ICQ Log - Member Profile:

Interview with Steven Roberts


Last Updated: 01 June 2021

We spoke to Steven Roberts, Head of Marketing at Griffith College, Author, Certified Data Protection Officer, and Vice Chair of the ACOI’s Data Protection and Information Security Working Group. In his interview, Steven talks about his book Data Protection for Marketers: A Practical Guide, tips for upskilling as a marketeer and insights about the future of data protection and GDPR

What made you decide to write the book?

I felt there was a need to write a book for a marketing and communications audience. Since the introduction of the General Data Protection Regulation (GDPR) in May 2018, the issue of data protection has been at the forefront for many marketing teams. Most of the texts currently available are aimed more at legal or compliance practitioners. I wanted to provide marketing professionals, as one of the largest users of personal data within organisations, with a practical, straightforward publication that covered the key aspects of data protection along with useful case study examples relevant to the work they undertake.


At a broader level, I have penned many articles on data protection, strategy and marketing over the past number of years. Writing a book seemed a natural evolution of this process. To provide something that could contribute in a helpful and meaningful way to the greater adoption of data protection best practice.


What are the key take-outs from the book?

The book seeks to provide an overview of the key aspects of GDPR. For example, it looks at what constitutes personal data, the lawful bases for processing, the responsibilities of data controllers and processors, and the data protection principles underpinning the regulation.

In addition, I provide readers with a background to the history of data protection, and the different approaches to data privacy in jurisdictions such as the EU and USA. I also look at some of the challenges the Regulation is currently facing and may face in the future, as well as proposing mental models teams can apply when seeking to build a strong data protection culture.


For a marketing leader or team wishing to upskill in data protection, where should they start?

For teams seeking to increase their data protection competence, the best place to start is with a solid understanding of the legal bases for processing and the seven core data protection principles. These form the bedrock on which the GDPR is built. Following on from there, I emphasise throughout the book the importance of ongoing training, both for new and existing staff. This allows a team to iteratively develop their understanding of privacy best practice. Many firms undertook once-off training in the run-up to the introduction of GDPR; the real benefit is from a long term commitment to upskilling in this area.


Lastly, having clarity on how to respond to subject access requests and other means by which consumers can exercise their data protection rights is key. Putting in place good processes, with clearly defined owners, is one of the best ways of ensuring that a company can respond within the time limits set by the GDPR.

How do you see GDPR and data protection developing?

It is important to recognise that the GDPR is at an early phase in its adoption. There is still a lack of clarity amongst many businesses across Europe regarding aspects such as how fines will be applied in the event of a data breach and what constitutes best practice in responding to a subject access request.


The Data Protection Commission, as part of the public consultation on its draft Regulatory Strategy, states the importance of bringing ‘legal clarity’ and upholding a ‘consistent application of data protection law’, noting that here are currently ‘ambiguities of interpretation’ of the GDPR. This presents a significant challenge for businesses, particularly those with a footprint in multiple EU countries. Inconsistencies remain across a range of areas, with one example being the differing approaches adopted by supervisory authorities to the use of website cookies.Ireland, Spain and Germany all have variances in how best practice is interpreted regarding consent, creating headaches for the compliance and marketing teams who must adhere to these local requirements.


The future of work, with its increasing reliance on technologies such as big data, automation and machine learning will provide challenges for businesses in meeting the requirements for clarity, accountability and transparency in how they process personal data. It will also provide a useful litmus test as to the effectiveness of the GDPR’s principle-based, technology-neutral approach to data protection.


What are the key data protection trends compliance officers should be aware of for 2021?

There are significant question marks regarding international data transfers. Compliance and legal professionals are currently appraising a new set of EU standard contractual clauses (SCCs), whilst also awaiting a replacement for the EU-US Privacy Shield, which was ruled invalid last July. There has been significant pushback from business groups across Europe to a proposed set of supplementary measures that companies must undertake when transferring data to jurisdictions lacking the level of data protection required under GDPR. Many companies feel that, if adopted, these will place an unrealistic compliance burden on them and reduce their ability to trade internationally.


From a marketing perspective, a number of supervisory authorities have expressed serious concerns about the transparency and compliance of the current advertising technology or adtech model, which is widely used by marketers in Ireland and internationally. Lastly, businesses with a presence in Britain or Northern Ireland will breathe a sigh of relief when an adequacy decision for the UK is formally approved by the EU.

What advice would you have for any potential authors?

The best advice I found was to take advantage of the compound effect. Rather than facing a challenge of writing 40,000 to 50,000 words, commit instead to writing 300 words a day. Over time, this compounds into a substantial text. Some days you will write more, but committing to this on a daily basis is key. Beyond that, it’s crucial that any potential author is clear on the audience they are writing for and the reason why their proposed book will provide value to them.


Where can readers purchase a copy of the book?

The old cliché applies in this case – it’s available at all good bookstores, and can also be ordered directly from the publisher, Orpen Press , or online from retailers such as Amazon .


Steven’s new book, Data Protection for Marketers: A Practical Guide , is available to order from Orpen Press and from all good bookstores.

Lawyer Photo

Member: Steven Roberts

Head of Marketing at Griffith College. A Certified Data Protection Officer and Vice Chair of the ACOI’s Data Protection and Information Security Working Group


ICQ Summer Edition 2021

This article was taken from the ACOI's ICQ Summer Edition 2021