Deputy Group Data Protection Officer at Springer Nature
Q1. What do you enjoy most about being a DPO?
Being the DPO allows me to understand the operational aspects of the business as well as learning more about the products and services that we offer.
We operate a number of different publishing activities for both domestic and international markets in the UK, Europe and further afield.
I enjoy being able to connect with colleagues to advise on how they can make the best use of the data that they have or want to collect and to explain to them our centralised strategic approach to data protection, and how they fit into that global approach. The DPO role allows me to connect with operational teams as well as senior management, so being able to cascade down managerial support for data protection when I am visiting various offices within the company undertaking roadshows and workshops.
Q2. What data protection topic(s) would you most like to see updated guidance on and why?
Clarification on standards for information security with respect to data protection would be helpful. The concept that information security is “appropriate” for the data is not that helpful.
A key area for me is to enforce standard behaviours around data handling across our organisation and having updated guidance would be helpful in that regard. Also improved guidance on how data can be used across organisations.
Big Data is something that organisations can embrace, understanding more about their content and their customers, but only with the correct data protection mechanisms in place and I would welcome further guidance on how that can be achieved.
Q3. What was the biggest challenge you had to overcome in 2018?
The biggest challenge for me was the preparation and installation of systems and processes to capture Article 30 records of processing activities. With literally thousands of different data processes taking place every day in the organisation, recording all of these was a huge task.
It was clear that a commercial application would be needed, and it took a while to find the best option for us. Then it was looking at how we can record the varying types and uses of data to meet the recording requirement. This took some trial and error and needed the support of other departments in the organisation to get it right. As we have a very complex legal structure, with many systems, processes and data sources, getting everything ready for the May 2018 deadline was not easy.
Q4. What advice would you give to someone looking to move into a DPO role?
When moving into a DPO role it can be daunting. I would suggest undertaking some initial training in the basics of GDPR and legislation and at a later stage an exam and a qualification. In the early days of data protection in the UK you could learn on the job and focus on the UK regulator as your barometer for all matters DP.
In theory the GDPR is supposed to unify the approach to data protection but, as we are seeing, many countries are adding their own twist to implementation and regulation, so you have to make sure you are up to date on all of these developments. Also, it’s important to understand who your lead regulator is. You may be in the UK for example as part of a European-wide organisation but the lead authority of your organisation may be in Germany or France, for example.
Patience will also be key. You will need to explain to colleagues how things have changed and what it means for them. With key requirements of accountability and transparency it’s letting your colleagues know that they have to justify the use of the data, not you as DPO. The data is their clients, their contacts, their systems and products. They have to provide the accountability and transparency.
It’s no easy task. In companies with complex legal structures it can be a tough job to explain to colleagues that the structure of the organisation can affect what products and services it can market and how and to whom.
Q5. What do you see as the major challenge(s) in the year ahead?
2019 will be a year of apprehension around the implications of Brexit and what changes will need to happen around how we process data. Will we need to convert data processing agreements to model clauses agreements if the UK leaves the EU? What will be the impact on inbound and outbound international data transfers? Lots of unknowns.
2019 will see us continuing our accountability and transparency activities and we need to continue to monitor these whilst keeping an eye on regulators’ updates and guidelines to ensure we are operating to their requirements.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.