Is data protection a roadblock for innovation for young tech businesses? Nienke Koorn, Privacy Officer for WeTransfer, doesn't think so. "We have a lot of privacy champions here."
Founded in 2009 in Amsterdam, WeTransfer counts 42 million monthly users, transfers 1 billion files every month, with 1000 TB of data transferred daily and is active in 195 countries.
"Compliance doesn't end with the General Data Protection Regulation (GDPR) now being fully in effect. Especially not for innovating and fast-growing companies like WeTransfer. Tools, applications and systems develop quickly within tech companies: what's being used by the whole team one day, could be outdated the next", says Nienke, who's been WeTransfer's DPO since 2017.
Nienke Koorn, Privacy Officer for WeTransfer.
"Everything I do starts with the user. You can invest in a register of processing activities, and map data flows in your organisation really well. But if you're not thinking about the user rights of your customers, you've still missed the boat. My background in Customer Support has helped me understand that users need clarity and simplicity when they reach out. That's why we rewrote the entire Privacy Statement into 10 questions users may have when they start using WeTransfer."
Not just a privacy front
"In everything WeTransfer develops, we think about making things easy for our users whilst protecting their rights. Innovation, user experience and data protection can get in each other's way, but if that happens you want to rethink your product and change things up. For example by collecting less personal data, or pseudonymising more of the data."
It's not an option for us to just have a privacy front.
An anchored policy
We're actively working to keep our user's data set as minimal as possible.
Ear on the ground
"Stay close to the teams, and don't just invest in attention to data protection at the management level. Because I was already working at WeTransfer before I became the Privacy Officer, I understand the dynamics within teams and across the company. That helped me gain a good overview of the challenges that could arise when you want to keep moving ánd keep data safe." Part of implementing the GDPR meant that Nienke created workshops for each team, and supplementing those with stakeholder interviews. "That way I really understood what a team's workflow was like, and what actions needed to be taken for them to be compliant. From spending time with them I created an action list for each team, for which the team members are ultimately responsible."
People often have a gut feeling when things are not quite right.
"We're a tech business so about half of the people here are developers. Those are usually people that understand what happens to personal data online, and how to minimise that. We have a lot of privacy champions", Nienke says about the internal support for privacy governance.
"I've noticed that colleagues often have a gut feeling when things are not quite right. Privacy governance doesn't have to be rocket science. For me, the challenge now is to switch from short-term thinking focused on implementing the GDPR, to creating a longterm vision for our privacy governance. How can we make sure that teams take responsibility for data protection, and start looking for solutions on their own instead of needing to include me? The biggest goal for me is to make myself redundant."
Nienke will be joining GDPR Busters as an editor, frequentally contributing articles that detail the challenges of a Privacy Officer on the ground.