As part of our 2-minute interview series, we sat down with Eric Bedell, Chief Privacy Officer EMEA/Luxembourg at Franklin Templeton Investments, in preparation for the Benelux Virtual Cyber Security Summit! With over 20 years of experience in the Privacy and Security field, Eric leads a global team of privacy professionals to create a holistic privacy program that can be blanket applied across his entire organisation.

Read on below to see what he thinks about the current state of data privacy, how the threat landscape is affecting Benelux corporate entities, and how his work remit has evolved over the past few years.


In a nutshell, tell us a bit more about your current role at Franklin Templeton? 

I am the Chief Privacy Officer for Franklin Templeton, leading the Global Privacy Office, in charge of creating, deploying and managing FT’s Global Privacy Program.

We are reusing all privacy law requirements (GDPR, CCPA, etc.) to build a common set of elements, fulfilling privacy principles, and expand them globally instead of implementing one-off local ones.

What are your main security concerns and what are you prioritising at the moment?  

The main priorities for the moment are:

  • The development of our global ROPA (record of processing activities), listing all FT practices using or collecting personal data, and risk rank them using PIA (privacy impact assessments)
  • The creation of global privacy documentation (privacy policy and notices)
  • The automatic scanning and detection of personal data in all our systems and unstructured data

As for the security concerns, the main one would be our vendor and third-party risk management.

Have you seen any recent shifts in the cyber threat landscape? And, how is this affecting the Benelux corporate entities? 

We have seen more targeted attacks (fewer out-of-the-box ones). We have not directly suffered from such attacks recently, but some of our vendors or peers have.

What are the 3 main cyber challenges to tackle in Luxembourg today? From your findings, do you think enough is being done to properly address these issues?

This is no longer my daily job (being in privacy now) but I would say:

  • Vendor chain, as the system is as strong as its weakest point
  • Phishing still remains very highly used
  • And because of the first 2, employee training is key, but not always easy to deploy.

I think the Lux-based companies having a CISO are addressing that properly, but we still see companies thinking about cybersecurity as a second thought (usually where no CISO is appointed).

What have been the main challenges associated with the spread of COVID-19? How did your organisation respond to them?

To be honest, our company did great (working from home being in its DNA for a long time).

The main challenges were mostly to make sure all remote connections were supporting the load, which they did.

Has the transition to a remote work environment affected the processing of personal data?

Not really, again, all processes were designed to offer the “work remotely” possibility.

Have you seen the role of the DPO evolve and, if so, who or what is leading this shift?

Clearly, the DPO is now embedded into many other areas, like marketing strategies or HR diversity monitoring programs.

Even if the DPO is supposed to be just advising, more and more they have to give sign-off or approval on plans.

I think many companies realised that adding data protection after the project is deployed is very costly and not always efficient, so the DPO is involved sooner now.

Also, the global privacy landscape is evolving so fast that plans need to be made considering principles, knowing many will still pass in the next years.

Has the relationship between the CISO and DPO changed over the past 2-3 years? 

Not that I have seen myself. Maybe the distinction between the 2 roles/teams has become more obvious nowadays.

In which areas should CISOs and DPOs increase their collaboration in order to address tomorrow's challenges?

As a leitmotif, I think cooperation could be increased in vendor/third-party management.

There are numerous challenges when appointing a data processor and one of the biggest is definitely the cybersecurity aspects.

One of the most important steps would be to have common questionnaires to perform due diligence and maybe add information security clauses in the contract on top of the privacy requirements.


Eric will be joining us on day 2 of the Benelux Virtual Cyber Security Summit for:

  • A Live Panel Discussion at 10:50: ‘GDPR 2-Year Anniversary – A Look Back and Ahead’ with other experts from Hôpitaux Iris Sud and Quintet Private Bank
  • A Fireside Chat at 14:00: ‘Data Privacy as the New Strategic Priority, a DPO and a CISO in Conversation’ alongside Alain de Maght, CISO/DPO, Hôpitaux Iris Sud.


Join Eric and other leading cyber security experts at the Benelux Virtual Cyber Security Summit on 22nd – 23rd September for actionable insights on: cyber resilience post-pandemic, aligning digital transformation & cyber risk, promoting a cyber-aware company culture, how to approach security-awareness training, and more!