Head of privacy | Rio Tinto
Carolyn Lidgerwood
What has been the number one challenge that has impacted you over the past year?
I lead Rio Tinto’s global data privacy programme across six continents and thirty-five countries. The challenges facing me, and data privacy lawyers everywhere, are related to three key trends: First, the growth of personal data is exponential. Engaging with the modern digital world (including connected devices) means more personal data is generated constantly about where we go, what we buy, what we look at, and how we work. Second, companies are increasingly tempted to generate and hold on to personal data, assuming that they might need this to gain valuable ‘insights’ in a world of data analytics. Third, this is happening in an environment where: (i) data breaches are headline news. The damage caused by data breaches (to the people and the companies involved) is pronounced. If Australian executives were not paying attention to data privacy previously, then they should have been by the end of 2022, with unprecedented coverage of serious data breaches in the telecommunications and health insurance sectors; (ii) human error is currently a leading cause of data breaches (according to regulators and many large companies). Whether due to ‘cutting corners,’ a lack of care or a failure to follow the training, ‘root cause’ analyses and regulatory reports of data breaches illustrate that it is challenging to address; and (iii) data privacy laws around the world are increasing and maturing significantly. It is common to see countries with no data privacy laws of substance enacting new laws based on the EU General Data Protection Regulation (such as Mongolia and South Africa) and ‘mature’ data privacy jurisdictions strengthening their laws, such as Australia and Quebec.
In this context, identifying the ‘no.1 challenge’ over the past year is not straightforward! However, ensuring proportionality and data minimisation in personal data processing is a big challenge. This requires only collecting the amount and type of personal data that is genuinely needed and by fair means. In practice, that can mean advising business clients not to use certain intrusive technologies or involve excessive personal data processing (such as biometric data processing), notwithstanding that other companies are doing so. It also means maintaining a focus on what is ‘compliant’ (applying principles-based law) and what is an ethical and respectful way to treat people and their data. Our business clients need to know that if personal data is collected, there are data privacy obligations – which translates to additional work for them!
But if personal data is not collected, those obligations do not arise.
As a leader of a legal team, what have you most enjoyed over the past year?
Since the start of the Covid-19 pandemic, I have hired three new team members entirely remotely in Australia, the US and the UK. Thanks to technologies like Teams and Zoom, we have been working remotely ever since. Recently the four of us were all able to meet face-to-face for the first time. Working around a table in the same room together was more enjoyable than I would ever have expected pre-Covid! There was great productivity, and we got to know each other much better. It made me appreciate how good the team is and how much we can achieve together – a particularly satisfying feeling!