Day 1 – Monday 3rd July 2017

Privacy Laws & Business 30th Annual International Conference

Promoting Privacy with Innovation

3-5 July 2017, St. John’s College, Cambridge  

08.00-17.30 Registration

09.00 Chairman’s Introduction: Promoting Privacy with Innovation 
Stewart Dresner, Chief Executive, Privacy Laws & Business, UK

09.15 Artificial Intelligence and Machine Learning: Combining innovation and privacy compliance
Peter Fleischer, Global Privacy Counsel, Google, France

  • The development of Artificial Intelligence (AI), and with it of machine learning, challenges us to apply privacy principles in innovative ways.

  • An introduction to AI, demystifying it and explaining that we already see AI at work, and already use it in our everyday lives; and explaining the relationship between AI and machine learning.

  • The work Google is doing in this field, for example with the Google Assistant, and devices in the home, and how privacy is built into these products.


09.45 Fair and lawful processing: Understanding the logic behind Artificial Intelligence algorithms
Wojciech Wiewiórowski, Assistant European Data Protection Supervisor, Belgium

  • Artificial intelligence is a reality. Individuals are increasingly disclosing, and being required to disclose, much more personal information over the Internet in order to participate in society. Digital profiles can be created thanks to artificial intelligence techniques and shared in microseconds without the individual’s knowledge, and, again by applying artificial intelligence, used as the basis for important decisions. The use of artificial intelligence to predict people’s behaviour risks stigmatisation, reinforcing existing stereotypes, social and cultural segregation and exclusion, subverting individual choice and equal opportunities. Some of the basic principles of data protection systems face real challenges in the times of AI driven by self-learning information systems.

  • This has serious implications for data protection as it means that we may not have the appropriate information about how our personal data is used and, importantly, how decisions concerning us are taken, therefore making it impossible to meaningfully consent to the use of our data.

  • Yes, in the near future, data protection authorities, as supervisors of the use of personal data, will deal with cases where machine learning has been used for challenging or supporting their decision. We have a window of opportunity to build the right values into these technologies now, prior to their mass adoption.

10.15 Discussion
Chair: Christopher Millard, Professor of Privacy and Information Law, Centre for Commercial Law Studies, Queen Mary, University of London

10.30 Coffee

11.00 Managing data privacy risks and Intellectual Property rights in connected devices and systems
Giles Pratt, Partner, Freshfields, UK and Andrew Sheridan, Senior Associate, Freshfields, UK
Chair: Valerie Taylor, Consultant, Privacy Laws & Business

  • The Industrial or Enterprise Internet of Things (IIOT) is being talked about as the fourth industrial revolution. The driving force behind it is of course data. Huge pools of often cloud-based data mean that smart business assets can communicate with one another and give companies unique, real-time insights into their systems, employees and customers.

  • We and our clients see the IIOT as transforming business models and workforces. We need to understand and manage the data privacy challenges that they are facing:
      - Data protection risk allocation
      - Optimising advanced analytics
      - How can businesses protect their data?

11.40 Privacy by Design/Privacy by Default: Conducting an enquiry, negotiating rules and practical innovative solutions
Kristin Benedikt, Head of the Telemedia Department at Bavaria’s Data Protection Authority for the Private Sector, Bavaria, Germany
Dr. Jürgen Hartung, Oppenhoff & Partner, Germany

Chair: Nick Graham, Partner, Dentons, UK

  • Kristin Benedikt will introduce the results of a technical review and a legal guideline for Smart TVs that the German Data Protection Authorities issued in 2015, which was led by the Bavarian authority. It will show that stakeholders, such as TV manufacturers, service providers, and TV stations, at that time were struggling to meet all the requirements. Conducting an enquiry and negotiating rules on Privacy by Design and Privacy by Default for Smart TVs:
      - Insights and technical analysis of Smart TVs and findings by Bavaria’s DPA
      - How to implement the principles of data protection by design and data protection by default from the outset
      - Policies to consider the above mentioned principles using practical examples

  • Jürgen Hartung will speak from practical experience of some investigated cases regarding Smart TVs on how innovative solutions implementing Privacy by Design / Privacy by Default may help with some of these issues, for example:
      - The identifiers to use, such as session tokens instead of device IDs
      - How to efficiently update software
      - Requirements for smart TV applications by German DPAs

Parallel Session 1
Chair: Nick Graham, Partner, Dentons, UK

Parallel Session 2
Chair: Professor Joseph Cannataci, Chair in European Information Policy & Technology Law, United Nations Special Rapporteur on the Right to Privacy, Malta/Netherlands

12.20 Operationalising PIAs and Data Mapping
Kabir Barday, Chief Executive Officer, OneTrust, USA

Belinda Doshi, GDPR Programme Lead Counsel and former Global Chief Privacy Officer, Pearson, UK


• Given the new requirements of the GDPR, companies and organisations doing business globally need to think hard about how to best implement efficient and effective data handling practices that are replicable and consistent.

