Is data protection a roadblock for innovation for young tech businesses? Nienke Koorn, Privacy Officer for WeTransfer, doesn't think so. "We have a lot of privacy champions here."

Founded in 2009 in Amsterdam, WeTransfer counts 42 million monthly users, transfers 1 billion files every month, with 1000 TB of data transferred daily and is active in 195 countries.

"Compliance doesn't end with the General Data Protection Regulation (GDPR) now being fully in effect. Especially not for innovating and fast-growing companies like WeTransfer. Tools, applications and systems develop quickly within tech companies: what's being used by the whole team one day, could be outdated the next", says Nienke, who's been WeTransfer's DPO since 2017.

Nienke Koorn, Privacy Officer for WeTransfer.

"Everything I do starts with the user. You can invest in a register of processing activities, and map data flows in your organisation really well. But if you're not thinking about the user rights of your customers, you've still missed the boat. My background in Customer Support has helped me understand that users need clarity and simplicity when they reach out. That's why we rewrote the entire Privacy Statement into 10 questions users may have when they start using WeTransfer."

Not just a privacy front

"In everything WeTransfer develops, we think about making things easy for our users whilst protecting their rights. Innovation, user experience and data protection can get in each other's way, but if that happens you want to rethink your product and change things up. For example by collecting less personal data, or pseudonymising more of the data."

It's not an option for us to just have a privacy front.

"Privacy by Design and Default were important pillars when implementing the GDPR at WeTransfer, according to Nienke Koorn. "WeTransfer is a kind of mailman: we take your data and get it from A to B. You wouldn't expect that WeTransfer checks the content of whatever you're sending. Which we don't, by the way, and we tell that to our users in plain language in our Privacy Policy. We practice what we preach, everything in our Privacy Statement is how we practically handle personal data. It's the only way to preserve the trust we've built for years with our users. It's not an option to just have a privacy front."

An anchored policy

Nienke started preparing the GDPR implementation for WeTransfer back in 2017. She had the advantage of being able to build on WeTransfer's existing privacy policy. "The Privacy Statement was GDPR proof in 2017, and our internal policies were pretty far developed as well." She built onto the lean data policy: actively working to keep our user's data set as minimal as possible. One example is by automating the offloading and deleting personal data that we don't strictly need.

The privacy policies of WeTransfer didn't change that much with the GDPR coming into play, but they have been made more explicit, says Koorn. "The privacy policy is now anchored more in how the company is run and how we communicate about online privacy. I've also ensured that it's easier for the teams involved to take care of user requests. The right to be forgotten is now partly automated, and the support team can take care of deletion requests without needing my help. Those processes used to be completely manual and too much work."

We're actively working to keep our user's data set as minimal as possible.

Ear on the ground

"Stay close to the teams, and don't just invest in attention to data protection at the management level. Because I was already working at WeTransfer before I became the Privacy Officer, I understand the dynamics within teams and across the company. That helped me gain a good overview of the challenges that could arise when you want to keep moving ánd keep data safe." Part of implementing the GDPR meant that Nienke created workshops for each team, and supplementing those with stakeholder interviews. "That way I really understood what a team's workflow was like, and what actions needed to be taken for them to be compliant. From spending time with them I created an action list for each team, for which the team members are ultimately responsible."

People often have a gut feeling when things are not quite right.

"We're a tech business so about half of the people here are developers. Those are usually people that understand what happens to personal data online, and how to minimise that. We have a lot of privacy champions", Nienke says about the internal support for privacy governance.

"I've noticed that colleagues often have a gut feeling when things are not quite right. Privacy governance doesn't have to be rocket science. For me, the challenge now is to switch from short-term thinking focused on implementing the GDPR, to creating a longterm vision for our privacy governance. How can we make sure that teams take responsibility for data protection, and start looking for solutions on their own instead of needing to include me? The biggest goal for me is to make myself redundant."

Nienke will be joining GDPR Busters as an editor, frequentally contributing articles that detail the challenges of a Privacy Officer on the ground.