Articles

5 Actionable Lessons From the World’s Top DPOs

Business
Mine Staff
Mine Staff
Aug 16, 2023
8
min read
5 Actionable Lessons From the World’s Top DPOs

Being a privacy professional or a Data Protection Officer (DPO) is no easy feat. In today's digital age, data is being collected and used in ways we could never have imagined, and it's the DPO's job to make sure that this data is protected. With new privacy laws being passed and new technologies being developed, the role of the DPO is constantly evolving.

That's why we've interviewed 10 of the best DPOs in the world, representing companies like Microsoft, Wix, Cloudflare, Grindr, Logitech, ASOS, and Udemy and compiled their tips & practices right here.

1. The powerful benefits of a global standard

The most common attribute of the best DPOs is that they give users worldwide easy access to their data privacy policies, and have a global policy that applies to all users globally in the same way (no matter where they live).

According to Julia Glidden, Microsoft's CVP of Worldwide Public Sector, Microsoft was “the first company to expand the core rights of the EU’s GDPR to all of our clients around the world” — and it seems that many companies followed their lead.

iRobot also shares this policy. Their DPO Bethany Singer Baefsky told us that “any customer, regardless of where they are in the world, can log into the app or website and request account deletion.”

The reasoning behind this is fairly simple: As Amdoc's Avishay Klein and Klarna's Filip Johnssen put it, we live in a global world, and it’s too late to stop digitization; everyone should be treated equally.In today’s reality, companies have to expect more and more countries to add privacy regulations, and also consumers to be demanding of certain rights no matter their location. The solution to all this is to embrace a unified, global standard.Microsoft's CVP of Worldwide Public Sector DPO told us Amdocs’ Klarna’s

The two biggest benefits of creating a global privacy standard for your users are:

1. Having time: No need to check “Where is this user from?” every time you deal with data. Say goodbye to having a fragmented process for different requests, and have your bases covered for all

2. Increasing brand trust: As consumers become more aware of their privacy rights, they will appreciate and respect companies that provide them regardless of location.

2. Innovative ways to handle privacy requests

How can privacy professionals reduce their workload when it comes to handling privacy requests (such as deletion, copy, access, and more)? Many of the Top DPOs manage what could be redundant tasks through an innovative approach.

  • Proper identification: Specifically for DSARs, Wix DPO Lior Saar told us that “the right to access might be a sweet target for malicious parties to easily get their hands on personal data [...] therefore users’ identification is critical to ensure data will be transferred to the right hands."
  • Use a 3rd party solution: Udemy DPO Edward Hu emphasizes the importance of a 3rd party solution to manage privacy requests: “I’ve managed data subject requests manually, using only email and spreadsheets, and the difference is huge."Having a third-party solution also centralizes all of that information into a single place so that you can demonstrate your compliance should the need arise.
  • Reduce the manual requirements for submitting privacy requests: As ASOS DPO James de Cort told us, it’s important to streamline the process both for the company and for the users. This could include having a dedicated structured form for submitting requests, and automated workflows to handle them on the company side.
  • Ask for feedback: According to Filip Johnssen, it’s important to listen to your customers when it comes to their privacy experience (especially when submitting DSRs or DSARs): “We listen to all feedback from customers, read all guidelines and decisions from authorities, and constantly update the processes to become better and better. We also ask our customers about feedback more actively, instead of passively waiting for incoming complaints. I think that is something more companies should do."
  • Create the right processes: “The key," Logitech's Global Head of Privacy Emerald de Leeuw told us, “is to have great processes and to ensure the relevant people follow them. This means providing training, writing the process down, and monitoring whether your process works over time."

3. It’s all about transparency & choice

If you're looking to build trust with your users, one of the best things you can do is give them control over their data privacy. Transparency is also key in reassuring users that you're keeping their information safe.

A. More control may increase conversion rates

According to Saar, “We were truly surprised that after implementing our consent banner on Wix, we witnessed an increase in our conversion rates in certain [locations]. We augmented our users’ trust and received improved conversion in return, it’s so simple as that.”

B. Transparency builds trust

De Cort told us, “I’m really proud of our Privacy Notice, which forms the agreement between us and our customers on all the data we collect and what we do with it. We’ve taken steps to continually improve and help our customers understand their choices and the benefits of sharing their data with us. We’ve also embedded privacy information in the customer journey, making it clear and simple whenever we are collecting data, building trust with our customers. We’ve made it clear what the benefit is if they choose to share their body shape or size information or how we provide specific recommendations on the latest fashion choices.”

Cloudfare DPO Emily Hancock noted they'd also taken steps towards transparency: “A new Data Localisation Suite, GDPR FAQs, and a new Cloudflare Trust Hub were just a few of the deliverables that came from our team’s work.”

