We interviewed Tarun Samtani, Global DPO at Boden, to discuss the challenges he faces within his role as a DPO at a global retailer that's undergoing a period of sustained growth.
As the DPO of a global retailer, what are the main challenges you currently face in your role?
The biggest challenge I see in this role is the fast-paced, continuously moving target. When you work for a business where the growth appetite is 3 times in 5 years (i.e. growing from £350m to £1bn), every single piece of the business is changing on a daily basis. Learning about the changing environment and guiding the business teams, as well as the Board, on various decisions can be the most challenging part.
Another challenge is to get business teams to own the risk for any of the decisions they take. Most business teams think their risk is limited only to the activity they are looking to do, not to Data Protection. With every engagement, I make them realise it’s also the risk they own on the use of data that will be involved in that activity.
At the end of the day, I am an advisor, so my role is to identify the risk of using personal data in their activities, assign a risk level, give them options for risk treatment and help them choose the right risk decisions. Then they are responsible to the Board for any risks they own.
How do the challenges of your role differ from your previous experience gained across other sectors?
Honestly, not so much, because most of the businesses I have worked in over the past few years have been fast-paced businesses, which I am so used to now.
One of the challenges in my previous role in Pharma was learning their language and terminology. Each team would talk so differently when asked about the data they hold or process. Terms such as Pharmacovigilance and TMFs would just go over my head at the start, and it took me a little while to get used to it, but it was very rewarding to learn different things in a new environment.
How do you overcome the challenges of being a Data Protection Officer whose responsibilities sit across several different markets and jurisdictions, ensuring that different areas of the business take responsibility and understand data related risks?
This is the most interesting part of the role, in my opinion. What may be completely acceptable to do in terms of marketing in the UK may not go down so well in France and may be completely unacceptable in Germany. And it may be easier to do in the US due to less restrictive laws. But as a DPO, I have to ensure that the most restrictive laws are applied across the business and markets, to ensure some consistency as well as to be more conservative about Privacy in general for all consumers, irrespective of their location.
Again, you have to balance this very carefully with the business interests in the commercial sense. You do not want the business to suffer solely because the laws do not allow any flexibility. So this is where you have to work with the lawyers, ensuring we balance the privacy rights of individuals against the things that the business would like to do with their data.
When it comes to assigning responsibility to the business teams, I think I have learnt very well how to deal with this in the past few years.
How did you go about getting the buy-in from senior leadership and the board required for a long-term cultural shift and process changes required for ongoing GDPR compliance?
This is a very good question, and I think this requires good support and Governance on the Data Protection programme.
Firstly, I ensure we have a regular monthly update to the Board on the Data Protection challenges across the business, highlighting any support required for the next steps in the programme. This is chaired by me with the Board and is very well attended, which itself shows good support from the Senior Leadership and the Board.
Secondly, I ensure any new risks have been identified and highlighted to the Board with a view to getting a steer on the risk treatment options. Generally, these would have already been discussed with the Business Risk owner, including the treatment options, thus gaining their support in advance. In the meeting, they support the case as they own the risk and thus take on the responsibility for the risk. The Board takes the decision on whether they are within the acceptable levels for the business and whether there is ownership of it.
Thirdly, since I report directly to the Board, it becomes easier to manage the change that I am looking to achieve in the business.
What do you think are the best methods for embedding a culture of compliance and best practice around data privacy within an organisation? What role does training have to play?
When it comes to changing culture, I have always taken a slow and steady approach, depending on where the organisation stands on the curve. If the organisation has a privacy culture programme, I assess whether it’s compliance oriented or beyond. Many organisations start with standard eLearning methods, which are more or less tick-box oriented. I focus on moving from a compliance-oriented method to building privacy into everything they do. It’s all about embedding privacy in the mindset of the people. It’s a cultural shift, as you mentioned. The tone has to come from the top. I have always focussed on engaging with staff on a 1-to-1 basis within teams, champions, etc. I believe if you have to change culture you have to work with the individuals in understanding their challenges. Once you understand their role and the challenges in their role, you interweave Data privacy requirements into their role in a way that does not hinder it. You guide them through the process and help them so they understand why you want to bring those changes. Once you have their acceptance, you are on to a winning programme.
Training plays a huge role, and not just eLearning but giving them an opportunity to talk and share their experiences so others can learn from them. For example, I engage with all staff in their team meetings, which gives them an opportunity to ask questions as well as to share their experiences with colleagues. This makes it more lively for all staff, as they learn from their own peers rather than just the DPO.
When it comes to training, do you think there is a benefit to bespoke training being delivered in-house, or can a more ‘off the shelf’ model provide value?
It depends on the size of the business. I have always been a huge supporter of bespoke training and have built Data protection training programmes from scratch. But if the size of the business is 75,000 employees, you cannot do this completely bespoke. So you have to build in a mix of materials: off-the-shelf as well as bespoke content.
The idea of training has to be that you connect with everyone across the business, who have different backgrounds, different roles, and different scope and understanding of Data privacy. With so many elements in the picture, you cannot use just one tool to enable that cultural shift. I have worked with standard eLearning packages, created bespoke content for various teams, engaged with staff in team meetings, brought different teams together to share their experiences, created newsletters and posters for target audiences, etc. You have to try various methods to connect with all types of audience. Luckily, I have had great success with building security and privacy culture programmes.
What role does the DPO have to play in a rapidly expanding business?
The DPO is first an Advisor to the Board and the Business teams;
The DPO has to be a very good Risk Manager, someone who not only understands Data Privacy and the risks associated with using personal data in a particular business activity but can also translate the risk into business sense and give them a view of risk treatment options.
That also means a DPO has to be a good communicator/translator to ensure risks can be translated into a commercial aspect and assigned to the Risk owners.
The DPO also has to be a good people person, as this role really involves working with people at all levels in the organisation.
The DPO has to be a good mentor so he/she can mentor champions across the business to build a first level of defence in the business, and also work with peers/colleagues to get buy-in for risk ownership.