An inside perspective on working with GDPR in one of Denmark's largest banks
Meet Marie, a Managing Compliance Officer at Danske Bank, who invites us inside the walls of one of the largest financial institutions in Denmark to learn how data protection compliance is ensured and what everyday life looks like through the lens of a data protection compliance officer.
In the previous DPO insight story, we met Lyng from Emento and learned what life as a DPO is like in an established startup company when you also have to juggle other jobs. Today we move up the corporate ladder and learn how one of the biggest financial institutions is facing the challenges of GDPR.
Marie is a Managing Compliance Officer who works under the bank's Group DPO, Ronan Coyle, and helps ensure compliance with data protection and privacy in Danske Bank. In the process, Marie has helped build the bank's data protection compliance team from only four people to its current size of 15 employees, all dedicated to one thing: GDPR compliance.
Marie holds a master's degree in Business Administration and Commercial Law (cand.merc.jur.) from Copenhagen Business School (CBS). Prior to Danske Bank she worked as a legal counsel within life science.
“This was where I was introduced to the world of GDPR and personal data. It immediately grabbed my attention. In life science you are dealing with a lot of personal data, for instance in clinical trials that aim to develop new pharma or medical devices. In life science, I soon learned that GDPR was a field I wanted to be more involved with. So when the offer from Danske Bank came, it was a very easy choice for me to accept it.”
The DPO governance structure
Marie's compliance team covers 33 business units and legal entities in 12 different countries. The DPO team is thus a central unit, supporting the Group DPO, that is responsible for the bank's DPO-related matters.
Data Protection Compliance is split into two teams: one called Data Protection Contentious, which deals with all day-to-day contentious matters, and one called Data Protection and IT Compliance Advisory, which deals with more in-depth advisory tasks and policy drafting. Marie heads the contentious team.
“The contentious team's core responsibility is to handle all immediate GDPR issues - issues that require the bank's immediate attention and need to be handled at once. Everything from data breaches, customer complaints escalated to the DPO, issues regarding data subject rights, i.e. data insight, disclosure of personal data to authorities, contact with Data Protection Authorities, inspections, etc.”
This governance structure grew out of a basic structural need when the bank started working with GDPR: the daily handling of immediate GDPR issues made it hard for the team to focus on the more long-term GDPR goals and advisory work. The new structure ensures that both requirements are fulfilled.
A typical day
“Due to our organisational setup it probably comes as no surprise that a typical day for me is very unpredictable. The only certain thing about this job is that nothing is certain. This is also what makes the job so non-trivial.”
“Some patterns are there, however. Very often, we get requests related to personal data breaches that must be notified to the Data Protection Authority. In these situations, our most important task is to act as a second line of defence - that is, we advise solely on the matter. Furthermore, we hold key responsibility for all communication with the Data Protection Authorities, both in connection with data subject complaints that have been escalated to the DPO and in regard to follow-up questions on reported data breaches. Data subjects can also contact the DPO directly with questions or requests – we will handle those accordingly together with the relevant part of the business. We also advise the business on communication to data subjects in connection with data breaches.”
Looking at the function as a whole, what else do you dedicate significant resources to?
“Training of employees. We spend a lot of time educating our colleagues through training. Throughout the year employees are invited to training sessions that keep their knowledge up to date. Training is a must if you want to have a scalable GDPR organisation where everybody is involved. These courses are compulsory and are normally carried out online. A common theme in these courses is to teach people how to handle data in their day-to-day routines.”
“Setting out policies and the governance framework is another big task for the team. The daily advice for employees across all business units and legal entities is equally important to the team.”
Is it your experience that your customers have become more aware of their data rights as a consequence of GDPR?
“Definitely. Customers are more aware and sceptical about the data collected about them. We sometimes experience this in our AML and KYC process where we need to collect a lot of data on our customers in order to ensure proper identification of them.”
Is there a conflict between GDPR and compliance with AML & KYC?
“Not at all. The requirement in AML & KYC is that you need to know your customers. For customers this might seem like a broad collection of their data. But it is important to remember that GDPR as such does not restrict processing of personal data – it just requires you to have a legal basis and a justifiable purpose behind the processing.”
Technology and innovation
What is your role when it comes to innovation inside the bank?
“Since a lot of the bank's innovative activities involve the use of personal data, we usually get involved when new ways of processing personal data are considered.”
In terms of technology within your field, what kind of GDPR tools are you using?
“Well, speaking of redaction software, we use a redaction tool that exists as a feature in a document disclosure system we use for investigation purposes. However, as far as I am concerned, we don't have a stand-alone redaction software tool like Cleardox.”
“In terms of other tools, we have a tool for data requests. We generally receive a lot of requests from customers who want to know what kind of data we have registered about them. These requests have only grown in number after GDPR came into force. As a result, we have developed a digital tool that can automate 95% of that work - without any human intervention. After a request has been made, our tool will crawl all data on that customer and present it in a user-friendly manner in a report. The report is delivered to the customer in his or her e-Boks only hours after the request has been made.”
“Finally, we use a tool for handling processes related to our Article 30 obligations, and it helps us map out and keep track of all our processes. It has been a challenge to map out all these processes and ensure that they are kept up to date. But the tool makes the job easier.”
GDPR as a whole
What would make your job as a compliance officer easier?
“More case law. As I see it, one of the biggest challenges is to fully understand how the different elements need to be interpreted and carried out in real life. People spend a lot of time interpreting the law in order to implement it correctly throughout the business. It would be useful to have more guides and manuals from the Data Protection Authorities. They are doing a great job, so it isn't criticism. I just wish we could have more of that across all jurisdictions.”
“Another challenge is that the different countries have different interpretations of the law. This makes it extremely challenging for us, since we need to implement policies that are common for all the countries we operate in. It would be easier if the different member states offered the same manuals. A more streamlined approach would be welcomed.”
What is the most interesting part of being a DPO?
“I find it deeply satisfying to be at the service of our customers and make sure that they get a good experience. In addition, I'm passionate about finding solutions to problems that on the one hand ensure that we continue to innovate and develop as a bank, and on the other hand ensure high ethical standards and responsibility with personal data towards our customers and employees.”
What is the best advice you can give to someone new to GDPR-compliance?
“Become part of a GDPR network and actively seek new knowledge through that. As mentioned, hands-on guidance and manuals are missing. A lot of that can be compensated for if you have a good network.”