Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form
The Journal of Data Protection & Privacy
A major new professional journal publishing in-depth, peer-reviewed articles, case studies and applied research on all aspects of data protection
and privacy practice across the European Union and other jurisdictions, in the wake of the new EU General Data Protection Regulation (GDPR)
and the biggest change in data protection and privacy for two decades.
Guided by its expert Editor and a distinguished Editorial Board, each quarterly 100-page issue – published in print and online – provides an international forum for detailed, practical and thought-provoking articles from leading professionals and researchers on a wide range of regulatory, compliance, risk management, and board governance issues. In addition, Journal of Data Protection & Privacy explores innovative strategies, tools and techniques and emerging trends that impact the business continuity of all private, public sector/Government and charitable/NGOs and professional bodies and associations.
JDPP publishes an in-depth analysis of new thinking and practice from diverse authors at a wide range of institutions enabling readers to benchmark their organisation. Every published article is peer-reviewed by experts drawn from the journal's Editorial Board.
Future developments in data protection and privacy in the UK in the wake of the General Data Protection Regulation by Alexander Brown and Matthew Dyer
The EU General Data Protection Regulation will apply in EU member states from 25th May 2018, bringing about fundamental changes to the data protection and privacy landscape in Europe. This paper discusses some of the changes that the Regulation will impose and the effect that these are likely to have on organisations processing personal data, with a particular focus on the legal environment-In the UK.
The General Data Protection Regulation: A myth-buster by Phil Lee and Kate Pickering
The General Data Protection Regulation(GDPR) is an undeniably complex piece of legislation. During the course of its adoption, the text of the GDPR changed many times. As a result, some provisions that were originally proposed were dropped from the final law — and this has inevitably created a certain amount of confusion. This paper explores the top 15 common misconceptions regarding the GDPR — so next time you hear any of these come up in conversation, you will be able to set the record straight!
Profiling in the Public Sector under the General Data Protection Regulation by Jakob Kamby
Both public authorities and private corporations gather and store vast amounts of data from individuals.As the needs of citizens may span the purview of several authorities and sectors concurrently, the ability to draw data from a multitude of sources and create profiles of individuals may improve both service levels and accuracy of decision making of public authorities. This paper investigates the new rules in the European General Data Protection Regulation (GDPR) balancing the many upsides of profiling and the inherent need for safeguarding the rights of the subjected individuals.
Data security requirements under the General Data Protection Regulation by Alexander Dittel
The General Data Protection Regulation (GDPR) will come into effect in May 2018 and it will afford the industry more clarity about the companies’ obligations to adopt appropriate organisational and technical measures in order to ensure the security of personal data. The objective of this paper is to give a clearer picture of the specific measures that controllers, as well as processors, may have to adopt under the new law.
Impact of the EU General Data Protection Regulation on the public sector by Peter Blume
This paper considers the consequences of the EU General Data Protection Regulation (GDPR) for public administration. It is observed that the private and public sector in many ways are treated differently. The starting point for data processing in public administration is that it should have authority in statutory law and use of consent is viewed with much caution. There are increased responsibilities related to the goal of transparency with respect to information to data subjects and also in respect to documentation of processing procedures. Data security requirements are also increased. Although the GDPR first comes into effect in May 2018, authorities should prepare for it now.
Internet of things data protection and privacy in the era of the General Data Protection Regulation by Abhik Chaudhuri
The emerging internet of things (IoT) technology has immense potential for unprecedented business offerings in various domains. To provide reliable IoT products and services that comply with regulatory demands, businesses must meet users’ data protection and privacy needs. With the General Data Protection Regulation (GPDR) coming into force from 24th May 2016 and applicable from 25th May 2018, IoT businesses must strategise privacy alignment for their products or services by incorporating in their design the privacy and data protection capabilities necessary for regulatory compliance and gaining user trust. This paper discusses the associated data protection and user privacy concerns, making reference to such IoT service offerings as smart retail, the smart home, smart wearables, smart health devices, smart television and smart toys. The three-steps to privacy alignment strategy discussed in this paper comprise the privacy inquisition (PI) analysis model, the IoT privacy impact assessment (IPIA) and the privacy state transition process through which IoT businesses pass on their path to attaining ‘perfect alignment’ with respect to the GDPR data protection requirements and user privacy needs. Privacy inquisition, IPIA, and privacy state transition should be performed on a periodic basis, preferably under the guidance of a privacy governance board with supervisory authority and representation from the organisation’s board of directors, the controller and the data protection officer.
