Security Expert Interview Series: Elodie Pierloot
We recently had the opportunity to interview Elodie Pierloot, Head of Data Privacy at HSBC. She leads the Data Privacy function across the entire personal banking business at HSBC, including Retail and Private Bank, Insurance and Asset Management. She has over 10 years of experience in Operational Risk and Information Security and has developed strong skills in governance, risk management and communication. Now, enjoy the full interview below!
1. Can you give us an introduction about yourself, Elodie? How did you venture into the information security and privacy world?
I joined HSBC in 2007 and never left. I started working in Operational Risk in Paris, then in London. After a few years as a “Risk generalist”, I wanted to focus more on a defined risk area and be closer to the Business. I applied to an open position in Geneva’s office as a Business Information Risk Officer. It was a few years after the data theft. Information Security was obviously a hot topic; the bank had put a lot of effort into strengthening the controls, well before other banks, and the Swiss entity was ahead of the rest of the Group.
Over the years, I realised that I needed to develop more expert knowledge to keep progressing in this fascinating and promising area. I progressively grew an interest in Law, by implementing banking secrecy-related FINMA circulars, taking certifications and even getting a Law degree at the University of Neuchâtel to get a more general legal background.
I then got involved in the GDPR programme implementation and I knew that privacy would be my natural next career move. It happened after I came back from maternity leave, when I took a newly created position to manage Privacy for the Global Private Bank. A year later, I was asked to cover the whole of Wealth & Personal Banking, the biggest privacy Risk area in HSBC, banking with 40+ million customers across the globe.
2. You are holding the position of Head of Data Privacy. Is there a typical workday for you and, more specifically, what are some of your primary concerns on a daily basis?
Since I cover about 40 markets and have teammates based in Asia, my morning usually starts early with catching up on all the e-mails received during the night! I usually spend most of the day in meetings, as I have interactions with a broad range of stakeholders: working with my peers in the Group and other Businesses and Functions to understand challenges and develop common solutions, seeking advice and responding to challenges from Legal and Compliance, reporting to and supporting senior executive strategic decisions, cascading information and supporting colleagues in each market in their day-to-day operation of privacy controls, managing my team and collaborating with other Risk and Control functions.
I always try to keep some focus time, as this area is very new and requires creative and pragmatic solutions that cannot be thought through when in a constant rush. It means that every day is about prioritizing the most important activities to strike the right balance between mitigating privacy Risk and enabling the Business to grow.
3. What do you see as the main challenges for privacy today?
I think Privacy today is at the same stage as sustainability 10-20 years ago. Most companies only did the bare minimum to comply with the compelling laws and regulations. Some of them already understood how important the topic was and made it a competitive advantage or even a new business model, whether motivated by ethical conviction or business opportunity. The reality today is that sustainability is everywhere and must be part of every company’s values and decisions for them to stay respectable.
Privacy could also become a major threat for humanity, and while governments are strengthening their laws and regulations more and more, companies must also take their share of the responsibility for privacy to become the new normal. The biggest challenge for them today, in my opinion, will be to acknowledge that complying with the letter of the law is not going to be sufficient. Privacy ethics should already become part of their social responsibility duties, or else they’ll soon be outdated.
4. Financial services institutions are among the richest sources of personally identifiable information. Given that, how are financial services firms handling data privacy?
Financial institutions are already operating in a highly regulated environment and usually have the capacity to adapt to new constraints. GDPR and the DPA have usually been handled just like any other regulatory change programme. In Switzerland in particular, banks already have to comply with banking secrecy. Their infrastructure has been built to restrict access and keep customer data secure, and they have a strong culture of preserving the privacy of their clients.
Besides, clients would only bank with an institution if they trust it. This relationship only works if all their assets are properly taken care of, including their personal data. Not all firms, of course, apply the same due diligence, but I think this industry is generally better equipped to comply with privacy laws.
5. Do you think financial services firms lack plans/strategies to address privacy risks? If yes, what are the main considerations they need to take into account?
The problem many financial institutions are facing today is that they have accumulated a huge amount of personal information in systems that were not initially designed to delete it. It’s a considerable challenge to determine which information can lawfully be kept and which needs to be disposed of, and how to do it without breaking the systems. And it’s a problem that is growing substantially every year, as the trend is obviously to capture more and more information about clients to better target offerings and serve the clients.
Other challenges will depend on the very nature of the business: a financial institution doing aggressive digital targeted marketing on social media will clearly not face the same challenges as a small private bank with close one-to-one relationships with its clients and personalized services. When it comes to privacy strategy and planning, there is no one size fits all, so it’s really hard to compare the relevance of plans when the Risk exposure and Risk appetite can be so different.
6. How do you stay up to date with industry news and updates regarding information security and privacy?
First, I heavily rely on my colleagues from the Legal department. We have several qualified lawyers specialized in privacy globally and can rely on a great network of knowledgeable local lawyers to understand how new regulations, like the new PIPL in China, can be met with our existing control framework. I’m also a member of ISACA and IAPP to keep up with the latest industry trends.
I hope that conferences and business travel can soon resume, as they are usually the best opportunity to focus on learning and networking. In the meantime, I keep reading articles and attending webinars to keep track of trends, events and changes in regulation.
7. Our last question is usually a personal one: if you could give your 25-year-old self just one piece of career advice, what would it be?
I’d say “trust your instinct and do it”. Many people are only going to see what’s wrong and never dare to take the risk of doing something. But to be honest, common sense is the best response to most privacy and security issues, and it’s better to make a mistake than to do nothing at all!
Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.