
Episode 20: How GDPR Changed Compliance Programs For the Better

Hear what happened when we sat down with Cameron Craig, Head of Privacy Legal at HSBC, to discuss the impact of the GDPR on compliance teams, business users, and leadership. Cameron shared his insights on the biggest challenges in implementing the GDPR and the role of the DPO in ensuring compliance.



Cameron Craig

Head of Privacy Legal, HSBC

Paul McCormack

VP Privacy Law Innovation, Privitar



Intro: Welcome to InConfidence, the podcast for data ops leaders. In each episode, we ask thought leaders and futurists to break down the topics and trends concerning IT and data professionals today, and to give us their take on what the data landscape will look like tomorrow. Let’s join the data conversation.



Paul: Thank you. And welcome back to another episode of InConfidence. I’m Paul McCormack, the Vice President for Privacy Law Innovation at Privitar. Today, I’m delighted to be joined by Cameron Craig, the Head of Privacy Legal at HSBC, someone I’ve known for many, many years. Perhaps we can just hear from you about your journey, life pre-law into international legal practice.


Cameron: Thank you very much for inviting me along to this, Paul, it’s great to be here and take part in this podcast. So I did have a previous life. As you know, before becoming a lawyer, I worked as an engineer for seven years, a systems engineer in quite a variety of areas, from steelworks and car manufacturing, and actually spent some time on a nuclear powered submarine and, in fact, on an aircraft carrier. So after seven years, I made the change over to law for various reasons, and retrained as an IP/technology lawyer with Linklaters. And that was really my route into privacy. And then from there, I joined DLA Piper as a partner, where our paths crossed, Paul, in 2004, as Co-Head of the global data privacy practice, and then from there, I joined HSBC in my current role about 10 years later, in 2013. So that’s me in privacy now.


Paul: Fascinating, fascinating. I guess that transition from engineering to privacy, particularly at a time where privacy was not really a strong discipline in the legal sector. And I guess, have you found that that has helped to shape your perspective on actually joining those dots in privacy and thinking about the mechanics of how data moves?


Cameron: Yeah, very, very much so, Paul. I often think that there are a lot of synergies between the skills needed to be a lawyer and the skills needed to be an engineer. Just for example, I often equate writing software to writing contracts, with sort of logic and flows, etc. The only difference, of course, is that in engineering you can actually test if it’s working before you finalize it, unlike contracts. But I mean, I’m at the sort of generation where people didn’t tend to initially specialise as data privacy lawyers; they would be technology lawyers and do data privacy as part of that work, which I think personally is quite a good way into data privacy law. Because I think to be an effective data privacy lawyer, you need to understand the broader issues surrounding deals, basically how the contract fits together, what the commercial reality is. And increasingly, you’re right, Paul, I think there’s a need to have a good understanding of how the tech works as well, to be able to really grasp what’s going on in the real world.


Paul: Fantastic. And I guess, thinking about that journey then, going from Linklaters, DLA, to then becoming the head of privacy at the world’s largest bank, I mean, fast forward or cast your mind back to 2018 and the 25th of May, a big milestone for most companies out there. What was it like? What were you doing around that time?


Cameron: Yeah, it was. The GDPR was quite a seismic change in some ways, particularly in the way that people viewed data privacy, the way that people outside of privacy viewed it, senior management or the public at large. Whereas those of us in the field were talking about GDPR for many years; although it came into force in 2018, I think the first draft was in 2011 or 2012. So just, you know, a never ending conversation about the GDPR, which was great. But those of us that looked at it at the time said the actual principles, what you need to do, is actually quite similar under the old law to what’s needed under the GDPR. I think the key differences were really around the fines, a big difference between £500,000 and 4% of global turnover, particularly for an organization like HSBC, which meant that senior management looked upon the risk in a very different way to how they’d looked at it previously. And then the other big change was what we call accountability, or the need to put in place proper documented processes to be able to verify the decisions that you’ve made, such as the record of processing, privacy impact assessments, the introduction of data privacy officers. So there’s this big machine that you had to put in place, which meant that you needed to educate and inform a lot of the people doing that stuff. Whereas previously, a lot of the data privacy thought was really done within the legal or potentially the compliance team. So it was really education, and embedding those processes was one of the biggest challenges, I think.



Paul: Interesting. I guess, you know, that sort of shift or evolution from perhaps, you know, to some extent, paper compliance, to actually, yeah, fully embedding compliance into organizations, was that what you see as the big change?