Looking at Europe from the USA: Current perspectives on data protection By Mark Webber and Trinity Car
US and EU privacy laws are very different. The USA recognises that a failure to respect privacy can cause consumer harm while noting that commercial interests also carry weight. Historical and cultural influences focus Europe’s privacy rules on citizens’ rights. While European privacy laws are not new, there are frequently some misconceptions in the USA about the EU’s approach to privacy. In addition, it is only relatively recently that EU data protection rules have started to have a noticeable impact on US commerce.
Interestingly, this impact is felt more as a result of commercial contract friction than from the bite of the regulator. US businesses nowadays must pay increased attention to compliance with EU data protection regulations. This paper focuses on the differences between the EU and US privacy landscapes and explores the EU concept of‘data protection’ and the risk and compliance hurdles it presents. How is EU data protection law viewed from the USA and how can in-house counsel evaluate and adapt to its impact?
Safe Harbor to Privacy Shield: A view from the USA – Part 1 By Daniel D. Corcoran
This paper looks at the court decision and events which brought about the abrupt fall of the 15-year old Safe Harbor, a regulatory framework which was negotiated between trade partners and the central legal basis for many of the data practices of approximately 4,500 US-based enterprises. This paper then reviews the subsequent series of steps taken to install a new international data transfer program, now known as the Privacy Shield. This paper also considers the process and impact from a US practitioner’s perspective and examines the roles of and demands from the various actors in the legislative journey to fill the regulatory void. This paper details many of the steps and concerns raised during this process and how such issues were resolved or highlighted for future action. The paper finds that although the immediately-effective nullification of a long-standing trade pact was disruptive to commerce and innovation at the time, the important goals of clarity of legal protocols and the long-term protections of European fundamental rights ultimately were achieved in large measure.
FBI v. Apple and beyond: Encryption in the Canadian Law of Digital Search and Seizure by Gerald Chan & Stephen Aylward
The stakes have never been higher in the arms race among tech companies, hackers, and law enforcement. Tech companies are continually developing measures to enhance the digital security of their users. Hackers and law enforcement agencies, while working toward very different objectives, are themselves developing new techniques to circumvent this encryption in order to access the treasure trove of information contained in digital devices and communications services. In the USA, the fight between the FBI and Apple over the encryption of iPhones has become a flashpoint for this controversy. Tim Cook, the CEO of Apple Inc., has attracted headlines with his highly publicised challenge to court orders obtained by the FBI compelling Apple to assist in unlocking iPhones. This paper examines the implications of the FBI v. Apple dispute in the Canadian context. The authors set out the legal and policy context of the FBI v. Apple debate before exploring the legal dimensions of encryption in Canada. The authors show that the state of Canadian law is unsatisfactory. Clearer safeguards are needed to protect third parties from unduly burdensome law enforcement requests and to protect the privacy of the end users of digital devices and services.
