In this article we want to spotlight a data protection officer based on 10 questions they were asked by DPI.
Céline Nactergal, Data Protection Officer at Nagelmackers, is this month's DPO.
1 How did you end up in the role of DPO?
I arrived in the field of data protection fairly recently. I have a Master’s degree in Communication & Advertising, which, without any logic, led me to work for 15 years in Human Resources at the Nagelmackers bank, in a fairly cross-functional role of statistics and project monitoring. In this role, I was my department’s GDPR representative. When the position of DPO opened up internally, I didn’t hesitate for long to take on this new challenge.
2 Which part of the tasks of a DPO do you prefer?
I don’t have a preference for any particular assignment, it’s more the variety of tasks and the independence of the position that makes it interesting for me. The field of data protection and risk management is constantly evolving. Personal data is everywhere in the banking sector, European legislators are prolific, fraudsters are creative and case law is constantly evolving, so there’s never a dull moment as DPO!
3 Which event in the privacy landscape has affected you the most to date?
This is more of a general reflection on privacy protection. Many companies still have some way to go when it comes to raising awareness of their responsibilities, as do many of the people concerned, who are not very well informed on the subject. It has become clear that “Data is the new gold”. And the arrival of artificial intelligence, which feeds on data, will only accelerate this trend. Even so, the average person is often unaware of the amount of data concerning him or her, which is processed in a variety of ways.
4 How would you describe the role of DPO in your company?
As a small bank, we don’t have the large, multi-disciplinary teams that can be found in larger companies. Each link in the chain needs to be versatile and able to touch on all aspects of his or her chosen field.
With this in mind, and given the cross-functional nature of the GDPR, a high level of collaboration between all the bank’s departments is really necessary, as the GDPR cannot be dissociated from legal and IT matters.
5 What do you think is the biggest challenge for a DPO?
I can think of two: the uncertainty inherent in the subject of data protection, and the difficulty of staying in one’s place in this function.
As far as uncertainty is concerned, in today’s world, it’s no longer a question of if we’ll ever suffer a data leak, but when. Similarly, all IT systems are constantly evolving. So we can never rest on our laurels, we have to remain constantly vigilant and keep abreast of all developments, both internal and external.
As far as the role of DPO is concerned, by this I mean remaining in the role of DPO as described by the GDPR, i.e. a role of support, information and advice, both to one’s company and to its employees, or to any of its customers who may call upon it. The temptation is often great to switch to the role of project manager, in order to bring cross-functional GDPR projects to a successful conclusion, if the business struggles to find the necessary resources, but it’s up to each individual to take his or her share of responsibility, and to the operational departments to implement the GDPR in practice.
6 Which technological evolution do you think has the most impact on data protection (positive/negative)?
The advent and widespread use of artificial intelligence, which brings with it as many opportunities as risks, is certainly one of the biggest challenges facing DPOs today.
7 What are your experiences in the contact between the DPO and the data subject/supervisor?
Relations with data subjects mainly concern requests to exercise their rights. As far as I’m concerned, these requests are handled internally by the ‘Complaints & Privacy’ team, and in collaboration, for the most complex cases. It is currently rare for us to receive direct questions from data subjects about the processing of their data.
8 What is your golden tip for getting data protection and information security higher on management’s agenda?
Very often, what speaks to decision-makers is presenting the balance between data management and operational, reputational or legal risks. The fact that we increasingly see fines from Data Protection Authorities in the press is also advancing management awareness. The challenge is to succeed in presenting the GDPR not as yet another control or constraint, but as a genuine opportunity for improvement.
Internally, the GDPR is an integral part of the Management Committee’s focus points. Detailed reporting on GDPR compliance is carried out quarterly, directly from the DPO to the Committee itself.
On a positive note, I can see that the maturity of the various players, whether in terms of GDPR or risk in general, is constantly improving.
9 What is your Swiss army knife as a DPO?
Collaboration and information.
Collaboration between the various internal departments is essential when dealing with a cross-functional issue such as GDPR. There are no ready-made instructions for achieving GDPR compliance: the issues raised have to be dealt with on a case-by-case basis, and the support of the Legal, Compliance and IT teams is essential. A privacy representative has also been appointed in each internal department, to act as a relay for GDPR issues within the department.
Similarly, it’s vital to keep everyone in the company informed. The GDPR is very often seen as an “impediment to going round in circles”, preventing business from working, putting barriers in the way of prospecting, or complicating processes. But if the whys and wherefores are explained in a clear and accessible way, or if the benefits of such and such actions are presented to colleagues as if they were the people concerned themselves (“How would you react if you knew that such and such processing was being carried out with your data? How would you react if you knew that your bank was planning to share your data in this way? – What if it was your children’s data?”), the message immediately gets across better.
10 How do you keep up with new trends in GDPR technology and legislation?
The subject is vast and constantly evolving. So I try to stay as informed as possible via specialized websites, the sites of data protection authorities for example, or ad hoc groups on social networks.
There are also a growing number of seminars and training courses on the subject. The banking sector also has a dedicated working group within Febelfin (Belgian Federation of the Financial Sector).
As for Belgian and international case law on the subject, I’ve been taking part in the ‘Stay Tuned as DPO’ sessions organized by the Data Protection Institute for the past 2 years. In addition to the dense material analyzed for us by experts at each ‘Stay Tuned’ session, the opportunity to meet and exchange views with other DPOs is a real plus.