Cameron: Yeah, I think that’s, I mean, I think that’s the biggest change, or one of the biggest challenges that big organizations have had. You know, it’s one thing writing the procedure and writing the policy and writing the controls; actually getting people to understand those in practice and actually embed and think privacy – the word which is increasingly coming to the fore is privacy culture these days, which I think is a really good aspiration to have, so that people think privacy all the time, they understand what they’re trying to do, they understand the risks that they’re trying to address. And I think that’s almost moving on to the next level of maturity.



Paul: Interesting, really interesting. I think that sort of concept, you mentioned maturity, I think where you were at the time, that you’re building, looking at the sort of gaps of what you had, implementing those gaps. And I guess fast forward now to 2023, we’re almost five years on from GDPR. What were the key, I suppose, looking back now and casting your mind back, what were the biggest challenges? And where do you think, I suppose, the biggest successes you’ve also had in that maturity curve, implementation, and now to the sort of, you know, the steady state of where the company’s at?



Cameron: I think the biggest challenges were probably, you know, maybe think about four things. Possibly one would be initially just getting the right balance of knowing when to stop on the detail, if you like, getting the descriptions of data at the right level, or getting the records of processing at, you know, what level do you stop that level of granularity. The second challenge, which I probably alluded to already, was getting people to understand what privacy was all about. I think you’ll remember as well, at that time, Paul, that there were a lot of new entrants to the privacy advisory space, creating a lot of unhelpful myths at the time, and quite a lot of legal teams’ time spent actually putting out fires where, you know, somebody read in the paper you need consent for every use of data, all of this stuff. Everybody was trying to do the right thing; they were getting a lot of the wrong messages. So trying to bust those myths was one of the big things we had to do. And then I think the other challenge, obviously, somewhere like HSBC with many different jurisdictions, is getting consistency in the way that you embed it across all the different countries. I think it was one of the biggest, those are probably the biggest challenges we





Paul: I suppose with that in mind and thinking now to where you’re at, both with your team structure, and thinking about the way that GDPR has had an impact on data across the organization, thinking about these data teams, the risk and compliance teams, the legal teams, I mean, how do you think that has changed and matured over the past, sort of, nearly five years post-GDPR? Have you seen a big impact?



Cameron: Yeah, huge, huge impacts, Paul. I mean, sometimes it sort of feels as though you’re not making a lot of progress. It’s sometimes like two steps forward, one step back; it sometimes feels like one step forward, two steps back. But when you do take stock after two years, three years and four years, and certainly looking back now as we are doing, it’s a completely different environment to the one that we had in 2018. There are so many more people now engaged in data privacy risk management, effectively. There’s so much more awareness of it now. There are so many more processes which are getting really embedded. And we’re on a call now with, you know, 20/30 privacy professionals that are engaged in carrying out these sort of processes and really understanding and caring about the data. It’s a massive change to how it was before, where some of the conversations we were having were with business leaders saying, “why is this relevant to me?” But you know, they really don’t understand that. So it’s a huge change. And part of the challenge as well has been trying to really identify the different responsibilities of the different stakeholders that are involved. So there could be different models.
But at HSBC, for example, there’s a legal team that define what the requirements of the law are, and look at forthcoming legislation and provide legal advice going forward. We then have the risk team that look at, okay, what does this risk mean in the context of the wider risk management framework. We have the data protection officers now as a separate, very separate function that really look upon things very much from the risk viewpoint of what’s the risk to the individual, whereas the risk management team and the legal team look at what’s the risk to the business, obviously with the concern for the individual, because the two things are linked, but the DPO is very much about the risk to the individual being addressed. And also with a close link to the regulator, the ICO in the UK. Yeah. So I think that separation actually works quite well in practice. And it gives, you know, the independence that the DPO has; I think that’s beginning to work really well. The other stakeholder would be in the sort of business, or the first line of defense, the people actually within the chief data officer team, broadly speaking. They’re the guys that are the first point of contact for privacy advice for the business; they’ve got the guidance from the legal team, and they can point the business to the right place as to which process to follow. So I think they’re all working now and being a lot clearer on what their role is, which makes the whole machine operate a lot more effectively.



Paul: Amazing. Obviously, in those early days, it felt like the DPO role, and bringing that in and actually embedding privacy as a component of the risk framework, for example, in companies, were people struggling, right? They’re thinking about where does the DPO sit? Is it in compliance, in security? Is it in, you know, somewhere in audit? Is it risk? It feels like perhaps now we’re in a bit more of a steady state?


Cameron: And yeah, well, we must have been defined, as you know, at HSBC the initial decision was to have the DPO role sit within the legal function. And indeed, the legal function did the risk management thing. And I think possibly the reason for that was that was the only place the real expertise was at that time. So you could do all of those three roles. And the way I look at it, we sort of built the machine within the legal team, performing all those roles. But now it’s been built, we’ve got all the processes and the framework in place, we can now allow the operation of it to be conducted by the different stakeholders. And that’s the way that we’re looking at it. So you knew we had to keep it quite tight to get it built and operating. But I can really see the benefit now, much more clearly than I could at the time of the GDPR, if I’m honest, of having that independent DPO role. I think it works really well.