The impact of the General Data Protection Regulation on the banking sector: Data subjects’ rights, conflicts of laws and Brexit by Lori Baker
The General Data Protection Regulation (GDPR) will undoubtedly have an impact on how businesses manage compliance in the coming years. The banking and finance sector is not immune. It does however already operate in a heavily regulated environment, because the type of personal data banks receives, while not generally fitting the definition of ‘sensitive personal data’ in the EU, is still highly vulnerable data that could see the data subject becoming a victim of fraud or other financial crime. Between the NIS Directive and the GDPR, what then will be the impact of additional toothy, large-scale regulations requiring databases full of documentation for audit-ability, transparency, and accountability on an industry already (presumably) running a very tight compliance ship? This paper will address:
- the key changes of the GDPR (and for completeness, the NIS)
- what happens when these laws conflict with other applicable regulation
- other changes in the banking in general, including the end to banking secrecy in light of certain elements of the GDPR around sharing of personal data; and
- the impact Brexit will have in the context of regulating privacy in a non -GDPR environment.
Data subject consent: How will the General Data Protection Regulation affect this? By Hana Ross
EU data protection law assumes an innate right to privacy. Current consent requirements are contained in Directive 95/46/EC, which sets the standard of consent given by data subjects as ‘freely given, specific and informed’. The General Data Protection Regulation (GDPR) is due to come into force in 2018. The standard of consent is being raised to being ‘freely given, specific, informed and unambiguous’. The current Article 29 Working Party approach to consent sets a high bar. The Information Commissioner’s Office (ICO) has a more relaxed position than the Article 29 Working Party. Obtaining consent to direct marketing is challenging. The ICO view is that consent should be given on an opt-in rather than opt-out basis.Indirectconsentisparticularlydifficulttoobtain.
Article 7(3) of the GDPR will give data subjects the right to revoke their consent at any time. The e-Privacy Directive governing electronic marketing is currently under review and will bring with it crucial changes that are expected to harmonise with the GDPR. Best practice advocates a layered approach to privacy notices. Privacy notices can be used as a tool to enhance customer engagement experiences.
A federated budget for the General Data Protection Regulation by Chiara Rustici
Reading the new Data Economy package is vital to understanding the challenges of implementing the General Data Protection Regulation (GDPR). Privacy colleagues often find it hard to view personal data in commercial terms. A digital economy, however, will require of them the ability to discern which data types can be owned and freely traded, and which data types can never be legally owned, but only handled through the data protection imperatives of the GDPR. A federated budget is an exercise in shared responsibility and quantification of the changes needed by each business function or business unit to tackle this challenge. Clear examples help understand the difference between incrementing a portion of the budget and reorienting existing budget amounts towards the GDPR goals.
Safe Harbor to Privacy Shield: A view from the USA — Part 2 by Daniel D. Corcoran
This paper looks at the recently implemented Privacy Shield, a regulatory framework which was negotiated between the USA and Europe to govern the transfer of personal data from the EU to the USA. This paper reviews the key changes from the prior regime, known as the Safe Harbor. This paper also summarises important terms and considerations under the new programme, as well as practical issues raised by the replacement of an entire digital trade framework. This paper also addresses policy and forward-looking issues, including the recent statements and actions by US President Trump, and the EU Commission’s initial responses.
Directors’ liability survey: Cyber attacks and data loss — a growing concern by Joanna Page and Madison Kaur and
The Allen & Overy LLP and Willis Towers Watson’s 2016 survey on directors’ liabilities found that directors consider cyber attacks and data loss to be two of the top three biggest concerns facing them and their company. This paper explores the results of the survey as well as recent developments in these areas, providing insight into the steps that lawmakers and policymakers in Europe have taken in recent times in response to cyber attacks and data loss. The paper identifies the increased pressure on directors to be on top of their obligations as a result of the changes in the regulatory and legal landscape in order to discharge their duties and mitigate the risk of personal liability. The paper also briefly touches on the impact that Brexit may have on European legislation.
The data protection reform and its impact on the Italian legal system: Between hopes and expectations by Rocco Panetta
The General Data Protection Regulation (GDPR) will be subject to national-level implementation over the next two years, but are we sure this will
help pave the way for the creation of a real Europe and digital single market and strengthen individuals’ rights to privacy and data protection?
