Rethinking privacy with Eli Lilly at IAPP GPS 2025
From compliance to strategic risk management
Posted: May 19, 2025
At the IAPP GPS 2025 Spotlight Stage, David McInerney, Commercial Manager at Syrenis, and Lisa Brzycki, Information and Cyber Risk Executive at Eli Lilly, delivered a compelling conversation on privacy, consent, and risk management.
As technology, legislation, and consumer behavior continue to evolve and intersect, their discussion centered on how organizations can shift from a compliance-first mindset to a strategic, risk-based approach that drives both trust and business value.
Featuring first-hand experiences from a global pharmaceutical leader, the session offered practical guidance on how privacy professionals can secure stakeholder buy-in for their projects, prepare for future challenges, and leverage technology to go beyond compliance and unlock growth-driving insights.
In case you missed it or need a recap, we’ve pulled out 5 key takeaways below…
1. From compliance to cultural transformation
Lisa Brzycki emphasized that privacy must evolve from a “little c” compliance function—often seen as a checkbox exercise—into a core part of enterprise risk management. In many organizations, especially those governed by HIPAA or similar regulations, privacy has historically been bundled with cybersecurity or legal compliance. But that’s no longer sufficient.
“We need a big cultural transformation into risk management… Privacy risk is not just a compliance checkbox—it’s a strategic differentiator.”
This shift requires privacy leaders to engage boards and executives in conversations about risk tolerance, not just regulatory adherence. It’s about embedding privacy into the DNA of the organization, aligning it with business growth and customer trust.
How Cassie can help:
Cassie is built to support this transformation. It doesn’t just log consent—it provides a centralized, auditable, and policy-driven framework that aligns with your organization’s risk tolerance. With configurable workflows and real-time dashboards, Cassie empowers privacy teams to demonstrate control effectiveness and support enterprise-wide risk conversations.
2. Consent Management as a strategic control
Consent and preference management platforms (CPM platforms) like Cassie are no longer just tools for legal compliance—they are foundational to enabling ethical data use and customer trust. Lisa positioned CPM platforms as one of the most critical control solutions in a privacy program, especially in regulated industries like healthcare.
“Consent management platforms are really top of the list in terms of being able to run that down with the business.”
She stressed that CPM platforms must be adaptable to evolving global regulations and capable of supporting innovation without compromising on trust. This includes integration with identity and access management systems, DSRs (data subject requests), and multi-factor authentication.
How Cassie can help:
Cassie is a purpose-built CPM platform that adapts to global regulatory requirements, from GDPR and HIPAA to emerging state-level laws. It supports granular consent capture, dynamic preference centers, and seamless integration with identity and access management systems—ensuring that consent is honored across every customer touchpoint.
3. Speaking the language of the board: Risk and ROI
One of the most actionable insights was Lisa’s advice on how to communicate privacy value to executive leadership. Boards don’t respond to abstract notions of “trust” or “governance”—they respond to financial impact.
“No CIO, no CEO ever said, ‘Please let me throw a bunch of money at governance.’”
Lisa recommended framing privacy investments in terms of:
- Inherent risk: What could go wrong without controls in place.
- Residual risk: What remains after controls are applied.
- Annualized loss expectancy: A financial model that quantifies potential losses from privacy incidents.
She used vivid analogies—like an open window being a vulnerability and a regulator or hacker being the threat actor—to make these concepts relatable. The goal is to show how privacy controls reduce financial exposure and protect brand equity.
How Cassie helps:
Cassie’s reporting capabilities allow teams to quantify consent volumes, identify gaps, and model risk exposure. By surfacing metrics that tie directly to regulatory fines, customer churn, and operational inefficiencies, Cassie helps privacy leaders build a compelling business case for investment and board-level attention.
4. Matching risk to tolerance, not eliminating it
A common misconception in privacy and security is that the goal is to eliminate risk. Lisa challenged this, arguing that the real objective is to align risk with the organization’s tolerance.
“Your goal is not to continuously reduce risk. Your goal is to match your privacy risk to the enterprise tolerance for that risk.”
This means defining what level of risk is acceptable and investing accordingly. Over-controlling can lead to missed opportunities and wasted resources. Under-controlling can lead to breaches and fines. The sweet spot is where risk is managed in line with business strategy.
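The three framing terms from takeaway 3 (inherent risk, residual risk, annualized loss expectancy) and the tolerance test from takeaway 4 can be put into a small model. This is an added example, not code from the talk, Eli Lilly or Cassie; it assumes the standard definition ALE = SLE x ARO (the recap names ALE but gives no formula) and a return-on-security-investment ratio, and every figure in it is constructed.

```python
"""Privacy control framed as inherent ALE, residual ALE and ROI (added example,
not from the talk, Eli Lilly or Cassie). Assumes the standard ALE = SLE x ARO and
ROSI = (ALE reduction - cost) / cost; all figures below are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # single loss expectancy: cost of one incident (fine, churn, remediation)
    aro: float  # annualized rate of occurrence with no control in place

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float  # fraction of occurrences the control prevents (0..1)
    sle_reduction: float  # fraction of per-incident cost it avoids (0..1)

def inherent_ale(s: Scenario) -> float:
    """Inherent risk: expected annual loss with no control applied."""
    return s.sle * s.aro

def residual_ale(s: Scenario, c: Control) -> float:
    """Residual risk: expected annual loss once the control is applied."""
    return s.sle * (1 - c.sle_reduction) * s.aro * (1 - c.aro_reduction)

def rosi(s: Scenario, c: Control) -> float:
    """Return on security investment: net ALE reduction per unit of control cost."""
    reduction = inherent_ale(s) - residual_ale(s, c)
    return (reduction - c.annual_cost) / c.annual_cost

def pick_control(s: Scenario, controls: list, tolerance: float):
    """Match risk to tolerance: among controls whose residual ALE is within the
    enterprise tolerance, pick the best ROSI, not the one that drives risk lowest."""
    eligible = [c for c in controls if residual_ale(s, c) <= tolerance]
    return max(eligible, key=lambda c: rosi(s, c), default=None)

# Constructed scenario and candidate controls, not real Eli Lilly figures.
OPT_OUT_SEND = Scenario("campaign sent to opted-out contacts", sle=250_000, aro=2.0)
BASIC_CPM = Control("consent platform", 120_000, aro_reduction=0.8, sle_reduction=0.25)
GOLD_PLATED = Control("platform plus manual review of every send", 400_000,
                      aro_reduction=0.95, sle_reduction=0.5)

if __name__ == "__main__":
    for c in (BASIC_CPM, GOLD_PLATED):
        print(f"{c.name}: residual ALE {residual_ale(OPT_OUT_SEND, c):,.0f}, "
              f"ROSI {rosi(OPT_OUT_SEND, c):.2f}")
    best = pick_control(OPT_OUT_SEND, [BASIC_CPM, GOLD_PLATED], tolerance=100_000)
    print("within tolerance with best ROSI:", best.name)
```

With a 100,000 tolerance both controls qualify and the cheaper platform wins on ROSI; lowering the tolerance to 20,000 flips the choice to the costlier option, which is the over- versus under-controlling trade-off the talk describes.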
How Cassie helps:
Cassie’s flexible architecture allows organizations to tailor consent experiences and enforcement levels based on risk profiles, jurisdictions, and business priorities. This enables a balanced approach—one that respects user rights while supporting data activation and personalization at scale.
5. Privacy as a driver of personalization and growth
Finally, Lisa made a compelling case for privacy as a growth enabler. When customers trust a brand with their data, they’re more likely to engage—and that data can be used to deliver personalized experiences that drive revenue.
“It’s astounding how personalization drives both revenue and customer satisfaction.”
In sectors like healthcare and financial services, this means delivering relevant, timely, and compliant experiences that meet real needs. Privacy isn’t just about avoiding fines—it’s about unlocking value.
How Cassie helps:
Cassie bridges the gap between compliance and customer experience. By capturing and honoring preferences in real time, it empowers marketing and product teams to deliver personalized journeys that are both compliant and trusted. The result? Higher engagement, stronger loyalty, and a competitive edge.
Final thoughts?
“Consent management isn’t just a compliance checkbox—it’s a strategic control that underpins customer trust and business agility. What I appreciate about consent management platforms like Cassie is their ability to adapt to evolving regulations while enabling organizations to activate data responsibly. Cassie supports the kind of risk-aligned, customer-centric approach we need—one that helps privacy leaders speak the language of the board, quantify risk, and demonstrate real value. It’s not just about avoiding fines; it’s about enabling growth through trusted data use.”
Lisa Brzycki, Information and Cyber Risk Executive, Eli Lilly