Programme

 

31st Annual International Conference  

Navigating GDPR: The art of the possible

2 – 4 July 2018
St. John's College Cambridge, UK
 
 

 

Conference Programme

 
Below, in random order, are the confirmed speakers and their conference sessions as of 14 February. Any amendments, additional speakers and their sessions, and the full programme will be posted here.
 
You may register on the basis of 1, 2 or 3 days and decide on the specific days later.
You may register with specific names and change the names later.
 
 
 
Nowhere to hide: Competition and privacy regulators shine spotlights on privacy policies
  
Speakers:     

Karolina Mojzesowicz
Deputy Head, Data Protection Unit
European Commission                              
Belgium                                                     

Gail Crawford
Partner                            
Latham & Watkins
UK

Lars Kjolbye
Partner
Latham & Watkins
Belgium

A session on the increased propensity for the competition regulators at EU and national levels to try and regulate privacy issues.
 
 
Finding the Data Protection ‘Sweet Spot’ – Using consumer evidence to build a risk based data protection strategy
 
Speaker:

David Cole
Managing Director and Founder                                                
fastmap
UK

It is vital for brands to persuade prospects to continue to communicate with them. But consumers are getting more cynical and less trusting of companies with their data. fastmap consumer research shows this ‘data fundamentalism’ has grown from 18% in February 2017 to 26% in December 2017. It is likely that this growth is due to individuals becoming more aware of GDPR, which has potentially seismic commercial ramifications.
 
This important session uses fastmap’s extensive expertise and research in consent and Legitimate Interest marketing to help you shape your ongoing strategy, including:
 
  • The evolving motivations and reasons that people want to give consent and how this differs by audience profile. How attitudes vary across Europe - drawing on the latest fastmap consumer research findings (e.g. the Spanish are more concerned about data handling than others – 48% of the public feel all organisations should be held to the same high standards, compared to an average of 36%).
  • Striking a balance between marketer needs and audience rights, and expectations for Legitimate Interest – developing an evidence-based approach through interviewing a brand’s own customers to minimise risk.
 
 
Artificial Intelligence:  can machines learn how to comply with the GDPR? 
 
Speakers:          

Peter Fleischer
Global Privacy Counsel                                                              
Google
France

Nigel Houlden
Head of Technology                                                     
ICO                                                       
UK 

The challenges of complying with GDPR, such as "automated decision making" and profiling, "fairness", the role of the human, purpose limitations v serendipity.
 
 
Going for Certification: The added value of a certification scheme to achieve GDPR compliance
 
Speaker:

Philippe Jeanmart
Technical, Quality and Risk Senior Vice President                    
Bureau Veritas
France

  • Intro to BV Certification, part of Bureau Veritas
  • The need for a Technical Standard - What the Technical Standard aims to achieve (Cl.42, 43 of the GDPR): internal guidance for companies to logically implement these requirements
  • Technical Standard overview
  • Going for certification and the 3-year certification cycle
 

Demystifying De-identification for privacy professionals
 
Speaker:

Anna Johnston
Director 
Salinger Privacy                                                                      
Australia 

The GDPR is raising the profile of de-identification as a useful data protection tool, but many privacy practitioners, lawyers and regulators feel intimidated by the mysterious maths and statistics.  If you just take an IT person’s word for it when they say “don’t worry the data will be de-identified”, you are not really analysing the risks of a project properly.  For any privacy practitioner tasked with analysing the privacy implications of projects covering data analytics, data-sharing etc, understanding de-identification is becoming a necessary skill.
 
This session, by a leading privacy practitioner and the author of Demystifying De-identification, will use plain language and common sense examples to offer a practical, skills-building session for conference participants.  The workshop will explain what de-identification means (in law, and in practice), how de-identification works (and when it doesn’t), and outline the different methods, and their relative strengths and weaknesses.
 
 
 
Achieving a harmonised global privacy framework based on the GDPR
 
Speaker:

Richard Merrygold
Director of Group Data Protection                                           
HomeServe
UK

In the light of the GDPR, an increasing number of businesses and banks whose reach is far beyond that of the EU are starting to consider creating global data protection frameworks based on the GDPR to reduce the burdensome nature of working to multiple rule sets.
 