This paper will analyse those aspects of the data protection reform enshrined in the GDPR that can be considered the most important for European
businesses, public institutions and national data protection authorities alike.In particular, the focus will be on:
(2)the new rules of consent in the marketing domain
(3)the role of data protection officers according to the new regulation.Furthermore, considering the need to contextualise such a change in the law of the EU with a more country-specific analysis, the author will also provide a general overview of the possible impact of the reform on the Italian legal system, according to its current laws and regulations and the jurisprudence of the Italian Data Protection Authority.
Private but parallel lives: National security and personal privacy in a European context by Chris Bellamy
The tension between the requirements of state government to exercise control as a guarantee of national and human security, on the one hand, and freedom and human rights, on the other, lies at the core of western political thought. In the 20th century, state security surveillance became more intrusive, while, paradoxically individuals’ expectations relating to privacy and human rights increased. This tension has become even more pronounced in the 21st century with the expansion of the internet and social media. The article summarises the recent development of EU rules governing data protection and transfer and the potential conflict with the UK Investigatory Powers Act 2016. The apparently irrevocable decision that the UK will leave the EU has thrown the Investigatory Powers Act which received Royal assent in November 2016 into direct conflict with EU norms. At the time of writing it is unclear whether the Act, which provides for unprecedentedly intrusive scrutiny of communications, will be operable, at least initially, in the face of continued EU influence.
EU regulation on data protection: One continent, one law and the impact of the new requirements by Fabio De Resta
This paper provides an overview of the new EU General Data Protection Regulation (GDPR), before analysing some of the new legal requirements in more detail. One such requirement is the one-stop shop — a new mechanism which will require much work at the institutional level as national data protection authorities will be obliged to maintain continuous communication with each other and to coordinate their decisions. With regard to the right to judicial remedy against data controllers, the principle of proximity is essential for the effective protection of data subjects’ rights. Again, however, this will require much work at the institutional level. The role of data protection officer, meanwhile, although established in a number of member states, remains to be fully considered in other member states. The GDPR gives all data controllers the opportunity to enhance their privacy awareness and thus develop a comprehensive understanding of all potential privacy risks in order to take the right countermeasures to mitigate them. In conclusion, the GDPR is to be lauded for addressing many of the crucial obstacles to creating a single digital market. Nevertheless, the complex process of applying the new regulation is only just beginning, and only with the cooperation of data controllers and the various European institutions will it be possible to guarantee its effective and consistent application.
European data protection laws: Learnings and implications for Indian business by R. Rajesh Babu and Suren Sista
India’s data protection law is grossly inadequate in terms of personal data protection and privacy. While India is contemplating a separate law on personal data protection, this subject is currently dealt with by various laws. Irrespective of the
inadequacies, laws of other countries, specifically the GDPR, have a direct bearing on the processing and handling of personal data in India given their exterritorial scope. This paper explores the implication of the EU General Data Protection Regulation (GDPR) on Indian business. The paper reviews the state of data protection laws in India, followed by a review of GDPR and the implications of GDPR for Indian business. The paper argues that since India aims to be counted among the best, it would be wise to ensure that data protection laws are in sync with the best practices from across the world to maintain business competitiveness and ensure a level of personal data protection for its citizens.
The Investigatory Powers Act 2016 by Lorna Woods
This paper provides an overview of the Introductory Powers Act 2016, outlining the types of investigatory powers available and the applicable oversight regime for each. It flags some key concerns relating to the various powers. While there are questions about the act’s acceptability from a human rights perspective, this paper concludes that the act is certainly an improvement on the predecessor regime.
Current perspectives on data protection in Italy Donato La Muscatella
The paper is aimed at privacy professionals with an in-depth knowledge of issues related to data protection and an interest in the Italian perspective on the topic. After briefly analysing the current institutional approach to the most significant concerns in the area of privacy policies, this contribution will provide a general overview of the current legal framework from the European level up to the domestic setting, also referring to the most significant decisions adopted by the Court of Cassation, the Italian Supreme Court. The study will reflect on the implications that such a legal background could have for current trends and will attempt to predict future developments — or criticalities — in the Italian data protection system.
