CNME Editor Mark Forker secured an exclusive interview with Rocío Ávila, Data Protection officer (CIPP/E) at VFS Global, to find out more about their data protection procedures amidst a constantly evolving digital economy, the important of a stable, but agile privacy framework – and the challenges and opportunities presented by artificial intelligence when it comes to data processing and protection.
The world we live in continues to constantly evolve at rapid pace, and the primary catalyst behind these transformative changes is technology.
The digital economy is underpinned by technology and innovation, and it fuels almost every single interaction we have either inside, or outside of the workplace.
However, when it comes to the underlying infrastructure that facilitates this digital economy, many questions and challenges remain, and some of the most prominent of these are related to privacy and data protection.
Artificial Intelligence is the future, and the democratisation of AI through large public LLMs such as ChatGPT have propelled AI to new heights.
However, there are valid concerns over data privacy and security when it comes to Generative AI.
VFS Global is the world’s largest outsourcing and technology services specialist for governments and diplomatic missions worldwide.
Like many organisations during the digital revolution, they have been forced to transform their operations – and it is imperative for them to be agile in order to meet the demands of a marketplace that continues to change face.
CNME sat down with Rocío Ávila, Data Protection Officer (CIPP/E) at VFS Global for a broad-ranging interview that examined many different topics.
Ávila began the conversation by discussing some of the data protection procedures they have in place, and highlighted the importance of its privacy framework.
“In the current climate we know there are many challenges facing all organisations and we are all trying to navigate that, and we have seen a huge increase in cybercrime on a global scale. It goes without saying that not only for us at VFS Global, but for all organisations, data protection is absolutely pivotal. Our focus is not only in terms of how we can continue to better protect our data, but also around proactively exploring and embracing new technologies to help us manage our data in a more compliant and responsible manner. We have a strong privacy program and framework, and that really serves as the backbone in terms of how we process and manage all the data that we are entrusted with at VFS Global,” said Ávila.
VFS Global works primarily with government entities, and the requirements from each government entity from location to location can obviously be quite varied, with this in mind, Ávila elaborated more on why the data privacy framework they have established is so important to them.
“We have very strict policies, procedures, and guidelines that help us navigate through the different compliances that are required within each different government that we work with when it comes to the personal data that we are handling. Obviously, at VFS Global, we process data on behalf of different government clients, and that essentially makes us a data processor. It’s important for us to understand what the expectations are from the government client that we work on behalf of, but at the same time to be compliant with the law of the land in which we operate. That’s why the privacy framework we have is so important for us to ensure we meet the compliance requirements from region to region,” said Ávila.
Ávila also disclosed that VFS Global follow the requirements of the ISO certification 27001, adding that in the case of 27001 they are certified as a data processor, and a data controller.
Ávila then spoke of the emphasis the company places on training and awareness programs.
“We have got lots of security measures in place, but if our staff is not trained adequately then it means nothing at the end of the day. We have a strong training program in place that is related to privacy and data protection, and our main focus is GDPR, but not only GDPR. However, GDPR is one of the most stringent policies globally when it comes to how you can process data. The training programs we rollout are part of the onboarding process of new employees, and we also conduct refresher programs consistently throughout the year, so training and learning is embedded into the culture of VFS Global,” said Ávila.
The Data Protection Officer at VFS Global believes that many companies tend to focus only on how they process the data of their customers, but she argued that it is equally as important to focus on how you process the data of your own employees.
“We are an international company, and we are present in so many different countries, and with that comes various different regulations and rules in terms of what you can and can’t do with that data. So, it is incumbent on us to be proactive in terms of enhancing the awareness and knowledge on the rights of our employees as a data subject, not just when they are processing data on behalf of our government clients. It’s important that we equip them with the skills to detect and protect the data they are processing. It is critical that adopt a mindset that enables them to always be vigilant in case something happens in the backend that is not in line with the policies and procedures that we have in place,” said Ávila.
As aforementioned above, it is critical for businesses to be agile in the current climate, especially in this era of artificial intelligence.
As Ávila explains the program VFS Global designed is both flexible and agile.
“From a privacy perspective, it is critical to have a program that is both robust, but also flexible to meet the agility that will be required as technology continues to evolve. It is also important to have a stable framework that doesn’t need to be changed every six months to a year, but instead can be reviewed regularly, and if it needs to be tweaked, or updated then the changes can be applied,” said Ávila.
As a global entity that operates in countries all over the world, compliance can be complex, as certain rules in one location will be obsolete in another.
Ávila outlines how VFS Global use technology to help them to keep on top of changing rules and regulations when it comes to compliance.
“As a global organisation, we have people sitting all over the world in different locations and they have differing expertise across the privacy spectrum. We use different types of technology and software in order to enable us to stay on top of everything that is happening within the privacy domain. For example, if there is a new privacy law passed by a country, or a new bill is being discussed in parliament then it’s critical that we have visibility on that. Internally, we then discuss the potential repercussions that law may have on our existing privacy programs, and look ay ways in which we will be able to align our procedures, and practices to meet the compliance of any new laws passed,” said Ávila.
Generative AI has dominated the tech landscape since the introduction of ChatGPT by Open AI in November 2022.
Undoubtedly, Gen AI presents a plethora of opportunities, but again, businesses and technology leaders need to be measured when adopting AI, because there is still grey areas in relation to privacy and security around data.
Ávila conceded that most Data Protection Officers were relatively conservative when it comes to new disruptive technology, but stressed that the caution they adopt should not be confused for a reluctance to embrace new technologies.
However, she admitted that the introduction of the AI Act that was passed by the European Union in March 2024, provides greater clarity on how the technology can be dispensed.
“I think it’s fair to say that as Data Protection Officers we tend to adopt a very conservative approach towards technology. We like to take a step back from all the noise, take a deep breath, and then analyse what the next best step forward for us is. The new AI Act that was passed by the European Union in March of the year, and that will soon be adopted as EU Law really gives us a much clearer view of what the expectations are. From a personal point of view, I always want to determine what the real impact will be from a data subject perspective. We have witnessed the introduction of Chatbots across so many different organisations, and it can be very helpful, so it’s not a matter of not embracing technology, on the contrary we want to embrace technology, but in a manner that is always compliant and does not negatively impact the data rights of our users. The less invasive the better for us, and if it enhances the services and experiences that we provide to our end-users then we will adopt it, but only after it has been passed our stringent assessment and meets our requirements,” said Ávila.
As highlighted throughout our conversation, when it comes to AI, big questions marks remain and there is plenty of cynicism in certain quarters regarding data privacy.
Many feel that due to the rapid evolution of Gen AI, and in the subsequent rush to commercialise Gen AI many businesses may take shortcuts, and in some cases have the cart pulling the horse, and that lack of due diligence puts users at risk.
Ávila said that for them transparency is critical for them as an organisation, describing it as a fundamental part of their make-up.
“In terms of the challenges, when it comes to AI you have to be transparent, and transparency is critical for us, and is firmly embedded in our DNA as an organisation. The most challenging point for all organisations at this juncture is the fact that everybody has an opinion on AI, good or bad, and there is a scramble to deploy the technology. However, it is important to reinforce that we are the very start of this journey, and enterprises need to make sure that when you deploy the technology it is right fit for their organisation. I’m going to be an interested observer of its evolution over the next 12 months, and I think we’ll have a clearer picture on things by the end of 2024,” said Ávila.
