Building an award-winning global privacy culture

In December 2022, RX won the inaugural PICCASO Privacy Award for Best Privacy Culture Improvement. RX Chief Privacy Officer Merilyne Davies reveals how her team have built RX’s privacy culture from the ground up, and why it is so important for us to remain a trusted custodian of our customers’ data.

RX organises some 400 events in 22 countries around the world, with all the data gathering, processing and privacy safeguarding that entails. Our customers share their personal data with us to make vital business connections, and to get valuable information that will help them to drive innovation and growth. In an age of increasing regulation, security threats and customer expectations around privacy, it is critical that we are a safe custodian of that data.

When I joined RX four years ago, my first priority was to quickly understand what the organisational understanding and approach to privacy compliance, the personal data assets we hold and how we process that data. Further, as we are a global business we needed to review our compliance maturity against the requirements of all the applicable privacy and Data Protection legislation, regulatory guidance and best practice and measure our risks and gaps accordingly. It was from this analysis we were able to benchmark our compliance maturity on where we were and where we needed to be.

With the end goal firmly in sight, we set about planning how to get there by establishing our privacy strategy and building a global culture of privacy through the implementation of our privacy  programme.

Having set ourselves a five year target for delivery, our work was given greater focus and urgency by the pandemic, which led to a massive acceleration in the development and use of digital and data by RX to support our face to face business. In the event, we achieved our privacy goals one year ahead of schedule.

This was achieved in no small part to the Board-level buy-in at RX, including our CEO, Hugh Jones who has made privacy and cyber security one of our top 3 strategic priorities.  Guarding against reputational risk begins with setting the proper tone at the top, that the organisation values and embraces a culture of privacy. Having a very engaged CEO, CFO, GC and COO has enabled us to power through change and bring all our people with us.

This was supported further by the establishment of our Compliance Governance Framework, which, amongst other things, defined risk and compliance roles and responsibilities up to and including Board level. This enabled us to leverage internal support and maintain momentum in the delivery of our Programme across the organisation

I am also fortunate that for our parent company RELX, as for RX, privacy and data protection compliance is a business critical issue. Obtaining RELX guidance as well as working closely with my counterparts in Risk, Scientific, Technical & Medical and Legal there is a team of world leading experts I work with in discussing emerging privacy risks and trends, to determine policy, and develop best-practice guidance and training.

RX’s one-stop data compliance shop

In our new global privacy culture, privacy compliance is lead  by the Global Privacy Office, staffed by my amazing team of Privacy and Data Protection SMEs based in Europe, USA and the Philippines. In addition, we also have a network of trained Privacy Leads within each business unit, who their teams can go to for first stage advice on the application of legislation. In addition, every data processing activity in RX, such as email marketing, sales calls, registration and online matchmaking is now subject to a set of global privacy standards, which our people must follow. Vendors and suppliers who handle our customers’ data, are also assessed and subjected to our assessments and global privacy standards.

We have also introduced our new Compliance Shared Service Centre, which provides a ‘one-stop shop’ for all compliance assessments and approvals from privacy, cyber security to sanction screenings etc. Now, when our teams want to process personal data or use a supplier, they simply lodge a request with the CSSC. The CSSC collects all the necessary information ready for review by our compliance SMEs meaning we all work together to identify risks and establish safeguards, bringing simplicity and consistency, with faster turn-around times.

We have definitely seen a big improvement in the level of data maturity at RX. We have moved on from the ‘what is personal data’ discussions to ‘how will this processing impact the individual and what is the solution’. Our people are leading conversations on privacy compliance and how to achieve this, even without having one of our SMEs in the room nudging the conversation.  They get the importance of data privacy and the commercial value of securing RX’s reputation as a company customers can trust their personal data with.

Processing personal information is key to everything that we do here at RX and goes to the very heart of our innovation and customer experience strategies. The PICASSO awards celebrate the brightest and best in data protection. Winning the award for Best Privacy Culture Improvement is a testament to the dedication of our global privacy team and the positive engagement of our people with our global privacy culture.