Consent, its modalities, dynamics and record-keeping Georg Philip Krog
The paper provides a general introduction to consent as a legal basis for processing personal data; the definition, modalities and dynamics of consent; the data controller’s obligation to enable the data subject to exercise his or her legal power to grant, to refuse or to terminate any permission granted to the data controller with respect to processing the data subject’s personal data; and the data controller’s obligation to demonstrate consent. The paper demonstrates that, through the concept of legal power, result declarations and temporal characterisations of legal effects, one can model, engineer and design systems with actions that perform, give effect to, enforce and record a data subject’s power and declarations to grant permission, to refuse to grant permission or to terminate any permission previously granted to the data controller with respect to processing the data subject’s personal data.
(Re)quest for privacy: How to build consumer trust by Anna Aurora Wennakoski
Due to global phenomena, technical developments, and political and journalistic revelations, it has been claimed that individual data subjects are increasingly losing their faith in the privacy safeguards provided by laws today. In response, legislators on both sides of the Atlantic have been taking an increasing interest in this domain.
Nevertheless, consumers are still not necessarily better off — at least not yet. With particular regard to litigation, the challenges remain numerous. This paper examines some recent developments in the domain of privacy litigation, notably in relation to consumers and the notion of harm, as well as the associated challenges. The paper also provides a brief discussion on the Privacy Shield and transatlantic data transfers.
The right not to be subject to automated decision-making under the General Data Protection Regulation: Standard permission or default prohibition? by Lise Devloo
The right not to be subject to automated decision-making which has a legal or similar effect was originally taken up in the 1995 Privacy Directive and is thus not a new right in the General Data Protection Regulation (GDPR). The 1995 PrivacyDirective left room for interpretation of its rights and obligations, of which the EU member states have made use. Some member states have interpreted the right as a ban on automated decision-making, while other member states allow automated decisions to which the data subject can object. The GDPR is a regulation and therefore requires all EU member states to apply its rights and obligations in a uniform way. Therefore, a re-evaluation of current implementations of the right is necessary. This paper calls on the European legislators to take a clear standpoint. It also argues that the right not to be subject to automated decision-making should be interpreted as the default prohibition of automated decisions. This offers the most legal certainty to both companies and the individuals subject to said decisions. This interpretation is derived from the wording in the GDPR, the scope of the right to object to the processing of personal data, and the spirit of the law.
Pseudonymisation under the General data protection Regulation: A win-win approach? by Hajar Malekian
Under the European data protection regime, the pseudonymisation of personal data represents a prudent method of protection of personal data which tends to reduce the risk of compromising the rights of data subjects. The reduced level of the risk via this method (pseudonymisation) has resulted in a less strict regime of data protection regarding these data in Europe. Moreover, under most legal regime beyond Europe, including the USA, pseudonymised data are not considered as personal data. Of course, this does not necessarily mean that such data are not protected under these regimes.
This paper will examine the legal regime of pseudonymisation through the definition and the principles related to processing of personal data in order to show if and to what extend there is a less strict regime regarding pseudonymised data. This regime could lead to a win-win approach in respect to both data controllers/processors and data subjects’ rights and interests.
Class action and data privacy in the USA and Europe: Effective deterrent or ill-founded approach to compliance? By Joseph Srouji
and Margaux Dolhem
The class action lawsuit: a term that strikes fear into boardrooms and among executive circles in the USA, and one that provokes strong reaction in Europe, mostly as a metaphor for a litigation culture run awry. Despite the bad press, however, the class action has its backers and European policy makers have increasingly come to accept its merits, notably its potential as a way to extend the arm of government sanctioned authority and more generally to edge companies towards compliance. This paper focuses on class actions generally and specifically on data privacy class actions, which are but one litigation channel for a plaintiff to pursue when it comes to privacy violations (notwithstanding current trends for cyber security-related shareholder derivative suits). It begins by recapping the fundamentals of class actions in the USA, the historical roots, procedural aspects and current trends; it then turns to Europe, in particular to France. France offers a unique glimpse into how Europe, more generally, is attempting to leverage the benefits of class actions while avoiding the perceived negatives, most importantly by keeping lawyers at distance when it comes to initiating class actions. The paper will then cover a few other EU jurisdictions for comparison purposes and provide an overview of the most well-known class action to-date—that introduced by Max Schrems.
