Grace Buckler, CIPP/E, CIPP/G, CIPP/US, has been an IT auditor since 2005. She's spent considerable time inside organizations over the years, studying their IT and governance and management. A few years in, she started her own consulting business called The Privacy Advocate. The name's fitting, as much of her work is a product of the realization that for an organization to succeed at its mission, it has to have a strong privacy culture. And that's something she advocates to her clients.
"If people are to be aware of privacy, if people are to recognize that as being the reality of the business and the mission, the culture has to change," she says. That's advice she's repeatedly given in her role as an auditor and consultant.
She found she was able to amplify that message through joining data privacy and information-security organizations. In 2007, she joined ISACA, and on August 8 and 9, she'll head to ISACA's first-ever African conference in Nairobi, Kenya, to talk to information-security professionals about establishing privacy cultures at their own organizations.
While it's sometimes assumed Africa is way behind on privacy and data protection given the still-developing economies across the continent, Buckler said Africa is the same as everywhere else.
"Whether the U.S. or EU or anywhere else, every continent and every country is growing in the area of data protection," she says. "Nobody has completely arrived. There are issues, there are debates, there are arguments as to, 'Are we adequate, are we covering the scope we should?' In my experience as a consultant, it's a case-by-case basis. It doesn't matter the continent or country."
Within Africa, there are numerous regulatory initiatives underway, Buckler said, including Kenya's Data Protection Bill in 2013 — and the passing of its constitution in 2010, which included privacy rights — as well as South Africa's passage of The Protection of Personal Information Act in 2014. But there have been myriad developments in countries including Ghana, Mozambique, Morocco, Tanzania, Angola, and many others.
Given that Africa is the world's second-largest and second-most-populous continent, a focus on privacy for its citizens is a big deal and a reflection of what's to come, she says. And that's why she's making the long trip overseas to speak to decision-makers and their employees.
Her message at the August conference, a two-part talk across two days, will encourage more proactive data privacy governance and management and stress the importance of getting buy-in from executives at the leadership level. The first day's talk will be to leadership, the second to lower-level employees. As such, the first talk will be high level and the second will be a drill-down.
"I'm going to go step-by-step, almost like we're doing a workshop where we're getting our hands into the practical aspects," she says. While the strategic thinking for leadership executives is important, "that has to be backed up with some practical things. We have to say, 'We can't do the three or four things highlighted, but we can start here.'"
Buckler believes it's the responsibility of those with privacy expertise and experience to lend their time and energy to help grow privacy in Africa. Whatever Africa becomes in its desire for data protection will be due, at least in part, to the contributions of those who've stepped up to help, she says.
"We can't just isolate our expertise to where we are stationed or located as our primary places of practice," Buckler says. "We need to think about what it is that we can change. This is one of the things we can change, using our expertise to contribute to bringing attention to the data protection concerns and the data protection potential of Africa."