ICQ Log - Data Protection & Information Security:

Interview with a DPO  


Last Updated: 29 March 2021

In this interview Caroline discussed the role of a DPO, including the challenges for DPOs in 2021, the skills required to excel in this role, advice she would give to those starting in their career and effective data protection culture within organisations. 

Is the outlook for DPOs in 2021 more or less uncertain than last year?

Technology changes rapidly, so a degree of adjustment will always be part of a DPO’s job. However, right now the current landscape has never been more certain for DPOs. Driven in part by higher privacy expectations from the general public, we are seeing and can expect: greater levels of enforcement, additional guidance from regulators; more engagement and attention from senior business leaders than ever before; all of which is taking place in an increasingly globalised data protection environment.

How do you think the role has changed in recent years?

Since GDPR and the increase of data protection awareness among business hierarchies, the job has shifted from its legalistic focus on compliance, to a more strategic and cross-functional role. Data protection is no longer a niche issue devolved to IT and Legal departments - it now cuts across all departments and you’d struggle to find a serious executive who didn’t acknowledge its importance in terms of reputation, customer journey and business performance.

What skills should a successful DPO possess?

The modern DPO needs a variety of skills. First and foremost is integrity, as the DPO is in a position of trust with access to confidential and sensitive information. Second comes diplomacy, as we tend to have numerous stakeholders across an organisation; being able to understand and balance their competing needs and priorities is key.

Also DPOs need a certain degree of humility. The challenges we face are complicated and ever-evolving. It’s important to acknowledge when you need a second opinion in order to be in an even better position to advise the business.

What advice would you give to a DPO starting out in their career?

Learn from those that came before you - taking on the role in 2021 is quite different to those who were contemplating becoming DPOs in 2017 during the pre-GDPR readiness era. Nurture relationships with DPOs from a variety of sectors who can act as a sounding board.

Develop your soft skills especially communication, influencing and people management. These skills are equally as important to the modern DPO as knowledge about privacy, security and compliance. Lastly, expect the unexpected...It’s a career with lots of interesting challenges to overcome. Our profession has changed rapidly and so have the problems we need to solve. This is why it’s important to stay humble to new ways of doing things.

Have you found any qualifications particularly beneficial to your role?

Qualifications certainly play a role and there are some useful ones out there to get you up to speed. However, the key is to stay curious during your career and take every opportunity to keep learning, which has never been easier with conferences and webinars going virtual. Things change quickly so you need to stay on top of what’s happening in data protection right now - rather than rely on what you learnt in years past.

In your opinion, will Brexit or Schrems II have more impact on Irish companies’ data protection activities?

Now that the European Commission has issued a draft adequacy decision, essentially accepting that the UK data protection regime affords adequate protections for EU data subjects, there may have been a collective sigh of relief among certain companies. While an EDPB opinion is yet to issue and the draft decision will need the green light from representatives of the EU Member States, it provides some assurance about the continuing free flow of data between the EU and UK. Nevertheless the implications of Schrems II endure. How that impacts Irish companies depends on how they are structured and the extent of their international footprint. The true impact of Schrems will become clearer when the EDPB release their final recommendations. This is one we’ll all be watching closely.

Do you think the Schrems II decision will result in fewer companies using Standard Contractual Clauses or seeking alternative options?

It’s difficult to say…when you consider what are the viable alternatives? Companies generally appear to be considering all options and willing to actively engage while also seeking confidence in a measure that will have a certain degree of longevity. Recent comments of the judge rapporteur of the CJEU who was involved in the Schrems II case and the final paragraph of that judgment itself suggests that Article 49 derogations may have a broader role to play. Finally, US-EU engagement on data sharing arrangements at a political level is crucial and will influence the next stage of developments.

What does an effective data protection culture look like within an organisation?

A strong data protection culture is one in which employees connect privacy risks to their own roles and personal lives. They understand how to operationalise data protection policies and adhere to the organisation’s security measures. If things go wrong - and they will in every business from time to time - they know how and when to surface potential issues. It also means support from the top. At TikTok, it’s something our senior leaders take very seriously. One such recent example, when my proposal to convert Data Protection Day into a month long internal Privacy Awareness Month was fully supported and encouraged.

How can DPOs create greater awareness of data protection within their business?

Consistency is critical when it comes to data protection, so make sure you’re regularly reminding your colleagues about its importance. Traditional methods really do work - breaking down the message into bite size chunks and infographics via different company channels - IM, resource hubs, newsletters - and securing speaking slots in company wide or department level meetings to explain key processes, new developments and remind everyone of best practice. Executive video testimonials can also be powerful. Get creative. At TikTok, we regularly use the platform to explain important issues to both our community and our colleagues. For example, we launched an educational video series - ‘You’re in Control’ - using top creators to present TikTok’s safety and privacy controls in an accessible and engaging fashion. The videos can also be accessed directly in-app @TikTokTips. 

Does remote working make the job of DPO more challenging?

Fundamentally yes. It’s much harder to build trust and maintain relationships across the company, especially with those from different departments, without the organic discussions that can happen in person and which are often crucial for DPOs to leverage for insights. It takes a deliberate effort to prioritise scheduling virtual coffees. Q If you had one data protection wish for 2021, what would it be? A An ever greater expansion of two crucial concepts enshrined in GDPR; data protection by design and by default, which not only benefits society as a whole at a macro level, it also makes the job of a DPO much easier when data privacy features and data privacy enhancing technologies are embedded directly into the design of projects at an early stage.

Lawyer Photo

Interview with: Caroline  Goulding

Data Protection Officer | IAPP Women Leading Privacy Advisory Board | Founder DPO Network

ICQ Spring Edition 2021

This article was taken from the ACOI's ICQ Autumn Edition 2021