Bring on the PrivacyShield by Pulina Whitaker
This paper discusses the requirements of the new Privacy Shield for EU–US data transfers and alternative options for exporting personal data from the EU. It also considers how the UK’s exit from the EU will affect UK data transfers.
The future of the internet of things in the wake of the General Data Protection Regulation by Geoff Revill
With the General Data Protection Regulation (GDPR) soon coming into force, today’s internet business models face a question mark over their management of data opportunities. Internet of things (IoT) adopters will have to think even more carefully as they evolve any monetisation models that could target or inadvertently create personally identifiable information (PII). ‘Things’ are sensors or actuators, monitoring or operating upon the real world, mostly passively collecting data or changing the state of systems based on sensed data changes. As the IoT evolves, the automated sharing of such data will be required for efficient deployment and operation. So where does the new GDPR principle of accountability stand in a world of billions of devices autonomously conversing and sharing information? How do we approach the other nine existing, and strengthened, principles of the Data Protection Directive 95/46/EC that the GDPR represents when the new fines are so high and individuals have new judicial rights over the use of ‘their data’? If one is to execute one’s accountability role properly, it is essential to understand the underlying technology of the IoT and how it operates. In addition, corporate reorganisation to inculcate a duty of care towards PII across the organisation may be the only truly viable way forward for large-scale data processing.
Can a cyber insurance policy keep businesses ahead of information-security risk? By Simon Gilbert Howden.
There is a fine line between information individuals are happy to share and information people view as private, and it is essential for businesses to understand this. In addition, internal stakeholders must now be individually charged not only with protecting the data the firm holds, but also how the firm uses said data. Awareness of the value of data is at an all-time high, with regulators now threatening significant financial penalties and sanctions for non-compliance. Businesses procuring a cyber insurance policy must learn the necessary best practice controls and processes to help in the event of an information security crisis. This paper addresses a number of questions, such as whether the growth of the information security industry will bring new and innovative approaches to mitigating risk; whether cyber insurance will be integrated into such solutions, providing businesses with new forms of protection; and whether purchasing cyber insurance can help businesses stay one step ahead of information security risk.
Journal of Data Protection & Privacy is guided by its expert Editor and distinguished international Editorial Board who peer-review every article submitted for publication to ensure it is practical, authoritative and relevant:
- Editor-in-Chief: Ardi Kolah, LL.M Executive Fellow and Director, GDPR Transition Programme, Henley Business School and Founder, GO DPO®
- Jan Philipp Albrecht, MEP, Greens/EFA in the European Parliament
- Professor Rajesh Babu, Indian Institute of Management Calcutta
- Jennifer Baker, European Technology Policy Reporter
- Lori Baker, Data Privacy/Security Consultant
- Robert Baldock, MD, Clustre – The Innovation Brokers
- Aurélie Banck, BNP Paribas
- Roger Barker, IoD
