Beatriz Ruiz-Beato is the DPO for NEC in Europe, the Middle East and Africa. While she’s focusing on these regions, she’s collaborating with the global organization to harmonize and coordinate privacy efforts – including driving implementation of DPOrganizer.
Can you tell us a bit about what NEC does?
NEC is a Japanese technology and electronics company, offering IT network solutions for the public and private sector. Right now, we are focused on 5G, big data analytics, tracking of biometric data and cloud. From a privacy point of view, I’m thinking a lot about behavioural patterns we see in analytics as well as biometrics – like facial recognition, iris and vein scans – since they are very sensitive types of data that need to be managed carefully.
What has been your biggest privacy challenge so far?
The amount of unstructured data we had across our global offices was by far our biggest challenge. I’m managing different countries with different perspectives on privacy matters, which makes everything a bit more difficult to put together in a harmonised way. From a global point of view, when you are trying to use the European model as the standard, you have lots of conflicts with different privacy laws around the world.
You can often come across regions where local actors believe that their law is more restrictive than GDPR. That may have been true five years ago, but now global privacy regulations are more harmonised. And since every country is using their own models and templates, not only is there a lack of data harmonisation, but all of the data used to be mapped in the countries’ respective languages, which didn’t help things.
How did you manage privacy before getting DPOrganizer?
NEC was mapping data, but everything was unharmonised and buried across spreadsheets and emails. It was difficult to update, control and track. If we’d suffered a data breach or received a data subject request, it would have been very hard to track permissions. Even in our centralised system, data mapping contained no references to the systems used by each country or where it was located.
Was there a specific point when you needed a solution?
We realised that there’s no way to properly review our data mapping in our spreadsheet solution, and if we were subject to an investigation, we wouldn’t have a proper inventory. So I started looking at all the solutions out there.
What do you value the most about DPOrganizer?
The tool is very easy to use, both for me as a privacy professional and for my colleagues outside the privacy team. Other tools are much more complex, making it especially difficult when you involve stakeholders who are not used to sitting in a privacy tool every day.
I also like that the tool is flexible, so we could adapt dashboards to fit different country requirements. Being able to display information differently depending on what data we gather in a specific region, while keeping the data from all countries centralised in the tool, made it much easier to manage.
The team at DPOrganizer is in general also very friendly. You were doing a lot of things to help while purchasing, and we had several video sessions to understand how the tool works. Once we had purchased the tool, I really appreciated all the time you spent helping us transition our data from our current spreadsheets into the tool.
Do you have a favourite feature?
Finding a better way of managing our ROPA was my priority, and the time I’ve spent on that has been cut way down. But the assessment feature is also great, because it’s very easy for stakeholders to fill in. The DPIAs especially used to be very complex to fulfil for stakeholders – they were shocked when they saw the previous document we used. Now that we have switched to your version, the process has become much smoother. And since we don’t need a separate system for DPIAs, we now have all that data linked to our register of activities.
Overall, both for me and my stakeholders, getting something done in DPOrganizer takes only 50 percent of the time it did in our previous solutions.
I also really like the reports, since you can basically make them instantly in the tool.
If you were to give advice to anyone looking at tools, what would you tell them?
Don’t pick a complex or fancy-looking solution. If you deal with multiple regions and models, people won’t get it, and then they won’t use it. You need to have a tool that was created by someone who’s worked with privacy. The role of a privacy professional is abstract, and few people outside the field know what your challenges are, so many other tools in the market think from a technical perspective, but not from a privacy pro’s perspective.