The past five years have witnessed unprecedented change in the realm of data privacy regulation. Since the enactment of the General Data Protection Regulation (GDPR) in Europe, jurisdictions across the globe have revisited past privacy laws and enacted new ones. While in general, the laws demonstrated a growing consensus that individuals have extensive rights over how their personal data is used, the particulars of the regulations vary widely.
As someone with a background in governance, risk, compliance, information, and cybersecurity, it is very important to keep up to date on the key trends in data privacy regulations and enforcement, best practices to ensure organizations remain compliant and avoid sanctions, and at the same time share expert perspective on the most pertinent issues in international data privacy today.
A brief introduction: my name is Hafiz Sheikh Adnan Ahmed. I am a futurist, technology, and security leader with over 17 years of record in the areas of ICT Governance, Cybersecurity and Resilience, Data Privacy and Protection, Risk Management, Corporate Excellence and Innovation, Digital Transformation, and Strategic Transformation.
Having worked with and currently working with organizations from government to semi-government and private sectors, I have seen a positive emphasis on “fair, transparent processing of personal data” over the last few years.
COVID-19 has caused a mass transfer of data to power remote work, meaning more personal data is being stored in more places than ever, and therefore, being into Data Privacy and Information Security for so many years, it is very important for me to wear multiple hats while working with these organizations at different levels of their maturity and compliance in data privacy within the organization.
Having a diverse portfolio under my belt allows me to work with multiple organizations in the capacity of a certified trainer, data privacy advisor, internal assessor, and ISO management systems Lead Auditor.
My day starts in a very unusual way when my kids, Azaan and Aabrish, wake up early in the morning and start jumping on our bed and leave no choice for me but to get up from bed. Working from home for the last few years gives me the leverage to save my time on commute; my only commute is from my bedroom to my office room on the same floor in my living space.
The moment I enter my office room, I ask a question to myself: what value am I going to add to my client’s data privacy and security program, and what is new that I should expect today? And the answer is remarkably simple for me: I am not here to work to earn, but to learn and to fulfill my thirst of being the best in the field; I am here to strive for excellence and success will come to me. With this immunity booster, I start my work by checking my calendar for the day and my emails. Being an ISO geek, I strongly believe in the concept of PDCA lifecycle; Plan-Do-Check-Act. Therefore, my workday starts with the ‘planning’ phase, whereby I must plan my activities for the day, including both personal and professional activities. Collaborating with different clients based in distinct parts of the world (Australia, Middle East, and the USA to name a few) brings an especially important and critical factor of time management. It is particularly important for me to prioritize my day-to-day activities to achieve goals faster. This helps me to take on new opportunities and grow in a sustainable manner. My time management skills have improved to make me more self-disciplined, have improved the quality of my work, reduced stress, opened new possibilities, and enhanced my decision-making ability.
As I finish my ‘planning’ phase for the day, in comes the Home Minister, my wife Anam, with a delicious and healthy breakfast. She exactly knows what I need and when I need it; I am least bothered about my food as that department is very well-managed by her. Part of me excelling in this field is because of her as she exactly knows what food I like and at what time, and at the same time handles the kids very smartly; therefore, her continuous support as my partner has played a massive role in my success.
After a small break, I start my ‘execution’ phase. As a data privacy, information security, and risk management SME, my daily activities revolve around a constant review of the clients’ local and global data protection compliance arrangements to include updated policies and guidance, centralizing processes, and putting in place robust, time-bound remedial plans where necessary. I also need to develop and maintain relevant global internal data privacy policies and training; develop and implement a robust compliance plan; partner with all key business areas including IT Security teams, business continuity, and business development teams to ensure data privacy issues are considered at the outset of new projects, products, and initiatives.
Serving as a Certified Data Protection Officer, I also function as a liaison to the client’s risk and data privacy committees in relation to information security, risk management, and data privacy issues. I must also investigate enquiries and issues relating to data privacy practices, withdrawal of consent, the right to be forgotten, and related data-subject rights. At the same time, I also need to monitor and keep an eye on the industry landscape to keep visibility on evolutions, trends, and best practices related to data privacy. Having a strong background in Information Security, Business Continuity, Cybersecurity, and respective ISO standards as a Lead Auditor and Lead Implementer gives me an added value to ensure that systematic compliance audits are undertaken, and their findings are reported and acted upon.