- Christopher Bellamy, Professor Emeritus of Maritime Security, University of Greenwich, former Director of Security Studies and the Resilience Centre the UK Defence Academy
- Joanne Bennett, Vice President, Associate General Counsel - Commercial & Global Compliance, Hitachi
- Steven C. Bennett, Partner, Park Jensen Bennett LLP
- Nora Boukadid, Senior Manager and EMEIA lead, Cyber Security & Data Privacy Services, Ernst & Young Nederland Accountants LLP
- Alexander Brown, Partner, Head of Data Protection and Privacy Group, Simmons & Simmons LLP
- Cameron S D Brown, Independent Cyber Defence Advisor, Information Security Strategist, International Legal Practitioner and Digital Forensic Investigator
- Ann Cavoukian PhD, Executive Director of The Privacy and Big Data Institute, Ryerson University
- Dave Chaffey, CEO, SmartInsights.com
- Abhik Chaudhuri, Chevening Fellow and Domain Consultant in Cyber Security, Privacy and Policy, TATA Consultancy Services
- Roberto Colizzi, Senior Counsel, Turner Broadcasting System
- Philip Coppel QC, Barrister, Cornerstone Barristers
- Fabio Di Resta, Attorney at law, Di Resta Lawyers
- Andrew Dyson, Partner, DLA Piper UK LLP
- Dr Pierre el Khoury, La Sagesse Law School, Beirut
- Dr David Erdos, University Lecturer in Law and the Open Society WYNG Fellow in Law, Trinity Hall, University of Cambridge
- Dr Detlev Gabel, Partner, Chair of the Global Data, Privacy and Cyber Security Group, White & Case LLP
- Dennis Garcia, Assistant General Counsel, Microsoft Corporation
- Ben Gerber, Head, Data Governance & Strategy/Head, Privacy/Head, Security Strategy, DBS Bank Ltd
- Mark Gleeson, Partner (Barrister) and Head of Data and Privacy, Browne Jacobson LLP
- Sue Gold, Senior Counsel – Global Privacy EMEAI, Wyndham Worldwide
- Eduard Goodman, Chief Privacy Officer, IDT911
- Bernard Gorrill
- Hazel Grant, Partner, Fieldfisher LLP
- Ian Hamilton, Senior Partner, aSource Global Ltd
- Dr Jaap Henk Hoepman, Privacy & identity Lab, Radboud University
- Mark D Hughes, Executive Director, Institute for the Study of Privacy Issues (ISPI)
- Paul Jordan, MD Europe, IAPP
- Denis Kelleher, Data Protection and privacy lawyer, author & lecturer
- Paul Lanois, Senior Legal Counsel, Credit Suisse
- James Leaton Gray, Director, The Privacy Practice, Kemp Little Consulting LLP, Deloitte
- Michael Lester, CISO, Magenic Technologies Inc., Chairman, SecretValet LLC.
- Michael Lewis, Group Data Protection & Privacy Officer, The Admiral Group plc
- David Melnick, CEO, Weblife
- The Honourable Mr Justice Graeme Mew, Superior Court of Justice, Ontario
- Simon Morrissey, Partner, Media, Brands and Technology, Lewis Silkin LLP
- Steve Nash, CEO, Institute of Motor Industry
- Dr Phil Nobles, Lecturer, Cranfield University at the Defence Academy
- Rocco Panetta, Partner, NCTM
- Antonis Patrikios, Partner, Privacy, Security and Information Law Group, Fieldfisher
- Alexandre Pinheiro, Universidade Federal do Estado do Rio de Janeiro (UNIRIO)
- Chiara Rustici, Independent GDPR Analyst
- Samantha Sayers, Senior Associate (Solicitor) in Cyber Security & Data Protection Legal Team, PricewaterhouseCoopers Legal LLP
- Suresh S.Srinivasan, Head - Technology Security & Privacy, Vodafone
- Professor Merlin Stone
- Nick Taylor, UKI Strategy Lead,Accenture
- Martijn ten Bloemendal, European Regional Privacy Counsel,AbbVie
- Roslyn Vadala, Senior Legal Counsel – Data Privacy, Nestlé Legal, Nestec Ltd
- Fokke Jan van der Tol, Data Governance Expert
- Christian Wiese Svanberg, Chief Privacy Officer & Head of Data Protection Unit, The Danish National Police
- Chris Wood, Head of Business Compliance, HSBC