WoW Woman in Tech | Natasha Singh, Data Protection Specialist and a Principal Consultant at Gemserv

Interview by Marija Butkovic

Natasha Singh is a Principal Consultant in the Cybersecurity and Privacy Practice at Gemserv. She has 11 years of experience in regulatory risk and compliance. She specialises in privacy, new technologies and global data protection law. She supports organisations with their global privacy programs, governance and privacy by design. She is also the outsourced Data Protection Officer of her clients operating in several sectors.

Gemserv is an expert provider of professional services in a world driven by data and technology. The company provides high-quality consultancy and outsourced services to support the digital transformation and data revolution in health and care by partnering with providers, commissioners, integrated care systems and health tech vendors.

Natasha, tell us a bit about your background and your projects so far!

I am a Data Protection Specialist and a Principal Consultant in the Cybersecurity and Privacy Practice at Gemserv. I lead on the design and implementation of data protection programs for multiple organisations which operate in complex multijurisdictional environments. 

I am also the Outsourced Data Protection Officer (DPO) for my clients in diverse sectors such as retail, information technology, energy, finance, construction and health. Having worked on multiple privacy programs for small, medium-sized and large organisations in a fast-paced dynamic environment, I have gained invaluable hands-on experience in data protection governance.

As a DPO, I am tasked to provide tailored, practical advice and guidance to different stakeholders in businesses on several matters, ranging from privacy by design, data sharing, to ePrivacy, etc. I participate in their data protection and security forums, helping my clients monitor their data protection obligations. I also assist my clients with the implementation of new technologies (such as critical national databases, digital platforms, apps) by conducting data protection impact assessments and addressing privacy challenges arising. 

I have a keen interest in the regulatory, ethical, social and commercial frameworks governing information technology at the European and global level including: online privacy, information rights, e-commerce, and health technology in this digital and big data era. I have studied law and I hold the Fellow of Information Privacy (FIP), CIPP/E (Privacy Professional for Europe) and CIPT (Privacy Technologist) certifications from the IAPP (International Association of Privacy Professionals). 

Data protection is an ever-evolving and dynamic discipline and learning is never-ending. It has been a steep learning curve but an incredibly rewarding journey so far. I absolutely love what I do!

How did you get into this industry? Has it been an easy industry to get into or have you had many challenges?

I come from a family working in law enforcement in Mauritius. ‘Protecting’ and ‘defending’ are our lifeblood; I grew fond of law in my childhood. I worked in compliance for many years, primarily, in the offshore financial industry of Mauritius, which is a corporate tax haven as you may be aware, exploring the world of Anti-Money Laundering and combating the Financing of Terrorism; helping the Financial Services Commission find criminals through their financial transactions. After I moved to England, I wanted to specialise in a field of law which would be a natural progression from my studies and compliance background. 

I was following the debate on the advent of a new law closely – the ‘General Data Protection Regulation’ (GDPR). I thought it was going to be impactful, a significant milestone for privacy and the protection of individuals and have a far-reaching effect, not just in the EU but outside of the EU as well. After attending several training sessions for upskilling, I chose it as my area of specialism. I made the right decision. 

I had the opportunity to join Gemserv as a consultant, and it’s been fascinating to learn on the job how data protection is applied in many industries and understand the local cultural divergences in several territories. 

I will perhaps never forget the date ‘25th May 2018’. The first months in the lead-up to the GDPR coming into effect left their mark on me and our clients generally. Due to the strict penalties and the open-ended nature of the legislation, companies did not feel confident in their level of compliance.

Some had set internal stringent deadlines with the aim to achieve all actions on their project plan with the fear of being fined on 25th May 2018, this day being seen as the ‘doomsday’ while some decided to take a more strategic approach by working on a priority basis. I worked tirelessly to help my clients in their compliance journey. 

Now that the most hectic side of the GDPR compliance wave has passed (although I think many organisations remain non-compliant), my clients are now more focused on outsourced advisory services. 

I get asked a lot of questions and I must be able to help my clients find solutions that would work for their business model. I also need to be aware of other laws and standards that have an interplay with data protection such as ePrivacy, competition law, human rights law, law of confidentiality as well as technical standards such as ISO27001, cybersecurity standards, etc. 

