🔒 Changing landscape for privacy professionals and DPOs
Cloudflare is recognizing Data Privacy Day 2022 with a special series of fireside chats. This session features Sandro Sandri, in conversation with Tilly Lang, Cloudflare Senior Counsel, Privacy.
Sandro Sandri is CEO and Co-Founder at Bright Compass - Data Protection Services, a firm working to enhance trust through privacy and data protection.
Sandro previously was Data Protection Manager at Sonae MC, an invited lecturer at NOVA School of Law in Lisbon, Portugal, and served in privacy and data protection roles at HewardMills and Monzo Bank. He has a postgraduate diploma in Computer and Communications law from Queen Mary University of London, with core modules including Data Protection Law, E-Commerce Law, Information Security and the Law, Digital Intellectual Property Law, and Information Technologies Transactions.
Happy Data Privacy Day everybody and thank you so much for joining us for the session on the Changing Landscape for Privacy Professionals and DPOs, which stands for Data Protection Officers.
I'm really happy to have Sandro here from Bright Compass to talk us through and give us some key tips.
So Sandro, may I pass over to you to introduce yourself?
Sure. Hi Tilly and Data, Happy Data Privacy Day to everyone. Yes, so I'm a data protection practitioner at my own firm where we help SMEs in Portugal in terms of helping them implement and optimize data protection programs.
And I have experience both in -house and as a consultant in various jurisdictions as a data protection practitioner.
It's great to be here. Great.
Perfect. Well, as it's Data Privacy Day, I think the best question to start off with is, how did you get into data privacy?
Sure. I mean, I think the thing that excites me the most about data privacy is that when you really think about it, you're really talking about fundamental rights.
So it comes down to how do we ensure that we are respecting users and online citizens' privacy rights, mental rights.
And for me, that's what really got me hooked up on privacy. Because I was an explorer in my life where I was thinking, what is actually going to be determined in the future in the next 10, 15, 20 years?
And data protection rights will always pop up.
So that's the main reason why I just pursued this career.
I'm just so glad, so happy that I did. Yeah, that's what they say. There's never a dull moment working in privacy is there, especially over the last couple of years.
But I feel that the next few years going forward as well, even though I don't have a crystal ball, will also be full of a lot of changes and excitement.
Yeah, I think so as well.
So one thing I wanted to discuss is you mentioned during your career, you've worked both in-house and also for consultancies as a data practitioner.
And I was just wondering if you could talk us through some of the key differences that you've experienced in both of those different working environments, especially from a privacy program perspective.
Because obviously, it's coming at the same kind of problems, but through two different lenses.
So I'd be really interested to hear your thoughts on that.
Sure. I mean, obviously, I would say there are two main differences.
One is operationalization. And how well can you actually make the program work by being in -house versus acting as an external consultant?
And also keeping in mind the fact that by being an external consultant, you also need to have a kind of a commercial mindset as well.
Whereas in -house practitioner, that is second or third thought.
But for me, it's never about how much you are into it, because I've had experiences as an external consultant where I and my colleagues were so invested in just making things work from the outset.
So it's the human factor. It's how well are you embedded within the team, either you're talking about a client of yours or your actual organization.
And it's about also reporting lines.
You need to make sure as an external consultant that you're very clear on how you communicate to the organization.
Whereas when you work in-house, you need to understand the different ways that the different business functions work.
And I think as well, one of the things that must be quite different is just working in kind of...
I imagine when you're on the consultancy side, working with a lot of different industries as well, where you're kind of in-house, you're obviously focused on what your organization's priorities are.
Sure. I mean, that's a very valid point.
I mean, sometimes when you are... Actually, from my experience, I've worked in-house in two big retailers in different countries, and you kind of get this siloed approach in terms of you look at data privacy just from that mindset, in particular from the end consumer mindset.
But as soon as you get consultancy and you see how broad data privacy can be and how many applications you can have from the legal industry to tech, even more industrial applications, when you think about when you have a factory with 2000 employees, you also need to have massive considerations around employee privacy as well, even though you don't have any deal with that detail.
So I think that's the topic of this event being the landscape for privacy professionals.
If you can have a bit of both, I think that really strengthens your profile as a practitioner because you can have access to so many different ways of working, mentalities, tools as well.
And so talk us through what sort of a normal day for you looks like in your organization.
If there's anything that keeps you up at night, what keeps you up at night, what gets you up in the morning and sort of brings you out of bed to start the day?
