Data Protection Officer at Yoti Ltd
Q1. What do you enjoy most about being a DPO?
Feeling like you’re actually making a difference to people’s privacy by helping your company get to where it wants to go, but in a privacy-friendly way. Knowing that your input had a positive influence on a new product or feature really makes the job worthwhile. I also enjoy being a DPO at a company whose values and principles align with my own, and who really do care about privacy and security and getting it right.
Q2. What data protection topic(s) would you most like to see updated guidance on and why?
In general, I find a lot of ICO guidance too vague and simplistic, so while there is a lot of it on different topics, it never deals with the complex scenarios you actually come across in practice. (The one exception being the marketing guidance which is comprehensive, clear and has endured.) Topics not yet covered I’d like to see guidance on are:
How non-EU companies doing business in the EU but with no EU establishments should actually comply with the GDPR representative requirement.
How to deal with transfers where you have an EU controller > EU service provider (processor) > non-EU processor. There are no model clauses for this scenario and there is no direct contractual relationship between the EU controller and the non-EU sub-processor.
Q3. What was the biggest challenge you had to overcome in 2018?
Implementing GDPR compliance measures as the sole data protection person in a fast-growing and fast-moving technology company without getting in the way of product development efforts and technology innovation.
Q4. What advice would you give to someone looking to move into a DPO role?
Decide what it is you actually want to do. The DPO role can mean different things to different people, and can vary by country. It can cover a broad range of activities from big-picture strategy and governance to drafting and reviewing policies to dealing with access requests and recording training done in spreadsheets.
Understand that knowing and being able to explain what the law requires is not enough. You need a mix of skills, and you need to be able to help your company with practical implementation solutions communicated in their language.
Decide if you want to be part of a team or work solo. Decide if you want to lead on the topic or not. Decide what types of companies / sectors you would be happy working in. Answering these questions will help you narrow down the right role in the right company.
Q5. What do you see as the major challenge(s) in the year ahead?
It can sometimes be difficult to maintain people’s enthusiasm or interest in compliance measures once you move from implementing them to keeping them ticking over, particularly the ones requiring more paperwork where there is no immediate or obvious connection to improving or maintaining individuals’ privacy (one negative effect of GDPR).
Brexit also presents some challenges as small companies are not in a position to plan for multiple scenarios and then just press play on whichever comes to pass.
For more information on Emma Butler and Yoti Ltd, please visit:
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.