Although one of the main aims of the GDPR has been to harmonise data protection law across the EU, it does allow member states some discretion on the application of the law and introduces broad derogations on some areas. So, having knowledge of these is important to advise organisations which operate across the EU. 

To be able to provide up-to-date advice to my clients, I also need to stay on top of privacy issues and trends, by following the Supervisory Authorities and known privacy leaders. 

Also, as the world we live in becomes more digital, the more engaging my job becomes looking at the privacy implications surrounding mobile internet and cloud tech, collection of large and complex data sets, data sharing economy, and the internet of things. I believe this is what makes this discipline highly progressive.

What does your current job role entail?

No two days are the same! I must be efficient with time and be able to multitask. I can be advising on specific matters, drafting or implementing the requirements; on some days, I might need to resolve issues that crop up and drop everything else, for instance, data breaches. I also enjoy nurturing the junior members of the team and helping them in their development. As a team, we are very much invested in collective learning and upskilling to bring the best services to our clients. I also need to keep abreast of potential risks and opportunities offered by technological advances to encourage data protection by design and default into the innovation process.

What projects are you working on at the moment?

I am involved in several projects at a time. However, my most exciting projects are probably those related to technology in the health care sector, given the nature and sensitivity of the data. I am working on a large information governance project for the Department of Health and Social Care of a British Crown Dependency, quite a complex project but very interesting from a data sharing perspective. I am closely assisting some innovative health tech companies in launching their digital services. It is satisfying to help them right from the conceptual stage and make an impact from a data protection by design perspective. 

You will be speaking on behalf of Gemserv at our virtual global conference about FemTech on June 25 - FemTech Forum. The topic of the panel is 'Balancing Trust, Privacy and Innovation in FemTech'. Could you tell us a bit more about Gemserv's expertise in this space, why it is so important for startups to know about handling data privacy and security, and what are some go-to pieces of advice you could give to any startup in this space?

At Gemserv, we work with start-ups, medium sized and large organisations, providing them with data protection and cybersecurity services. Our start-up clients are mainly providers of technological platforms to a B2C audience and have a customer base in the UK and the EU. 

It is very important for them to know about data protection and security. The collection and use of information, especially personal data, is increasingly important to companies, but it is affected by data protection regulation to safeguard people’s privacy. One of the central tenets of the GDPR is data protection by design, which says that looking after the security of personal data a business is entrusted with should be at the heart of the business.

The GDPR has a sweeping effect, regardless of the size of an organisation, be it a start-up or a large organisation. A breach can lead to a fine, the maximum fine under the GDPR being €20 million, or 4% of an organisation’s global annual revenue, whichever amount is higher. The GDPR has changed the enforcement environment. Such figures might mean nothing for big companies, but it could have a dwindling effect on the finances of a start-up. 

Merely focusing on the fine aspect, just for the sake of being compliant, is not going to allow a start-up to benefit from the regulation. In my opinion, data protection presents opportunities. It is a risk management tool and is central to the general strategy of a business. Start-ups must embed it from inception and nurture its development throughout their growth journey. In my experience, the advantages of adopting such a position are as follows:

  • Encourages security – Privacy and innovation must sit side by side. Companies must adopt privacy by design (PbD) frameworks to protect personal data without creating obstacles to their business activities and innovation. A successful framework is one which is tailored for their business purposes, risk-oriented and translates operationally by looking at data-oriented, process-oriented strategies, and privacy security tools to inform investment decisions at the very early stages of a process, system, service design rather than trying to retrofit privacy later on and incur additional costs for changes. 

  • Attractiveness to customers – Consumers are becoming a lot savvier when it comes to the awareness of their rights. The more data is collected and used on the basis of transparency and trust, the better services will be created from a customer point of view, as they will address one of the individual’s main concerns which is the control and protection of their personal data. I would see trust as the new currency to drive business growth. It is challenging to have innovation without trust. 

  • Attractiveness to investors – Start-ups must include GDPR as part of their business strategy and a way of generating trust with investors in their business models to attract further investment.

  • Trusted partners and reputation management – In the course of business, start-ups will engage with various partners with whom they will share data. Market reputation can be easily damaged in a case of a security breach, cyber-attack or in a case of non-GDPR compliance, by any company that provides services to them. The GDPR allows them to audit their compliance posture and gain assurance for further engagement. 

