In this Volunteer Spotlight, The Privacy Advisor chatted with Emma Butler, CIPP/E, CIPM, FIP, data protection officer at identity-system developer Yoti in London. Prior to her time with Yoti, Butler spent three years as DPO and senior director of privacy for LexisNexis and RELX Group. She's also well versed in U.K. regulatory standards, having spent seven years as the senior international policy officer for the U.K. Information Commissioner's Office.
In this conversation, Butler details her privacy background and some of the troublesome areas she sees in privacy.
The Privacy Advisor: You've volunteered for the IAPP as KnowledgeNet co-chair, speaker and author. What's most rewarding about the volunteer work you do?
Butler: With the EU Advisory Board, I enjoyed being able to influence the conference agenda, and I always advocated for sessions that were practical and informative. I used my experience as a delegate at many conferences and events over the years to push for sessions that focused on the difficult topics rather than privacy 101. Sessions that would give delegates something tangible to take back to their jobs. I also championed panel diversity and new faces over the same speakers talking about the same topic and just telling people what the law says. I didn't always succeed ...
With KnowledgeNet, I enjoyed meeting new people and putting together interesting sessions on topics that many privacy pros were either struggling with or had experience that they could share. The best sessions for me were when privacy pros shared how they approached things, what worked and what didn't, and provided practical tips. If attendees went away with either something new to try or with reassurance that they were on the right track, that was a successful session.
The Privacy Advisor: What was the driving force behind your decision to work in privacy?
Butler: I fell into it by accident. I did French, Italian and linguistics at university, then qualified to teach English as a foreign language. I saw an advert in the Manchester Evening News for various jobs with the Information Commissioner's Office. They were recruiting for several positions in both data protection and freedom of information. I didn't know anything about either, but it sounded interesting, and the ad mentioned it was working in human rights. I applied and was offered the role of head of the international team in the policy department. It was a massive learning curve, but I was able to develop the role over the seven years I was there.
The Privacy Advisor: What privacy issue — current or past — keeps you up at night, and why?
Butler: I am old enough and long enough in the tooth as a privacy pro to not let privacy matters deprive me of sleep. But many things continue to incense me, such as organizations conflating terms and conditions and transparency requirements and asking you to accept a privacy notice. Or telling you that using their product or service means you consent to everything in the privacy notice.
I also get frustrated that the misinformation or lack of information from official sources in the run-up to the [EU General Data Protection Regulation] has led to lots of individuals thinking they have rights they don't have, especially as regards deletion.
The Privacy Advisor: What light can you shed on that data-deletion scenario?
Butler: Data protection officers are now often on the front line of angry and sometimes abusive individuals who go from zero to aggressive in an instant, demand their right to deletion, and try to intimidate you with threats of lawyers and the ICO. Any attempt to explain the nuances of the right and why it might not apply in their case just leads to more anger and accusations that you are trying to hide behind the law or shirk your obligations. Fortunately, I don't have to deal with too many of these types of people these days, but from what I hear anecdotally from other DPOs, it's on the increase.
The Privacy Advisor: Is there a way to correct people's misconceptions regarding certain rights and data privacy laws in general?
Butler: My biggest concern is how new and revised privacy laws are in practice leaving the individual behind. The GDPR is a good example of this, as it has led to a focus on the minutiae of technical compliance rather than a focus on the best outcome for and interests of the individual. So I am constantly figuring out how to reconcile these things as they are not always compatible, and I strongly believe in a principles-based approach that puts the individual first.
The Privacy Advisor: You’re well versed in the GDPR, having gone through compliance with Yoti. In your opinion, what was the greatest compliance challenge with the GDPR, and how did you overcome it?
Butler: I am lucky enough to work for a company that has privacy, security, transparency and accountability as part of its core founding principles. This ethos meant that they had already been doing many things, such as privacy by design, before I joined, even if it wasn't identified in that way. In a fast-moving, agile development company, the hardest challenge was the documentation requirements and getting people to write more things down. I built on what was already in place by adding privacy checklists, questions and trigger points into existing development and decision-making processes.
The Privacy Advisor: Finally, what’s the best professional advice you’ve ever received?
Butler: Am I allowed to swear?! If so it's probably "Keep swinging, and don't let the b******s see you bleed!" But in the interests of ending on a more positive note, it's also "Be confident, be honest, be decent."