2022-10-21

At Medianama’s PrivacyNama 2022 event, four privacy officers shared insights into how they help organisations adopt a ‘data-friendly’ approach and what challenges companies face while dealing with data. They discussed a range of subjects, from data localisation and cross-border transfers to managing data breaches. This article, based on the virtual discussion held on October 7, 2022, will help readers better understand the role and functions of a privacy officer.

Session timestamp: 3:08

Session Chair: Rahul Narayan (Advocate, Supreme Court)

Speakers: Ali Khan (Head: Governance, Risk, Compliance & Audit, ZS Associates Inc.), Ivana Bartoletti (Global Data Privacy Officer at Wipro), Monika Tomczak-Gorlikowska (Chief Privacy Officer of Prosus N.V.), and Raditya Kosasih (Group Data Protection Officer, Gojek)

Working as a privacy officer

When asked about her work as a privacy officer, Ivana Bartoletti said, “whoever works in privacy at the moment knows that there is never a quiet moment”. She added that the role of a privacy officer is not limited to making data processing agreements or overseeing privacy programs, but extends to how an organisation applies privacy at the intersection with other disciplines. She stressed the importance of lawyers and IT professionals working together to solve problems. Earlier, lawyers and IT professionals would not understand each other, but now it has become important for a programmer working on artificial intelligence to understand the meaning of fairness from a legal and ethical standpoint.

Dealing with multiple Data Protection Authorities

Regarding this, Bartoletti stressed three important points:

The officer needs to be aware of the different processes for reporting a data breach in each jurisdiction.

Even a basic term like “identifiable data” is defined differently in different jurisdictions.

It is a good idea to have team members focused on specific jurisdictions, which helps in moving ahead quickly with plans. A breadth of knowledge is needed in the team.

Data officer without a law degree

The session chair, Rahul Narayan, asked Ali Khan if it is essential to be a lawyer to become a privacy officer. It is not just about complying with legal requirements, he responded. There are other things to look at as well: “…you need to have a RoPA in place, when you’ve got information sharing you need to have your SCC coming into play, you need to perform DPIs when you’ve got critical sensitive identifiable data coming into your systems and where is it placed and so on.”

Legality comes into play in questions such as how secure a person’s data is and whether that data is being misused. “So not being a lawyer, I think I love to focus about the point on individualistic consent.” He shared an example where an app was selecting the option to store payment information by default, even after the RBI announced that apps cannot store a customer’s card information without explicit authorisation. Khan questioned whether this can be called “implied” consent.

Role of a privacy officer

Khan believes that the role of a privacy officer should start right at the time of ideation, even before the design stages. This does not usually happen with people working in the field, he said.

Privacy officers should act as auditors

Khan said that privacy officers should not act as unofficial policemen. Having an ‘enforcement’ of rules mindset is not the right way to go, he added.

We say that risk and compliances are your first and second line of defenses, these are business enablers, audit is your third line of defense which is also a tool for continuous improvement. It also depends on the audit and compliance professionals’ personal behaviour on how they want to make business feel that comfort that we are enablers, we are providing you with insight that could be a tool for improvement and (we’re) not somebody standing with a yardstick and say you have crossed the line.

Working as a privacy officer for an investment firm


Monika Tomczak-Gorlikowska said she helps the companies in which her firm invests to mature, create, develop and improve their privacy programs.

She makes sure that these companies are able to demonstrate certain standards based on a set group policy.

She concurred with Khan’s approach and said that they invest in companies to “persuade them with the approach that they will be able to grow organically” and ultimately create a situation where the end goal is for privacy to become an enabler of growth.

“All of this is very much pull rather than push and it’s very much on the capacity you bring to those companies” – Monika Tomczak-Gorlikowska

“So the audit is really like sort of last of those methods that we use and I think we also managed to persuade our companies that you know audit is an enabler of the ability for them to identify those areas where they need to improve and we have worked a lot with our audit function to make sure that this model is properly understood by both sides.” – Monika Tomczak-Gorlikowska

The role of a privacy officer extends to providing companies “with a framework where there is a specific person in that room which will be the privacy leader for that organization depending on its size and location who is going to be there and who is going to be able to communicate effectively with their business and tech counterparts, product and tech people using the right language, having the right skills and I think as we all mentioned the world is not getting an easier place in terms of regulatory developments.” – Monika Tomczak-Gorlikowska

The concept of minimum privacy standards

Narayan asked Gorlikowska if there is a minimum benchmark for privacy rules when dealing with different jurisdictions. She answered, “we have a set of minimum standards which are very much based on some globally accepted principles based on FAIR information principles and some more globally accepted principles”. As companies operate in different jurisdictions, they are subject to different requirements, such as the GDPR in Europe or the LGPD in Brazil, she added. “But there’s a common set of standards that have to be adhered to regardless (of) whether the local jurisdiction has or doesn’t have that type of requirements.”

