I spoke to over 50 DPOs, here's what I learned...
27 Mar 2019
Over the past 3 months I have spoken to over 50 Data Protection Officers at large B2C companies across the pharmaceutical, finance, technology, media, health care, and telco industries.
Here are my 5 key takeaways:
(N.B.: This isn’t a survey commissioned by some big corporate to make things seem incredibly optimistic.)
1. There’s an unpredictable and vast spectrum of attitudes
Some companies treat data privacy as a business priority. Others don’t care about it. And most are somewhere in between. Here’s an approximate breakdown:
- 85% want to tick the box. This cohort thinks it’s important enough to invest how much it takes for a consultant or legal firm to tell them “you’re not going to be fined”. Once someone has given them that assurance, they move on.
- 5% see an opportunity. These companies are thinking about data privacy more strategically. They want to confidently tell their customers “we respect your data” by putting data transparency and control first. They are building in a competitive advantage.
What’s confusing is: there are only weak similarities between the companies in each category.
It’s noticeable that companies born in heavily regulated industries (e.g. pharmaceutical) are treating it with more importance. But it also depends on a variety of other factors such as how the DPO responsibility was assigned departmentally.
As such, you can talk to one company and they’ll tell you that data privacy is a huge priority to the business. Then talk to a direct competitor just down the road and they’ll tell you the exact opposite — they don’t care. 💁♂️
2. Education and awareness are still broken
- What is personal data?
- Surely we can just anonymise it?
- Can we store it outside the EU?
- What effect does Brexit have?
These are the types of questions flying around companies (mostly aimed at the DPO). And for most DPOs, answering them (along with the plethora of others) has been a significant part of their job over the last 12 months.
The DPOs that seem to be achieving the most success are the ones who have taken data privacy outside the walls of their office/department and spawned a new sub-culture across the organisation. These DPOs have empowered employees with videos, presentations, workshops, “ask-me-anything”s, privacy stewards, etc., so that employees can continue to execute their roles within the modern data privacy framework.
Saying “this and that is not allowed anymore” is not enough; employees require education and a huge amount of support.
3. Dealing with third parties is the biggest challenge
Consent, accountability, records of processing, security… every DPO has their unique challenges. But there is one challenge that seems to be present among all DPOs: third parties (😬).
I’m not surprised.
Running an efficient online business is almost impossible without the use of third parties (AWS, Google, Shopify, Intercom, Stripe, PayPal…). But they expose a company to a risk which the company itself can’t control. Sure, DPIAs help, but they don’t nullify the risk that a third party abuses a company’s customers’ data and the company ends up being the one paying the price.
I foresee significant change happening in this area. Especially in the technical and automated management of third party relationships.
4. The consumer (or data subject) still isn’t top-of-mind
People trying to fix data privacy problems inside their organisation gravitate towards tick-the-box solutions, and few sit back and figure out how to answer the question:
“How does this build increased trust with our customers?”
And this non-customer-centric attitude is manifested across the web as we see it today. We are all familiar with these things now:
- Confusing cookie notices that don’t actually respect our data;
- The difficulty of making a data subject access request;
- The horribly long privacy policies that make us fall asleep.
Most companies see the value of complying with the GDPR as de-risking the large fines at play. (I.e. a bottom-line mentality.)
Hardly any companies — yet — identify the implicit value in building long-term relationships with their customers through increased trust. (I.e. top-line mentality.)
5. No company is perfectly compliant
DPOs of online businesses are very honest about this. (Are you surprised?)
Technology has been built over many years without privacy in mind. Reversing that isn’t going to happen overnight. It’s a long journey on which companies are slowly making progress. But the current non-automated and non-scalable approaches will only get so far.
I suspect big changes at a more fundamental level of the tech stack over the coming years that put privacy at the very core of online businesses. Only then will we achieve true privacy by design and default.
If you’re a DPO with different feelings, I’d love to hear from you. Email me on firstname.lastname@example.org
If you want to hear more about my learnings, follow me on twitter
If you like what you read, read more of my stuff here
If you’re curious what Metomic is, join our next public event here