Today Anthony was joined by Rob Grosvenor to discuss Privacy in The New World. Rob is a Managing Director at Alvarez & Marsal in London and leads their global privacy and data protection services, specialising in international privacy and data protection compliance and risk management. He has over 20 years experience of advising on global and cross border privacy, secrecy, records management and related data regulation requirements.
How he’s chalked-off one of his ‘life-goals’ during lock-down You can connect with Rob and find out more via his LinkedIn profile – https://www.linkedin.com/in/robert-gr…
Anthony: [00:00:01] Hello there. My name is Anthony Brown. I’m a director at Clermont Search. I’m delighted to bring to you the very first episode of our new Privacy and Data podcast. We’re going to be bringing you thoughts, insight and opinion from some of the world’s leading privacy and data thought leaders. And I’m very pleased on this occasion to bring Rob Grosvenor, who’s the managing director of the Privacy and Data Compliance Team at the New York headquarters, professional services business, Alvarez & Marsal. Hello, Rob. How are you?
Rob: [00:00:40] Hi there Anthony, I really appreciate the opportunity to talk to you today.
Anthony: [00:00:45] Yeah, I wasn’t expecting to be quite as hot as it is, but we’re going to get through it, aren’t we, Rob? I think definitely. We just commented that the windows need to be shut to stop any outside noise! And of course, that brings with it new challenges. But anyway, never mind. Rob, thank you very, very much for coming on. This is actually our first one, so I’m thrilled to have you. Obviously, I’ve known you for a few years now. And and obviously, you’ve recently joined Alvarez & Marsal. You are the managing director for its global privacy and data compliance practice. So exciting times for you. Just for anyone watching Rob, he isn’t aware of Alvarez Marsal. Can you just tell us a bit about the business and what you’re essentially doing now with your team?
Rob: [00:01:39] Yeah, and absolutely delighted, Anthony. So Alvarez & Marsal is an international professional services firm in terms of the size and scope. It’s got about 60 offices, I think, in more than 40 countries. And it was originally founded in the early 80s where it was primarily focused on corporate restructuring, operational performance improvement, and so the turnaround type services. And then really since then, it’s grown to have been more than four and a half thousand professionals providing sort of a range of advisory and consulting services across regulation and risk management, tax, private equity support disputes and investigations. And, you know, I’m really delighted to bring my 20 odd years of experience of privacy and data protection consulting to a practice which already has an established and successful sort of team of about forensic and cybersecurity experts. Yeah, I guess just just to give you a little bit of my background, I way back when studied law, but quickly realized I wasn’t going to be a corporate or commercial lawyer. So I actually sort of moved to Brussels when I was fortunate to get an internship with the European Commission dealing with competition matters and competition law.
Rob: [00:03:07] Whilst I was there, I had the opportunity to then join Deloitte, focusing on I.T. in emerging Internet and e-commerce law. And then essentially when the dot com bubble burst in the early 2000s, it coincided with the rollout of the original European Data Protection Directive and lo and behold, ended up spending good 13 years with Deloitte, seven years in Brussels, and then a further six years in London, really helping them to build out their sort of privacy and data collection services and effectively combine a lot of legal and regulatory challenges with sort of more of risk management and data governance approach. Prior to joining Alvarez & Marsal in April, I spent nine years at Promontory and again I helped build the global privacy practice. If I was going to say what my sweet spot is, it’s definitely working with multinational companies really to bring together sort of various sort of stakeholders across different functions and roles to implement and operationalize privacy and data laws, often in very complex business environments.
Anthony: [00:04:23] Very good. Blimey. So, yeah. And that internship in the EU wasn’t a bad start for you and clearly got you on a great path. And obviously, as we know, privacy and all things sort of data related is it’s just the evolution over the last few years has been incredible. And you’ve been there pretty much since. Well, the beginning of the journey, really, I was going to say the beginning of time. That might sound a bit rude, but. Yeah, no, thank you, Rob. Thank you for that. And obviously, it’s really exciting times for you and no doubt Alvarez & Marsal are very happy to have you on board. And I think obviously you’ve joined an incredibly interesting time. We’ve had a very challenging few weeks, to say the least. I think it’s time for sort of dwelling too much and talking too much about what’s behind us now is maybe past. And I think all of us are trying to sort of move forward a little bit with our thinking. And obviously, we’re all hoping that life, well, is slowly returning to normal. Just looking at privacy in the new world as we know it. And, Rob, and after the sort of challenges businesses have faced over the last few weeks and months, I mean, what do you think has been the biggest privacy challenge, maybe looking back slightly here? Over the last three months for businesses.