Paul: Fantastic. Really, really good insight, Cameron. I think, I guess thinking then, we’ve sort of touched on your journey into HSBC, GDPR, I guess this evolution of the role of the data, IT function, the compliance function, when thinking about other companies navigating the complexity of moving data across borders. Obviously, for HSBC, you’re moving data across borders on a routine basis. It’s a big imperative. I mean, before we talk about any advice you might have on that, what do you think of that? What are the drivers for that? So you’ve got operations in different jurisdictions. But what are the sort of business imperatives for actually getting data from country A to country B?



Cameron: Yeah, a number of drivers. One would be efficiencies of processing, for example, if, for example, the risk management function of a large organization might want to centralize that as a center of excellence in one place so they can get an oversight of the risk and do all the AML analysis or financial crime analysis. It is very helpful to get the data into one place so you can get the big picture view. Also drivers to be able to share it with other parts of the organization for commercial purposes, for example, and sharing; there’s always demands to share with third party regulators, which is an increasing challenge. So those are the key reasons, I think: operational efficiencies and complying with laws. That has always been a problem; the eternal conflict between the obligation to provide data to a regulator in one jurisdiction and breaking privacy laws in another jurisdiction continues to be a headache these days, actually.



Paul: And again, I guess with that, that point about breaking privacy laws to get that data out. Obviously, we’ve seen now this increase of laws or regulations around the world that are looking to bring data in, localize it, prevent data going from different jurisdictions. Obviously, for a bank like HSBC, you’ve got additional requirements, bank secrecy, etc. to contend with, in addition to the core privacy requirements. What advice would you give to peers in the financial services sector or beyond about building the processes with the ability to actually get that data out for those different reasons?



Cameron: Yeah, I mean, ultimately it’s a bit of a difficult puzzle, isn’t it? You’ve got a set of requirements and a set of restrictions. So how do you marry up those two shapes to enable what you want to do? And I think that, you know, the basic advice, I think, all starts with data. I think, you know, you need to understand your data, you need to understand which processes it’s used in. And that includes not just the data privacy, completely the GDPR record of processing, but general good data governance processes, which I know many organizations struggle with because of the volume and complexity of data. That good data housekeeping is really fundamental to be able to allow you to apply the rules to it effectively. So I think that’s clear. And then I think the second thing I would say is to have a clear scope of what you’re trying to do, and clear accountability for the delivery. And quite often, there’s a sort of divide as to whether or not a particular program should be accountable for delivering stuff, or should it actually be, you know, the central SMEs, or should it be the business. And where I’ve seen this work most effectively is when you have clear accountability for delivering stuff sitting with the business themselves; they get much more engaged with it if they know it’s their responsibility. They’re not just sitting waiting for the privacy experts to give them a solution. And I think as well, in all of this it’s important not to lose, it’s very easy to get yourself down the path of a sort of, you know, mechanical analysis of data here giving good news, so we need to do this. It’s easy to get it into a spreadsheet or whatever other tool and then lose sight of what your fundamental key risks are. So I think I would advise every now and again just taking a bit of a step back and saying, hold on, hold on, why are we actually doing this?
And what are the real risks that we’re going to get into sort of trouble with? What should we really prioritize? And I think as well, the final thing would be, don’t forget the upside. You know, having good privacy compliance can be a real enabler. We’ve not really spoken about it yet, but a real enabler for the other theme that’s coming at the moment is organizations want to try and monetize their data and do productive stuff with their data. They have spent all this time trying to get it into compliance status. How can we use it? How can we do better things for our customers? How can we help our customers? How can we be more effective? How can we be more productive? How can we get better insights from data? And you’re in a much better position to do that if you’ve got the fundamental groundwork of good data, good data governance, you know what you’ve got and how you use it, and also compliance, your GDPR compliance, so you know what your notices are, you know what your consents are, and you can actually be a lot more flexible and granular with the way that you’re responding, to enable yourself to monetize data in that way. So that big upside is something we try to emphasize a lot. So this isn’t just a burden for you. This can actually help you monetize the data and also, very importantly, build and foster customer trust. The other, particularly for banks, is, you know, trust. And one of the big things that we always look at at HSBC, which is posing the sort of ethics angle as well, is it’s not just from a data protection perspective, can we do this? Should we be doing this? Is this the sort of thing our customers would really expect of us?



