I was drawn to privacy as a field of law, as it allowed me to combine two things that motivate me: to learn about technology and the ‘new stuff’, and to promote fairness and fundamental rights. It felt like being part of an important change in our lives and society – and still does.
At the beginning of my career, I was very focused on knowing everything there is about data protection and privacy. I would spend hours reading all the news stories, guidance, opinions and theory I could get my hands on. I was also really lucky to score some interesting jobs both in government and private companies which helped me to understand the topic from different angles. Today trying to keep up with all the developments in the field is next to impossible. That is what is so cool about privacy – it is still developing fast and the importance is growing as new technologies emerge. So you’ll never have a dull day on this field!
When I talk about ‘privacy’ – the area I work in – it includes both data protection and privacy. These enable everyone to trust, that they are safe and can control intrusions to their digital and physical life. It means that people have the right not to be subjected to constant surveillance aimed at influencing their behaviour. As many people are not aware of how fast technology is developing and what the implications are, companies and their privacy teams must both take responsibility for designing services that benefit their users and also be honest and transparent on how personal data is used.
Sustainable privacy compliance is a team sport
One of the typical mistakes companies make is that they rely on the privacy team to ‘take care of the legal stuff’. This often leads to the creation of parallel universes – one which describes on paper how things should be and then the other real one. It is not enough that the privacy counsel knows perfectly what should be done from a legal point of view – although in some cases even to come up with the legal requirements is difficult! Privacy compliance is first and foremost a team sport. The privacy team must understand business and be able to talk the same language and provide advice on a realistic level. It is equally important that the business embraces privacy as a topic just like any other hygiene factor. Just as you wouldn’t design a house that does not meet normal expectations like floors, windows, and ceilings – you shouldn’t design a digital product without privacy. To go one step further, isn’t it better that also privacy as part of the product is designed by the product team, not the lawyers?
But what does a privacy counsel actually do?
We have a 2-folded role in the organisation. On one side, we define processes and expectations on how privacy legal compliance should be handled in the different brands and teams of Schibsted. This includes things like how assessments should be performed, and what type of contracts are put in place with partners. We also must ensure that we have proper documentation in place about how personal data is processed. On the other side, we also act as ‘interpreters’ of legal requirements in practical situations. This often means we support teams with questions like: can certain personal data be processed? Or whether we are allowed to send marketing to a specific group of customers? On top of navigating the legal and technical landscape, what is becoming more and more important is to understand; What is it that our customers and users expect? How can we offer them services that create value out of data use, while not collecting unnecessary data and respecting the boundaries users set for data use?
As mentioned I strongly believe in distributed privacy responsibility. Everyone in the organisation must be responsible for their own personal data processing. However, it would be misleading not to admit that data protection and privacy are quite complex topics where also the target state and expectations keep changing continuously. It is not realistic to expect that all roles in an organisation can be on an expert level. Part of my role is to get everyone on the right level of understanding on privacy topics. Some roles like people working in data, marketing and advertising need deeper understanding whereas sales and content creation teams can manage with the basic understanding.
The journey ahead
Still, my long term goal is to make myself useless. To make the organisation so good at the privacy that I am no longer needed. This is one of those goals where it is not so much about achieving it, but about the journey. Welcome to onboard Schibsted Suomi!
Laura Tarhonen
Privacy Counsel at Schibsted Suomi