To tackle this challenge, we have drafted, approved and are now implementing a group privacy framework that uses the GDPR as a basis while also allowing for each business to abide by their member state and international laws. We have achieved buy-in from all boards in all countries, including buy-in from the PLC Board and PLC audit and risk committee.
 
This session will look at how the framework has been created, from initial thoughts through to the final implementation including how we sold the business benefits to each board along the way.

 

Risk-based GDPR training 77,000 staff in multiple languages and countries
 
Speaker:

Bruno Silveira
Group Head of Compliance                                                                 
Kingfisher plc
UK

One of the greatest challenges for a company to be compliant with the GDPR is to provide adequate training to its employees. This task becomes particularly challenging when you have around 77 thousand employees across Europe and Asia and nearly 6 million customers shopping in our stores and through our digital channels every week. This session will be focused on Kingfisher's GDPR programme and particularly on how tailor-made GDPR training was designed from scratch and delivered within the organization.
 

Building bricks rather than ticking boxes
 
Speaker:

Steve Wright
Data Protection & Information Security Officer                        
John Lewis Partnership
UK

  • Trying to embed the new data protection practices
  • Changing hearts and minds
  • Building repeatable processes
  • How to measure success
 

EU e-Privacy Regulation Update: Double toil and trouble?
 
Speakers:

Peter Church
Counsel
Linklaters        
UK

Georgina Kon
Partner
Linklaters                                                                 
UK 
  • Does the higher standard for consent in the GDPR mean we are already at ePrivacy 1.5?
  • When will the new ePrivacy Regulation arrive?
  • Key implications of the ePrivacy Regulation for businesses
  • Key challenges for online behavioural advertising and OTT players
  • Implications for Brexit and UK adequacy
 

GDPR: The unintended consequences
 
Speaker:

Paul Lavery
Partner, Head of Technology & Innovation Group                    
McCann FitzGerald
Ireland

This session will focus on any potential unintended consequences/glitches with GDPR including potential issues with anti-bribery enforcement, issues with processing biometric data and other special categories of data, Article 29 guidance on consent which impacts on consent for marketing purposes under GDPR and potential data transfer issues for entities subject to GDPR but based outside the EU.
 

Blockchain Demystified: what it is, how it works, and data protection implications
 
Speakers:  

Nigel Houlden
Head of Technology
ICO                                                    
UK 

Peter F. McLaughlin
Partner
Burns & Levinson LLP
USA    

Christopher Millard
Professor of Privacy and Information Law
Queen Mary, University of London
UK

Jatinder Singh
EPSRC Research Fellow
Computer Laboratory, University of Cambridge
UK
  • Understanding blockchain: the technologies and services behind the hype - Jatinder Singh
  • Making sense of data protection obligations and rights: who is responsible for what, and is compliance possible? – Professor Christopher Millard
  • Blockchain as a data protection and security tool - Peter McLaughlin
  • A data protection regulator’s perspective - Nigel Houlden
 

Data Compliance for Innovators and Disruptors
 
Speaker:

Rob Sumroy
Partner
Slaughter and May                                                              
UK 

Every market and sector is being disrupted by technology innovators: fintech, healthtech, regtech, edutech, cyber, sporttech, retail, utilities and telecoms, to name but a few.  The typical disruptor is a start-up or early stage tech-innovation company bringing new processes and technology to bear against established but relatively slow moving market leaders.  Technology is key; digital is the future and data is the new currency.
 
Against this innovation backdrop sit the ever-evolving and increasing layers of data regulation.  Data regulation is designed to protect the rights and freedoms of individuals, but not intended to prevent businesses from pursuing legitimate and lawful operations.  So how can innovators achieve data compliance without killing the agile nature of their business?
 

The first big fine: Who will get it and how to avoid it
 
Speaker:
Eduardo Ustaran
Partner
Hogan Lovells                                                                   
UK 
 
One of the most radical and feared aspects of the GDPR is the prospect of huge monetary fines calculated as a percentage of the global turnover of a corporate group. This is a major risk factor that needs to be taken into account when deciding how to comply with the law.  This session will look at:
 
  • How the new fines will be calculated.
  • What type of behaviour is likely to be targeted by regulators.
  • What data uses will increase the risk profile.
  • What steps should be taken to minimise that risk.
 

