Kirsten Mycroft, CIPP/E, CIPM


BNY Mellon

Global CPO

Kirsten Mycroft is the Global Chief Privacy Officer for BNY Mellon, an investments company operating in 35 countries. She leads the company’s enterprise privacy program and manages a team of privacy specialists in the Global Privacy Office. Her responsibilities include setting the enterprise privacy strategy, establishing effective governance, policy and procedures, and implementing an enterprise-wide accountability and management framework that’s responsive to the evolving global privacy regulatory landscape, supports business strategy, and maintains client and employee trust. The operational aspects of Kirsten’s role include enabling enterprise transformation and process/system change with privacy impact assessments, individual rights request tracking and quality review, incident management and metrics.

Kirsten has over 20 years of experience and deep knowledge of global privacy, cybersecurity and technology risk. Prior to joining BNY Mellon, she was the Group Head of Data Privacy and Records Management at Lloyds Banking Group, a financial institution with over 30 million customers across retail and commercial banking, insurance and consumer finance. Her career began in consultancy, where she spent 15 years working with global clients of EY and KPMG in roles spanning advisory, assurance and operations.

Kirsten holds a B.Com (Hons) in Information Systems, the IAPP’s CIPP/E and CIPM certifications, and the CISSP and CISM certifications. She serves on the IAPP’s European Advisory Board and the Future of Privacy Advisory Board, regularly speaks at conferences and has authored/contributed to several thought leadership articles. Kirsten was featured in the 2019 DPO200 list, which recognises individuals who have made a significant contribution to the privacy and security sectors.


Contributions by Kirsten Mycroft

  • Privacy Enhancing Technologies as Collaboration Tools
    Speaker at IAPP Data Protection Intensive: UK 2022
  • Member of European Advisory Board 2020 - 2021
  • How to Build an Operational Breach Response Programme
    Speaker at IAPP Data Protection Intensive: UK 2019
  • GDPR: 72-Hour Notification: Is Your Breach Response Plan Operational?
    Speaker at IAPP Europe Data Protection Intensive 2018