A data protection officer working for human rights in the digital era
GDPR is not just a law. It is a basic human right! Meet Lyng: a data protection officer (DPO) who believes that the key to success in implementing GDPR in any organisation is to understand how the rules can work in favour of the organisation, its departments and its customers.
Lyng is DPO at Emento. Emento is a communications platform that makes it easy for public institutions to communicate with citizens.
“Emento started out by focusing on the communication friction that often exists when a patient undergoes an extensive medical or surgical treatment. Patients often don't know what they are about to enter or what they will face. Before Emento, patients were just overloaded with information that nobody in a critical situation is capable of fully understanding. At Emento we want to change that by informing the patient only of what is relevant to know, when it is relevant to know. Step-by-step information,” explains Lyng.
The system is equipped with a timeline that makes it easy for the patient to understand what has happened and what is going to happen.
“Well, it's all about communication, communication and then some more communication. Quite similar to my role as DPO, where communication is a must-have skill. If you can't communicate properly you won't succeed as a DPO,” continues Lyng.
Lyng holds a bachelor's degree in Business Administration and International Management and a master's degree in Innovation and Business Development from Aarhus University.
Today Lyng has three roles/titles at Emento: 1) Business Developer, which is her primary role, 2) the company's official DPO, and 3) General Secretary of TRUST (responsible for implementing ISO 27002).
How did you end up becoming the DPO?
“It came quite naturally. When you work in a company like Emento, that has grown from the stage of being a startup to a senior startup today, you help where you can, and you have many different roles along the way. Roles that don't necessarily always fit your educational background. And in my case, I was responsible for the job of getting audit statements for our solution at Emento (more specifically for ISO 27002) and implementing GDPR controls. And then it sort of took off from there,” Lyng explains.
“But bear in mind. As a private company you are not necessarily obliged to have a DPO. But after a while when it was almost certain that we would land some major contracts which would undoubtedly lead to many active users on our platform, we felt we couldn't postpone the inevitable. And due to my previous involvement I became in charge.”
How is your DPO role different from other DPOs at other companies?
“The main difference is that I carry three different titles. This is something you need to be extremely aware of since the role as DPO should act as an independent organ inside the organization. Because of the conflict of interest that it brings along, you need to be constantly aware of when you act as business developer and when you act as DPO to avoid conflicts.”
“Besides that I feel very fortunate due to the amount of management attention GDPR gets inside our organisation. Our management team commits to one full day monthly to work solely on GDPR-matters. This makes my job so much easier.”
Lyng explains that for a business like Emento, management attention to GDPR also comes quite naturally, since handling personal data is part of their core business. Even though Emento is still a fairly young company, their customers (public institutions like hospitals etc.) don't distinguish between whether one of their vendors has 10 or 1000 employees. They all need to follow the same rules and are treated equally.
Tell me about a typical day as DPO - what does it look like?
“I continuously check if we have received any requests from our registered users. They typically come from our support function and are normally handled there. However, most users can handle their own requests via the Emento system. I guess that's why we don't get so many requests. We get around one or two requests per month and they are usually related to the deletion of personal information. And most often in situations where a user has created a profile by mistake. We mostly never hear anything from returning users, even though we expected more requests to begin with.”
Lyng then makes sure that the relevant people inside Emento remember to delete the information. Another part of her daily job is to check that the data processor agreements that they have entered into with their suppliers are followed. Moreover, training and educating the organisation in GDPR also takes up much of Lyng's time.
“A lot of people don't understand what GDPR's section about security is all about - for example what technical measures mean. Why do you get a key card for instance? Why does it have to be ‘follow-me-print’? Moreover, we spend a lot of time educating how you handle a data request, and how you need to react if you receive the wrong information. Other things like what you can share with your customers and what we are allowed to do with customer information also take up a lot of training time.”
“Besides that I spend a lot of time talking and listening to the organisation. I try not to enforce GDPR like just another law we should strictly follow. I believe the key to success is to turn things a bit around. Instead of policing people, I try to listen to their challenges and what they are trying to accomplish. And then I find ways that GDPR can actually help them achieve just that. Otherwise, GDPR becomes just another law with a list of things we need to put a checkmark on. And that will in my opinion not lead to a wholehearted implementation of the regulation.”