So what we do at Right Compass, it's different from a consultancy point of view than what I've done in the past already, because we work to support SMEs and startups, particularly in the country, Portugal.
And the main challenges in this part of the world is how do we actually make our case heard in terms of there needs to be a lot of sensitivity around who's new to the profession.
And in some jurisdictions where maturity levels are still evolving a little bit more, that's kind of the challenge that you need to face and be patient in terms of, I need my client in the position that I'm working with to be able to actually understand the reason why this is necessary and how are we actually going to embed basic principles such as immunization and in everything that they do.
Whereas working with larger international global organizations, we will already know that there are some things that most of these or level people, they already know.
So I think it's around sensitivity and how flexible you can be in terms of making your case heard.
And what we do every day, we support a lot around the basic procedures that some of them still don't have, like helping them set up their records of processing activities, what is an EPIA and why should you actually be using it rather than just not running an assessment and see how things work.
And we help organizations support them with their subject access requests.
We actually monitor requests for them in terms of we are the first point of touch and that we get in touch with them.
So we try to externalize this data privacy office function rather than just giving them an extra layer of work.
And I think that for SMEs working as an external data protection consultant, that's probably the way it should work right now.
Things are always evolving on that. We never know what's going to happen in a year.
And also just on the back of that, obviously there's been a growing awareness of data protection globally and more data protection laws being enacted globally as well.
So how have organizations sort of found adapting to that and also the sort of growing awareness that individuals are having of their privacy rights globally as well?
I'd just like to sort of hear your thoughts on that.
We've been having some interaction, for example, with Brazil, which is such an exciting transition that there's lots of potential.
It's a massive market if you use that word.
And for example, with Brazil, when you compare how fast they have matured versus some European jurisdictions, when we go back to 2018, it seems like they got the sensitivity for this kind of data.
They got it quite right in terms of it feels like in six to 12 months, they got faster to where they should be.
And what happened with the GDPR in some of these cases. And we also see, we're also following the developments in China and what's their new data privacy law.
How's that going to impact low data protection law as well, especially around the role of the NGO, which is so crucial.
And they are imposing some potential for imposing liability for the role of the NGO.
And it's interesting to think, is this a tendency?
Are we actually going to start seeing these in some other jurisdictions that are coming up with their own data protection laws?
I think these two jurisdictions are the ones that are really more interesting.
But definitely, if we talk about data protection, all of their protection laws, there's something in Brazil, that's the US, right?
And what's actually going to happen with SRAMs 2?
Are we going to have SRAMs 3? Are we going to have a third Prima Secha, Shield, Safe Harbor?
That's the hottest topic for me at the moment. In the data protection world, especially if you consider the latest decision from the US NDPA around analytics as well, which is very interesting, because again, it puts the focus on these kind of technologies.
Yeah, absolutely. Well, thanks so much. And then also, I suppose, just tying on from what you said there.
So, I mean, what strategic kind of advice do you provide organizations to make sure that they're sort of meeting all their sort of privacy requirements globally?
And as you mentioned, sort of Brazil enacted their privacy law and China's enacted theirs.
So, there's lots of sort of privacy laws coming into place where there's similarities between them, but also there are nuances between the different laws as well.
So, I was just wondering what your thoughts are around that and sort of what organizations should prioritize to make sure that they are meeting all those requirements?
I think this is probably one of the biggest challenges for most of the data protection practitioners out there, in terms of how do you actually match up all these different jurisdictions?
And what's the approach that you should take? Should you take a minimalistic approach, just implement the GDPR principles and see how well they shift in Brazil, in India or anything?
Or should we take a more maximalistic approach and a more preventive approach in terms of let's take the worst case scenario, the most strict law and just go with it?
Because at the end of the day, when you do what I do, which is I support businesses, I provide advice.
We also need always to have in mind that they are businesses, they are meant to actually produce, make money, make a profit.
And this commercial mindset needs to be in there and you need to work with the businesses, even if we are in -house as well.
And sometimes I see some colleagues that have an approach that is very rigid or strict.
And it's okay. But the downside of being a purist is that most of the times things don't actually get done.
So there's a very fine balance in terms of making sure that we respect fundamental rights as much as possible.
But at the same time, there needs to be innovation and progress.
And to make it worse, this needs to happen globally, right?
Not just in the US or the UK or Portugal, but in all these different jurisdictions with so many nuances and differences in terms of their own information.
And it brings me to one of the challenges that I just mentioned, which is innovation.
How are we actually ready to not only pass legislation that is adapted to a world that is actually evolving, but then do we have regulations that are prepared to enforce this kind of legislation that actually understand the technology that top technology companies are developing?