C. The benefit of simplifying your privacy language

Take Klarna's approach on this matter: “I focus a lot on my customers and consider my output as products for these customers. I ask myself how I can best serve my customers and provide them with the best product. By doing this, I set myself free from being too ‘lawyerish’.”

Wix's tactic, going with an easy to understand privacy policy, is also interesting: “Our primary goal is to make sure our users understand what and for which purposes Wix uses its users’ data. Most importantly, in plain English (that is why we have our #ItsThatEasy part in our Privacy Policy).”

D. Features that empower users

Grindr is an example of of a company that develops features to empower users: “In addition to existing in-app controls like screenshot blocking,” Grindr DPO Ron de Jesus told us, “allowing users to hide their distance and profiles from searches, and in-app blocking and reporting functions, we’ve developed a HolisticSecurity Guide that educates our users on safety both on and off the app. And our program ‘Grindr forEquality’ collaborates with local LGBTQ+ advocacy groups around the world, using the app’s global reach to deploy health and safety information, including to LGBTQ+ people facing particular hardships.”

E. Always opt-in

Inspired by iRobot's approach, we recommend building product features that require data processing (for example, smart home integrations) as fully opt-in.

Pro tip! You can offer more transparency and choice to your users by creating a Privacy Center that enables them to easily submit requests for data access or erasure with a structured form (instead of requiring them to send an email to your privacy team).

4. Recruiting other teams to “think privacy”

When it comes to managing privacy aspects in a company, cross-department collaboration is essential. No single department can do it all on its own – it takes a team effort. that’s why it’s so important to recruit other teams to “think Privacy”. By getting everyone on board, you can make sure that all bases are covered and that no stone is left unturned.

Almost all DPOs we’ve talked with declared the importance of working with other teams:

  • "We’re working cross-functionally with our legal, policy, security, sales, marketing, product, and engineering teams,” Hancock said.
  • “The people at Udemy understand that respecting privacy as a right is an indispensable part of achieving that mission,” Hu noted.
  • “Compliance with data privacy is all about defining and implementing correct processes to allow relevant stakeholders to ‘think privacy’ and mitigate risks in all relevant streams (vendor management, IT controls, data transfers, and more),” Klein detailed.

On raising awareness among employees, Logitech’s Emerald de Leeuw told us:

"Everyone is a human first. Privacy is about us all and the key is to ensure everyone understands this. Our data is in the hands of companies everywhere, we all want those companies to treat us fairly and to comply with the law in respect of the data we trust them with. Once everyone understands that the data they work with belongs to real people, just like us, who trust us, it is easier to make the connection, and it is not about "checking a box." It is now about doing the right thing, which is much easier and less boring than a compliance task."

Collaborate on the same privacy software

To follow the steps of giants, we recommend managing all of your privacy tasks in a unified platform. And with “unified,” we mean making sure that anyone who is important as part of the process that should be able to access it can so you have one organized hub. You may restrict access for some team members, but it’s important to have a singular point of interaction.

Bonus tip! How to get other teams to “think privacy”?


AmDocs' Avishay Klein gave us his two cents: “It’s about educating stakeholders to ask the correct questions with respect to the relevant activity. For example, do I need to collect or share all this personal data in order to complete the task at hand? Did I check if I am allowed to use such data for the relevant purpose? Did I check with IT and Security that data is being secured and managed adequately? And so on. By asking the correct and intuitive questions,“thinking privacy” becomes easy.”

5. Privacy by design & by default

Once you get all teams on board with your way of thinking (see previous lesson), start working on implementing privacy to the very initial steps of your company’s product development.

A good way of doing this is through implementing it at each stage in creating systems and products- so that any data collected can stay out hands who shouldn’t have them!

When designing a system or product there are many steps that companies should take into account including having a policy on what type information gathering activities will occur during manufacture; coding personal details onto nonessential components where possible (withhold these if necessary); ensuring anonymity across platforms — meaning no unnecessary linking back between user sessions online.

Take Wix's approach as inspiration for this lesson: “Part of doing the best product is saying that privacy principles should be incorporated into the product design from scratch. It should not be an afterthought or something to cross off the checklist. Part of our efforts in building the best products out there involves (among other things) gaining our users’ trust by dealing with their data in a respectable way. By the way, as you all know, this is exactly ‘Privacy by Design.’"

Another interesting perspective is one from iRobot's Bethany Singer Baefsky, telling us: “Data Protection is, by necessity, a company-wide effort, so relationship-building across the board is critical. That’s where the storytelling part comes in. Narratives answer the “why” behind the “what” and are essential in cultivating a culture of privacy-by-design and by default."

The benefit of privacy-by-design

As Udemy's Edward Hu puts it, “the advantage of using a principles-based framework to design a privacy program is that the core requirements will be the same for any individual”, regardless of the type of user they are."

If, for example, your company would expand its offering to new audiences in the future, privacy by-design principles will assure that their privacy is secured, "built in."