Robert Grosvenor is a Managing Director with Alvarez & Marsal in London. He leads global privacy and data compliance services and brings more than 20 years of experience advising on global and cross-border privacy, data governance, records management and related data regulation requirements.
Mr. Grosvenor has significant experience designing, delivering and maintaining global privacy programs involving strategy, governance, risk management, operational compliance and project management. He has supported clients with the compliant management of data as part of their digital transformation and data strategy initiatives including AI governance and data ethics and compliance across the global digital supply chain.
Recently, in an exclusive interview with Digital First Magazine, Mr. Grosvenor shared his professional trajectory, insights on why data privacy is more important than ever in today’s AI-driven age, the two key skills required to be a successful data privacy leader, future plans, pearls of wisdom, and much more. The following excerpts are taken from the interview.
Mr. Grosvenor, could you please tell us about your background, your career path, and how you got to your position today?
I studied English and European laws at university but early on in the course I knew that I did not want to be a typical corporate lawyer. I did enjoy learning about intellectual property and competition law where there were strong overlaps with technology, economics and business strategy. I also really enjoyed the opportunity to study abroad under the Erasmus scheme, spending a year at the University of Nijmegen in The Netherlands where I was able to focus on European and international comparative laws.
After graduating I was fortunate to be selected for an internship at the European Commission in Brussels in the Directorate General for Competition where I worked on some major infringement actions involving abuse of dominant positions in the automotive sector.
Whilst I was in Brussels, Deloitte Belgium was creating a new legal department focused on Technology, Media and Telecommunications. I was always interested in computing and technology, so I thought this might be something interesting to do for six months before deciding what to do with the rest of my life. In reality, this was the start of a 13-year career with Deloitte, spending seven years in Brussels initially working with companies during the dot com boom of the early 2000s including working on some of the first pan-European internet-based trading and banking platforms and ecommerce initiatives. I really enjoyed working in an area where there was no clear rule book and often involving a complicated web of different European, national and sectorial laws and regulations based on bricks and mortar business models and new emerging ecommerce rules. Working with business leads, developers and lawyers in real-time was exciting and I got to learn a lot about not only the technology platforms being developed but also the business models supporting them. The bursting of the dot com bubble coincided with the rise of data protection laws in Europe and, in particular, implementation of the EU Data Protection Directive. I subsequently moved into Deloitte’s enterprise risk area, where I learnt a lot more about risk management, auditing and information security. Combining legal, compliance, and risk management, I was again fortunate to be in the right place to find myself involved with some of the first European and global privacy programs for major companies in the life sciences and financial services sectors.
In 2006, I moved back to the UK and helped build out privacy and data protection services at Deloitte in London within their financial services audit and advisory practice. Again, I had opportunities to work on a range of projects across industries and also in the public sector.
In 2011 the opportunity arose to join Promontory Financial Group (now part of IBM), where I had the chance to continue working with a small number of colleagues who also moved over from Deloitte. I helped to support building out this team, focusing on global and multi-national privacy and data related regulatory challenges for organizations across financial services, life sciences, technology and media. At Promontory we were able to build a team of experts dedicated to privacy and data protection where we could serve the real-world challenges of corporations seeking to deploy global technology and business strategies across, in some cases, hundreds of jurisdictions. Whilst many of the team had legal backgrounds, I think the key value we developed was the ability to engage a range of key stakeholders across the organization including business, technology, cyber risk and the internal control functions. Often, we were able to help the General Counsel and their team align their needs and concerns with the business challenges, allowing senior management to understand their options and make informed risk-based decisions that also allowed them to explain to regulators and investors how they were addressing their key corporate values, regulatory obligations and risk management priorities.
2020 brought an opportunity to move to Alvarez & Marsal, and with it the chance to work for Phil Beckett, a friend that I have known since we were about eight years old. Phil leads A&M’s Disputes and Investigations practice in EMEA, and had established a highly regarded digital forensics, e-Discovery and cyber risk department. This expertise and experience align well with our privacy and data compliance consulting services – particularly as clients look to address holistic data governance and enterprise-wide data strategies. Companies are facing challenges around increasing global pressures regarding data governance and risk management, and our services provide them with a single team that offers a combined skill set across privacy, data compliance, cyber risk and data management.
What is your favorite part of working at Alvarez & Marsal, specifically covering privacy & data compliance services?
Every day is different, and I really enjoy working with other parts of the A&M firm. For example, we may be pulled in to support a major insolvency matter where we assist the administrators in managing GDPR compliance obligations or challenges around the management of large or sensitive customer data sets. Another day we may work with a Private Equity firm to assess the privacy and data compliance risk of a target acquisition or investment. I enjoy the variety of work, ranging from working with the advisory board and senior management looking at corporate governance for data, building a target operating model for a new privacy or AI governance function, or getting our hands dirty designing and deploying privacy compliance-related controls into specific business processes. I also really enjoy learning and adapting to changes in global data laws and regulations, through the adoption of new data strategies and technology innovation by our clients.
Do you observe fundamental changes and evolutions in the domain of personal data protection and its perception?
