X-Mode: Tell me about HelloDPO as a company, and your own history with it, wherever that started.
Jenai: HelloDPO is a data protection law firm which was started by myself and my partner Alison Deighton about twenty months ago just after GDPR D-Day! Alison and I worked together previously at another law firm providing data protection advice to a range of different clients in fintech, health, regulatory, financial services and other industries. Our vision and mission at HelloDPO has always been and is to continue to provide innovative data protection legal advice and data protection officer services not just as a “normal law firm”, but as an organization that people see as a part of their team.
X: Have you and your team members always been interested in privacy? How did you get into that part of the law?
J: We all “enjoy privacy law” — or, at least, are interested in it — because it is such a challenge. Our role is about providing clarification and guidance when there is no black or white answer (which is a lot of the time); it is about making sure an organization can operate and use personal data while staying within the confines of the law; and more than anything, it is about guiding organizations in the right direction and finding practical solutions to allow them to operate their business. When you act as a data protection officer, your role is to help protect the organization from issues of non-compliance and ensure that they are equipped to comply with the GDPR. That means making sure organizations are complying with the GDPR, it means providing pragmatic advice within the law, and sometimes, sadly, it does mean saying “no” to things which will make you unpopular!
A lot of our clients grapple with data protection issues because data protection is such a complex area of law. There are hard and fast rules, but there are also a lot of grey areas. With our expertise and experience, we are able to alleviate some of that stress. That’s another reason why we enjoy data protection legislation: because, for our clients, even when we are acting as a data protection officer, we are seen as more of an ally, rather than just an advisor.
X: I think that’s a good segue, because I’d like you to define the role of data protection officer, and tell me what that looks like.
J: The role of a data protection officer is to make sure that whatever an organization is doing with personal data, or whatever they would like to do with personal data, that this is in compliance with data protection regulations. The core role of the data protection officer is to make sure that the organization is aware of current data protection and privacy regulations, setting standards in terms of policies and procedures, raising awareness of data protection and generally being available as a point of contact on privacy matters for everyone within an organization and for data subjects and regulators. We also have to make sure that we are monitoring compliance. We do this by having regular meetings with the team to discuss any data issues and incidents or data subject rights requests and through auditing and reporting too. All of which is invaluable for flagging potential gaps in compliance.
X: From my perspective, a data protection officer is a fairly recent position. How would you convince a small startup of the importance of having one?
J: Well, I could just say that if you do not have a data protection officer and you are required to designate one under the GDPR then you could get fined; however, we do not think leading with the stick approach is the best. From my point of view, having a data protection officer is invaluable for your organization in the long term. The analogy we like to use is that following all the proper regulations and procedures is like having a good set of brakes on a racecar. It may seem counterintuitive to add brakes (in this case a data protection officer) to slow you down, but having those extra controls will allow your racecar — or your organization — to move much faster and with far more confidence that personal data is being used with privacy in mind. You certainly couldn’t get me to step into a racecar without brakes, although I do drive quite fast …
X: I love that analogy so much. What does a typical day look like at HelloDPO?
J: It is really varied, actually. My day actually starts at 5:00am with a gym and/or yoga session (mandatory time out for any data protection officer) then it’s straight into the office. As a data protection officer, many different things can come across my desk on a given day. There might be an individual data request that we need to work with a team on; a contract which needs to be signed and guidance is required on the role of the parties under the GDPR, we could be dealing with a data breach, and doing damage control or responding to regulator requests; we also deal with compliance of course, which involves monitoring a lot of different organizations’ policies and procedures so we may have an audit or board report to write; sometimes we have to take the lead as a key stakeholder on a privacy project for our clients; and finally, we also do a lot of data protection training for clients, both remote and face-to-face. There is really a great variety of tasks on any “normal” day.
X: Why is privacy important to you, and why should it be important to everyone in this industry?
J: At the end of the day, when you look at the data that is being used across the world, what it comes down to is that’s my data too. It’s my data and my information that organizations are taking and using. It is really important that everyone knows how their personal data is being used, and I believe individuals expect that now. They expect a high level of articulation about how their personal data is being used, and they will complain if they are not happy. There is so much personal data out there about you, and it is being used by many organizations in so many different ways. I believe that people should know about the consequences of giving away their personal data, and they should have the opportunity to opt out of such use.
Too many organizations, even large corporations, treat data protection compliance as an afterthought. That makes us frustrated given how much our clients care about privacy regardless of their size. It is different with a company like X-Mode, because even though you are a small company, you put so many resources into complying with data protection laws and regulations. You have to be dedicated to changing your practices in order to comply and build trust, and you have to be willing to stand above the crowd in terms of compliance standards. You guys get that, and it makes our job so much easier.
X: Can you tell me how these new laws and regulations, most notably the GDPR and the CCPA, have already changed the data industry?
J: It has been good and bad. Right up front, we have seen some organizations go out of business because they were not able to become compliant. I think that is good, because it tells us those organizations should not have been collecting personal data and using it in the first place. I also think that the GDPR and the CCPA have really brought data protection compliance to the forefront of people’s minds. This in turn raises the standards expected by individuals in terms of compliance.
There have been some downsides too, though. One is the lack of proper guidance that a lot of companies received when the GDPR was first introduced. There is definitely a gap in knowledge of what it means to be compliant. I believe that lawmakers could have done a better job at educating organizations about what “good” compliance looked like from an on the ground perspective operating a business, earlier on during the transition period.
X: Do you think that the business model of a company like X-Mode will still be viable in the long term as more regulations are introduced?
J: Yes, I believe it will be. A company like X-Mode is well-structured to weather these regulations simply because you have been built with a data protection compliance-first mindset. The more compliant you are and the more processes you have in place to demonstrate compliance if challenged, the easier it will be to stay in the market long term.