And welcome back, my name is Ralph O'Brien and it's a pleasure [LAUGH] to be talking to you about privacy governance today. Because really, once we've established ourselves in an organization such as MedforceOne, the first thing we need to think about is how we are going to manage it. What does your privacy team look like? What are the next steps to creating one, and what sort of person are you? What is privacy leadership, and at what position does it land in the organization? I deliver a lot of information security training courses and a lot of data protection training courses, and individuals are often there because they just didn't dodge the bullet fast enough. I see a lot of people who have been nominated as an EU data protection officer. Why? Because the organization says, you are the person I want to deal with privacy, without really any previous understanding of the role. I mean certainly, when I first became a data protection lead back in UK local government, I had no understanding. At least they sent me away on a training course. So who is the privacy leader? What sort of person are they? Where do they sit in the organization, are they global or local? Do you have the right industry sector knowledge? If you are at MedforceOne here, there's going to be all sorts of legislation specific to the medical sector that you're going to need to understand and know about. What is your level of understanding of data protection law and practice, or global law and practice perhaps, depending on what the scope is? Even if you do know the law, do you know solutions? Are you a practitioner? Are you living in some sort of data protection puritanical land as an evangelist of data protection rights, or do you actually understand the business? Do you understand the individuals and their rights? There are a number of things to think about here as a privacy leader. So we really have to understand and ask ourselves what sort of skills we need.
What sort of person are we, what sort of privacy leadership does the organization need, and what sort of structure is it going to have? So in terms of your roles and responsibilities, at the end of the day you could be a representative of the organization: performing assessments, performing conformity assessments, performing risk assessments, filing things with the regulators, setting policy and procedure, giving the management assurance that things are managed, assisting the organization in completion of DPIAs (their data protection impact assessments), assisting with rights requests, advising on what the law says or what the organization's policy and procedure is, monitoring and improving. That's a lot of different things, a lot of different roles. And we have to actually ask ourselves how much is done by the organization. How much is done by the business compared to how much is done by the privacy office? I mean, realistically we almost want as much done by the business as we can. You want local implementation, so how are we structured to do that? What sort of roles do we need within the organization to help? So everybody talks about the privacy leadership role: does that sit at board level? Are they more of a CPO, as we say in the USA, a Chief Privacy Officer? And where do they sit within the organization? What sort of area are they within? Are they in some sort of compliance area? Are they in some sort of legalistic area? Are they in some sort of business focused area? Are they in IT, or are data protection and security their own division? Some really interesting things to talk about in where you are situated, and there are no right or wrong answers here. I mean, personally I like business alignment. We see a lot of different data protection job descriptions. Those job descriptions can include data protection auditors.
We'll see data protection analysts, legal advisors, external consultants, trainers, advisory roles, more technical IT roles, people who deal with disclosures such as subject access requests or other requests, the data protection officer (that's an EU mandated role), privacy managers, privacy assistants. We're starting to see an awful lot of roles. An awful lot of roles, and I'm not going to say what's right or wrong for your organization. It's obviously up to your size and scale and your industry sector how many of these roles you need. I see in smaller organizations one individual trying to do it all. Now clearly we're also not on our own, and I find that data protection works best not when handled completely by the privacy office, but when it's embedded and slid in across the organization. So above and beyond you as the privacy leader, what do you need? How big is this issue going to be? Are we going to need separate legal advice? Probably. Are we going to need separate audit assistance? Probably. Are we going to need separate IT and technical assistance? Probably. Are we going to need external advisory? Probably. Are we going to need a network of managers and assistants? Well, I think that depends on the size and scale of your organization. I have worked from the very small to the very large and I've seen every implementation. So I think the word we're looking for here is appropriateness. However, if you are in the EU, it may well be that you need a data protection officer. So let's just talk about data protection officers for a moment. So, data protection officers. The trigger for having one in the EU is that you are a public authority, or you are monitoring people on a large scale, okay? Or your operations involve a lot of special category data. So that's an interesting little trigger to begin with. What is large scale special category data? We know what that is.