Tensions between the UK and the GDPR after Brexit
 
Speaker:
Oliver Butler
Fellow by Special Election in Law
Wadham College, University of Oxford                            
UK  
 
The short and long-term effects of Brexit on the development of the public-private divide in the UK, including pressures to achieve adequacy and the likely scope for divergence should an adequacy decision fail to be achieved.
 

Genetic testing kits: Privacy, secondary use and other legal risks
 
Speaker:
Andelka Phillips
Ussher Assistant Professor in Information Technology Law
Trinity College Dublin, The University of Dublin
Ireland
 
Stored genomic data poses long-term privacy risks, as it both serves as a unique identifier for an individual and can be used to identify family members. It is also very difficult to de-identify this data in a way that makes it impossible to re-identify, and even the best encryption is only secure for a limited period.
 
While this is not happening on a really large scale at present, some Direct To Consumer companies have already shared data with law enforcement and some prominent companies have entered into partnerships with pharmaceutical companies, which means that there is potential for wider data sharing than consumers might necessarily anticipate.
 
Contracts are important in this context as they are often linked to privacy policies and used to govern the purchase of genetic tests, so for example a term that allows for unilateral alteration of contractual terms without notice could potentially have consequences for data use, storage, and sharing.
 

EU adequacy and APEC-CBPRs back doors: A fundamental conflict?
 
Speaker:
Graham Greenleaf
Asia-Pacific Editor
Privacy Laws & Business                                                
Australia 
 
More countries are now showing interest in APEC’s Cross Border Privacy Rules system (CBPRs), although as yet only US companies have been certified under it. Japan and South Korea have also applied to the EU for an ‘adequacy’ finding. This session explains why CBPRs involvement can be an issue in adequacy assessments, and also how problems may be avoided.
 
 
Big data, purpose use limitation and the GDPR – Opportunity or Gordian Knot?
 
Speakers:  

Dyann Heward-Mills
Partner
Baker & McKenzie LLP                                                    
UK 

Diana Lopez
Country Privacy Advisor - UK and Ireland
GSK
UK     

Ellis Parry
Global Privacy Lead
BP
UK

Nick Tyler
Senior Director and Global Lead, Data Privacy
Takeda Pharmaceuticals International AG
Switzerland
 
 
 
Cloud, Data localisation and Privacy by Design
 
Speakers:

Thomas Otter
Global Vice President Product Management
SAP
Germany

Caroline Tahon
Senior Director, Legal Project Manager
SAP SuccessFactors
France
  • Characteristics of a cloud vendor: data anywhere, accessibility anytime, legal and compliance by the vendor
  • HR cloud: with more laws requiring data residency (data stored in a particular country). How does it work? For example, Russia’s Law, China’s Law. When data can be stored in different countries, and that is your business model, what is SAP’s approach?
  • Privacy by design: some SAP examples: logging (recording) any access by people who read the personal data. Blocking data/masking data. Approach to sensitive personal data.
  • What other minimum processes can be put in place? (for example, defining profiles/role, adding sensitive personal data, preconfiguring different times for retention …).
  • How do you create awareness of privacy in the teams that develop the software?
 
 
EU data adequacy decisions
 
Speakers:

Bruno Gencarelli
Head of the International Data Transfers and Protection Unit
European Commission
Belgium

Elisabeth Stafford
Senior Policy Advisor - EU Data Protection
Department for Digital, Culture, Media and Sport
UK

John Bowman
Senior Principal
Promontory
UK

Jade Nester
Senior Policy Manager
GSMA
UK

Charlotte Mullarkey
Senior PSL
Allen and Overy
UK
  • Introduction to adequacy. How is it set out in law?
  • What does adequacy mean for specific sectors?
  • What is the ambition of the European Commission in terms of promoting adequacy to the wider world?
  • What will the UK be seeking in terms of maintaining data flows post-Brexit?
  • What are the threats to adequacy?
 
