News Our Knowledge, your Advantage

Welcome to fourthline. Connecting Regulatory Expertise.

Job search

Advanced Search
Industry Expert Q&A: David Sinclair, Director, Free That

We spoke to David Sinclair, a market leading data protection and privacy SME and Project Manager in our network about the key challenges of ensuring a strong information governance culture.

David is an Interim Consultant with 20 years’ experience within information governance, currently contracted with various clients and Director of

​1. What are the main challenges faced by firms in relation to data protection and privacy? 

Information Asset Management – knowing what personal information is held, where it is held, in what format, who owns the asset and what the information is used for goes to the heart of modern personal information management. Both the Data Protection Act and the new GDPR require controllers to have that awareness so that there is no ambiguity over how and why they are processing information. For example, do companies know on what basis they are processing information?  Is it consent or some other condition, or a combination? Is it clear to the end user/customer how their information will be used?

Contract Management – particularly in this age of cloud computing, knowing who is handling your information and where it is going is essential if companies are to remain compliant with the territorial restrictions in the legislation. This is particularly relevant for hosting solutions where data may be switched through multiple data-centres as part of traffic management. Knowing where data resides is also essential as it will have a direct impact on the security solution employed by firms.

Secondary usage of personal information – companies looking to take advantage of their assets and increase the value of the information must be careful not to overstep the mark in terms of how that information is used. Internal secondary usage is common, but still requires at the very least, informed consent. Usage by another organisation needs explicit consent and it is too easy to miss that when considering transfers.


2. How can Information Security and Compliance teams effectively collaborate to ensure key regulatory changes such as GDPR are embedded into standard processes?

There are a number of ways in which this can be achieved and companies can use all or some to significantly improve awareness of privacy issues within the technology space.

A) The best way to ensure that these teams collaborate is to build the use of privacy risk assessments into project governance so that privacy leads can identify at an early stage what information risk issues need to be resolved. By building the assessments into governance means that project boards can be provided with the assurance that the key risks have been controlled.

B) Revisit the organisational structure. Many organisations place privacy compliance within a legal/corporate section of the organisation and information security within IT. An alternative would be to bring together these disciplines into a new team that takes responsibility for managing information governance. This allows them to work independently (to an extent) and cut across organisational boundaries when assessing and managing information risks.

C) If organisational redesign is not an option, then simply arranging regular meetings between the two teams to discuss key pieces of work so that similarities/synergies can be identified will go a long way to ensuring that major legislative requirements are factored into existing and new practices.

D) Run workshops on the legislation focusing on specific areas that impact on information security. This allows the infosec teams to identify what changes would be required to comply with the legislation and build those into current processes/protocols.


3. As a Data Protection specialist, how do you ensure you provide maximum value to clients, and ensure that a client doesn't remain reliant on you forever?

Firstly, it’s important to establish boundaries and set expectations. Usually I’m coming in to resolve a specific issue or provide cover in the absence of a permanent post. Where a permanent position hasn’t existed, it is essential to set specific deliverable's; one of which will always be establishing the permanent post. The remaining deliverable's will all have some form of constraint; be that time, budget or outcome. By setting such constraints, it enables the client to track progress and be focused on the fact that I won’t be there forever. I also set expectations around the time spent on the client and I then commit to spending that amount of time on the client exclusively. This allows me to direct all my resources for that period, thus ensuring that the client gets the best value from me.


4. When should a client move away from relying on contractors for Information Governance capability?

As soon as possible. Information governance isn’t just a discipline – it’s a culture. Whilst contractors can effect change and manage the cultural impact initially, in the long run that culture can only be effectively handled by a permanent employee. The reason for this is that for information governance to be effective, all staff must be engaged and recognise how good governance improves their work. Permanent staff have a vested interest in successful information governance – something that a contractor can never truly have other than as part of their portfolio of success.


5. What are the main advantages to using an independent interim, compared to one of the Big 4 Consultancies?

Whilst not wishing to contradict my earlier answer, one of the main advantages of using independent SMEs is that we are heavily reliant on our reputation to secure the next role. Being successful is paramount and therefore there is a vested interest in success. Another factor is that with independents, there is unlikely to be any changes in personnel during a contract, thus guaranteeing continuity for the client and making it easier to establish trust between the client and the SME. Independent contractors are also in a position to make/accept contractual changes without the need to refer back to the parent firm for approval. This allows for much faster resolutions and can get work completed more effectively.


For further information on Data Protection associates in our network or job opportunities we currently have, call 0161 457 1145. 


Share this article: