Abdulhamit Cavdar on Changing the Narrative Around Data Privacy

What is your role and how does it relate to ensuring data privacy?

I am Trendyol's corporate DPO, and my daily work revolves around data protection and data protection strategies.

Tell us about your approach to building privacy programs

To answer your question a bit more holistically, I have to share some basic thoughts with you. As a consultant, I have worked with a lot of DPOs and have seen both very good and very bad examples. Also, in my own role as DPO, I had the opportunity to learn through my mistakes. Because of the independent role of the DPO, many remain passive and limit themselves to their monitoring and advisory role. If you take a classic 3 Lines of Defense approach, many DPOs stay in the third line and leave the day-to-day business of designing products and services to the 1st line. I personally like a very proactive approach. One of my team KPIs is also the number of own initiatives we start as a team and how close we are to the business as a DPO team. 

‍

In terms of a privacy program, there is no one fits all approach. You have to know the core business better than management, get into the mindset of the stakeholders and understand the business objectives and set up the privacy program very strategically. By understanding the objectives and how the company plans to achieve them, the DPO can design a privacy strategy that enables creative privacy solutions to accompany the achievement of the objectives. 

How do you measure and prioritize data privacy risks?

Here, too, it depends on a wide variety of factors. What is the risky nature of the processes? Is sensitive data or data of minors being processed? With whom is this data shared, and what is the awareness level in the teams? What stage of growth is the organization in? If you are in the market entry phase and the primary goal is business growth, risk acceptance will be different than if you are a gatekeeper and trying to leverage your position as a large and established organization for proactive lobbying. 

What’s one thing that has surprised you in your data privacy work? 

When I first got involved in a data protection project as a consultant, I was very reserved and thought it was going to be a really boring project. Fortunately, I had a fantastic mentor who motivated me from the beginning to take advantage of the opportunity to acquire the maximum amount of knowledge. After my first day on the project, I came home more exhausted than ever. There was just so much information and insights. The difference was that I didn't just want to give a presentation and train the clients on GDPR, I really wanted to understand everything. At the time, though, I didn't know what "everything" really meant. As a DPO, you are involved at all levels of the company and accompany so many teams. From HR with talent sourcing to offboarding to the difference between performance marketing and online marketing, as well as the countless applicable special laws that are taken into consideration with a delete and blocking policy. No two days are the same, and I get to set my own priorities. Very few professional fields allow this level of intensity. 

What are some challenges you have faced and how have you overcome them?

The biggest challenge is not the GDPR itself but people and their preconceptions about data protection. One of the most important and critical tasks for me in any company is determining the narrative. In 99% of all cases, data protection is seen as a necessary evil, and my task is to change this narrative through various techniques from psychology so that data protection is seen as a matter of course. My approach changes from stakeholder to stakeholder. Some are emotionally accessible, and others are only interested in facts and figures. Therefore, I analyze my stakeholders and know their character pretty well before I am in a meeting. To get this information, as a DPO, you have to build a good network, and your colleagues have to rely on you and you on them. 

‍

Another big challenge is the image of a DPO or the DPO team in the organization. Often the team is perceived as blockers, always saying "no" or slowing down projects and products. That is my personal nightmare. That's why I put a lot of emphasis on an interdisciplinary team. My team is not and never has been made up exclusively of lawyers but as colleagues with a wide variety of skill sets and backgrounds. I almost always structure my team into 

1. A legal stream, which takes care of all legal issues, such as contract negotiations, privacy policies or evaluation of legally complex issues, 
2. A privacy tech team, which is the bridge between legal and tech, translating the legal requirements into a more technical language. 

The Privacy Tech team has one leg in the Tech and Product area, and their core task is to train the Tech and Product teams sufficiently on privacy, to initiate new initiatives and to act as advisors in the development of new products and services. Lastly 

3. We have the Privacy Governance team that continuously reviews and revises the strategy, builds the organization, and ensures that we are meeting our responsibilities as a DPO team, and ensures overall awareness in the organization. 

They also oversee the work of the other two teams and provide quality assurance. I need colleagues with a wide range of talents in each of these teams. In the Legal Team, very good lawyers who pay attention to every word and ensure our compliance. In the Privacy Tech team, I need people who can read IT architecture well and are strong in process automation, and good project managers. In Governance, I want to have a team with very strong communication skills, who can organize themselves and get people excited about privacy. Interpersonal skills are very much needed here.

What has been your experience engaging technical or developer teams?

In an age where data is the new gold, tech and developers play an immensely important role. If they make mistakes, we have a big problem, as major damage can occur very quickly. At the same time, they are a completely different category of stakeholders. They speak different languages, have different values and communicate differently :) Therefore, the approach to communication, specifications, as well as project management has to be adapted. If you get this task right, then as a DPO, you have the key to the brain of the company and can gain a lot of influence on the development of products. Personally, I love working with techies because they are very creative and lazy at the same time. They take the path of least resistance, and my job is to put the right signage on their map so they take the right shortcut.

What are some best practices to share or pitfalls to avoid when trying to ensure data privacy?

The biggest mistake in general, in my view, is when data protection is seen as the DPO's job. Injecting data protection into the DNA of an organization requires the participation of every single employee. What does that mean for us? We have to inspire our colleagues right from the onboarding stage. We don't do that with boring presentations with 100 points on a slide but with creative and interactive presentations. If we win their hearts, we will have won close partners. 

‍

Another pitfall in my eyes are to form silos, that is, when knowledge is not shared. This can be both within the DPO team. For example, if a Data Processing Agreement is reviewed and the process behind it is not filed as RoPA, it means that the required process knowledge is not available and consequently, we do not have knowledge about the risk nature, the legal basis, cannot start a DPIA and so on. When teams don't communicate with each other, it can lead to a lot of extra work and frustration. So I see myself more as a conductor, coordinating the teams and making sure that these silos are not formed. The same goes for engineers and IT security teams, of course. If there are new risks because encryption can be lifted due to a newer technology, that is very important information that significantly influences our assessment of process risks. For this reason, a very good privacy organization is an absolute must for any organization.

What predictions do you have for Data Privacy in 2023?

We are in an incredibly interesting time. With new technologies like ChatGPT and other AI trends, there are so many opportunities for us, but also risks. I think 2023 will be a time of new technologies and risks that we haven't seen before. With AI, you can not only write code but also find and exploit loopholes. At the same time, data protection and information security will take on an even more important role, and we will have to continue to develop and challenge ourselves in order not to stand still. Discussions about the umpteenth Privacy Shield agreement are interesting but will not be influential for 2023.

What does Data Privacy Day mean to you?

It is a very good opportunity to increase awareness within the organization but also to reflect. Where do we stand? What do we still want to achieve? Are we reaching our employees or do we need to change our strategy? It's like a birthday. You celebrate not only the day itself, but all the accomplishments of the last year and also the failures and at the same time, you realize that you have become one year older and other challenges are coming up.