From what we heard at the PrivSec London conference this week, it was clear that a culture shift is needed in many – maybe most – companies coming into the new decade. Our thanks go to the guest speakers who provided these insights – you can see a full list of those whose talks we attended at the end of this article.
Here are some culture shifts that companies need to be making in order to keep up with changing legislation and guidelines:
CULTURE SHIFT #1: Have a plan for privacy and cybersecurity, with people and budgets allocated to it.
CULTURE SHIFT #2: Don’t assume that privacy = cybersecurity; you’ll fail if you assume it’s a tech matter. Do a dummy run of a data breach at your organisation – it’ll probably throw up some significant issues.
CULTURE SHIFT #3: To get buy-in across the organisation, explain privacy and cybersecurity matters in terms of each department’s or stakeholder group’s business goals, such as making money, reputation protection, and so on.
CULTURE SHIFT #4: Getting your data into one place (e.g. the cloud) makes it more controllable, but a single place with a lot of access is also where the biggest risk lies. Work out what you’ve got and what you are moving to the cloud – defensively delete as much of your data set as you can, then use the infrastructure and systems there to look after every piece of information in one system and apply policies across everything.
CULTURE SHIFT #5: Get tighter on checking, stating and enabling opt-outs for all the cookies working on your website(s), such as trackers: many of these may be coming from your third-party hosting provider rather than your own web developers and plugins! ‘Continued browsing’ or browser settings aren’t adequate to demonstrate consent anymore under the latest government guidance.
CULTURE SHIFT #6: For businesses, ethics ARE sustainability. They’re about only using data for transparent, legitimate reasons that genuinely improve the user experience and give users control over the data held about them and how it is used. They’re about not ruining trust or making customers uneasy about using your business or website or platform.
Our thanks to the following guest speakers at PrivSec London 2020:
- Steve Wright, Partner, Privacy Culture Ltd, previously DPO for Bank of England, also John Lewis and Unilever
- Baroness Neville-Rolfe, EU Committee member
- Sheila Fitzpatrick, Fitzpatrick & Associates
- Dave Horton, Solutions Engineer at OneTrust
- Shaab Al-Baghdadi, OnlineDPO; Emily Johnson, Microsoft; Bill Karazsia, Fortive; Joao Torres Barreiro, Willis Towers Watson
- Charlie Wijsman, Accenture Global Data Privacy Lead
- Damine Larrey, Microsoft; Dominic Johnston, Epiq Global; Damian Murphy, Lighthouse Global
- Alberto Quesada, Global Head of Group Data Management, BNP Paribas
- John Richardson, DMA, and formerly the Telephone Preference Service; Giorgia Vulcan, EU Privacy Counsel for the EU DPO Office, Coca-Cola; Or Lechner, Luminati Networks; Marie Bradley, Adam & Eve; Magali Fey, Anonos
- Ben Hawes, Benchmark initiative
- Joan Keevil, Professional e-Learning Expert, SAI Global
- David Clarke, Founder, GDPR Technology Forum; Beth Brookner, Privacy Counsel and Data Protection Officer, GVC Ladbrokes Coral; Steve Windle, Incident Response Lead for Europe & Latin America, Accenture; Cosimo Monda, Director, Maastricht European Centre on Privacy and Cybersecurity; Simon Hall, Privacy Consultant & DPO Coach, AwarePrivacy
- Stuart Aston, National Security Officer, Microsoft
- Greg Van Der Gaast, Head of Information Security, University of Salford
- Meera Narendra, Journalist, Data Protection World Forum; Dr Shavana Musa, Legal Consultant and Academic, The University of Manchester; Victoria Guilloit, Partner, Privacy Culture; Ally Pinkerton, Group Head of Information Security Governance & Assurance, Group Information Security Office, Bupa