-Design and Security-by-Design
3:00pm - 3:45pm
AI systems expose gaps that neither privacy nor cybersecurity teams can manage alone - especially around training data, model transparency, data lineage, and monitoring for adversarial attacks. This panel explores why AI governance is the ultimate forcing function for privacy–security cooperation.
Experts will break down how the EU AI Act, UK AI guidance, and emerging corporate governance frameworks require joint reviews, joint sign-off, and shared accountability. Delegates will gain insight into operating models that enable innovation while protecting individual rights, organisational integrity, and regulatory compliance.
The CISO–DPO Relationship: Governance Models That Actually Work
3:45pm - 4:30pm
This session dives deep into the real dynamics between CISOs and DPOs across UK/EU organisations - highlighting where friction emerges, why conflict persists, and what regulatory bodies expect from these roles. Combining legal, technical, and organisational perspectives, the panel will break down common failure points: overlapping duties, unclear reporting lines, and mismatched incentives.
It will also showcase real-world models used by leading organisations - from privacy & security councils to joint board reporting - that replace adversarial posture with productive tension. Attendees will receive a blueprint for governance that aligns mission, culture, and accountability.
Sponsor Session
4:30pm - 5:00pm
Surveillance, Monitoring and Trust: When Security Controls Become a Privacy Risk
5:00 - 5:45pm
From endpoint monitoring and behavioural analytics to insider threat programmes and productivity tooling, organisations are collecting unprecedented volumes of employee and user data in the name of security. This panel examines when protective monitoring crosses into disproportionate surveillance - creating legal exposure, cultural damage and regulatory risk.
The discussion will explore how UK and EU regulators assess proportionality, transparency and necessity in monitoring practices, and why poorly governed surveillance often undermines both privacy and security outcomes. Panellists will share approaches for designing monitoring programmes that are effective, defensible and trusted - ensuring security controls do not become the next compliance failure.
Your Passwords Aren’t Safe: Inside the Credential Harvesting Epidemic
5:45 - 6:30pm
Billions of login credentials are circulating on the dark web, from phishing campaigns to massive corporate leaks, and no one - from executives to everyday users - is immune. Credential harvesting has evolved into an automated, industrial-scale operation, fuelling identity theft, account takeover, ransomware, and even deepfake fraud. This panel dives into the mechanics of how credentials are collected, traded, and weaponised, showing why a single reused password can ripple into catastrophic consequences across organisations and personal lives.
Experts will explore the psychological, technical, and organisational vulnerabilities that criminals exploit, from password fatigue to weak MFA adoption, and the emerging strategies defenders are using to fight back. Attendees will leave with a stark view of the credential crisis, understanding not only the scale and audacity of modern attacks, but also the broader societal and regulatory implications of living in a world where your digital identity can be harvested - and sold - in minutes.