As demand for data drives businesses, Richard Kibble, Global Head Data Privacy and Chief Privacy Officer at Alcon, the largest eye care device company in the world, talks to our European Managing Director, Angela Floydd, about his career path and the impact of Covid-19 on business. From sales and marketing, to Head of Legal, to his current global privacy specialist role, Richard has made savvy career moves. Research firm Gartner estimates by 2022 more than a million organisations will have appointed a privacy or data protection officer as 65% of the world's population will have its personal information covered under regulations similar to GDPR. Richard also shares his thoughts on how lawyers can prepare for the influx of these different international privacy regulations.
Angela Floydd (AF): Richard, your path to Global Head Data Protection and Chief Privacy Officer of a global healthcare business has not been the typical career path of global heads of privacy. How did you go from being a Head of Legal for a division of one of the world's largest consumer businesses into a global privacy specialist?
Richard Kibble (RK): I have a degree in law and a diploma in competition but was assessing whether I wanted to be a lawyer or work in business roles after I completed my legal studies. I was interested in commercial sales and business and thought these areas would suit my personality, I'm outgoing and like to talk! I joined Nestle in the UK because it is such a large global consumer business, I was curious to see what it would be like and joined as a graduate in their food service/catering sales division for supplying vending machines to the catering industry. It was a pure sales role, at the sharp end, managing several accounts over a specific territory in the Midlands, involving tough negotiations and having to make cold calls, an experience that has stood me in good stead for legal and general life! After that I moved to the head office function in Croydon to be a national sales manager. My focus was the healthcare sector, prisons and the armed forces. These are public sectors where cost is a key driver. The role involved presentations and negotiations at a senior level (it's where I learned and honed these essential legal skills) and having to manage my own P&L which was great commercial experience. As part of my role I was working occasionally with our legal team and after 5 years of being on the business side, I decided I wanted to use my legal background. I ended up training and qualifying with Nestle as a lawyer and moving quickly to the company's global headquarters in Switzerland in 2003 and joining the anti-trust department known as a competence centre. After three years in that department, I had the chance to move to the company's M&A competence centre. It was a period when Nestle was involved in significant acquisitions and gave me exposure to some fantastic high value deals, working with some of the best firms and M&A lawyers in the industry.
My next career step was as Operations Counsel EMEA for Beverage Partners Worldwide, a JV between Nestle and Coca Cola which gave me great perspective of a strong brand driven product. After three and a half years in that role, I had the opportunity to take the Head of Legal role for the Nestle JV with General Mills - Cereal Partners Worldwide in 2012. It was during my time in this role, that I could see privacy was starting to become a prominent business factor. For any consumer business there is a strong focus on marketing and with the evolution of social media, I found the implications for privacy really interesting. Data is critical for all industries, some more than others but where the focus is on increasing sales, to do that effectively, you must know your customer intimately. You cannot take privacy out of data. Everyone wants to understand consumers. You can work with anonymised or pseudonymised data (in some legal areas you are required to do so) but it's less insightful. If you don’t understand privacy, data protection and security issues, it can be difficult to add value to business conversations and spot the issues if you have to keep referring to a specialist.
When there's pressure to grow specialist functions and companies are not able to staff up their privacy function significantly, they need to push the education of their lawyers so that everyone has a basic level of privacy competency. It was whilst I was developing my knowledge and understanding of privacy and security that I could see how this is going to grow in importance for all businesses as technology continues to evolve.
I had to switch my mindset from finding privacy to be a staid challenging headache, to see it for what it was going to become - the lifeblood of a thriving body corporate. The most powerful companies in the world are driven by data. I started to routinely analyse data flows throughout the organisation. It was at that point I went back to Nestle as Head of Legal for Nestle Professional Services, the catering side of Nestle which is a complex business both B2B and B2C. It was my natural home as I started my career in that division as a territory sales manager. It had been a goal of mine for nearly 15 years! I had to understand our customers and our customers' customers. This was in 2017 and GDPR and its game changing implications was imminent. My appreciation for privacy further grew and I now fully understood the strategic value in applying privacy strategically and pragmatically to the commercial environment.