“On a more personal note, I believe that GDPR serves a basic human right. And I encourage all people working with GDPR to remember that. If you apply that mindset and look beyond the directive and remember why GDPR was implemented in the first place, it becomes easier to work with GDPR and to get your organisation along. It becomes purpose driven! I love to cite Pernille Tranberg (a data ethics advisor) for her quote: ‘You should treat your customers' data like you would have someone else to treat your kids' data.’ It makes perfect sense and most people can agree to that. This helps to see the greater picture and in the long run it also makes perfect business sense.”
What tools are you using?
“We don't have so many digital tools right now. Focus has mostly been on processes - then we can talk about tools later. To some extent we use our own tool (Emento). Then we use Permido to ensure end-to-end encryption of emails. And then we use the project management tool.”
Looking outside Emento, what do you think is needed in terms of anonymization and redaction of data?
“Well the need for anonymizing data can be used in many different scenarios - for example when archiving data, in innovation projects, when exchanging data to third parties etc. The obvious benefit is that by anonymizing your data completely, you exempt it from GDPR. But it requires that it is not possible to reengineer the information. So security is a very important part when looking for a software redaction tool (like Cleardox). And of course, it needs to be easy to redact personal data like names, email addresses, phone numbers and other personal identifiers. But a software redaction tool should ideally also be able to detect and redact indirect identifiers, such as work title plus company name. Otherwise, the reader can figure out who the person is.”
What are some of the challenging parts that you encounter in working with GDPR?
“The ability to juggle around three different jobs at the same time is a challenge. Not only because of the inherent and constant conflict of interest you face. But also because it is a lot of work. Unlike larger organisations, we don't have a lot of support functions (like legal) that can help us do the job. So we have to do a lot of the stuff ourselves. That is also why my aim is to outsource part of the work to the different departments like HR, IT and the like. The limited resources force us to think creatively about delegating tasks. But it also serves the greater purpose of getting the entire organisation involved and familiar with GDPR.”
“In addition, I think it is a challenge to find proper metrics to measure how well you are doing with the implementation and how compliant you are. All our work needs to be documented and presented to management from time to time, so we need some ways to measure it. But how do you measure progress? Handling time? Number of policies implemented? Number of complaints and in relation to what? Participation in training? It's all very subjective and not necessarily a measure of success - merely an indicator at best.”
“Furthermore, I spend a lot of time working with our Article 30 register. It's time consuming and challenging. This is where we to a higher degree need to involve and delegate tasks to the organization in order to make the implementation scalable going forward.”
“Finally, I spent time collecting new ISAE 3000 and ISAE 3402 statements. That needs to be done every year. I follow up on the rights of our registered users. I make sure deletion of data has been completed. I make sure that we have the user approvals before we collect and store data. I frequently test our emergency procedures. I test our data risk analysis and make sure they are up to date. I report to management on a continuous basis, and I make sure I'm up to date with case law. All that is part of our yearly cycle.”
Now let's turn our attention to GDPR at a macro level. What would you wish were different in the articles and in the way it has been enforced across nation states?
“One thing I can't explain is why private companies and government institutions are treated differently when it comes to sanctions. The incentive to follow the rules is in my opinion skewed in favour of public institutions who are less punished if things go bad. Why? I do understand that for public institutions, potential bigger fines will end up being paid by the citizens, which is of course not fair. So I do see the dilemma, but the Danish Data Protection Authority has other tools too which I haven't seen used - at least so far.”
“Coming back to my point made earlier, I miss a deeper focus in our communication on why we implement these rules in the first place - that GDPR is a basic human right. I wish that the EU and the different nation states had spent more time communicating the importance of that. Instead we spend time talking about rules we need to follow. Data ethics could and should be more present in the debate and in the implementation of the rules. Otherwise we risk that GDPR becomes this annoying checklist you need to complete, and it all becomes very superficial and insincere.”
All right, Lyng. It is time to finish. But before we round off: what is the best advice you can give to a new DPO?
“Great question. I think the key lies in good communication and great stakeholder management. It's not a one man's show. Avoid thinking in rules we need to follow. But focus on the overall storytelling and how the rules can actually help the different people inside the organisation achieve their goals and thus the overall business goals. So a focus on communication and the right framing. That's probably the best advice I can give. The rest is merely a matter of technicality.”
On behalf of the entire Cleardox team, we sincerely thank Lyng and the Emento team for her story and the willingness to share it with us.