And then the third line is how do we actually ensure that these organizations not only have the sensitivity to understand that they are the first line of defense of our citizens' rights, but that the fact that they actually take this as a principled approach will actually increase their value.
And that's the main thing about that. And I talked with my clients a lot about this, which is you're not just doing this in order to protect the company and your clients.
You're actually doing this because the company will be more valuable. Because by setting up a data protection program and optimizing it, you are actually developing a tangible asset.
As any other asset that a musician has, like its own tax program or its labor program, then you also have your own program.
So yeah, I mean, global data protection laws will definitely pose these kind of challenges, especially around innovation.
And it's going to be very interesting to see what we're going to be able to do.
Yeah. Perfect. And you touched upon that you help a number of startup organizations and also smaller organizations.
But what do you think are the key things to think about, or differences, I should say, between startups and where there's a lot of high innovation, and then also multinationals, where there is still this high innovation, but also this much larger footprint?
And so what are your thoughts with that in terms of building in privacy considerations?
Well, for me, it always starts with governance. And governance has many layers.
But even when you are dealing with a four-people operation, you start right out of college, and you need to make sure that, you know, from top to bottom, everyone understands what the impact of their decision is.
Even if we're not just talking about data protection, about everything, but specifically about it.
And once you get that, you know, at least that's my first approach, that's the first thing that I do.
I try to just have a session with the main companies in the business.
And once that's done, it's about implementing basic procedures, which is something that a large organization is very tough to do.
It takes, it will take around a year to sometimes to set up a rate of processing, optimizing it, monitoring it, and make sure that you discuss with every single business function.
Whereas startups and small organizations, it's a great opportunity also for the clients, because most of the times they actually realized that they were doing some stuff that wasn't that different.
So the journey begins there.
And this journey just creates a narrative for these smaller companies that actually helps them with their compliance program.
In my view, you know, just setting up this narrative that starts with an investment in, you know, caring about your customers, about your employees, the kind of evidences, you know, to the regulators, to any third parties, to your clients as well, that you are taking this seriously, and that you're taking the first step.
And the first step can be an audit, implementation, and roadmap for the year.
And I think you have your rates of processing, your DPIA set up, your data security request, and incident management, you know, procedure also set up.
So if we, you know, take a lot of inspiration, I mean, those are the things that we kind of use to work with DSMEs.
Yeah. Yeah, great. Thank you. And I think as well, you know, it's part of the title of the segment, sort of data protection officers, and kind of their role in the organization.
And I think it's important to kind of touch on DPOs and, you know, what's sort of the role of the DPO is in organizations, and also how that's sort of changing as well.
Like we've seen a number of privacy laws being enacted that are requiring sort of DPOs.
So there's definitely an evolution there. But I was wondering if you'd be able to provide us with a bit of background to the role of the DPO, and then also sort of give some flavor in terms of how the role is developing as well.
That would be great. Sure. I mean, the background of the DPO is something that it's one of the oldest discussions in privacy in terms of when it came up.
And it's not recent, because in many jurisdictions, you know, you already had a DPO for the last 10, 15 years.
But it's kind of an assumption in some countries that the person best suited to be the DPO should be a lawyer.
Someone actually understands and knows how to interpret the laws.
Whereas in other jurisdictions, we see that, you know, for technical employees, you know, some ideas of security would also be shown, would also be best suited to be the DPO.
And as with mostly everything, the virtue is in the middle, right?
So you definitely do have someone who, yes, kind of knows how to interpret laws from a basic standpoint.
But for me, it's crucial to have a risk -based approach more than, you know, from a legal or IT sector.
And understanding how to, what actually the risk is, how to identify it, how to report it, how to suggest mitigation controls, how to register such risks.
Because as soon as you start to look at these processes as, you know, kind of a waterfall, it turns out, I've seen something, you know, waving this red flag.
Should I wait for someone to sort this out? Or am I a piece of the puzzle?
And, you know, and the principle of responsibility is also, you know, embedded here.
I think that DPOs need to have a hands-on approach. But sometimes that's kind of hard to achieve, because you also need to maintain the independence of the DPO, right?
I've seen DPOs that, well, they do everything, you know, they respond to the social requests, they carry out the DTIAs, they manage the data breach.
And I've also seen, you know, different kind of DPOs where they basically monitor everything that's going on.
And, you know, different business functions will actually be the ones in charge of ensuring that the principle of responsibility is respected.
