A Life in Data Protection

Ever wondered how data protection can become a life-long career? Hear from Edna Essien, who has over 20 years of global data privacy experience and is a qualified Solicitor of England and Wales.

Current position: Director and DPO (APAC), PayPal
Data privacy history:
• Director, Head of Data Protection & Technology Compliance, APAC at Scotiabank
• Senior Legal Counsel, Global Privacy at Standard Chartered Bank
• Global data privacy and legal commercial contracting teams for telecoms and IT/Management Consulting firms in UK
• Vice President and President at AsiaDPO

1. Why you?
“Why not me?”, is the question that should be asked. I think, like most data privacy professionals, I “fell” into privacy. Very early on in my legal career in-house at a Canadian petroleum company I was approached by a recruitment agency that there was an opportunity to take a data protection role in the legal team with the telecoms arm of one of the biggest utilities companies in Europe. I knew nothing about data protection/privacy apart from completing the registration form for the UK Information Commissioner’s data processing register annually. I took the role because I looked at it as another area of law, I could with my background learn to understand and advise on just like I had had to learn about contracting law. It was very new and not many (any) young and aspiring lawyers were going to into this area, but I like a challenge, and I like to acquire new knowledge, so I went for it. I am so very glad I did as this is still an exciting (albeit in some cases challenging area of legal and compliance) and I have never looked back. Being a data privacy professional, or proudly a “geek” has brought a fulfilling career and opportunities and has brought me to Singapore.

2. How did you get involved with AsiaDPO?
I moved to Singapore in 2014 and at the time worked in Standard Chartered Bank’s global privacy team. I was looking for a network of peers where we could learn from each other much like the networks I was a member of back in the UK and in Europe. I was introduced to AsiaDPO before we were formed as a Society. It was wonderful to be amid a network formed by DPOs for DPOs.

3. How do you help and support your organisation as a DPO?
As a DPO, I think some people sometimes misunderstand that we are the “police officers” of our company’s data. That is a misconception. As a DPO, my role is to help my organisation understand the requirements of data privacy/protection laws and advise them on how they can comply with these laws bearing in mind their risk profile, the nature of their business and the personal data that we hold. I must cut across and maintain relationships with all functions and business units processing personal data and truly understand what, where and how personal data is handled. I maintain relationships with regulators, and I also have foresight on upcoming trends in these areas as well as provide an analysis and impacts on laws that could potentially affect our business. Depending on the sector that my organisation is in I also must be familiar with regulatory guidelines coming from the sectoral regulator.

4. What do you need to know as a DPO?
I think first thing is that you are not alone. When I started years ago, data protection was not a known area to specialise in. Now, there are regulatory requirements to appoint a DPO such as under the Singapore PDPA or the GDPR - so this role has gained traction. You also have networks such as AsiaDPO where you can liaise with other professionals facing similar challenges as you. Secondly, you need to know the organisation that you work for. Do not walk around either saying no to everything or quoting chunks of data privacy laws without providing practical and compliant solutions. Thirdly, Educate! Educate! Educate! I have found that when accountability starts from the ground up that is half the battle won in setting up a data privacy program. Finally, DPOs are influencers. In our roles, we must be able to influence the organisation on prioritising data privacy/protection as a key risk area.

5. What are the biggest challenges that you face as a DPO?
I must be honest and say that early in my career I did face challenges of senior stakeholders not understanding the importance of building an effective data privacy program. However, I then went on to work for organisations who understood the importance of a data privacy program. They championed the data privacy function on my behalf and made sure I had the right exposure and resources needed. Now, I think the regional/enterprise vs local compliance interplay may prove challenging. However, when you build relationships with your local teams, they iron themselves out. The evolving laws also keeps me on my toes as in some cases there is lack of harmonisation, but I have seen the move towards accountability which is welcome.

6. What does your usual day at work look like?
Like a lot of people, I work from home and lately I go into the office once a week if I have meetings that I want to attend in person. Once my daughter gets on her school bus, I go for run or walk before my day starts. PayPal is a global organization so my day may start with a call with my counterparts/teams in the U.S. as that is their evening and may end my night-time as that is their morning. My work activities are very diverse ranging from responding to regulatory examinations, attending leadership calls to give an update on key matters in data privacy, helping teams respond to customer complaints, reviewing regulations that have been captured by our regulatory development tool or conducting a Data Privacy Impact Assessments.