Data protection in South-East Asia

When asked how countries are looking at the GDPR while framing their privacy laws, Raditya Kosasih said that the environment in European countries and in South-East Asian countries is quite different. “People in European Union, I think they’re very careful when they want to share information. For example, like the picture of kids right, so it’s data about children but minors, so they’re really careful in sharing those kind of data. But people in Asia, they like to share everything on social media. So I think when you want to adopt the principles in Europe and put it in your local laws, you need to be very careful because I think the characteristic of people is very different and the type of evaluation can be very different as well,” he added. He went on to say that in his country, Indonesia, incidents based on social engineering continue to happen: “People try to call someone and act as if they’re on behalf of a company or a bank and try to get people’s personal information – those kinds of stuff still happening and it’s still the main issue in Indonesia and I think in other countries in Southeast Asia,” said Kosasih.

“So I think if you want to adopt the golden rules of privacy for example like GDPR you need to be very careful and make sure that the citizen or the public also have a good awareness or digital literacy. Make sure that they really understand the data privacy law before you adopt those principles because otherwise I think you can have the law but the enforcement is not there yet.” – Raditya Kosasih

Dealing with data localisation and cross-border transfer of data

Gorlikowska said no company has a silver-bullet solution for dealing with cross-border transfers and data localisation norms. Data localisation can be an expensive affair, she said.

“In my past professional [experience] […] I went through the trauma of actually adhering to a number of data localization regimes globally for you know for all systems and sort of in a big centralized businesses and it is not simple, it costs a lot of money and you basically need to rework your entire governance of the program sometimes.”

In Turkey, she said, the obstacle is not a hard localisation requirement but the absence of rules that enable the transfer of data outside the country. Gorlikowska went on to add that creating a set of standards that enable transfers “within the group” is very important, and that it is a continuous journey that will require numerous ‘updations’.

Bartoletti said, “There is this drive to technological sovereignty, the idea that somehow in the independent world, we’re all in the interdependent world, we can be tech sovereign and an idea of sovereignty which is rather a sort of closure rather than the ability to stand strong in the global supply chain.”

Speaking about the transfer of personal data, including sensitive health information, Khan said that his organisation faces stringent requirements in some of the markets where it operates. There are countries with administrative compliance requirements that do not permit certain data transfers, but there are also countries that even “have restrictions put on technical grounds,” he added.

“…let’s look at China, cross-border data transfer is a big deal there. It’s a growing market we cannot avoid in any manner, we need to work and learn to work with the regulators to meet with the compliances. So there are some places where there’s a hard stop, you must adhere or else you cannot operate” – Ali Khan

Kosasih said that countries in South-East Asia are trying to facilitate cross-border data transfer but they want to do it properly with a set of rules to protect consumer interests.

Dealing with a data breach

Dealing with a data breach does not merely involve reporting to the regulatory authority within a specific period of time. It is also about finding out what personal data was breached, how it was compromised, its impact and how such incidents can be avoided, said Khan.

He also said that at the time of a breach, regulators expect a company to be transparent, and that is what Khan’s team would do.

However, there is also the question of why the company is being put on the stand and not the “oppressor”.

At the time of the data breach is when “the industry, the authorities as well as a collaborative forum needs to come together and say you know we stand by you, we all are one, understand the pain, we understand the hurt, let’s recover together and let’s be bold enough to accept we are all victims, till that point of time we do not embrace this pain, I think we are giving an opportunity to the Cyber threat actors to breach us, to find avenues to steal our data”

In case of a data breach, the role of a privacy officer is to guide the team in the right direction and to “make sure that the team can contain the issue properly and make sure there is no further data breach going on in the group of the companies”, said Kosasih.

Drafting a ‘perfect’ data protection law

The session chair asked the panelists how they would draft a ‘perfect’ data protection law.

Kosasih would add “local nuances that also relate to the characteristic of the people in that country”. To ensure the law is interpreted correctly, Kosasih would also add the ways in which laws will be implemented.

Gorlikowska said she would promote accountability, enable innovation and avoid bureaucracy in her law if she were to draft it.

Bartoletti said, “for me first of all, it has to be centred on sort of people’s autonomies, people’s freedoms and human rights”. Next, she would add relevant provisions for sandbox experiments for innovation and for bringing together human rights and respect for individual dignity.

Khan said he would focus on transparency, equal accountability for regulators, organisations and government, and adding elements of innovation and collaboration.

Privacy in the future

Bartoletti believes that legislation around the world is trying to curb the power of algorithms and their “increasing power in terms of editing the news that we see, making policy decisions about the allocation of funds or deciding whether we have got access to a loan”.

“…security on one side has a lot of collaboration that goes on within the fraternity, privacy is a building line, right? We yet need forums and places where we all can connect, collaborate and talk more, discuss our pain points, evolve more grow together”, said Khan.

Kosasih said the upcoming challenge would be “how we can be very transparent like really make sure that we being transparent to our user on how we use data and process data in this kind of area.”

Gorlikowska said privacy officers need to earn a seat at the bigger table, alongside the AI teams and data teams, and work in collaboration with them. She highlighted the importance of taking a more fundamental approach, such as helping key people in the organisation understand principles like fairness.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

