Interview with Alexandre Mollard - data protection officer of Lombard International Assurance

In preperation of the GDPR+1 Data Privacy Conference which takes place on the 22nd May 2019 in Luxembourg we had the opprotunity to interview Alexandre Mollard, Chief Compliance Officer and Data Protection Officer of Lombard International Assurance.

GDPR+1:

To what extent has data protection influenced the corporate culture of Lombard International Assurance?

The GDPR has had the highest level of attention, starting from the Board of Directors and is now a standing item on the agenda of the Risk Committee and Audit Committee. It is acknowledged as being everyone’s responsibility. It also allowed for clearer ownership and responsibilities on a topic that was previously shared in between our Legal and Compliance teams; including appointment of a Data Protection Officer that reports into the Board of Directors. Furthermore, it contributed to raising awareness on the back of the risk of sanctions and reputational risk of non-compliance which the GDPR entails.

GDPR+1:

What was the biggest challenge for Lombard International Assurance when implementing the GDPR?

Notwithstanding the significant amount of work and resources required to comply with the GDPR at our own scale, the biggest challenge given the spectrum of the regulation is on data retention; starting from the basics i.e. having a sound Data Retention policy, privacy by design built-in for existing system and data inventories under each department ownership to cite a few.

GDPR+1:

What was the most important lesson Lombard International Assurance learned in the course of the practical application of the GDPR? 

Do not underestimate the amount of work and resources required to implement the GDPR. We started work analysis mid-2016, and the project work ran for a year and a half to implement all key GDPR project milestones, where we believe we had a pragmatic and practical operational approach.

And it is not over … data protection requires continuous maintenance and oversight - particularly as new employees join the company, new IT systems are being deployed and new services and products are rolled out.

Finally, there are always grounds for improvement and with hindsight, do think about your GDPR 2.0 and how you can best - from a risk-based perspective- look back at what you implemented and how it can be refined.

GDPR+1: We thank you for the interview and are looking forward to meeting you at GDPR+1.