• As a privacy professional responsible for overseeing these operations, what tools will you use, and how do you determine what privacy impacts your new products and services will have?

• A privacy impact assessment (PIA), in conjunction with data mapping practices to understand how data flows through an organisation, is the perfect tool to document and track these new initiatives.

12.20 Data Philanthropy: Using data for the common good
Andreas Klug, Global Head of Privacy and Group Privacy Officer, Worldpay, UK
John Benjamin, Partner, DWF, UK

• What is data philanthropy?

• How can it be used to benefit the good of society?

• Does it require individuals to rethink the sanctity of their data?

• Does it require the boards of companies to rethink the value of the data they hold? (Possibly, where can it sit in a CSR programme?)

• Are profits and data philanthropy mutually exclusive concepts?

• How do different cultures respond to data philanthropy?

• What can be done from a regulatory and legal standpoint to encourage data philanthropy?

• Some practical examples of where data philanthropy by big companies has yielded positive and interesting social benefits.

• Where has it gone wrong and what are the dangers?

• How can data philanthropy be encouraged under GDPR – do we need to see more engagement at a European level or are there good examples already?

• Will data philanthropy lead to collaboration between unusual bedfellows, e.g. a telecoms company and a health company?

13.00 Lunch

14.00 The Trump Presidency and its impact on privacy in the US and globally
Robert Belair, Partner, Arnall Golden Gregory, Washington DC, USA

  • The impact of a Republican dominated US Congress

  • Privacy measures affecting companies, for example, the EU-US Privacy Shield and its administration by the Department of Commerce

  • The Federal Trade Commission’s direction in tackling privacy invasive practices

  • The significance of state laws, for example, on data breach and other areas


14.45 The EU Data Protection Regulation’s influence in the wider world
Bruno Gencarelli, Head, International Data Transfers and Data Protection Unit, European Commission
Chair: Stewart Dresner, Chief Executive, Privacy Laws & Business

  • The shift from “adequate” to “essentially equivalent”, for example, the European Commission’s discussions with South Korea, Japan and other countries, such as India, Russia and Brazil

  • The possibility of recognizing some sectors as adequate in some countries

  • The timetable and method for reviewing the status of the current “adequate” countries, such as Canada and Israel

  • The working of the EU-US Privacy Shield

15.30 Tea

16.00 Transforming privacy law hurdles into opportunities when creating new digital financial services
Neil Harrison, General Counsel, Group and Asia, Aviva, UK
Kevin Willis, Group Data Privacy Director and UK Digital General Counsel, Aviva, UK
Rob Sumroy, Partner, Slaughter and May, UK

  • Data protection and privacy compliance does not have to stand in the way of innovative projects.

  • A large, transformative project offered a digital and financial-technology-focussed intermediary exciting digital opportunities, aimed at providing a significantly improved offering to its sizeable customer base. The data protection and privacy elements of the project required some thorough planning and consideration, not least because as a long-term project it needed to take account of the evolving regulatory landscape. Among other things, we helped the client establish a contractual framework for the sharing and use of personal data within the wider group, laying the groundwork for the focused use of data.

  • We will provide examples of some of the difficulties encountered and how they were overcome, both from a practical 'on the ground' perspective and from a more legal angle.


Parallel Session 1
Chair: Mark Keddie, Chief Privacy Officer, BT Group, UK

Parallel Session 2
Chair: Tom Cooper, Deputy Editor, Privacy Laws & Business Reports

16.45 Managing contracts with vendors and customers
JP Buckley, Partner, Shoosmiths, UK
Valerie Taylor, Consultant, Privacy Laws & Business

• Many organisations find vendor management a huge challenge.

• The GDPR introduces greater obligations on data controllers to regulate their relationships with service providers.

• This session will look at some of the key issues faced by organisations:
  - Preparing vendor checklists
  - Drafting contract templates
  - Elaborating proper escalation procedures
  - Training and awareness

16.45 Documenting consent using privacy policy software
Georg Krog, Co-founder & Chief Data Protection and Privacy Officer, Signatu, Norway

• Signatu has partnered with law firms in the EEA and EU, for review and quality assurance of the privacy policy text to be generated. The goal is to have one specialist firm in 29 EU/EEA countries.
• The Signatu system will:
  - ensure documentation of consents and information given (not possible for lawyers to manage),
  - support most major EU/EEA languages – fast, economically and with good quality,
  - ensure updates over time, to maintain compliance, and
  - provide output in alternative formats, such as icons.
• In addition, there are several other features a future data processor will need, including a 3rd party tracker and verified identity of data subjects who request access, change or deletion of their personal data.

17.30 Close

18.00 Guided walk around Cambridge or St John’s College gardens or visit St John's College Old Library

18.45 Drinks

19.30 Dinner in The Hall
