Over the past 3 months I have spoken to over 50 Data Protection Officers at large B2C companies across the pharmaceutical, finance, technology, media, health care, and telco industries.
Here are my 5 key takeaways:
(N.B.: This isn’t a survey commissioned by some big corporate to make things seem incredibly optimistic.)
Some companies treat data privacy as a business priority. Others don’t care about it. And most are somewhere in between. Here’s an approximate breakdown:
What’s confusing is: there are very weak similarities between the companies in each category.
It’s noticeable that companies born in heavily regulated industries (e.g. pharmaceutical) are treating it with more importance. But it also depends on a variety of other factors such as how the DPO responsibility was assigned departmentally.
As such, you can talk to one company and they’ll tell you that data privacy is a huge priority to the business. Then talk to a direct competitor just down the road and they’ll tell you the exact opposite — they don’t care. 💁‍♂️
These are the types of questions flying around companies (mostly aimed at the DPO). And for most DPOs, answering them (along with the plethora of others) has been a significant part of their job over the last 12 months.
The DPOs that seem to be achieving the most success are the ones who have taken data privacy outside the walls of their office/department and spawned a new sub-culture across the organisation. These DPOs have empowered employees with videos, presentations, workshops, “ask-me-anything”s, privacy stewards, etc., so that employees can continue to execute their roles within the modern data privacy framework.
Saying “this and that is not allowed anymore” is not enough; employees require education and a huge amount of support.
Consent, accountability, records of processing, security, … every DPO has their unique challenges. But there is one challenge that seems to be present among all DPOs: Third parties (😬).
I’m not surprised.
Running an efficient online business is almost impossible without the use of third parties (AWS, Google, Shopify, Intercom, Stripe, PayPal, …). But they expose a company to a risk which the company itself can’t control. Sure, DPIAs help, but they don’t nullify the risk that a third party abuses a company’s customers’ data and the company ends up being the one paying the price.
I foresee significant change happening in this area. Especially in the technical and automated management of third party relationships.
People trying to fix data privacy problems inside their organisation gravitate towards tick-the-box solutions, and few sit back and figure out how to answer the question:
“How does this build increased trust with our customers?”
And this non-customer-centric attitude is manifested across the web as we see it today. We are all familiar with these things now:
Most companies see the value of complying with the GDPR as de-risking the large fines at play. (I.e. a bottom-line mentality.)
Hardly any companies — yet — identify the implicit value in building long-term relationships with their customers through increased trust. (I.e. top-line mentality.)
DPOs of online businesses are very honest about this. (Are you surprised?)
Technology has been built over many years without privacy in mind. Reversing that isn’t going to happen overnight. It’s a long journey on which companies are slowly making progress. But the current non-automated and non-scalable approaches will only get so far.
I suspect big changes at a more fundamental level of the tech stack over the coming years that put privacy at the very core of online businesses. Only then will we achieve true privacy by design and default.