Who owns personal data under GDPR?

This article is by our founder, and former Data Protection Officer, Egil Bergenlind. DPOrganizer is based in Stockholm, Sweden. Our software helps businesses across the world map, report, visualize and manage their processing of personal data.

A key challenge and responsibility of any specialist in any organisation is to make oneself understood by the organisation. If not, life can become difficult. That is also true for Data Protection Officers.

When I worked as a DPO, I approached my work this way. Before initiating a project, suggesting an improvement or raising a problem, I made sure everyone involved was on the same page.

Anyone who has worked with data protection knows that a successful data protection program starts with buy-in and training – both from and to all parts of the organisation, management included.

Data protection is not a job for just one person. You will not achieve much unless decision-makers are involved and your colleagues understand what data protection is and why it is important.

But involving the organisation is more than just explaining legal definitions, regulatory risks and do’s and don’ts.

In my experience, you have to start with the why.

Why do the rules exist? What is the legislator trying to achieve and how should we approach the requirements taking into account the fundamental principles of the regulatory frameworks?

One fundamental question is the one of personal data ownership.

Who actually owns personal data? If this question is discussed early on in a GDPR project and everyone is aligned around it, the rest of the work will follow much more smoothly.

So who owns personal data? Is it the physical person to whom personal data relates, i.e. the data subject?

Or is it the company that invested time and money in collecting, creating, refining, analyzing and understanding the personal data? (And in many cases, to create great products and services for its customers.)

The GDPR does not explicitly give us an answer on personal data ownership, and I will not in this post dissect the question. (In my view though, more and more legal experts argue that personal data is owned by the data subjects, rather than the data controller.)

What does follow from the GDPR, however, is that data subjects should be in control of their personal data.

Data subjects are given the tools necessary to exercise their rights to privacy, the right to be in control of how their personal data is processed.

I have met many C-level personnel over the years who think about this differently. “Our company invested in getting this data, and therefore it should be ours to use as we please”.

That approach is a problem.

If a company believes that the data belongs to them, it will be difficult to understand why they would need to be transparent in how it is being used or delete it on the data subject’s request. Or perhaps the most difficult one: to have to transfer it to a competitor for them to use for their benefit!

If the company instead understands and agrees that personal data may only be used in compliance with the data subjects’ rightful expectations, and agrees that it is reasonable considering the company is entitled to neither ownership nor full control, building a successful compliance program is easier.

My point is this:

Not everyone in the organisation needs to understand every detail of the GDPR. But certain basics, such as personal ownership and control, are crucial to align on, as they will set the tone for the work to be done.

In addition to always emphasizing how much the company can gain from dealing with personal data in a fair and responsible manner, my recommendation to DPOs is to make sure all stakeholders understand the basics.

That way, change will be possible with a lot less resistance and with more focus on the positive effects.

Maybe the business will still not be excited about having to delete personal data or transfer it to a competitor, but the response will likely be less hostile and more focused on trying to find a pragmatic way forward that can work for both the company and the data subjects. (I’ll leave it unsaid if that is possible.)

Let’s use a comparison most of us can relate to.

Personal data is sometimes described as a new currency. It can serve as a good example to compare personal data held by a company with the financial world: money held by a bank.

Imagine if a bank wouldn’t want to return savings or transfer it to a competitor upon the customer’s request. They would probably be out of business pretty soon, or at least they should be. The comparison may not be perfect, but it’s a good one to get the message through.

How does your organisation set a good culture around data protection?
