At the beginning of the year, we welcomed Sophie Chase-Borthwick to Calligo as our GDPR Global Lead.
In four key questions, here’s a rundown on her role and background and some early insights on the market.
1. What does the role entail?
Simply put, to lead the GDPR Practice and deliver a consistent, expert and consultative service.
We will provide organisations with consultancy to assist with meeting GDPR obligations (where you are, where you need to be and what needs to be done to bridge the gap) and also a ‘DPO as a Service’. This is designed to support those organisations for whom a Data Protection Officer is mandated, but who do not wish to invest in a suitably-qualified internal appointment.
Crucially, this service is based on the mandated independence the regulations insist upon. As external consultants, we of course hold an impartial position within the client organisation, but we also maintain independence from our own cloud practice.
2. Tell us about your relevant experience.
In order to meet your GDPR obligations, you need to have three standard areas in line: processes, people, and technology. For each, you need an understanding of audit, risk, and security.
My career has taken me from being a process architect in service management, through audit management, to being a security architect, until I found my place in data privacy. Importantly, I have also consistently moved between some of the largest UK enterprises and cloud organisations, and therefore between being a customer and a supplier. Knowledge of the problems each side faces has already proven critical.
3. What has been particularly noticeable or surprising in client engagements so far?
What is most noticeable is that clients are consistently falling into one of two camps. Either they believe the sky is falling, or that GDPR signifies very little change. The truth, as always, is somewhere between the two. Some significant changes will need to be made in some areas of business, but the world is not going to end on May 25th.
The other theme has been that people are focusing on technology, particularly security and preventing breaches. Of course, this is important, but what is often being missed is that most of the key areas – including those that attract the largest fines – focus more on the processes surrounding personal data. This is not something that is quickly fixed with a new piece of technology. The positive, though, is that process is usually a much less expensive area to remedy, even if it can be tricky to push through.