Anca Vasilescu - Data Protection Officer for ING Bank Romania
Anca is the Data Protection Officer for ING Bank Romania, with a background in banking and consumer protection. In this role she oversees the implementation of data privacy principles and best practices throughout the organization. Passionate about digital transformation & emerging technologies, she is a certified member of the International Association of Privacy Professionals.
What are the tips & tricks for engaging the management and the business in a data protection program? How can a data protection professional bring on board the management and the business when it comes to implementing data protection rules? Did it become easier over the years?
The key elements are flexibility and consistency, which facilitate the acceptance of privacy principles and embed them into the day-to-day way of working (and not just during the initial implementation phase). A data protection professional needs to be flexible and curious enough to build a bridge between business needs and the data protection agenda, satisfying both while remaining consistent in the privacy message broadcasted throughout the organization.
As the importance of privacy has garnered a much higher level of visibility following the adoption of the GDPR, it is critical to maintain a clear voice about what it means to bring your organization in the realm of compliance. Privacy should, by no means, be a blocker for innovation or digitalization, but rather a tool to ensure a real partnership between organizations and the data subjects. Once this is internalized by both business and management, the engagement can be maintained, and good results are attainable for both sides.
When it comes to bringing people on board (and keeping them involved), a keen understanding of both current and future business priorities is necessary. Armed with this knowledge, the privacy professional may begin to showcase the benefits of data protection. This includes preparing more orderly projects based on solid discoveries in the development phases which rely on data protection principles. Once this way of working is set in place, the benefits are easy to see, ranging from leaner systems and applications (because they’ve shed the weight of unnecessary data due to data minimization and deletion) to automated processes with less or no redundancies (due to proper privacy by design mechanisms), and an ethical and transparent approach to using personal data which leads, without fail, to more trust from our clients.
The mission of the privacy professional is a layered one. On the one hand, as years go by and the GDPR puts down roots throughout the business landscape, it becomes easier to circle back to its principles and simply provide reminders periodically, when necessary. On the other hand, several aspects such as remaining relevant and up to date with the privacy and business developments remain (just as) challenging now as they were initially.
Can you please describe the main challenges faced in the last 4 years regarding data protection and detail how you overcame them?
Unfortunately, one of the most encountered tunes in the initial months of the GDPR was “fines of up to 2 to 4% of the annual turnover” overshadowing the essential component of the Regulation: accountability. This basically applied a general layer of urgency which led to the most important parts of the GDPR, namely the clear-cut rules for performing lean and documented processing activities, taking a backseat.
Therefore, given this context, it was imperative to clarify that most processing activities would in fact not have to be stopped, but rather taken apart and clarified, in some cases simplified, improved, and put back on track. Indeed, one of the struggles has been to place the spotlight on the structural changes necessary to properly embed the protection of personal data in business flows. This was not a fast process as it required, first and foremost, for the topic to be understood and internalized by both key stakeholders, as well as the entire staff (to varying degrees depending on their roles and responsibilities).
As time went by, maintaining stakeholder involvement and interest in the subject of privacy proved to be essential and challenging.
Another hurdle was the embedding of privacy roles and activities into regular business processes. This is/was designed to go past the initial implementation phase and convince the organization that the topic of privacy isn’t going anywhere and that it cannot be solely performed in an ad-hoc way. Rather, it needs to become a regular component of development, change and control processes.
And, of course, the continuously changing and growing privacy landscape can be seen as a challenge for privacy professionals, keeping them involved and always ready to juggle new interpretations, laws and decisions while staying up to date with business innovations and organizational projects.
How do you see the future of data protection, in general and in your organization? Do you see any trends & developments in terms of data protection that will ease or make more challenging the work of a data protection professional? Does, for example, the rapid adoption of technology and the increased need for more tailored marketing campaigns keep you awake at night?
The future of privacy is linked to the way it can truly become blended with other areas, from both the perspective of innovation and norms and regulations. For example, going forward, pragmatically applied privacy principles could be at the forefront of the innovative process and not act as a barrier to advancements in fields which rely on AI, NLP, and predictive analytics.
The more recent privacy developments have shown a need to not only regulate or forbid activities, but rather to provide (via decisions and guidelines) feasible and acceptable mitigators and privacy-friendly alternatives. For example, it’s quite clear that in today’s globalized world, being able to conduct business with little to no connection to entities outside of the EEA, thus ensuring zero risks for your organization from a Schrems II judgment perspective, is almost impossible, while at the same time the concrete solutions for the resulting risks are few.
From this perspective, it would be greatly beneficial to see clarifications on how areas such as the assessment of lending risk or KYC/AML requirements and trends can be fulfilled in a privacy-friendly manner, while also making sure that the initial goal of these areas is still achieved. For organizations in general, a more business segment-oriented approach to privacy guidelines would provide quintessential support, while also allowing regulators and expert bodies to come together and discuss, debate, and actually establish a common understanding of how things work, how they should work and how they can work from here on out.
One other element that seems to materialize more these days is an extremely consumer friendly approach to data protection. While it is important to understand that the delivery of information to the data subject is indeed a cornerstone of privacy, the relevance of that information for the particular data subject should also be taken into consideration alongside the degree to which it can be actually actionable on the data subject’s part. For example, what would be the benefit of informing a data subject about all underlying risks of an automated mechanism (as is proposed in a draft European act) as long as those risks are mitigated at the level of the controller and the data subject is informed on how the mechanism works and what its effects are?
From the perspective of ING, we are continuously looking towards how to better understand the needs of our clients and how to provide products that meet the needs of the digital, modern consumer. We seek to be where and when we are needed, and we strive to spare customers from the complexity of processes behind the banking experience we offer. From a privacy perspective this approach leads to challenging discussions on the ethical usage of data, as well as how we can act within the reasonable expectations of our client base.
How would you describe the evolution of the data subjects’ requests in the last 4 years? How would you describe the level of awareness in terms of data protection? Did it increase over the last 4 years?
Data subject rights have never been easy. An effective data subject rights request should be based on a concrete need, which has not always been the case.
The early period of the GDPR has been impacted by another notion of its pre-implementation period: “it’s a body of law that allows you to get your personal data deleted”. This idea, as it was portrayed initially, was almost never nuanced, clarifying that almost none of the rights granted by the GDPR to data subjects are absolute. This led to a flurry of unfounded deletion requests formulated either directly by the data subject or by specialized entities which saw a business opportunity in this activity.
This was followed by an access right request trend where the GDPR right was seen as a substitute to obtaining product or service-related information (which is already obtainable via the existing consumer protection provisions).
Over time, the volume of data subject right requests has decreased, and they have become better worded and correctly anchored in privacy provisions. So, in short, yes, an evolution can be seen from a qualitative perspective, which can only be due to an improved level of privacy awareness. On the other hand, from my experience, the right to oppose the processing of data and restriction are still heavily misconstrued. Progress in this area can only be reached by clear-cut explanations provided continuously by data controllers added on top of what is required by the Regulation as a mandatory response content for data subject rights requests.