Security Management

Have you considered a Virtual Privacy Officer?

Author: Phillip Davies

Data is one of the most important assets a business has, perhaps second only to its people. Not surprisingly, many businesses are unclear whether they need a Data Protection Officer (DPO). Many appoint part-time DPOs, people spending 80% of their time elsewhere in the business and 20% ‘looking after’ privacy. What is right for your business?


We are providing virtual DPO services for clients, supporting in-house part-time DPOs and in some cases being the DPO for the client. Are you confident managing privacy, with its breach notification requirements, Privacy Impact Assessments, adapting privacy to support changing working practices, and of course keeping your colleagues up to date on what’s new by delivering regular training and awareness?

Privacy is a busy and growing space. Many of our clients and contacts are subject to the General Data Protection Regulation, the UK Data Protection Act and the California Consumer Privacy Act. All three give consumers the right to make access requests, but how are clients complying with these obligations? The European legislation allows 30 working days to respond, the Californian 45 days. Businesses that don't respond can be hit with fines: sizeable in Europe, and up to $7,500 a case in California.

We have seen the flow of data governed significantly by data frameworks, and in recent years we have seen these frameworks become international. In 2018 the European Union introduced the General Data Protection Regulation (GDPR), adopted and enshrined in local law across Europe. This set the standard, with rights and obligations imposed.

Today, the EU GDPR and its harmonisation are being challenged with respect to what we used to call Safe Harbour arrangements. Businesses in the EU and businesses beyond the EU could transfer data for business use with safeguards in place. This is now challenged by the Schrems and Schrems II cases, brought by Austrian privacy campaigner Max Schrems, who argues that safeguards beyond the EU are not good enough to allow these data exchanges to occur. More will be heard in the New Year as the European Courts come back with their thoughts.

Beyond Europe, many countries are taking lessons learned from GDPR. Five African countries, including Nigeria, have formed a coalition to develop an African privacy framework, adopting GDPR best practice, including the enhanced role of the Data Protection Officer and consistent privacy laws and regulation. As with GDPR, the secure flow of data will support economic development in the region. And let’s not forget China. Last week it published its much-awaited Personal Information Protection Law, with significant learnings from the GDPR, including obligations for data controllers and informed consent.


Phillip Davies


Phillip led Cyber Crime for a UK Law Enforcement agency until 2005. Since then he has led privacy, risk & security for a variety of businesses, as Chief Security Officer & Advisor to boards. He holds an MSc in International Criminal Justice, is a Certified Information Security Manager, Fellow of The Security Institute, Fellow of the British Computer Society & Chartered Institute of IT, and a member of the International Association of Privacy Professionals. In 2017 he was awarded the Freedom of the City of London.