By now I had been with Nestle for 20 years, I was ready for a new challenge and reflecting on what I wanted to do next and where I knew the exciting legal growth opportunities would be - in privacy. I could see there were newly created roles in the privacy sphere as a result of GDPR and when an opportunity came up with Moody's, one of the world's leading global financial services organisations, I decided to make the switch and gain exposure to a different sector and take on a role where I would be responsible for implementing GDPR across Europe.
After I had done this, the opportunity came up to lead the privacy team globally at Alcon and I was very keen to make this move as it was a chance to join a leading medical device healthcare business at an interesting time as Alcon had just been spun off from Novartis. The company had created a new CPO position. I took it on in July 2019. I report to the General Counsel based in the US and am growing the privacy programme for Alcon worldwide. Building a world class privacy program requires strategic planning and key global priorities. In Alcon we have 6 global privacy strategic priorities. We call it the < Iceberg > plan because we visualise them literally with an iceberg, so the message is easily memorable and consistent across the global organisation. The communication skills I still use from my sales days.... This iceberg has the 6 priority layers. At its base (below the water line) corporate governance and training right through to the tip being website privacy harmonisation (very visible). It is our plan and we were able to recruit a great internal privacy team to deliver it. A CPO cannot deliver a global plan without a dedicated focused team of privacy officers but importantly, local legal and compliance personnel that understand privacy and are empowered to deal with the issues in real time. A privacy function’s responsibility is to assist with that empowerment. For me, that is the optimum and most efficient working structure.
AF: What has been the impact of Covid-19 for your business?
RK: Alcon is the largest eye care device company in the world. We operate in the ophthalmic surgical and vision care markets, which are large, dynamic and growing. We are dedicated to helping people see brilliantly. We have a strong foundation based on our trusted brand, a legacy of industry firsts and advancements, leading positions in the markets in which we operate and a continued commitment to substantial investment in innovation. Like many businesses, Alcon's Surgical business was impacted due to decline in global demand for surgical procedures due to COVID-19.
AF: When it comes to usual business practice (or trying to maintain this), how has Covid impacted privacy and data protection?
RK: Additional assessments were required connected to privacy, for our businesses legitimate needs to implement measures to protect the health and safety of associates and ensure business continuity, as an eye care device company providing important products to our customers and patients during the unique and challenging COVID 19 period. This included the assessment of national authorities COVID 19 guidance on these necessary measures.
AF: Has your allocation of internal resources changed? i.e. is your team spending more time on safeguarding and risk assessment than key strategic work?
RK: There has certainly been a focus in these past three months on safeguarding and risk assessment during these exceptional COVID times but as a team we also maintained our focus on the privacy function strategic priorities and roadmap that deliver the Alcon privacy program.
AF: How are you doing with managing your team remotely and what has been the biggest learning curve in response for Covid-19 so far?
RK: We have a global privacy team with associates in Switzerland, US and in major business locations, so we are familiar with delivering results and coordinating remotely. The biggest learning curve is that effective organisations inherently have the ability to quickly adapt to their environment including fundamentally new ways of working and can come to terms with that efficiently.
AF: What would you say will be the biggest challenge for you and your team in the next weeks and months?
RK: Global increase in privacy and cyber security regulation and enforcement through new regulations in many countries and this will only continue eg Brazil, California and many other US States, India, to name just a few. It will be a challenge for international legal departments to deliver compliance and oversight when the laws, regulation and enforcement are increasing and changing globally. The data of a significant proportion of the world's population will be regulated by privacy rules similar to GDPR by 2023. We all need to make sure the right skill set is in place and strike the balance between privacy specialists and privacy knowledge for efficiency. My advice to all lawyers is know your company's engagement and approach to data. For some industries data is not as important as others but for most who really want to understand their customers/consumers, it's beyond valuable. A critically competitive sharp edge. Understanding data is important for that. Have a risk assessment map and compliance programme for your existing situation but also a long-term plan for how the laws will change and the impact on your business, whether you are specialist or not.
AF: Thanks so much for your insights Richard, it's fascinating to hear how you came to be in your current role, an astute move given that privacy, data protection and cyber security will continue to dominate corporate agendas for the foreseeable future!