Paul: Interesting. So with all that, you’ve got, I guess, this move then or shift away from thinking about data for those specific programs around moving data for regulatory compliance purposes. But this shift now to seeing, I guess, privacy compliance as a business benefit to unlock commercialization of data, and yeah, there’s obviously value and trust, which is



Cameron: And also to enable organizations to take advantage of developing technology, such as artificial intelligence, or cloud based systems, or whatever it is, or you’re moving to the metaverse, or, if you’ve got a good grounding in compliance, you’re in a much better position to take advantage of these opportunities. This is setting



Paul: That strong foundation. And I guess, then thinking about that piece and where things are moving. I mean, what are your thoughts around this post-GDPR world when it comes to privacy? You mentioned things like data governance, you mentioned ethics, regions. Yeah. Commercialization of data. I mean, what’s your sort of sense of how things are moving and where it’s going to go? What direction?


Cameron: Yeah, I think the sense is, you know, just to run through what you’ve said there, Paul, I think we are moving away from a position where we are worrying too much about the compliance, which we all shouldn’t be, moving towards a position of compliance. Now, I think it’s really working out how does that work in the context of other developing areas, such as artificial intelligence, again, you know, how does it work in the context of that. And also, the other area that we’re having to grapple with all the time is developing legislation around the globe: a lot of countries have introduced some GDPR type legislation, others have gone a different way, there’s data localization, which is increasingly challenging for us to try and deal with. Obviously, the China footprint for us is quite a big area with the new law that’s been introduced there; trying to work out what that means in practice is a real sort of challenge for us.


Paul: Interesting. So coming to this week, we’re recording this podcast in January 23. We’ve got privacy week this week, we’ve got Data Privacy Day. Yeah. We’ve talked a lot about the evolution of regulation, the trends and patterns, but thinking about actionable steps, things that data leaders could actually take this year and beyond to unlock the most value from that data. I mean, what’s your insight into that?



Cameron: You know, Paul, I think I’d probably go back to what I’ve said previously here, really. I think it’s doing the basics well. I think making sure you’ve got a good fundamental understanding of what data you have and what you do with it. And making sure that you have appropriate compliance measures in place, which provide the basic privacy tenets of good transparency, good choice, and making sure you’ve got your tech and your technology platform in a way which gives you the greatest flexibility to make changes and the greatest granularity over the way that you use data. So I think it would be carry on, do more of the same, carry on really understanding the data, carry on making sure that you’ve got good insights as to what you do with that data, so you can adapt to different uses of data by changing the notices, or you can pick the bits of data that have got the right consent to do this, or you can mask data. We’ve not really spoken about privacy by design yet, but I think we might talk about that. I think that’s something that increasingly is going to be not just a sort of good to have, but a need to have, to be honest, in order to move to the next stage, to the next level. And I think expectations of regulators are going to really increase in this space, even just to comply with the standard data minimization principle. So I think that’s make sure you understand your data, be clear what you want to do with it, try and be flexible, and probably look at how can we use privacy by design techniques to better protect the individual’s data and to allow us the opportunity to use that data in the right way.



Paul: Drilling into that a bit further. We’ve talked about the role of technology, you touched on privacy by design, yet what do you think is the volatility to support that unlocking of data, but to particularly support this space here, I



Cameron: I think specifically it would be the use of privacy enhancing technologies. To be honest, Paul, the various technologies that are set out in the ICO’s guidance, for example, from last year, that I understand at a sort of general level, provide an opportunity for a controller to do things with the data to get the outputs and insights that they need from the data, while retaining the privacy of the individual. And there’s all sorts of very clever techniques that I hope you’re not going to ask me to explain, you know, differential privacy and those sorts of things, which I think, if you can make them work, they’ve got huge, huge potential to unlock the value of data.


Paul: Fantastic. Thanks very much for joining us today on today’s InConfidence podcast. Thank you, Cameron, again for sharing your valuable time and insights today. We’ve talked a lot about different aspects of compliance, developing a robust data privacy protection team, navigating the complexities of the various data landscape and how to own you can play an important role for that. So thank you so much.



Cameron: Thank you. My pleasure.



Outro: No matter where you are in your data journey, Privitar is here to help. Privitar empowers organizations to leverage their data to innovate faster, while protecting the privacy of individuals at massive scale. Privitar is unique in combining technology, thought leadership, and expert services to help your data operations thrive. Want to learn more? Our team of experts is ready to answer your questions and discuss how data privacy can fuel your business. Visit Thanks for listening to InConfidence, brought to you by Privitar. To hear more insights and advice on how to effectively use, manage and protect your data, subscribe to the show in your favorite podcast player. If you liked the show, leave us a rating. Join us for the next data conversation.
