Meet the expert: Will Jackson to speak at PrivSec Global

Streaming live May 22 and 23, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.

Will Jackson is CEO at C2 Risk, a firm specialising in GenAI SaaS solutions for Cyber & Privacy Risk Management. He appears exclusively at PrivSec Global to discuss the best steps to compliance when using Privacy Impact Assessments (PIAs).

Below, Will answers questions on his professional journey and the themes of his PrivSec Global session.

Could you briefly outline your career pathway so far?

My journey into the risk management industry was certainly unconventional. I spent more than two decades in the technology and services industry, establishing myself as a well-known and respected figure within the enterprise business space. 

I have held C-suite and senior management positions in large international organisations, both as a supplier and a consumer of technology and services. My professional experience has predominantly been in consultancy, software and technology, and business and IT services across various industry verticals such as oil and gas, banking and insurance, manufacturing and engineering, retail, government, healthcare, distribution, transportation, and higher education.

My transition into risk management wasn’t a direct leap but rather a gradual evolution. While working in the HR and payroll infrastructure for a multinational HR & payroll software and outsourcing company, I was deeply involved in managing sensitive data belonging to large international enterprise clients, and ensuring its security was one of the top priorities. This experience laid the groundwork for my eventual pivot into risk management. I saw an opportunity in the market for what C2 were solving and most importantly, how they were solving it.

What are the main challenges that organisations face when mastering Privacy Impact Assessments?

Privacy Impact Assessments (PIAs) are crucial tools for organisations to assess and mitigate privacy risks associated with their operations. However, mastering PIAs comes with its own set of challenges typically listed below:

Complexity of Regulations

Privacy regulations such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) are complex and constantly evolving. Ensuring that PIAs comply with these regulations requires a deep understanding of their requirements, which can be challenging for organisations, especially those operating in multiple jurisdictions.

Scope Definition

Defining the scope of a PIA can be difficult, especially for large organisations with diverse operations. Identifying all the data processing activities and systems that need to be assessed requires careful planning and coordination across different departments.

Data Mapping

Conducting a thorough data inventory and mapping exercise is essential for a comprehensive PIA. However, organisations often struggle to accurately map all the personal data they collect, store, and process, particularly in complex IT environments with interconnected systems. 

Risk Assessment

Assessing the privacy risks associated with data processing activities requires expertise in privacy and data protection principles. Organisations may find it challenging to accurately assess risks such as data breaches, unauthorized access, or non-compliance with privacy regulations.

Resource Constraints

Conducting PIAs requires time, expertise, and resources, which can strain organisations, especially smaller ones with limited budgets and staff. Allocating sufficient resources to PIA activities and integrating them into existing business processes can be challenging.

Stakeholder Engagement

PIAs involve multiple stakeholders across different departments, including legal, IT, HR, and compliance. Coordinating and obtaining buy-in from these stakeholders can be challenging, particularly if there are competing priorities or lack of awareness about privacy risks.

Documentation and Reporting

Documenting the PIA process and findings in a clear and concise manner is essential for accountability and compliance purposes. However, organisations may struggle to maintain comprehensive records and produce meaningful reports that demonstrate compliance with privacy regulations.

Continuous Monitoring and Review

Privacy risks are dynamic and can change over time due to factors such as technological advancements, organizational changes, or regulatory updates. Therefore, organisations need to establish mechanisms for continuous monitoring and review of PIAs to ensure they remain effective and up-to-date.

Addressing these challenges requires a proactive approach, ongoing commitment, and investment in privacy governance frameworks, training, and technology solutions to support PIA processes.

In what ways do PIAs expedite the compliance journey, and what other benefits come with getting PIAs right?

Privacy Impact Assessments (PIAs) can expedite the compliance journey and offer several other benefits when done correctly:

Proactive Compliance

PIAs allow organisations to identify and address privacy risks before they escalate into compliance issues. By conducting PIAs early in the development or implementation of new projects, products, or services, organisations can proactively address privacy concerns and ensure compliance with relevant regulations. 

Risk Mitigation

PIAs help organisations identify and assess potential privacy risks associated with their data processing activities. By understanding these risks, organisations can implement appropriate controls and safeguards to mitigate them, reducing the likelihood of data breaches, regulatory fines, and reputational damage.

Enhanced Trust and Reputation

Demonstrating a commitment to privacy through thorough and transparent PIAs can enhance trust and reputation among customers, partners, and stakeholders. By prioritizing privacy and data protection, organisations can differentiate themselves in the marketplace and build stronger relationships with their stakeholders.

Cost Savings

Identifying and addressing privacy risks early in the development or implementation process can help organisations avoid costly rework or remediation efforts later on. By integrating privacy considerations into their business processes from the outset, organisations can minimize the risk of non-compliance and associated financial penalties.

Competitive Advantage

In an increasingly privacy-conscious world, organisations that prioritize privacy and demonstrate compliance with relevant regulations can gain a competitive advantage. By leveraging PIAs to assess and communicate their privacy practices, organisations can differentiate themselves from competitors and attract customers who value privacy.

Legal and Regulatory Alignment

PIAs facilitate alignment with legal and regulatory requirements by helping organisations understand and address their obligations under relevant privacy laws and regulations. By documenting their compliance efforts through PIAs, organisations can demonstrate accountability and due diligence in the event of regulatory scrutiny.

Improved Data Governance

PIAs promote good data governance practices by encouraging organisations to document and assess their data processing activities, data flows, and data protection measures. By establishing clear processes for managing personal data and conducting PIAs regularly, organisations can enhance their overall data governance framework.

Innovation Enablement

While PIAs are primarily designed to assess privacy risks, they can also support innovation by identifying opportunities to enhance privacy and data protection measures in new projects, products, or services. By integrating privacy considerations into the innovation process, organisations can foster a culture of responsible data stewardship and ethical use of data. 

In summary, PIAs expedite the compliance journey by proactively identifying and mitigating privacy risks, thereby helping organisations avoid costly compliance issues and reputational damage.

Additionally, getting PIAs right can lead to enhanced trust, cost savings, competitive advantage, legal and regulatory alignment, improved data governance, and enablement of innovation.