I came to the data field just after finishing law school, when I spent a year working as a researcher at the Research Centre in Information, Law and Society in Belgium, my home country. Looking back, I think this was a pivotal moment where I realised I was fascinated by the impact that technology has on society and the role that the law plays in ensuring that technology is used responsibly. I then became an antitrust and competition attorney in a big international law firm, advising clients across various sectors. Fifteen years ago, when the opportunity came to decide whether to dedicate myself to privacy and data protection, I didn’t hesitate. Of course, back then I was convinced I was saying goodbye forever to my competition law expertise. Who would have thought that many years later it would be a valuable lens through which to assess risks relating to the use of data and technology in our digital age?
Let me mention two key career highlights. First, I played an instrumental role in creating Trūata, an EU trust, designed to provide a data anonymisation and analytics solution to Mastercard and other companies in compliance with the GDPR. Trūata enables data to be leveraged for important societal purposes like urban planning, all while protecting people’s privacy. This is a great example of how we have turned what many conceive as a compliance burden into a business opportunity.
I also led Mastercard’s efforts to implement legal mechanisms to transfer personal data across borders. In particular I spearheaded the adoption of Mastercard’s binding corporate rules (BCRs) back in 2015. We were able to get our BCRs quickly approved because we demonstrated that we apply very high privacy protections when we transfer the personal data from our cardholders, customers, partners and employees globally, which was no small feat! Shortly afterwards, Mastercard obtained certifications under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules and Privacy Recognition for Processors systems to transfer data freely within the APEC region. Our BCRs and APEC certifications are significant external recognitions of Mastercard’s leadership as an accountable and trusted organisation, which is something of which I am very proud. I have also recently been appointed to the UK International Data Transfer Expert Council, alongside 19 other world-leading experts on this topic, to help promote trusted data flows globally.
In terms of challenges in data law, in my role I advise the company on issues that support Mastercard’s technology leadership, including privacy and data protection but also cybersecurity, data portability and open banking, data localisation, digital identity, blockchain, machine learning and artificial intelligence. It’s a long list that keeps growing!
Today, when you look across the globe, we face a patchwork of laws and regulations on data and technology. This increases compliance and technology costs and makes it confusing for everyone, but particularly for individuals trying to use digital services and businesses trying to navigate diverging legal requirements. At Mastercard, we believe global interoperability between these laws will be a critical step to reduce the burden of doing business and provide legal certainty to the benefit of all.
More generally, I think we face a major trust deficit in how governments and organisations collect, use and share people’s data. A common adage in the business community is that trust takes years to build, seconds to break and forever to repair. Guess where we stand? We’ve all lost track of the number of data breaches that have happened or the investigative journalism stories that have revealed ways our data is being collected and shared without our knowledge and permission. Re-building peoples’ trust has become a priority for many governments and organisations around the globe, but they’ve got their work cut out for them.
Organisations have a role to play to build or re-build trust in how they handle data. I advise my organisation to be proactive and incorporate privacy as part of our corporate strategy. I have helped Mastercard develop our Data Responsibility Imperative, which includes a set of consumer-centric principles that guide all our data practices globally: “When it comes to your data, you own it, you control it, you have a right to benefit from the use of your data and we’ll protect it.” Concretely, this means that wherever your data goes and flows, we’ll protect it with the highest privacy and security protections. Always. These principles have the benefit of being really easy to understand for anyone, and they apply everywhere, irrespective of the law, country, and technology. They help us instil a culture of privacy and data responsibility across the company.
To put these principles into action, we co-design our products, services and technologies to place the individual at the centre of all we do. We work hand-in-hand with our product development teams and our data scientists to ensure our innovations not only comply with laws like the GDPR but also fully align with our Data Responsibility principles. This is cutting edge Privacy by Design, it requires a lot of partnership and co-creation, but it is definitely worth it.
Let me highlight three emerging areas that I am watching very closely. The first one is cross-border data transfers. This is the lifeblood of our global digital economy and society. Today, we face increasing restrictions on cross-border data flows, including data localisation requirements. This creates enormous complexity and can result in higher costs, decreased innovation and security vulnerabilities. This harms everyone, in particular small businesses and consumers. There must be a better way to make the digital economy work for everyone, everywhere.
The second area relates to technology. Emerging technologies like artificial intelligence have the potential to bring benefits but also come with risks for people and society. This is why policymakers and regulators around the globe recognise that guardrails must accompany the deployment of AI. Promoting the uptake of trustworthy AI in a way that mitigates potential harms will require a collective effort and dialogue between governments, civil society and industry.
My third area of focus is our privacy talent. This is our biggest asset. The challenges facing privacy professionals are unprecedented. How do we equip them with the right tools? How do we upskill them to successfully navigate this new world? We expect from them not only legal/compliance skills but also a creative mindset and an ability to advise on sophisticated analytics, algorithms and technologies. They also need robust communication and persuasion skills to effectively communicate with a broad audience, ranging from IT geeks to auditors up to their company CEO and Board.
Too often we see policymakers focus on a particular area of concern, in a silo. They have perhaps missed one of the key learnings of the last decade: every sector, everyone and everything is interconnected in our global digital economy. Rules that you think might only apply to one part of the economy often turn out to have a much broader impact. We end up with a patchwork of laws and regulations that overlap, sometimes diverge or even conflict with each other. In order for our global digital economy to work for everyone, everywhere, it is critical to break silos and work together. Getting it right will require a collective effort between governments, international bodies, industry and civil society.
In addition, privacy and data-related topics have become more and more complicated – just think about the challenges we face today around cross-border data transfers or AI. There is a risk of losing ourselves in jargon, legalese and administrative complexities. We tend to overlook that this is all meant to protect people and society. We must work hard to translate legal requirements into simple concepts and pragmatic guidance, that are easy to understand for everyone, in particular for individuals.
In terms of challenges to gender equity, as the mother of 11-year old twin boys, I face similar challenges to many working moms out there. Achieving the right work/life balance is a struggle for everyone, but a different kind of struggle for women because of the societal and family pressures that can weigh on us so much more than our male counterparts. As the head of a large global team now, I try to lead by example. Last summer I took two months of parental leave to spend more time with my family, which was fully supported by my team and Mastercard’s senior management.
Regardless, I think making individual wellbeing a priority, irrespective of gender, has become even more critical since the pandemic, as the lines between work and personal life have become increasingly blurred. Finding what works best means different things to different people, but my goal is to make sure that each person on my team finds the right balance, depending on their personal needs and circumstances.
It is hard to tell whether it is gender, education, personality or all of them that give us a different perspective in a specific situation. This being said, there is some research that suggests that women are better leaders in a crisis. A study that appeared in the Harvard Business Review compared overall leadership effectiveness before and after the pandemic. One of the theories explaining the findings is that female leaders are more likely to express awareness of fear and concern for wellbeing. Essentially our strength in interpersonal skills like communication, collaboration and relationship building take on a new degree of importance when a crisis is happening. Personally I believe these sorts of skills are essential outside of a crisis too. It’s only with multi-stakeholder and multi-jurisdictional collaboration that we’ll manage to solve some of our greatest societal challenges.
The data field has definitely evolved to be a more women-friendly space than when the internet first began. I actually have a majority of women on my global team, and I am sometimes getting concerned about a women-dominated data practice… But joking aside, I work hard to promote diversity on my team at all levels, including gender but also geography, culture, race and backgrounds. This is part of the recipe to have a dream team!
A piece of advice I would give aspiring data lawyers and professionals is to bring your whole self to work: the diversity of backgrounds and experiences is definitely a plus for anyone dealing with data.