Petra Hanlon

• AI & Data Strategy Leadership: Led team of data professionals to ensure compliance with UK GDPR, PECR and DPA 2018.Led on development of data strategy that laid groundwork for future AI adoption, ensuring all data collection and processing activities aligned with ethical and regulatory standards. Provided senior-level guidance on responsible use of data for innovation, including development of AI-related policies.
• Strategic Governance & Compliance: Developed and implemented data privacy framework and comprehensive data protection and records management strategies. Provided expert guidance to Directors and Executive team on data strategy and information governance.
• Risk Management & Regulatory Oversight: Managed and supported implementation of policies and procedures to ensure robust data protection practices. Took proactive role in continuous improvement of data validation and integrity across all databases. Regularly reported on risks associated with non-compliant activities to Directors and Finance and Risk Committee. Managed responses to regulatory authorities (Information Commissioner's Office, Charity Commission). Conducted internal audits to ensure legal & regulatory compliance, improve data security, mitigate data breach risks and enhance operational efficiency.
• Data Frameworks & BI Readiness: Led on and monitored Data Protection Impact Assessments (DPIAs) to ensure balance between legal compliance and operational efficiency. Ensured data protection protocols were embedded at all stages and in all mediums where information is gathered or held (Privacy by Default & Design).
• Stakeholder Engagement: Acted as primary liaison for regulatory authorities (Information Commissioner's Office, Charity Commission), ensuring prompt and thorough responses to all inquiries. Fostered strong partnerships across organization including RSPCA's subsidiaries as well as externally.

Culture and Literacy (Key Achievements):

• Reduced data breaches by 87% through implementation of staff awareness & education programmes. Developed and delivered tailored awareness and educational programs to increase data protection literacy across entire organization.
• Fostered strong partnerships across organization, resulting in 173% increase in engagement with data protection team.
• Successfully led implementation of Legitimate Interest as lawful basis within organization for using LI for DM/Post Fundraising Activity.

• NGO Collaboration: Pioneered mutual support project between NGOs to share data protection expertise.
• Governance Implementation: Reviews business' data protection and governance strategy to ensure that it is fit for purpose and recommended necessary changes. Provided pragmatic, regulatory guidance to ensure implementation of data policies and processes. Undertook detailed Privacy Impact Assessments.Managed data subject requests and oversaw data breach responses, ensuring timely and effective action.
• DSR and Incident Management: Managed data subject rights, third-party requests, and data breach incidents in compliance with regulatory requirements.
• Third-Party Risk Management: Managed data privacy contracts with third-party data processors. Reviewed supplier and client agreements, including international data transfer measures.
• Stakeholder Alignment: Led meetings to ensure stakeholders (including Legal, Marketing, IT, and InfoSec) were aligned on data protection requirements. Collaborated with Information Security function and relevant stakeholders to maintain data asset records.

Key Achievements: Operational Improvements - development and implementation of missing procedures and policies, fostered data protection culture through training and awareness initiatives, expert advice and support during absence of SSPCA's DPO.

DSR and Incident Management:

• Managed data subject rights, third party requests and data breach incidents in compliance with regulatory requirements.

Risk Assessments:

• Conducted risk assessments and DPIAs to identify and mitigate privacy risks for new and existing activities, projects, and IT systems
• Responsible for maintaining comprehensive and accurate internal records of Data Protection Team's activities.

Compliance Support

• Assisted Head of Data Protection with investigations conducted and responding to inquiries from supervisory authority,
• Support of Head of DP with regular reports to CEO, SLG, Risk Committee etc.
• Assisted Head of Data Protection in ensuring that Society's data protection policies and other guidance documents are regularly updated to provide accurate and relevant guidance to broader organization.
• Collaboration on embedding data protection protocols at all stages and across all mediums where information is collected, processed, or stored.

Key Achievements

• Restructured th Data Protection Team by implementing new organizational design and strategy to enhance efficiency and visibility. This initiative aligned team's operations with business goals and improved its ability to meet complex regulatory requirements.
• Transformed Team's Reputation from "blocker" of business activities into collaborative, solutions-oriented function. This was achieved by proactively engaging with colleagues across organization, providing clear guidance, and embedding data protection principles early in projects.
• Reduced Internal Data Protection Incidents by 30% in first year by remodeling training and awareness modules. New curriculum focused on practical, real-world scenarios and tailored training for high risk areas of business, leading to significant improvement in staff understanding and compliance with data protection best practices.
• Streamlined Incident Response by establishing clear procedures for accurate handling, investigation, and resolution of data breaches. This ensured all incidents were managed in full compliance with regulatory obligations and enabled timely implementation of corrective and preventative actions.

Framework Implementation:

• Led development and implementation of comprehensive data privacy framework, including data protection policies and procedures, ensuring compliance with GDPR.

Risk Assessments:

• Conducted risk assessments and Data Protection Impact Assessments (DPIAs) to identify and mitigate privacy risks for new and existing activities, projects and IT systems.

Incident and Rights Requests Management

• Managed data subject requests and oversaw data breach responses, ensuring timely and effective action.

Training and Reduction of Incidents:

• Designed and delivered employee training programs, raising awareness and promoting culture of data protection across organization.

Key Achievements:

• Spearheaded creation and implementation of full, end-to-end Data Privacy Framework across MHC, encompassing comprehensive policies, procedures, and internal controls to ensure robust GDPR compliance and significantly mitigate risk of regulatory non-compliance.
• Reduced percentage of internal data incidents by 62% through design and delivery of targeted training and awareness modules for both staff and senior management, successfully fostering proactive, company-wide culture of data protection.
• Developed and executed core Data Protection Strategies that proactively embedded privacy-by-design principles into new and existing business activities, projects, and IT systems, resulting in demonstrable decrease in risk of non-compliance with regulatory requirements.