Another crucial element of my day-to-day activities includes training courses, workshops, and awareness sessions around Information Security, Data Privacy, Business Continuity, Risk Management, Cloud Security, etc. Most of my afternoons, and sometimes weekends, are allocated to conduct training courses under the banner of PECB as one of their prime trainers. I have been a PECB Certified trainer for the last 9-10 years and it gives me a valuable advantage to conduct training programs and to provide trainees with the knowledge and skills to perform better in their roles or positions.
I have been fortunate enough to have conducted data privacy and privacy management training programs with more than 150 candidates from over twenty-five (25) countries since the inception of GDPR. During the training programs, we discuss topics like data subject rights, principles of data privacy, roles and responsibilities of a Certified Data Protection Officer, Risk Management, Data Privacy Impact Assessment (DPIA), Legitimate Interest Assessment (LIA), adoption of technical and administrative controls to reduce data privacy issues and risks, incident management and the role of supervisory authorities, and correlation between GDPR and other standards and frameworks, such as ISO/IEC 27701 and ISO/IEC 29134.
After a long day’s work, it is particularly important to take a backseat and get out of my office room. I spend most of my afternoons and early evenings with my family and my two kids who have their own schedule and agenda for the day to keep me busy with them in their activities. My wife, on the other hand, leaves no stone unturned to prepare some great healthy snacks that work as energy boosters to prepare me for the next phase of my evening activities, “Monitoring and Improvement.”
My late evening activities involve “Monitoring, Compliance, and Improvement” for my clients based out of the Middle East and the USA. Living and working in Australia gives me a time-zone difference advantage and I take maximum advantage out of it by being involved in internal and external ISO Management Systems Certification audits with different clients. Over the last couple of years, I have been able to conduct audits and assessments around GDPR and ISO/IEC 27701 – Privacy Information Management Systems, among others.
The prime focus during these audits and assessments is to examine how controllers and processors manage the collection and processing of PII (Personally Identifiable Information). Since every organization processes PII and cooperates with other organizations regarding the processing of PII, it is particularly important to identify and understand the context of the processing of PII, as it has become a societal need, as well as the topic of dedicated legislation and/or regulation all over the world. During data privacy audits, a lot of discussions and evidence are collected around lawful basis of processing, the purposes for which the PII is processed, evidence that determines when and how consent is obtained from PII principals, understanding the need to conduct privacy impact assessment, contracts between processors and controllers covering all the confidentiality, integrity, and accountability aspects of PII, etc.
These and much other related evidence and its analysis give a reasonable assurance about the conformity and non-conformity of the privacy management system within the organization. I strongly believe that being an auditor gives a luxury and a chance to interact with new clients, understand their systems, and understand their business processes, which helps me to improve my knowledge, skills, and expertise in this area. Conducting audits and training programs over the years has improved my communication skills, has increased my productivity, and has given me the confidence to build better working relationships and to listen and convey my message to the audience in the best conceivable way.
Outside of my routine activities, I keep myself indulged in different volunteer activities, as I strongly believe that if I am blessed with knowledge, skills, and expertise, I should give back to the society in any feasible way. I do a lot of volunteer work with organizations like ISACA; I have been serving as a Chapter leader, working in different working groups as an advisor and mentor, and drafting articles around the topics of data privacy, auditing guidelines, AI Governance, etc. Being a certified trainer has given me the opportunity to improve my communication skills over the last few years and this has leveraged me to participate in different conferences and seminars as a public speaker and panelist.
My weekends are 100% dedicated to my family as we love to do sightseeing, driving, and enjoying relaxing at staycations with my two little munchkins. I love exploring new resorts, new cities, driving down to CBD to sit and relax with a cup of coffee, spending time under the swimming pool to refresh my mind and soul, and gearing up with some innovative ideas. The pandemic has forced me to adapt to the changing business requirements of the market, to become more agile, and to focus on the contemporary trends and technologies like AI, Blockchain, IoT, cloud auditing, etc.
In the bigger picture, I recognize myself and want others to recognize me as someone who strives for excellence, so that when my kids grow up, they can proudly say, “Dad, we’re proud of what you’ve achieved in your career.”