I kind of prefer the later one, the later approach, because for me, it's just evidence as how the whole organization is invested into ensuring that also the role of the DPO is being respected, rather than just giving everything to the DPO.
And then, you know, you just, this is your job, you are the focus, the point, the nexus of things we will see.
It's not like that. And that's why in some companies, you will see that, you know, yes, you have a DPO, but you also have a Chief Privacy Officer.
And the way that it works is that the DPO has responsibility, yes, for kind of monitoring, understanding the risks, it seems to be around compliance, but the CPO, the Chief Privacy Officer, makes sure that the procedures are operationalized.
And, you know, he or she is the one who actually looks at it on a daily basis.
And I like that approach. But again, you need to have the resources to have not only one DPO, but SCPO, maybe different teams.
It's not doable.
So, in less mature jurisdictions, I mean, you know, in less evolved companies, you will definitely see a DPO that has a more hands-on approach.
There's nothing wrong with that, as long as we understand that, you know, in order to achieve the next maturity level, the DPO needs to start stepping back, just making sure that he or she has that.
And yeah, in terms of background, I think you don't need to be a lawyer, you don't need to be a techie to be a DPO.
You need to make sure that the first thing on your mind is the data subject, right?
And after that, you can think about what space for the company, and not the other way around.
So thanks for that, because it's definitely a topic that has a lot of debate around it, especially as you mentioned in the privacy field.
But we also talked about, you know, companies sort of setting up their privacy programs, and maybe kind of, what I like to say, getting to the starting line, almost.
But in terms of what, you know, advice to organizations that are maturing their privacy programs, and also like the importance of making sure that sort of your privacy documentation is updated and relevant.
What advice would you have for privacy professionals out there to make sure, you know, that they are sort of keeping their documents up to date regarding the processing that their organization's doing, and also that their privacy program sort of is at the maturity level that it needs to be at?
Well, obviously, the most basic answer that I can give you is, you definitely need to have buy-in from the whole organization, especially at the top.
Otherwise, it's going to be very challenging to actually implement stuff, and it's going to be very exhausting.
It's going to be exhausting as a privacy practitioner to make sure that, you know, these specific privacy processing activity has been updated.
Because at the end of the day, the way I see it, I as a data protection manager, analyst, consultant, whatever, I shouldn't be the one who is updating records of processing.
For example, I should be supporting a business function who is in charge of doing that.
Otherwise, how do you ensure that, you know, the principle of contribution is respected?
If me, who is here to just look out for our citizens' rights, for data subjects' rights, you know, it shouldn't be that person's work.
It should be, you know, the guy or the woman who works at marketing or at the sales department.
We need to be able to evidence that these functions, they also take you seriously.
Yeah, no, absolutely. Thank you.
And then also, I mean, what would you say the three challenges, top challenges, I should say, for privacy professionals in 2022, but also over the past couple of years as well?
Well, I mean, I think that the hardest topic, the biggest challenge for everyone is to understand what's going to happen in the future.
This is unavoidable. Not only as a privacy professional, but you need to be able to understand, to be able to interpret the court's decision and how's that going to impact regulators around the globe, particularly in the EU.
We've seen some countries that have, you know, just issued some decisions on this topic.
And it is already having a massive impact with legal teams, with data protection teams, because you need to make sure that your contractual reviews are up to date.
And this is one of the biggest challenges for these right now is, you know, some years ago, starting contractual clauses was just a formality.
Some people would say that. And right now, businesses are beginning to take it seriously as they should.
We've also created the Europe Transfer Impact Assessment, which is something that existed some years ago.
So there's a lot in terms of evidencing now that not only your work as a company is compliant, but that the jurisdiction where you're working with is also compliant, which is going to be tough in some jurisdictions.
And I suppose, you know, the challenge per se, but an advice that I would give to everyone who is in privacy and wants to get into privacy, and get everything, you know, written down, written evidence is, you know, what you should always go for.
And just not for, it's not about protecting yourself or anything like that.
But sometimes we're talking about things that are so technical, and so dense, and that can have such a great impact to the company, that you need to have time to focus and understand what's going on.
And the thing is, things do tend to change really quickly in this field, especially with these decisions that I've just mentioned.
So you need to have your reasoning written down, because sometimes that reasoning might be used as a defense, or as a way to evidence your compliance efforts.
Perfect. Well, I mean, thank you so much, Sandro, for joining us on today's segment, and I wish you a happy Data Privacy Day.
Thank you so much. And we'll see what 2022 has in store for us.