Data Governance

The three lines of defence in data protection

Egil Bergenlind, CEO of DPOrganizer and a former data protection officer, has spent years navigating the rapidly changing context of privacy compliance. In building a solution for efficient privacy management, he finds it useful to keep the following thought in mind:

“What is good for customers, what is lawful, and what is ethical is not always the same thing.”

Most businesses rely on the use of personal data. In many cases, data is a key ingredient in a business's offering. It is an important part of staying both relevant to customers and competitive in the market.

However, the future is not only data-driven. You also need to be conscious of not overstepping certain boundaries: boundaries set by your customers' expectations, boundaries set by law, and boundaries set by ethics.

Finding the right balance can be tricky, but it is vital that you do. The risk of not doing so is lost business, brand damage and fines. Obviously, you cannot simply stop processing data. The risk of doing that is even worse: irrelevance.

Introducing the Easy (ECE) privacy test

The test asks three questions, and only if the proposed processing passes all three lines of defence should it get a "go" decision.

When doing the test, you will need to draw on your understanding of your business and customers, on the law, and on your gut feeling.

I call it the Easy (ECE: Expectations, Compliance, Ethics) Privacy test.

For any business, customers should be the main priority. Understanding and managing their expectations is everything, so we start with the customer before moving on to other considerations.

1. Would the processing be in line with your customers’ expectations?

Only you can answer this. Your experience and expertise regarding your business and customers, your brains, hold the answer. Your customers will differ from everyone else's customers. Expectations vary.

If you pass the first line of defence, move to the second one.

2. Would the processing be lawful?

You do not get to decide what is lawful, so you need to understand the law. This is where you read and interpret the relevant regulations, which means you need your books.

And perhaps a lawyer or two.

Passed the second line? Great, third question.

3. Would you be comfortable having someone in your family be subject to the processing?

The customer is not always right. The legislator doesn’t always get it right. But you should do your best to do what is right.

Ethical standards are based on the values of the societies we live in. What is ethical differs between people and between cultures, and it changes over time. So what counts as ethical data processing is not something you will necessarily find in the law, or hear from your customers.

So get personal. After all, ethics and processing of personal data is a very personal thing. Use your gut feeling.

Any business claiming to take privacy seriously should consider what is good for its customers, what is lawful and what is right. Do not process data unless you have considered all relevant aspects, and enable people to understand what you do.

Inform and engage through helpful information so people can form an opinion. Empower people to be in control of their own privacy.

Egil Bergenlind is the CEO of DPOrganizer, a company that offers privacy management software, designed specifically for privacy professionals. DPOrganizer was founded in 2015 by Egil, a former Data Protection Officer himself, and is headquartered in Stockholm, Sweden.