Therefore, my advice would be to engage with data protection from the early stages of your journey and draw it into your strategic discussions. 

What is your biggest achievement to date?

Specialising in this discipline for almost 3 years now has been one of my personal and professional achievements and I won’t stop here. I’m particularly proud of the knowledge and experience that I have gained. My upcoming plan is to delve more into the growing concern around technological data ethics and privacy.

What does the #WomenInTech movement mean to you? What are the challenges of being a woman in tech / STEM?

I do think that women are underrepresented when it comes to science, technology, engineering and mathematics, be it at university or in the workforce. The challenges are diverse, ranging from access to education, skill building opportunities to confidence and visibility, as these fields have traditionally been dominated by men and potentially unconscious bias. So, there is a need for action and reform to improve education, skills development, upskilling and entrepreneurship opportunities, challenging negative stereotypes and closing gender gap issues in a workforce. I think movements like WomeninTech are a good platform to help girls and women with the necessary skills, confidence development, strengthening mentoring, and networking opportunities, to help them succeed in their career fields.

In your opinion, what will be the key trends in the digital health space in the next 5 years and where do you see it heading?

I think the healthcare industry will be looking for ways to treat patients virtually, predict and prevent diseases, increase hospitals' efficiency, as well as overcome security and tech talent shortage issues. Therefore, technologies will be harnessed to bring value to care. 

The COVID-19 pandemic has already set the stage for the importance of telemedicine and has sparked a growth in its use to deliver care. We will probably see more investment from governments and healthcare companies in telemedicine. However, telemedicine relies on networks to provide more speed and quality. Healthcare organisations will increasingly turn to 5G to make it easier to exchange large imaging files. 5G also promises to make it easier to use AI and IoT technology, besides allowing for remote monitoring of patients.

I was also reading that the wearable medical device market is expected to reach more than $27 million by 2023. I think the healthcare sector has started embracing the internet of medical things (IoMT) and this market is set to grow due to high demand in patient-oriented medical devices that gather, analyse, and transmit data to healthcare IT systems in real-time. Tech products and services such as wearables and medical monitors, mobile health-related apps, IoMT converged with telehealth, and residential medical devices do not only assist in monitoring health status but also ensure on-time communication with caregivers and medical experts, when needed. These devices generate massive amounts of data, so cybersecurity and data protection will be at the forefront, and secure cloud platforms boosting collaboration between doctors and patients will be crucial. 

There will also be more investment in data analytics as healthcare organisations strive to identify operational, clinical, and financial processes to obtain clinical metrics to boost success in providing reliable care and battle large scale pandemics. 

AI along with machine learning promises to bring a lot of value to the sector, in terms of providing innovative ways of diagnosing diseases, undertaking medical research, drug discovery and clinical trials, and monitoring and predicting epidemic outbreaks. 

Who are your 3 inspirational women and / or businesses in tech?

I follow 2 brilliant women who I think are thought leaders in privacy:

(1) Gabriela Zanfir Fortuna – She is a Senior Counsel for the Future of Privacy Forum. I think her work on global privacy developments and European data protection law with a focus on technological aspects such as AI, AdTech, EdTech, de-identification etc. is very interesting.

(2) Ivana Bartoletti – She is a Technical Director at Deloitte. She was my line manager for two good years at Gemserv and I enjoyed working with her. She is an exuberant thought leader in data, power, politics and ethics. She has such broad knowledge in privacy that it makes her one of the key persons to listen to if you want to constantly provoke your own thinking.  


Website: https://www.gemserv.com/

Social media: @gemservhealth on LinkedIn and Twitter

Connect with Natasha on LinkedIn!


Women of Wearables is very proud to have Gemserv as one of our sponsors and supporting partners for the upcoming FemTech Forum 2020, the first virtual global conference about FemTech, taking place on 25th of June!

Find out more about our agenda and speakers here!





This interview was conducted by Marija Butkovic, Digital Marketing and PR strategist, founder and CEO of Women of Wearables. She regularly writes and speaks on topics of wearable tech, fashion tech, IoT, entrepreneurship and diversity. Visit marijabutkovic.co.uk or follow Marija on Twitter @MarijaButkovic.