2018 Programme


31st Annual International Conference  

Navigating GDPR: The art of the possible

2 – 4 July 2018
St. John's College Cambridge, UK


Conference Programme

Below, in random order, are the confirmed speakers and their conference sessions as of 9 March. Any amendments, additional speakers and their sessions, and the full programme will be posted here.
You may register on the basis of 1, 2 or 3 days and decide on the specific days later.
You may register with specific names and change the names later.
More DPA powers, more influence: From WP 29 to the EU Data Protection Board
Andrea Jelinek                                                         
Chair, EU Article 29 DP Working Party                                     
Director Data Protection Authority
National implementation of the GDPR in the Nordic countries
Maria Holmström Mellberg                                                        
Group Driver Privacy
  • Challenges and opportunities
  • Are we in the Nordics all the same?
  • Do we all differ from the rest of EU?
France: the CNIL's perspectives
Florence Raynal                                                        
Head, European and International Affairs Department                


Canada’s law EU adequate for now but changes needed?
Colin Bennett                                                        
Professor, Department of Political Science                               
University of Victoria


Building Privacy by Design into a cloud service for the Internet of Things
Andrea Reiner                                                                       
Senior Counsel
Arm Limited
  • What does it mean to entrench privacy by design in the context of a cloud-based device management service? 
  • How to create awareness of data protection principles across engineering and product teams, complicated by the fact that they are located in different jurisdictions?
  • Examples of technical and organizational risk mitigation measures, including role segregation and hashing identifiers
  • What additional complications exist for a device management service without direct contact with end users?
Nowhere to hide: Competition and privacy regulators shine spotlights on privacy policies

Karolina Mojzesowicz
Deputy Head, Data Protection Unit
European Commission                              

Gail Crawford
Latham & Watkins
Lars Kjolbye
Latham & Watkins          
A session on the increased propensity for the competition regulators at EU and national levels to try and regulate privacy issues.
Finding the Data Protection ‘Sweet Spot’ – Using consumer evidence to build a risk based data protection strategy

David Cole
Managing Director and Founder                                                

It is vital for brands to persuade prospects to continue to communicate with them. But consumers are getting more cynical and less trusting of companies with their data. fastmap consumer research shows this ‘data fundamentalism’ has grown from 18% in February 2017 to 26% in December 2017. It is likely that this growth is due to individuals becoming more aware of GDPR, which has potentially seismic commercial ramifications.
This important session uses fastmap’s extensive expertise and research in consent and Legitimate Interest marketing to help you shape your ongoing strategy, including:
  • The evolving motivations and reasons that people want to give consent and how this differs by audience profile. How attitudes vary across Europe - drawing on the latest fastmap consumer research findings (e.g. the Spanish are more concerned about data handling than others – 48% of the public feel all organisations should be held to the same high standards, compared to an average of 36%).
  • Striking a balance between marketer needs and audience rights, and expectations for Legitimate Interest – developing an evidence-based approach through interviewing a brand’s own customers to minimise risk.
Artificial Intelligence: can machines learn how to comply with the GDPR?

Peter Fleischer
Global Privacy Counsel                                                              

Nigel Houlden
Head of Technology                                                     

The challenges of complying with GDPR, such as "automated decision making" and profiling, "fairness", the role of the human, purpose limitations v serendipity.
Going for Certification: The added value of a certification scheme to achieve GDPR compliance

Philippe Jeanmart
Technical, Quality and Risk Senior Vice President                    
Bureau Veritas

  • Intro to BV Certification, part of Bureau Veritas
  • The need for a Technical Standard - What the Technical Standard aims to achieve (Cl.42, 43 of the GDPR) internal guidance for companies to logically implement these requirements
  • Technical Standard overview
  • Going for certification and the 3-year certification cycle

Demystifying De-identification for privacy professionals

Anna Johnston
Salinger Privacy                                                                      

The GDPR is raising the profile of de-identification as a useful data protection tool, but many privacy practitioners, lawyers and regulators feel intimidated by the mysterious maths and statistics.  If you just take an IT person’s word for it when they say “don’t worry the data will be de-identified”, you are not really analysing the risks of a project properly.  For any privacy practitioner tasked with analysing the privacy implications of projects covering data analytics, data-sharing etc, understanding de-identification is becoming a necessary skill.
This session, by a leading privacy practitioner and the author of Demystifying De-identification, will use plain language and common sense examples to offer a practical, skills-building session for conference participants.  The workshop will explain what de-identification means (in law, and in practice), how de-identification works (and when it doesn’t), and outline the different methods, and their relative strengths and weaknesses.
Achieving a harmonised global privacy framework based on the GDPR

Richard Merrygold
Director of Group Data Protection                                           

In the light of the GDPR, an increasing number of businesses and banks whose reach is far beyond that of the EU are starting to consider creating global data protection frameworks based on the GDPR to reduce the burdensome nature of working to multiple rule sets.
To tackle this challenge, we have drafted, approved and are now implementing a group privacy framework that uses the GDPR as a basis while also allowing for each business to abide by their member state and international laws. We have achieved buy-in from all boards in all countries, including buy-in from the PLC Board and PLC audit and risk committee.
This session will look at how the framework has been created, from initial thoughts through to the final implementation including how we sold the business benefits to each board along the way.