That's health and medical, religion, race and ethnicity, trade union membership, and sexual activity. So if you're processing those, you're going to need a DPO. If your computers are making decisions or are monitoring individuals (internet, ad tech, CCTV, computer based decision making), definitely. Public authority, definitely. And what do they do? So their job is not to do, really. And I think this is a key thing about data protection officers. I think they work best when they're not part of the privacy team. They're more of an audit and oversight role as opposed to someone who actually does the data protection. Because their tasks are to inform, advise and monitor, but not to do, yeah, but not to do. They're really there to represent the supervisory authority. They are there to represent the individual and to inform the management of their compliance responsibilities. To almost be that thorn in the management's side saying, you're not doing this right, I don't necessarily agree with the way you're doing this, and these are the improvements that we think you should take. So they are not really the same as your privacy team, right? So the management then has some responsibilities in terms of the data protection officer: to give them access, to give them the resources, to maintain their expert knowledge base, to not tell them what to do or get rid of them for doing it, to make sure they report to the highest level of management, and to make sure that the data protection officer is accessible so that data subjects can express their views to them. And most importantly, and we've actually seen some fines from the regulators on this, not to have a conflict of interest. Now, because they're an audit role, because they're an observation role, to have no conflict of interest I think you really shouldn't be anyone operational, definitely not a legal advisor in my mind, definitely not somebody who delivers the operational privacy program.
So to me the data protection officer is more of a side element rather than part of the team actually delivering your privacy functionality. So how big is that privacy team? How big is that privacy team? And the answer of course is, well, it depends, [LAUGH] it's going to be appropriate to the size and scale of the organization. If you ever see any exam questions around this, it's normally about whether the team is appropriate to the size and scale of the organization. A large team requires a large organization. A small organization might have one individual or even someone external, so it really depends on the size of the organization. Apart from having data protection officers, there's actually no obligation in the law to have a privacy team of any size. It could be co-located within other roles. But it's always the management's responsibility, the management is always vicariously responsible for the way the organization does it. So it's important to say, even if you haven't got a privacy team, even if you have got a data protection officer, the management can disagree. The management can go their own sweet way, can take their own risks, because it's on their heads. It's not on the privacy team's heads, it's not on the DPO's head. I mean obviously you want them to deliver accurate advice. Obviously you want them to fulfill their contracts. But at the end of the day, compliance is ultimately on, and responsibility is ultimately on, the heads of the organization. So if they decide to go a different way than the privacy team or the DPO says, it's fine, you just have to document that disagreement. Make sure that as a DPO or a privacy manager you've made your opinion official, and let the management or the business decide if they want to go a different way. So, what you do have to understand for the exam, though, is the difference between where you might place your data protection staff, and what the pros and cons are of each approach.
So, with that sort of team placement, imagine this is your organizational structure: management at the top and your staff at the bottom there, that's your organizational chart. And the first thing to consider is having a Data Protection Officer in your headquarters. We'd call this the centralized approach or a headquarters approach. And we have to understand what the pros and cons of this are. So pros, well, you've got a top-down approach. Looking at the cons, you're not going to have a very good idea of what happens at the ground level. People can feel like they're having orders barked at them from the top. You're not going to have that great sense of assurance of what's going on, especially if you're a large global organization and you're trying to manage it all remotely. You're not going to have a real clue what's going on, so that's your sort of centralized model. Where you've got one central privacy team or one central privacy person, very good at being close to the management, very good at having the management's ear, but not so good at understanding what's going on in the organization. So let's look at the contrast then, and the contrast would obviously be a decentralized or local model, where you have various members of the organization responsible for data protection locally. So you're going to have a much greater opportunity to understand what's happening on the ground floor. You have a much greater opportunity to understand the local variation, perhaps. You can vary your program much more to make sure that your local legislation or local data flows are dealt with in their own special way. But then you're not going to have the centralization, you're not going to have the ear of the management, you're not going to have your coordinated approach perhaps. So then we'd call the model where we combine them both some sort of a hybrid approach or a mixed approach.
