Welcome. I’m John Elliott and this is my small bit of the Internet. I’m a data protection specialist working at the intersection between regulation and information technology. I’m typically engaged as a consultant or interim manager.
I combine an in-depth knowledge of data protection law (i.e. GDPR) with information security and experience in business-focussed IT delivery. I have significant knowledge and experience in payment regulation (AISP and PISP within PSD2) and payment systems (card processing and Open Banking).
I'm able to act in an interim role as an organisation's DPO; conduct high-quality Data Protection Impact Assessments for new projects; train IT teams to embed Data Protection by Default and Design into the development lifecycle; and help information security teams to understand their responsibilities under GDPR's article 32.
I have the professional qualities to be a statutory Data Protection Officer — I’ve worked in that role for a large airline and have also advised many organisations about how they can comply with GDPR. I also worked at Open Banking looking at the whole data protection and privacy implications of the new API-based way of banking created by PSD2.
PCI DSS and payment security
I was fortunate to spend around three years as Visa Europe’s representative on the technical working groups of the Payment Card Industry (PCI) Security Standards Council (SSC). In that time I contributed extensively to PCI DSS v3 and P2PE v2 and I also answered lots of questions about the standards and payment security.
I’m currently the Chair of the UK Merchants’ PCI Working Group which consists of the people responsible for PCI compliance and/or information security for the largest merchants in the UK. Collectively the group members originate over 90% of all UK payment card transactions. We meet quarterly, engage with the PCI SSC and all the UK acquirers, and also have guest speakers from various technology companies.
I develop highly-rated training courses for Pluralsight (they are listed over there in the right margin). Pluralsight is a brilliant, online library of video based training courses made by real subject matter experts. One of the best aspects of being a course author is that I have access to the entire library which is full of awesome courses such as Troy Hunt's "hack yourself first".
Professional Qualifications etc.
I keep a number of professional qualifications to provide externally validated assurance of competence to my customers' management, non-executive board or their regulators. We can all debate the actual merits of various professional bodies, their exams, their strengths and weaknesses - but to provide confidence to people who engage me, I maintain1 membership of ISC(2), ISACA, IAPP and the British Computer Society2.
Professional: BCS Fellow, Chartered IT Professional
Information Security: CISSP, CISA, CRISC
Data Protection and Privacy: CIPP/E
I’ve an LLM (i.e. Masters of Law) Information Rights Law and Practice (i.e. Data Protection) and am pursuing a part-time PhD in the Cyber Security Centre at the University of Warwick.
What do people say about me?
Former clients have been kind enough to provide recommendations on LinkedIn. This one is my favourite because saving half a million pounds for a company is a pretty cool thing to do and shows the benefit in a pragmatic approach to regulation.
“From the first day when John arrived at the Club to work with us through the initial difficult stages of PCI compliance, he was first class, not only to work with, but also the extent of his knowledge, pragmatic advice and guidance were second to none.
I will never forget a 5 minute conversation with John at a project board meeting where we proposed a number of actions costing approx. £500k. He challenged them, made us rethink it all, and the final cost to achieve the same end came out at £10k!!”
1 Maintain = 40 hours of CPE and about £600 a year, which is insane!
2 I know the name has changed to “BCS the Chartered Institute for IT” but I much prefer the old name.