Risk-based GDPR training 77,000 staff in multiple languages and countries

Bruno Silveira
Group Head of Compliance                                                                 
Kingfisher plc

One of the greatest challenges for a company to be compliant with the GDPR is to provide adequate training to its employees. This task becomes particularly challenging when you have around 77 thousand employees across Europe and Asia and nearly 6 million customers shopping in our stores and through our digital channels every week. This session will be focused on Kingfisher's GDPR programme and particularly on how tailor-made GDPR training was designed from scratch and delivered within the organization.

Building bricks rather than ticking boxes

Steve Wright
Data Protection & Information Security Officer                        
John Lewis Partnership

  • Trying to embed the new data protection practices
  • Changing hearts and minds
  • Building repeatable processes
  • How to measure success

EU e-Privacy Regulation Update: Double toil and trouble?

Peter Church

Georgina Kon
  • Does the higher standard for consent in the GDPR mean we are already at ePrivacy 1.5?
  • When will the new ePrivacy Regulation arrive?
  • Key implications of the ePrivacy Regulation for businesses
  • Key challenges for online behavioural advertising and OTT players
  • Implications for Brexit and UK adequacy

GDPR: The unintended consequences

Paul Lavery
Partner, Head of Technology & Innovation Group                    
McCann FitzGerald

This session will focus on any potential unintended consequences/glitches with GDPR including potential issues with anti-bribery enforcement, issues with processing biometric data and other special categories of data, Article 29 guidance on consent which impacts on consent for marketing purposes under GDPR and potential data transfer issues for entities subject to GDPR but based outside the EU.

Blockchain Demystified: what it is, how it works, and data protection implications

Nigel Houlden
Head of Technology

Peter F. McLaughlin
Burns & Levinson LLP

Christopher Millard
Professor of Privacy and Information Law
Queen Mary, University of London

Jatinder Singh
EPSRC Research Fellow
Computer Laboratory, University of Cambridge
  • Understanding blockchain: the technologies and services behind the hype - Jatinder Singh
  • Making sense of data protection obligations and rights: who is responsible for what, and is compliance possible? – Professor Christopher Millard
  • Blockchain as a data protection and security tool - Peter McLaughlin
  • A data protection regulator’s perspective - Nigel Houlden

Data Compliance for Innovators and Disruptors

Rob Sumroy
Slaughter and May                                                              

Every market and sector is being disrupted by technology innovators: fintech, healthtech, regtech, edutech, cyber, sporttech, retail, utilities and telecoms, to name but a few. The typical disruptor is a start-up or early stage tech-innovation company bringing new processes and technology to bear against established but relatively slow moving market leaders. Technology is key; digital is the future and data is the new currency.
Against this innovation backdrop sit the ever-evolving and increasing layers of data regulation. Data regulation is designed to protect the rights and freedoms of individuals, but is not intended to prevent businesses from pursuing legitimate and lawful operations. So how can innovators achieve data compliance without killing the agile nature of their business?

The first big fine: Who will get it and how to avoid it
Eduardo Ustaran
Hogan Lovells                                                                   
One of the most radical and feared aspects of the GDPR is the prospect of huge monetary fines calculated as a percentage of the global turnover of a corporate group. This is a major risk factor that needs to be taken into account when deciding how to comply with the law. This session will look at:
  • How the new fines will be calculated.
  • What type of behaviour is likely to be targeted by regulators.
  • What data uses will increase the risk profile.
  • What steps should be taken to minimise that risk.

Tensions between the UK and the GDPR after Brexit
Oliver Butler
Fellow by Special Election in Law
Wadham College, University of Oxford                            
The short and long-term effects of Brexit on the development of the public-private divide in the UK, including pressures to achieve adequacy and the likely scope for divergence should an adequacy decision fail to be achieved.

Genetic testing kits: Privacy, secondary use and other legal risks
Andelka Phillips
Ussher Assistant Professor in Information Technology Law
Trinity College Dublin, The University of Dublin
Stored genomic data poses long-term privacy risks, as it serves as a unique identifier for an individual and can also be used to identify family members. It is also very difficult to de-identify this data in a way that makes it impossible to re-identify, and even the best encryption is only secure for a limited period.
While this is not happening on a really large scale at present, some Direct To Consumer companies have already shared data with law enforcement and some prominent companies have entered into partnerships with pharmaceutical companies, which means that there is potential for wider data sharing than consumers might necessarily anticipate.
Contracts are important in this context as they are often linked to privacy policies and used to govern the purchase of genetic tests, so for example a term that allows for unilateral alteration of contractual terms without notice could potentially have consequences for data use, storage, and sharing.

EU adequacy and APEC-CBPRs back doors: A fundamental conflict?
Graham Greenleaf
Asia-Pacific Editor
Privacy Laws & Business                                                
More countries are now showing interest in APEC’s Cross Border Privacy Rules system (CBPRs), although as yet only US companies have been certified under it. Japan and South Korea have also applied to the EU for an ‘adequacy’ finding. This session explains why CBPRs involvement can be an issue in adequacy assessments, and also how problems may be avoided.
Big data, purpose use limitation and the GDPR – Opportunity or Gordian Knot?