It feels like my whole career has been a journey in the evolution of data protection and privacy, from a minor administrative compliance function centered around aspirational general principles, to a critical part of corporate decision making and enterprise risk management. In particular it has been fascinating to see how data laws have developed globally and how cultural and social differences have impacted their interpretation and adoption.
Why is data privacy more important than ever in today’s AI-driven age?
It feels like we are at a critical inflection point as a society with the widespread adoption of AI-based technologies and with it greater reliance on responsible data management. This is both in the sense of respect for individual and societal rights and interests, but also the significance of data quality, security and fair practices when it comes to building and using data-driven tools to unlock commercial opportunities. Like the challenges I saw early in my career with the development of online services, corporations face similar challenges in mapping a path through complex and emerging competition rules, online safety and consumer rights laws, digital assets and intellectual property, corporate social responsibility and the emergence of digital ethics and AI governance that extend well beyond traditional privacy and data protection rules.
What would you describe as a robust data security strategy?
Data governance needs to address and balance often competing obligations, issues, risks and opportunities. Specifically, organizations need to move from paper-based policies that set out general intents and aspirations, to build organizational frameworks and models that are capable of defining and tracking key risk and compliance priorities that can be translated into actionable and measurable objectives and controls. This involves collaboration across the company in terms of alignment between policy objectives, control requirements and adoption and ongoing assurance monitoring across business lines and corporate functions. It is about bringing together the right policies with the right skill sets and experience, that can then leverage appropriate technology and tooling – rather than selecting a technology solution that is then expected to address all of these risks effectively.
What do you believe will be the key trends likely to emerge in data privacy over the next 5 years?
Currently we often see privacy “owned” by legal or in some cases information security. For effective privacy management, there needs to be a combination of legal and technical skills that are supported by effective operational compliance and monitoring. I see the evolution of certain groups within a privacy function that bring capabilities to the organization across different domains. This could include government affairs inputting around regulatory policy and industry standards, privacy counsel whose role is in interpreting rules and addressing claims and enforcement challenges, privacy engineers who can assist in implementing privacy-enhancing technologies and embedding privacy design directly into new products and services, and privacy assessment teams who can monitor compliance and recommend ongoing operational improvements. We will also see AI itself being used to greater effect in facilitating privacy compliance and risk monitoring.
One key trend is going to be increased oversight and visibility to senior management who see the impact that data breaches, enforcement and a breakdown in consumer trust can have on the business. We’ll also see business strategies that leverage the commercialization of customer profiles and the use of related data sets for the training of AI models or advanced analytics which may see significant improvements in productivity or sales. Providing relevant and accurate management information on privacy and data protection risk and compliance is going to be key to maintaining confidence with senior management and in shaping future data strategies.
What advice do you have for other privacy professionals in terms of gaining experience, knowledge, and being able to find and implement solutions for companies?
Privacy professionals should seek to position themselves as enablers rather than being perceived as a roadblock to innovation or business objectives. I think privacy professionals can play a pivotal role in terms of building key relationships across the organization. You should be there to advise the business and support appropriate risk-based decision-making, as opposed to being seen as the owner of privacy risk. I think there are also opportunities to build your own external network with fellow privacy professionals that can assist in both understanding and validating trends and developments, and also being able to build your own reputation as a subject matter expert.
What are the 2 must-have skills a Data Privacy leader should have?
Subject matter expertise and keeping abreast of regulatory and industry developments. One of the key skills is the ability to understand the devil in the detail but also the ability to step back and identify the key objective or driver. This is essential to help define options and approaches which take into account legal complexities but also appreciate risk and impact so that global and regional strategies and requirements can be defined and implemented by the business in an effective – and efficient – way.
Communication skills are key. Developing soft skills such as spoken and written communication styles for different audiences, as well as building confidence in presenting – particularly to a senior audience – are valuable for data privacy professionals.
How do you stay up to date with industry news and updates regarding data privacy?
I have a great team that is constantly monitoring regulatory and industry developments through a range of news channels and subscriptions. Attending industry events, joining webinars and talking to organizations, regulators and peers is also a useful way to level set on issues and priorities.
Where do you see yourself in the next 5 years?
A&M has provided me with a great platform to do the work I love with a wonderful mix of clients. I hope that in the next five years I will continue to develop our privacy and data compliance expertise with A&M globally. As we get to grips with the impact of AI and the implications for our clients, I also expect the scope of the AI governance services I have established will continue to expand as we see the proliferation in AI-specific laws and industry standards emerge.
What is the advice you would like to share that will help small businesses protect their data?
It is essential to understand your organization when it comes to what type of data you are collecting, how it is being used across the organization and what specific challenges and issues you face in terms of meeting the expectations of customers, regulators and business partners. This way you can focus your resources and budget on the things that really matter. It is also important to consider your current and future data and business plans so that you can build in the capabilities that allow you to legally use the data for future business purposes.
Increasingly we see a lot of data processing activities outsourced to a myriad of technology and business solutions providers. It is important that you consider privacy vendor risk management both in terms of your responsibilities and liability for providers under the relevant data protection laws, but also in terms of defining key issues such as data ownership and the extent to which you wish any third party to be able to use data for their own business purposes and how this aligns with the legitimate expectations of your own customers.