Date: 2020-02-18

The OneTrust DataGuidance ‘Thought Leaders in Privacy’ interview series is filmed across the world with leading privacy professionals discussing their advice for staying ahead of the curve and how privacy connects on a wider level with businesses and society. The series captures ideas from a range of subjects including GDPR and CCPA requirements, data security and breach notification, risk & compliance, and emerging technologies.

In February 2020 we spoke to Emma Hall, Privacy Lead & Legal Counsel at Knight Frank. Founded in London in 1896, Knight Frank operates as one of the largest estate agencies and residential and commercial property consultancies globally. Emma talks about the methodologies she has used when implementing data protection risk management functions within the business, as well as discussing the trends she has seen with regard to vendor management.

Data Protection Risk Management

Through her previous experience in a range of industries, Emma has developed a number of methods that she finds work well for incorporating data protection into risk management functions. Emma explains that it is key to embed data protection into existing risk management processes in order to create one cohesive program, and notes that a good risk framework that is easily quantifiable can also be key.

“Organisations like simplistic quantification of risks that they can understand and take commercial decisions quickly and easily and understand what you are trying to say.”

Conversely, Emma has also found that lengthy legal guidance is not of interest when it comes to board-level reporting, and this has added emphasis in the privacy world, where regulation and guidance can often be complex.

Vendor Management

In the build-up to the implementation of the GDPR, Emma explains, vendor management processes were put to one side and it is only since May 2018 that organisations have started to put these practices in place. Emma notes that it could be down to the designations of the controller, joint controller and processor roles.

“People had not defined what processing operations they were actually doing so they didn’t know the designations. So that led to a lot of negotiation and a lot of additional work. Now I’m seeing a shift towards there being more general appetite for firming up designations, agreeing stuff, joint controllership and also delivering these contracts, getting them in place, and remediating the area where it needs to be remediated.”

Watch the full interview with Emma who also discusses data protection’s relationship with the wider risk and compliance function within the company, as well as how data protection and information security inform the company’s wider business continuity management.