Rob: [00:05:43] Yeah, that’s a good question, Anthony, and I think, you know, we’ve got to acknowledge the overall impact of the pandemic, both in terms of sort of individual impact as the sort of societal impact, you know, what it’s meant for our families and also for businesses, as well as obviously sort of public services. And I think for most of us, this is probably one of the biggest challenges of our lifetime. So I think in many ways to put privacy into perspective. But at the same time, I think it’s also sort of shown to a lot of people sort of the significance of data and the importance of protecting and securing information. And, you know, it sort of happened to a sort of strange time in terms of I think most organizations were feeling that they were were still sort of getting to grips with the GDPR business as usual when we sort of entered the lockdown. And a lot of sort of privacy functions and privacy leads are really reliant on the support from the sort of business and corporate functions type sort of contacts and a network really to support them. And obviously, sort of a lot of things have changed over the last sort of three or four months in terms of impact and pressure on the business and also just the realities of having a remote workforce, in some cases a workforce that is sort of self isolating and also having to deal with managing sort of households and then often having to also sort of care for family and and the like. So I think it’s a very unique environment. And I think it’s one also where, quite frankly, businesses and organizations have had to react very quickly in order to often save and maintain their business operations. And so in many ways, it sort of had an unprecedented impact on sort of normal working conditions. And with it comes the the challenges of how sort of privacy then supports the business in what is sort of significant changes to normal working practices. So from a privacy standpoint, I think there’s been particular challenges with just managing the business as usual. So essentially having to deal with remote working of staff and having to deal with essentially changes in operational, procedural and technical ways of working, which have created also sort of new risks around how to deal with handling of data, how to deal with identifying customers or employees when sort of dealing with their requests or complaints or issues. And obviously, that is there’s a significant impact around the likes of cyber and information security threats, because we have to work in different ways and because often decisions are being made in a real time where effectively the organisations not really understanding the full impact until they’re actually sort of seeing sort of risk emerging in in the production world.
Rob: [00:09:09] And so I think a lot of challenges for privacy in terms of keeping going and continuing the fight in terms of sort of implementing supporting the business, supporting sort of data subjects. At the same time, I think they’ve had a critical role in really advising the business on sort of real time risk based decisions on how they take forward changes in their business strategy and changes around technology, support for the cloud services, outsourcing, all of which are being critical to keeping the wheels turning. You know, and I think in many ways you I’ve seen clients and friends in the privacy community where they’ve definitely sort of stepped up to a challenge, where they’re very much seen as supporting the business, whereas, you know, going back a few years and GDPR are often sort of privacy and data protection, which was potentially seen as at the very least, being sort of a roadblock to a road hump to the business.
Anthony: [00:10:21] You could argue thank the lord that GDPR came in ahead of the pandemic. I mean, where would we be, where would businesses have been in their timelines of essentially their privacy framework, their networks? You know, how how secure are we. Imagine this if this had landed 10 years ago, it would have been a completely different kettle of fish, I guess wouldn’t it. But just moving on, Rob, in terms of more of a life sort of question or general perspective in terms of the general public, I mean, we’ve obviously all of us, I think, to varying degrees, have been involved with using Zoom’s or house parties or various apps at home over the last few weeks, quizzes all the things we’ve done. Obviously, during that time. There’s been a few news reports about maybe some of the apps that I have mentioned having potential breaches or not being as secure as you would hope. And what’s your sense in terms of the pandemic’s impact on the general public’s view on privacy and their awareness of it? Do you think it’s had? Do you think i.e. do you think the public’s general awareness now is more heightened than it was pre pandemic around privacy?
Rob: [00:11:34] Yeah, I think that’s a very astute question, Anthony. Yeah, I think in many ways GDPR was a catalyst for sort of opening the broader general public’s mind to data protection and particularly sort of privacy rights and obligations and rights to them as citizens and customers and employees. But in many ways, I think the pandemic itself has almost brought sort of aspects of privacy and data protection into sort of real life context and challenges. And you talk about some of the sort of technology that we’ve all been using. I think there’s there’s some real life challenges in general with often people sort of living in shared accommodation or having to work and live as a household where often sort of computers and laptops and iPads are being used for a range of purposes. And particularly if people have children are having to get to grips with home schooling and keeping them occupied during the day.
Anthony: [00:12:49] Let’s not forget the tick tock dances and all the tick tock video and everything that they’ve been getting increasingly interested in. And often, you know, you’ve got laptops at home that maybe are for work purposes or the companies own them. You know, people have to be very aware. I guess ultimately they are business machines. They are owned by a company. You Can’t just hand it to your child something that is for work purposes. And all of those issues that could potentially bring if they were to go onto the wrong, you know, the wrong area of the phone or share something they shouldn’t or click on something they shouldn’t. And I think I’ve heard a few of my friends actually have had issues where they had to be very, very careful because they’ve come very close to that.
Rob: [00:13:37] So, yeah, you know, to be honest, I’m probably not the only one that has spent exponentially greater amount of time using Internet and definitely sort of using social media and the range of platforms to keep in contact with sort of friends and family as well as work colleagues. So I think it would be very hard to see how we would survive and function without these technologies. But you raise a very good point, which is what’s our individual responsibility for making sure that the security settings are there, that there’s the rights of disciplines around how these devices are being used. And it’s like with everything, you know, I think it comes with a balance. But certainly I think there’s definitely awareness around really that the challenges of how you provide access to the right content at the right time in sensible ways. I think from a commercial standpoint, it’s also interesting to see, you know, concerns if you are operating in financial services. The FCA’s concerns around sort of how we’re having to operate from home and in these sort of contained households around risks that also has to things like market abuse and people just having access to sensitive information. So I think on all levels, there’s both the risk and harm to limiting access to appropriate content. But there’s also issues when it comes to how you manage confidential information and sensitive personal data where there is this sort of overlapping of sort of private and personal and work life at the moment.