Dyann Heward-Mills
Founder and CEO

Xavier Jean
Global Privacy Officer

Ellis Parry
Global Privacy Lead

Nick Tyler
Senior Director and Global Lead, Data Privacy
Takeda Pharmaceuticals International AG
Cloud, Data localisation and Privacy by Design

Thomas Otter
Global Vice President Product Management

Caroline Tahon
Senior Director, Legal Project Manager
SAP SuccessFactors
  • Characteristics of a cloud vendor: data anywhere, accessibility anytime, legal and compliance by the vendor
  • HR cloud: with more laws requiring data residency (data stored in a particular country). How does it work? For example, Russia’s Law, China’s Law. When data can be stored in different countries, and that is your business model, what is SAP’s approach?
  • Privacy by design: some SAP examples: logging (recording) any access by people who read the personal data. Blocking data/masking data. Approach to sensitive personal data.
  • What other minimum processes can be put in place? (for example, defining profiles/role, adding sensitive personal data, preconfiguring different times for retention …).
  • How do you create awareness of privacy in the teams that develop the software?
EU data adequacy decisions

Bruno Gencarelli
Head of the International Data Transfers and Protection Unit
European Commission

Elisabeth Stafford
Senior Policy Advisor - EU Data Protection
Department for Digital, Culture, Media and Sport
John Bowman
Senior Principal

Jade Nester
Senior Policy Manager

Charlotte Mullarkey
PSL Counsel
Allen and Overy
  • Introduction to adequacy. How is it set out in law?
  • What does adequacy mean for specific sectors?
  • What is the ambition of the European Commission in terms of promoting adequacy to the wider world?
  • What will the UK be seeking in terms of maintaining data flows post-Brexit?
  • What are the threats to adequacy?
Ireland's DP Commissioner's perspective


Dale Sunderland
Deputy Commissioner 
Office of the Data Protection Commissioner of Ireland    
Managing data as an asset in a digital world
Giles Pratt
Freshfields Bruckhaus Deringer                                       
  • The future of the database right, and how to maximise (legal) value in data
  • Data localisation requirements
  • Digital taxation
  • Trends in risk allocation between controllers, processors and joint controllers in connected systems
Operationalise Accountability and Privacy by Design: What to Automate in your Privacy Programme

Ian Evans
Managing Director, EMEA                                                     
OneTrust


With impending data protection regulation requirements, global organizations will need to build the principles of privacy by design into all of their business processes and be able to demonstrate accountability. In this session, learn about the different parts of a privacy programme from PIA/DPIAs, data mapping, consent management, and cookie compliance to subject rights requests and vendor risk management. Discover how your organization can streamline privacy management through software automation, and where humans are absolutely essential.

Privacy by Design Co-operative Workshop

Stewart Allen
Senior Associate                 
Claro Partners   

Myria Solorzano
Senior Associate                    
Claro Partners
  • To create transparent solutions that communicate to users how their personal data is used.
  • To design a privacy policy that enables users to make meaningful and well-informed choices.
A design-centered approach to transparency
  • A design-centered approach starts by understanding different types of target individuals to build solutions. It means understanding how different types of target individuals prefer to interact with data to develop new user interfaces and experiences. 
  • A design workshop is an interactive session where conference participants work on a challenging design problem and develop ideas together. By attending this workshop, you will identify with different personas to help you build empathy towards different types of target individuals. You will develop skills and address challenges in the area of trust, transparency and control over personal data. You can then use these skills in your own organisation.
  • Workshops based on different stages of developing a new product or service or updating a current one
  • Morning workshop: Transparency for individuals when signing up for a digital service
  • Afternoon workshop: Control when managing data collected at different stages of a digital service.
DPO Dilemmas: Your strategic choices
Dyann Heward-Mills
Founder and CEO
While the Data Protection Officer (DPO) is an established concept in some jurisdictions, the GDPR means that, across Europe, some companies will have a mandatory obligation to appoint a DPO, while others may choose to do so on a voluntary basis. Should the role be internal or external? What are the advantages and disadvantages of each choice?
The challenges of privacy in the connected store - The future of retail and privacy
James Leaton Gray
Deloitte and The Privacy Practice                                 
How would customers interact with a hypothetical future online and bricks and mortar retailer? How to help retailers get the most out of the many new technologies, from changing room mirrors that change the clothes on you through to lighting that guides your smartphone to the exact jacket you want in your size, and yet do it all in a privacy-friendly way.
The GDPR: On stage or back stage?
Helena Verhagen                                                        
Privacy Valley
Shifting business models - what can be learned from the entertainment industry for other sectors?
The reason for business models to shift is two-fold:
  1. The world is changing anyway (change with it or you’re out), and
  2. The GDPR is not driving but merely accelerating that change (for the ones that are slow to adapt).
What are the common elements of the new successful brands?