 
Ireland's DP Commissioner's perspective
 
Speaker:

Helen Dixon
Commissioner 
Office of the Data Protection Commissioner of Ireland    
Ireland

Or Dale Sunderland
Deputy Commissioner 
Office of the Data Protection Commissioner of Ireland    
Ireland
 
 
 
Managing data as an asset in a digital world
 
Speaker:
Giles Pratt
Partner
Freshfields Bruckhaus Deringer                                       
UK
 
  • The future of the database right, and how to maximise (legal) value in data
  • Data localisation requirements
  • Digital taxation
  • Trends in risk allocation between controllers, processors and joint controllers in connected systems
 
 
Operationalise Accountability and Privacy by Design: What to Automate in your Privacy Programme
 
Speakers:

Ian Evans
Managing Director, EMEA                                                     
One Trust
UK

 

With impending data protection regulation requirements, global organizations will need to build the principles of privacy by design into all of their business processes and be able to demonstrate accountability. In this session, learn about the different parts of a privacy programme from PIA/DPIAs, data mapping, consent management, and cookie compliance to subject rights requests and vendor risk management. Discover how your organization can streamline privacy management through software automation, and where humans are absolutely essential.

 
 
Privacy by Design Co-operative Workshop
 
Speakers:

Stewart Allen
Senior Associate                 
Claro Partners   
Spain

Myria Solorzano
Senior Associate                    
Claro Partners
Spain
Objectives
  • To create transparent solutions that communicate to users how their personal data is used.
  • To design a privacy policy that enables users to make meaningful and well-informed choices.
A design-centered approach to transparency
  • A design-centered approach starts by understanding different types of target individuals to build solutions. It means understanding how different types of target individuals prefer to interact with data to develop new user interfaces and experiences. 
  • A design workshop is an interactive session where conference participants work on a challenging design problem and develop ideas together. By attending this workshop, you will identify with different personas to help you build empathy towards different types of target individuals. You will develop skills and address challenges in the area of trust, transparency and control over personal data. You can then use these skills in your own organisation.
Subjects
  • Workshops based on different stages of developing a new product or service or updating a current one
  • Morning workshop: Transparency for individuals when signing up for a digital service
  • Afternoon workshop: Control when managing data collected at different stages of a digital service.
 
 
DPO Dilemmas: Your strategic choices
 
Speaker:
Dyann Heward-Mills
Partner
Baker & McKenzie LLP                                                    
UK     
            
While the Data Protection Officer (DPO) is an established concept in some jurisdictions, the GDPR means that, across Europe, some companies will have a mandatory obligation to appoint a DPO, while others may choose to do so on a voluntary basis. Should the role be internal or external? What are the advantages and disadvantages of each choice?
 
 
The challenges of privacy in the connected store - The future of retail and privacy
 
Speaker:
James Leaton Gray
Director
Deloitte and The Privacy Practice                                 
UK     
        
How would customers interact with a hypothetical future online and bricks and mortar retailer? How can retailers be helped to get the most out of the many new technologies, from changing room mirrors that change the clothes on you through to lighting that guides your smart phone to the exact jacket you want in your size, and yet do it all in a privacy-friendly way?
 
 
The GDPR: On stage or back stage?
 
Speaker:
Helena Verhagen                                                        
Co-Founder
Privacy Valley
Netherlands  
              
Shifting business models - what can be learned from the entertainment industry for other sectors?
 
The reason for business models to shift is two-fold:
  1. The world is changing anyway (change with it or you’re out), and
  2. The GDPR is not driving but merely accelerating that change (for the ones that are slow to adapt).
 
What are the common elements of the new successful brands?
 
 
National implementation of the GDPR in the Nordic countries
 
Speaker:
Maria Holmström Mellberg                                                        
Group Driver Privacy
Nordea
Sweden  
              
  • Challenges and opportunities
  • Are we in the Nordics all the same?
  • Do we all differ from the rest of EU?
 
 
France: the CNIL's perspectives
 
Speaker:
Florence Raynal                                                        
Head, European and International Affairs Department                
CNIL
France