Dear data protection officer (or chief privacy officer, privacy counsel, privacy director, etcetera — however your organization calls you):

You may not read this letter immediately, as you are still heads-down on implementing the EU General Data Protection Regulation in your organization. I want you to know that I think you are amazing and to say thank you for the herculean effort and boundless commitment you have given to getting your organizations ready for the GDPR.

I know you often feel unappreciated, and so many people just don’t understand what you have to do every day as you open your inbox in the morning. Very few people fully understand what it takes to get your organization in compliance with the GDPR (and all the other global privacy laws you are subject to) and how many sleepless nights you have had thinking about it. They don’t get how vast your role is, how many different hats you wear and how many skills you need to have in your repertoire, how many varying and competing pressures you face every single day, and how tough it is to be constantly between a rock and a hard place.

You have to be able to navigate the unchartered waters of various data privacy laws well beyond just the GDPR; be proficient in the latest technology and speak the language of your tech teams and data scientists; understand everything about your organization’s data and its relevance for your business; explain how blockchain and anonymization work; have that unique “gut feeling” about the risks of data processing and insights in how to balance your organization’s legitimate interests with the rights of individuals, not to mention awareness of the legal effects of decisions based on automated processing; be around every time somebody in your organization launches yet another project, system, product, service or enters into a business partnership that involves use of personal data (just about everything under the sun).

You have to be the philosopher-and-ethicist-in-residence, determine if data processing is fair, or know how to do the right thing. You also have to be the agony aunt and to know how to respond when an agitated customer wants all the data your organization holds about them or when they claim they have a right to be forgotten. You have to be on the barricades every day, defending human rights while flying the flag of innovation and digital enablement and progress. You have to be a good storyteller to engage your leaders and captivate people you work with and make it clear to them why privacy and responsible use of data matter. You have to be an ambassador for your organization and maintain more than just an “entente cordiale” with data protection authorities, legislators and policymakers, media, privacy advocates, and just about everybody else.

You must have the courage and integrity to stand up and explain when a regulator knocks on your organization’s door or a privacy activist sends yet another stinging criticism your way.

And this list goes on and on. I told you, what you do is unique, and you are amazing.  

Some of you may be lucky to work in a place that understands the importance of your work and the value of data privacy accountability of your organization. You may be blessed to report to enlightened leaders and visionary boards that realize the strategic role you play and the importance of data and its responsible use for the growth of your organization. You may be privileged in that your leaders understand the critical role of digital trust and confidence in ensuring sustainable and beneficial uses of data for the world where data will be driving economic and societal progress. But even then, luck comes to those who deserve it. It is because of your leadership that your organization has turned up the dial and sees data privacy as a business and strategic issue, beyond pure legal compliance or the threat of GDPR fines.

I hope you get the credit you deserve for all that you did and all that you will continue to do every day after May 25 for as long as you have this role. I hope that recognition does not come just from your boss and your organization’s leadership, but that it also comes from data protection authorities you work with, from privacy activists who keep you on your toes, to media who scrutinize your organization’s every single move and from every single person who is on your organization’s IT systems, and all customers who can now relax knowing they can continue to enjoy exciting services and products with you ensuring their data is used responsibly. 

Behind every single organization, there is you and (hopefully) your team. I know nobody ever thanks you enough, so on behalf of all of them, thank you. You are amazing.

P.S. I would have sent this letter to your CEO, but I don’t have her/his address. So, please, do pass it on.

With warmest regards,
Bojana Bellamy

President
Centre for Information Policy Leadership at Hunton Andrews Kurth

photo credit: Kevin Doncaster Ready via photopin (license)