Simon Loopuit heads trust-hub, a software firm specialising in personal data management technology that protects customers and employees alike.

Ahead of his speaker session at Data Protection World Forum, our Q&A with Simon explains data governance and reveals how companies can leverage privacy by design to overcome the challenges of modern business.

After dealing with GDPR, why should organisations continue to worry about anything further?

A lot of businesses, when they put together the business case for their privacy programmes, focus on compliance as a box-ticking and reporting exercise. That investment, they say, stops us incurring huge fines and keeps us compliant with the new regime.

That may be true, but it also misses the larger picture. Doing the ‘minimum necessary’ may avoid fines and keep regulators happy, but companies aren’t in business with their regulators.

Look a little beyond simple compliance and there is the prospect of a considerable ROI for this investment. For example, the business case should be focusing on strategic business issues, such as improving data security to avoid breaches, building customer trust to strengthen the brand and driving competitive advantage by optimising the personal data ecosystem. These objectives can all be achieved by embedding Personal Data Governance into the company’s DNA.

What is Personal Data Governance?

Put simply, Personal Data Governance is a dynamic, secure and transparent process for enabling the safe and compliant use of personal data. It addresses not only regulatory requirements, but also more effective engagement with the data subjects around the use of their data, better risk management both internally and through the supply chain, and appropriate cultural and digital transformation.

Why do I need it?

The transparency mandated by new regulations such as the GDPR will break down the old barriers. It will put all business practices and failings in plain sight. As that happens you’re going to need to make sure that people like what they see.

So, take the focus away from just pleasing the regulators and ask additionally what your customers and stakeholders will want. They will want a business that is proactive rather than reactive when it comes to managing data privacy. One that understands exactly where personal data resides across the entire enterprise (and its global supply chain) and has rigorous processes in place to map and manage, in real time, everything from requests for erasure to identifying surplus data.

That means far more than compliance. Successful organisations are in the midst of a cultural and digital transformation where they are moving from the ‘surveillance by design’ culture – where metrics and behavioural tracking are a central part of how digital platforms extract value from users – towards ‘privacy by design’, where they don’t. Understanding how all the relevant stakeholders benefit from the processing of this personal data is a critical starting point.

What is ‘privacy by design’?

This concept was first introduced by Dr Ann Cavoukian in the 1990s and its foundational principles cover everything from being preventive rather than remedial, to privacy being the ‘default setting’ for organisations, to ensuring visibility, transparency and a user-centric approach to data throughout its entire lifecycle.

However, the changes that have taken place over the last 20 years, such as global data supply chains, cloud computing, software-as-a-service and big data, have brought things into sharper focus. This has been recognised in recent legislation such as GDPR and California’s Consumer Privacy Act, which embrace Dr Cavoukian’s principles.

What can my business do to embrace privacy by design?

Perhaps the first and most important step is to understand that privacy by design requires business and cultural transformation. This is not something organisations can achieve by simply being ‘GDPR-compliant’.

Personal Data Governance is the practical embodiment of the principles that Dr Cavoukian discussed back in the 1990s, applied to the modern digital environment. It is about treating data privacy as far more than a box-ticking and form-filling exercise, and about having zero tolerance for any behaviour or use of data that falls outside those values. It also recognises the challenges posed by new and emerging technologies like artificial intelligence and machine learning.

At trust-hub, we’ve been working with the international business community to help them operationalise that way of thinking. The fact that it also helps demonstrate ROI, with trust and data privacy fast becoming the de facto currencies of the digital era, is an added bonus.

After all, as consumers get a better understanding of their rights and the value of their personal data, they will only want to provide it to those organisations they trust. The others are simply going to get left behind.