You need to know these terms for the exams: we have centralized, localized or decentralized, and hybrid. The hybrid will probably give you the best of both worlds, so you've got the centralized privacy team and you've got local representatives as well. Now, they may not be full time. Sometimes organizations choose to have a sort of more localized data protection champion or more localized data protection representative in divisions. It might not even be a full time role, it might be a sort of job growth role where they get a chance to expand their career options by sitting on a sort of virtual privacy team. And they might have a weekly or monthly call with the centralized privacy team and act as their eyes and ears, if you like. So the idea of this is to get the best of both worlds here, the best of both worlds. You've got the centralized privacy team giving out policy, close to the management, but localized eyes and ears as well. But then of course we need to understand how that sits with the rest of the organization. Now, I jokingly called this allies and enemies. I mean, we would hope we can be allies with all of the organization and not enemies with any of the organization really, we want to be on the business's side. But it's important to understand how we might work with the different parts of the organization and how they might view us as a privacy team. In HR there will always be staff data, right? We will always be a controller for the staff data under the EU model. It's important to understand our staff data and the staff risk and all of the personal data that sits within it, from employee monitoring at work to recruitment and selection, to retention of that data, and external recruitment and pension and payroll and all of that kind of good stuff. So there's that sort of staff risk sitting there.
A sales division is sometimes not generally as friendly towards the privacy division, because they want to get out there, they want to sell stuff, they just want to find out all the data they can and get the most data they can in order to get the best idea of their target market, and to address it and get the sale by hook or by crook. So we need to understand what goes on in our selling divisions as opposed to our operational divisions, wherever they might be, I haven't included them on this slide. IT is going to be a natural ally for us: they might deal with the technical stuff certainly, and they're going to have a great idea of where the data is. In these days, let's face it, most of the data is electronic, we don't have a huge amount of manual data anymore. So IT will certainly be good at telling us where the data is, who the technology providers are, and how they can help us in understanding our data footprint, our electronic footprint, how the data moves over the internet, what countries it lives in. Really useful stakeholders. An interesting organization to deal with is marketing. Marketing tend to get out there, where they deal with a lot of information such as direct marketing, email marketing, social media marketing, cookies on websites. They want to get the message out to as many people as possible. And sometimes they could be looked upon as our natural enemy because they just want to collect as much information on everyone as they can. Profile them, target them, monitor them, survey them and send as much information out to as many people as possible, invading their privacy. However, that's bad marketing: you annoy your customers by sending the wrong things to the wrong people at the wrong time. That's actually bad marketing. So I actually work with marketing in quite a positive way and say, look, it's about getting the right messages to the right people, to a highly engaged target audience.
It's about having an engaged audience that wants the messaging, rather than just collecting information and sending it out willy-nilly. A couple of other parts of the organization I just want to talk about briefly. Legal and compliance, they're going to be natural allies for us. This might be where you have your audit divisions, you might have your lawyers in an advisory role, you might have your compliance in terms of risk management. It's always going to be helpful to align ourselves to the other risk management frameworks within the organization and have the right advisory ready for us. And finally, information security. Well, we might be co-located with information security, we might not be co-located with information security. Information security might be a different part of the organization, but either way we're going to need to work closely with them. Most of the data protection laws now have a data breach element or a protecting information element. In fact, they're normally quite highly advanced: your security, generally speaking, in most organizations is more mature than the privacy team. And what we're really seeing now is the privacy team getting pulled up to get similar levels of budget and similar levels of investment to the security teams, who have historically been much more embedded and seen as much more important and visceral to organizations. So as the privacy team begins to sort of pull their way up and even that balance with the security teams, we have to understand that their perspective is not going to be quite the same as ours. Their perspective is going to be on the security of the information and not so much in privacy terms: how much we collect, or how long we keep it, or should we have it, or what's the legal reason for having it, or can it be transferred internationally, and what's the purpose of use. Very different questions that security and privacy ask.
But ultimately we're trying to do the same thing, we're trying to protect the business from risk and from the data risk that goes with that. So we should have a very strong relationship there. So, now that we've sort of understood the organization, let's go back to our case study of MedforceOne. We're going to need to find our allies, we're going to need to set up our privacy team and ask the management for the resources we need, perhaps growing it slowly over time, we're not going to come in with a Big Bang on day one. We need to identify our allies, we need to identify and reach out to these people in a very positive way to make sure they're on side. So that's where our next session really sits: our next section is on pitching privacy. Our next section is on understanding how we're going to get those messages out to the right people, in the right teams.