PRIVSEC IN QUESTION

September 24, 2020

By

Naomi Owen

Jared Browne is Group Data Governance Officer at Fexco, Ireland’s largest privately-owned financial services firm and will be joining a panel discussion on Privacy by Design at PrivSec Global on 3 December.

How did you get into the field of privacy?

I originally qualified as a solicitor in Ireland in 2010 and would have been familiar with the old data protection regime from that time. Subsequently, I moved into financial services compliance, where data protection was always an important requirement. However, it was during the lead-in to the GDPR, from 2017 onwards, that I began to develop a deeper appreciation of privacy, as it became clearer that it was no longer going to be possible to do business without embedding privacy considerations at the very roots of the business.  Also, at the same time, I developed an interest in the complex data processing activities of tech firms such as Facebook and Google; specifically, the ways in which they consistently push the boundaries of where privacy begins and ends, and of how core privacy concepts are defined.  The key insight for me was that data is the gold – the basic raw ingredient – that these firms plan to build further products and services on the back of. Data collection is only the beginning.

What are the main challenges privacy has faced in the last six months?

I think Covid-19 has presented a significant challenge to privacy and, in ways, has almost been a vast experiment in responsible mass data processing by State organisations. Large State bodies do not always succeed in handling large amounts of personal data but, so far, broadly, I think there is a blueprint forming for how this kind of processing can happen in a way that respects fundamental data privacy rights. The big test though, I feel, will be whether or not function creep seeps into the Covid-19 monitoring of data subjects. It was very positive that the European Data Protection Board issued guidance so early, on the development of tracing apps, but it will be important that this technology goes away when the threat dissipates. It will be a real privacy failure if we somehow normalize this kind of monitoring technology, and then it allow it be used for additional purposes, that were never initially intended.  

What are the anticipated challenges in your line of work over the next six months?

I think the biggest challenge is probably the most obvious one: it will be harder to get resources and sufficient budget for privacy and data protection departments. Many data protection officers will find themselves working with smaller teams, but facing the same legal obligations. I think smart use of technology will be important in helping to bridge the gap.

Also, navigating the complexities of the Schrems II CJEU decision will be a significant challenge. Privacy Shield has been invalidated and doubt has been thrown on the legitimacy of using Standard Contractual Clauses, especially where the third country in question has laws that may contradict the GDPR. It is encouraging that the EDPB has formed a Schrems II task force to deal with this situation, but I do think it is essential for guidance to be issued as soon as possible. Otherwise, companies face the task of trying to assess the laws of third countries one-by-one, and trying, then, to rely on that ‘homemade’ assessment for international data transfers.  

What advice would you give to people working in privacy who want to advance their career?

I would say that if you are already working in privacy and have privacy-specific qualifications, then it is a good idea to branch out and additionally complete basic cyber-security training. Many of the data breaches that happen, and will continue to happen, are cyber-security breaches, and when that discussion starts, as a privacy professional, you need to understand some of the core terminology of IT security. You certainly don’t need to be an expert, but I think the critical thing is that you know enough to know which questions need to be asked? Otherwise, you may not even know if a breach has happened because, on the other side, your IT colleagues may lack the terminology to explain the technical problem in privacy terms.

Also, stay up with major technological developments: things like Block Chain, A.I. IOT – all of these are going to be in your in-tray in the next few years.

Jared Browne will be joining the panel on Privacy by Design in an age of accelerating technical development, which is part of the four day PrivSec Global virtual conference on 30 November to 3 December. To pre-register for this event and find out about more than 70 other sessions taking place, go to https://www.privsecglobal.com/