#PDPCAsks: A Life in Data Protection with Edna Essien, Director and DPO at PayPal
Ever wondered how data protection can become a life-long career? Here’s a quick look at what Edna Essien , Director and DPO at PayPal with over 20 years of global data privacy experience, had to say in the first of our #PDPCAsks series.
As a Data Protection Officer (DPO), how do you help and support your organisation?
Edna: I think some people sometimes misunderstand that we are the “police officers” of our company’s data. That is a misconception.
As a DPO, my role is to help my organisation understand the requirements of data privacy/protection laws and advise them on how they can comply with these laws bearing in mind their risk profile, the nature of their business and the personal data that we hold. I must cut across and maintain relationships with all functions and business units processing personal data and truly understand what, where and how personal data is handled.
I maintain relationships with regulators, and I also have foresight on upcoming trends in these areas as well as provide an analysis and impacts on laws that could potentially affect our business. Depending on the sector that my organisation is in, I also must be familiar with regulatory guidelines coming from the sectoral regulator.
My work activities are very diverse ranging from responding to regulatory examinations, attending leadership calls to give an update on key matters in data privacy, helping teams respond to customer complaints, reviewing regulations that have been captured by our regulatory development tool or conducting a Data Privacy Impact Assessments (DPIAs).
What do you need to know as a DPO?
Edna: I think (the) first thing is that you are not alone. When I started years ago, data protection was not a known area to specialise in. Now, there are regulatory requirements to appoint a DPO such as under the Personal Data Protection Act (PDPA) or the European Union General Data Protection Regulation (EU GDPR) - so this role has gained traction. You also have networks such as AsiaDPO where you can liaise with other professionals facing similar challenges as you.
Secondly, you need to know the organisation that you work for. Do not walk around either saying no to everything or quoting chunks of data privacy laws without providing practical and compliant solutions.
Thirdly, Educate! Educate! Educate! I have found that when accountability starts from the ground up that is half the battle won in setting up a data privacy program. And finally, DPOs are influencers. In our roles, we must be able to influence the organisation on prioritising data privacy/protection as a key risk area.
领英推荐
What are the biggest challenges that you face as a DPO?
Edna: I must be honest and say that early in my career I did face challenges of senior stakeholders not understanding the importance of building an effective data privacy program. However, I then went on to work for organisations who understood the importance of a data privacy program. They championed the data privacy function on my behalf and made sure I had the right exposure and resources needed.
Now, I think the regional/enterprise vs local compliance interplay may prove challenging. However, when you build relationships with your local teams, they iron themselves out. The evolving laws also keeps me on my toes as in some cases there is lack of harmonisation, but I have seen the move towards accountability which is welcome.
What is your response to the argument that privacy is dead?
Edna: I think privacy is far from being dead. What I do see is the willingness of individuals to share their personal data and life on social media. However, I still think they care how their data is being used and abused. The laws are still evolving even in APAC, and more are coming in other regions such as Africa, Middle East and LATAM.
The move to a more digitalised world also comes with balancing the needs and goals of organisations vs the data privacy rights of individuals. I think data privacy will continue to grow and evolve and I am looking forward to seeing how that looks in a few years. I hope we can solve issues around transborder data flows as the world is truly a village.
Having worked in various countries, what are your views on cultural differences in privacy concerns?
Edna: I would definitely say that there is a difference. Coming from the UK, we have a long history of data protection laws. Therefore, there is more awareness and individuals do exercise their rights (e.g., data deletion, data access requests, complaints to the regulators) more that I have witnessed in Asia - which is a fast-developing region for regulatory developments. Asia might follow the same trend.
I do think that the PDPC and other regulators like the EU regulators are, overall, open to discuss the regulatory framework in the context of commercial needs and we need to keep that engagement active. As a DPO, there were more career opportunities in the EU but over the last couple of years I have seen more MNCs looking to appoints APAC DPOs - which to me signal their recognition of the growth of data privacy regulation in this region.
What trends do you foresee in the data protection landscape over the next 5 years?
Edna: I think data privacy permeates every area of life now whether you are on social media or use any kind of technology or even you are walking around doing your daily tasks being surveilled by CCTV.
As a DPO we are seeing the interplay of data privacy with ethics, competition law and human rights (e.g., Roe vs Wade). I also think we need to keep a close eye on technological and digital developments (e.g., AI, Cryptocurrency), and how data is used in global events such as the COVID pandemic, and more traditionally – outsourcing, evolving regulations and individuals wanting more control of their personal data.
This article has been shortened for readability purposes. To read the full article, visit https://www.pdpc.gov.sg/a-life-in-data-protection.