7. What trends do you foresee in the data protection landscape over the next 5 years?
I think data privacy permeates every area of life now whether you are on social media or use any kind of technology or even you are walking around doing your daily tasks being surveilled by CCTV. As a DPO we are seeing the interplay of data privacy with ethics, competition law and human rights (e.g. Roe vs Wade). I also think we need to keep a close eye on technological and digital developments (e.g. AI, Cryptocurrency), and how data is used in global events such as the COVID pandemic, and more traditionally – outsourcing, evolving regulations and individuals wanting more control of their personal data.

8. What do you think is the most dangerous threat to personal data protection today?
I don’t think I can pinpoint any particular threat to personal data protection that I can foresee. I think the danger is when the work of DPOs is not treated as important, or if laws move towards a state of protectionism rather than protection of individuals’ personal data.

9. Where do you go for inspiration or resources that you use in your development as a DPO?
I use a mixture of resources such as regulators like the PDPC’s website, law firm alerts and data protection libraries, resources from networks like AsiaDPO and attending meetings/seminars/conferences such as the PDPC Workshop run by AsiaDPO. Within my organisation we also have in-house tools to monitor regulatory developments in this area.

10. Having worked in various countries, what are your views on cultural differences in privacy concerns?
I would definitely say that there is a difference. Coming from the UK, we have a long history of data protection laws. Therefore, there is more awareness and individuals do exercise their rights (data deletion, data access requests, complaints to the regulators) more that I have witnessed in Asia - which is a fast-developing region for regulatory developments. Asia might follow the same trend. I was surprised when I came here that many shops/companies (reception) could ask for my FIN number. To me, that was akin to handing over my passport number or national insurance number which was used for very limited purposes. I was glad when the law changed on the processing of FIN. I do think that the PDPC and other regulators like the EU regulators are, overall, open to discuss the regulatory framework in the context of commercial needs and we need to keep that engagement active. As a DPO, there were more career opportunities in the EU but over the last couple of years I have seen more MNCs looking to appoints APAC DPOs - which to me signal their recognition of the growth of data privacy regulation in this region. Having worked for several U.S. companies, I have also been surprised by the lack of a U.S. omnibus data privacy law, although there are section specific laws such as HIPPA, COPPA, GLBA and state laws like CCPA. This is an area I’m keeping a close watch on – as there is a draft U.S. omnibus data privacy law.

11. What is your response to the argument that privacy is dead?
I think privacy is far from being dead. What I do see is the willingness of individuals to share their personal data and life on social media. However, I still think they care how their data is being used and abused. The laws are still evolving even in APAC, and more are coming in other regions such as Africa, Middle East and LATAM. The move to a more digitalised world also comes with balancing the needs and goals of organisations vs the data privacy rights of individuals. I think data privacy will continue to grow and evolve and I am looking forward to seeing how that looks in a few years. I hope we can solve issues around transborder data flows as the world is truly a village.

12. What are people’s most common misconceptions about what you do?
I think the first step is they need to know what data privacy is! It took my family years to understand what I did as it was (and still is) such a niche area. A lot of people think data privacy is security, cybersecurity, data management oversight, intellectual property to name but a few. I think most of these areas commingle with data privacy but that is not the core of what it is.

13. As a DPO, how important is it to network with your peers?
Incredibly important. The adage “no man is an island” rings true especially as a DPO. I am honoured that I have been able to serve my peers as part of the managing committee of AsiaDPO, building a committee of experts, the first and only such committee in Asia. We have existed for around a decade, and formally registered as a society in 2017. 2022 marks our five-year anniversary. Our members include privacy practitioners and professionals from diverse backgrounds, trained in disciplines ranging from law to business and tech. In Singapore, we are the only data protec6on expert body to be established and run by practitioners (DPOs). AsiaDPO’s mission is to develop the profession of privacy and data protec6on in Asia by promoting practitioner excellence and making distinctive contributions to the DPO community of practice. This means:
• Building resources for skills enhancement and peer sharing of unique perspectives;
• Keeping members updated on international developments in our field; and
• Bringing our practising expertise to partner regulators, thought leaders and civil society to develop and advance data protection in Asia.

Ultimately, the goal is to ensure that the practice of privacy and data protection remains progressive, robust, and relevant in the long term.

14. What suggestions do you have to network with your peers?
I think that now that the world is opening up, do take the opportunities to attend seminars and workshops (including the upcoming PDPC week and AsiaDPO workshop) as well as joining as a member of AsiaDPO. More information on AsiaDPO can be found at https://www.asiadpo.org