Privado celebrates the work of Abdul this Data Privacy Day.
Head of Data Protection
Abdulhamit is the Head of Data Protection at Trendyol Group. He's previously served as Group Data Protection Officer at Hero SE, Privacy Consultant at KPMG, Assistant Editor at Deutsche Welle and Project Manager at Policult.
I am Trendyol's corporate DPO, and my daily work revolves around data protection and data protection strategies.
To answer your question a bit more holistically, I have to share some basic thoughts with you. As a consultant, I have worked with a lot of DPOs and have seen both very good and very bad examples. Also, in my own role as DPO, I had the opportunity to learn through my mistakes. Because of the independent role of the DPO, many remain passive and limit themselves to their monitoring and advisory role. If you take a classic 3 Lines of Defense approach, many DPOs stay in the third line and leave the day-to-day business of designing products and services to the 1st line. I personally like a very proactive approach. One of my team KPIs is also the number of own initiatives we start as a team and how close we are to the business as a DPO team.
In terms of a privacy program, there is no one-size-fits-all approach. You have to know the core business better than management, get into the mindset of the stakeholders and understand the business objectives and set up the privacy program very strategically. By understanding the objectives and how the company plans to achieve them, the DPO can design a privacy strategy that enables creative privacy solutions to accompany the achievement of the objectives.
Here, too, it depends on a wide variety of factors. What is the risky nature of the processes? Is sensitive data or data of minors being processed? With whom is this data shared, and what is the awareness level in the teams? What stage of growth is the organization in? If you are in the market entry phase and the primary goal is business growth, risk acceptance will be different than if you are a gatekeeper and trying to leverage your position as a large and established organization for proactive lobbying.
When I first got involved in a data protection project as a consultant, I was very reserved and thought it was going to be a really boring project. Fortunately, I had a fantastic mentor who motivated me from the beginning to take advantage of the opportunity to acquire the maximum amount of knowledge. After my first day on the project, I came home more exhausted than ever. There was just so much information and insights. The difference was that I didn't just want to give a presentation and train the clients on GDPR, I really wanted to understand everything. At the time, though, I didn't know what "everything" really meant. As a DPO, you are involved at all levels of the company and accompany so many teams. From HR with talent sourcing to offboarding to the difference between performance marketing and online marketing, as well as the countless applicable special laws that are taken into consideration with a delete and blocking policy. No two days are the same, and I get to set my own priorities. Very few professional fields allow this level of intensity.
The biggest challenge is not the GDPR itself but people and their preconceptions about data protection. One of the most important and critical tasks for me in any company is determining the narrative. In 99% of all cases, data protection is seen as a necessary evil, and my task is to change this narrative through various techniques from psychology so that data protection is seen as a matter of course. My approach changes from stakeholder to stakeholder. Some are emotionally accessible, and others are only interested in facts and figures. Therefore, I analyze my stakeholders and know their character pretty well before I am in a meeting. To get this information, as a DPO, you have to build a good network, and your colleagues have to rely on you and you on them.
Another big challenge is the image of a DPO or the DPO team in the organization. Often the team is perceived as blockers, always saying "no" or slowing down projects and products. That is my personal nightmare. That's why I put a lot of emphasis on an interdisciplinary team. My team is not and never has been made up exclusively of lawyers but of colleagues with a wide variety of skill sets and backgrounds. I almost always structure my team into
The Privacy Tech team has one leg in the Tech and Product area, and their core task is to train the Tech and Product teams sufficiently on privacy, to initiate new initiatives and to act as advisors in the development of new products and services. Lastly
They also oversee the work of the other two teams and provide quality assurance. I need colleagues with a wide range of talents in each of these teams. In the Legal Team, very good lawyers who pay attention to every word and ensure our compliance. In the Privacy Tech team, I need people who can read IT architecture well and are strong in process automation, and good project managers. In Governance, I want to have a team with very strong communication skills, who can organize themselves and get people excited about privacy. Interpersonal skills are very much needed here.
In an age where data is the new gold, tech and developers play an immensely important role. If they make mistakes, we have a big problem, as major damage can occur very quickly. At the same time, they are a completely different category of stakeholders. They speak different languages, have different values and communicate differently :) Therefore, the approach to communication, specifications, as well as project management has to be adapted. If you get this task right, then as a DPO, you have the key to the brain of the company and can gain a lot of influence on the development of products. Personally, I love working with techies because they are very creative and lazy at the same time. They take the path of least resistance, and my job is to put the right signage on their map so they take the right shortcut.
The biggest mistake in general, in my view, is when data protection is seen as the DPO's job. Injecting data protection into the DNA of an organization requires the participation of every single employee. What does that mean for us? We have to inspire our colleagues right from the onboarding stage. We don't do that with boring presentations with 100 points on a slide but with creative and interactive presentations. If we win their hearts, we will have won close partners.
Another pitfall in my eyes is to form silos, that is, when knowledge is not shared. This can be both within the DPO team. For example, if a Data Processing Agreement is reviewed and the process behind it is not filed as RoPA, it means that the required process knowledge is not available and consequently, we do not have knowledge about the risk nature, the legal basis, cannot start a DPIA and so on. When teams don't communicate with each other, it can lead to a lot of extra work and frustration. So I see myself more as a conductor, coordinating the teams and making sure that these silos are not formed. The same goes for engineers and IT security teams, of course. If there are new risks because encryption can be lifted due to a newer technology, that is very important information that significantly influences our assessment of process risks. For this reason, a very good privacy organization is an absolute must for any organization.
We are in an incredibly interesting time. With new technologies like ChatGPT and other AI trends, there are so many opportunities for us, but also risks. I think 2023 will be a time of new technologies and risks that we haven't seen before. With AI, you can not only write code but also find and exploit loopholes. At the same time, data protection and information security will take on an even more important role, and we will have to continue to develop and challenge ourselves in order not to stand still. Discussions about the umpteenth Privacy Shield agreement are interesting but will not be influential for 2023.
It is a very good opportunity to increase awareness within the organization but also to reflect. Where do we stand? What do we still want to achieve? Are we reaching our employees or do we need to change our strategy? It's like a birthday. You celebrate not only the day itself, but all the accomplishments of the last year and also the failures and at the same time, you realize that you have become one year older and other challenges are coming up.
Data Privacy Stars are innovative privacy champions who have a grasp of today’s challenges and can project a vision about what should come next. ‘Privacy All Stars’ are professionals with considerable data privacy-related achievements accumulated over the years, while ‘Privacy Rising Stars’ are passionately driving data privacy initiatives.
Privado is celebrating Data Privacy Day by recognizing individuals doing outstanding work in implementing innovative privacy programs. As part of its Data Privacy Stars campaign, Privado has planned a series of activities to celebrate and recognize these individuals.
The ‘Data Privacy Star’ recognition validates individuals who receive it as innovative privacy champions who have a grasp of today’s challenges and can project a vision about what should come next.
As part of the Data Privacy Stars campaign, Privado has planned a series of activities to celebrate and recognize the privacy stars. These include a series of 10-minute video interviews called 'Star Insights', a microsite featuring Data Privacy Stars, celebrating the Privacy Stars on the NASDAQ Billboard, exclusive Data Privacy Week Dinners in the US and Europe, and ongoing engagement on the Privado Community.
If you have any questions or want to know more about the Data Privacy Stars campaign, you can reach out to Privado on hello@privado.ai.