Anthony: [00:15:38] Yeah. So also, you know, moving forward Rob, Obviously, since GDPR came into play, there’s been a few very high profile breaches, as we know, and only, I think, correct me if I’m wrong, but a very small handful of fines, albeit very large ones, were obviously not going to mention the company names. I think some of them are still in discussions around fines and ties with them etc but moving forward, do you believe that there’s going to be increased, perhaps for somebody like yourself or other lawyers sort of contentious work on the litigation piece i.e. are we going to start to see a more steady flow of high profile breaches coming through the system.
Rob: [00:16:24] Yeah, you know, I think Anthony it’s going to be interesting to see how this plays out and in terms of timings around sort of entering the new normal, obviously the ICO and many of the other data protection authorities and supervisory authorities around the world, you know, they have their own challenges at the moment. And often they’re having to manage their staff but also deal with a lot of government and big policy level issues that covid-19 has raised. And obviously so we’re familiar with sort of issues around the track and trace and and data sharing to support the efforts to manage control and hopefully eradicate this virus. So I think at the moment, obviously, it’s impractical for them to be ramping up or even undertaking enforcement action and particularly investigations at the moment. But clearly, they will be looking to see once things settle down, what that means around sort of high risk, high profile, key areas of focus for those investigations. So very much don’t see things changing once effectively. They’re able to sort of re prioritise their focus. And I think it also dovetails around what we’re seeing in general, which is an acceleration in digital readiness and technology transformation that a lot of companies are now going through, which in many ways will potentially give rise to potentially greater risks around sort of privacy and data management.
Rob: [00:18:15] I think the other aspect that we’re seeing and is, is what role effectively litigation and class actions is going to play. And certainly I’ve seen far more or a greater increase in the number of law firms looking to support members of the public who have been impacted by data breaches or data incidents. So, again, I think alongside any sort of regulatory investigations and enforcement, the role of the courts is going to be important over the next few years as we understand effectively threshold’s around things like compensation levels and how in practice some of these larger class actions are going to work and how they get brought. So definitely something that I think is going to be in the mind of a lot of sort of companies as they’re evaluating effectively their risk profile in the new world and what that means in terms of privacy and data compliance.
Anthony: [00:19:28] Ok, thank you, Rob. Well, I mean, just to sort of perhaps, you know, finish on a lighter note, I really enjoyed hearing you talk, Rob, and I hope listeners have too some great insights there from somebody who’s right in the center of this privacy community that we’re part of what do you think you’ve learned about yourself during lock down? You know, perhaps on a personal level, if we’ve all had our own challenges, particularly if you’ve got children at home.
Rob: [00:20:00] Yeah, you know, I think I think there’s been a lot of change, I guess, you know, one of the things I’ve realized is that when we’re in this sort of situation, I think there is a risk that things just generally are put on hold. And you also almost get into a routine where it’s almost a little bit like Groundhog Day. You know, particularly because everyone is either working or home schooling or spending a lot more time physically at home, but also in the household, I think you’ve got to really make an effort to try and at least encourage yourself to go and do different things, get out and about now and enjoy the fine weather we’re having. I guess the one thing I’ve learned is I’ve actually managed to fulfill one life ambition, which was to grow a beard. We’ll see how long it lasts. But in this hot weather, I’m not sure. But, you know, I think it’s been interesting, you know, Alvarez & Marsal have been running a series of courses on mindfulness and ways of engaging with staff whilst we’re in lockdown. And I think that was interesting to reflect on appreciating the now when I think we spend a lot of our time sort of looking back and also sort of worrying about the future. So, yeah, it’s a strange time. So I think it’s also a time for innovation. And, you know, I think the opportunity to sort of try and try and do new things.
Anthony: [00:21:38] Yeah, that’s great, Rob. And I think we’ve all we’ve all had a lot of time self evaluate haven’t we and I think, you know, there’s been a huge surge as we know in people actually taking up new hobbies or running. I’ve never seen the general public so active and with such great talent, frankly. And yeah. And I’m glad you mentioned the beard, because when we first started the interview, I wasn’t sure that I had the right guy for a minute because I hadn’t seen the beard. But now it’s good work, Rob. I’m sure it’s a little bit warm during this time So it’ll be interesting to see how long, how long you persevere with it. But fair play for chalking on off in life anyway. But listen, Rob, thank you so, so much for your time. It’s been superb and I hope everybody has had some real insight from Rob. And moving forward, I’m going to be speaking to some very exciting guests as well in the very near future, actually. So watch this space. But, Rob, thank you. I hope you get a chance to enjoy some sunshine today. And we will we’ll catch up very soon. All the best.
Rob: [00:22:54] Great. And I really appreciate Anthony, good talking talking to. Take care of. Take care. Bye now.