This edition of the Volunteer Spotlight features EY Chen & Co. Law Firm Data Protection Officer Galaad Delval, CIPP/E, CIPM. Before becoming DPO at EY just over a year ago, Delval worked as an EY researcher focusing on Chinese cybersecurity and data protection while also having experience with cross-border e-commerce operation and relevant legal issues.

Here, The Privacy Advisor caught up with Delval regarding, among other things, the transition to DPO and his take on the greatest challenge COVID-19 presents to the privacy space.

The Privacy Advisor: Describe your volunteer work with the IAPP and the most rewarding part of your experience(s).

Galaad Delval: I started with a few KnowledgeNets before participating in the Asia Privacy Forum in 2017 and 2018 as a speaker. I presented on Chinese data protection regulation, discussing the latest news and developments with that legal framework. After that, I wanted to do more than just present, so I applied and was accepted to the Asia Advisory Board. I've also contributed to the IAPP's Global Legislative Predictions since 2017.

I think the most rewarding part is being involved with a group that listens. If you have new ideas or strong opinions, like I do on privacy, it is nice to have people that are willing to listen to your thoughts and discuss them with you. The IAPP gives us a platform to share ideas, learn concepts and challenge others.

The Privacy Advisor: As a young privacy professional, what has it been like for you to grow your career during such a revolutionary time for privacy/data protection around the world?

Galaad Delval: When I started at this in 2015, it was a real turning point for privacy globally, then it really took off with the (EU General Data Protection Regulation's) passing mid-2016. It was fascinating to really come into everything as matters were beginning to bubble up as they were. But at the same time, you had this realization that privacy held importance to some while others still viewed it as checking a box. That still hasn't changed five years later, and I think it's a major difference you see between young privacy pros and the more established ones.

For me, privacy is not just a checkbox. You need to make privacy live in a company and show why it's important. We aren't working on compliance just to avoid being sanctioned, but because privacy actually matters. Behind personal data, you have individuals that have to be protected. That's the key I'm not seeing as much with some older privacy pros, who see compliance as a requirement.

The Privacy Advisor: You moved into the DPO role a little over a year ago. What’s your best advice to professionals making a similar transition?

Galaad Delval: It's difficult to say because there are different companies and different transitions, but I'll give you a few cases.

If someone is becoming a DPO at a company they aren't familiar with, my first advice is to find out as much as they can about the company and try to get to know them. You want to do that because if it's a dumpster fire from the outside, it is likely not better from within, and you want to know beforehand. Your colleagues and management will feel like you're responsible for everything. If you end up in a company with nothing done and there are trouble spots everywhere, then you're not prepared mentally, you're in for a bad time. 

Along with knowing the company, you should know who your contacts are within your new company. Before any transition, you want to know everyone and, more importantly, be introduced to everyone by the board. Those connections are certainly a key, especially when you look at a country like China, where a lot of privacy departments don't interact with other departments. They're closed off, and that's a bad situation because they don't know what has been done without discussion and communication with other departments.

The Privacy Advisor: You’ve written a series on Chinese privacy law and how foreign companies can best comply with the regulations. In your opinion, what is the most important compliance practice a company can adopt and why?

Galaad Delval: Accountability. Without any doubt. Every process will use documentation. If you have a company developing its program over ad hoc procedures and documentation, then you're in for a nightmare.

You have a case in which you ask for a file, but then the killing question is: Which version of the file do you want? Who made which version? When? Why? What's the modification made? Without accountability in these cases, you will not know who did what and when, nor will you know if you're getting the latest version and if it's applicable.

The Privacy Advisor: The COVID-19 outbreak has been on the minds of people across the globe, including privacy pros. What glaring privacy issues, if any, do you see when it comes to the pandemic?

Galaad Delval: One of the most glaring issues certainly comes with remote work. We have a lot of companies going remote without training or true preparation. When you make that shift so fast, you're likely going to use third-party software or any solution available to your employees, which are all provided by third parties. Using these third-party systems for corporate, client or employee matters is, legally speaking, a breach of confidentiality because of third-party access. If it's a document, then it's analyzed. A voice conversation, depending on the country and its laws, can be stored. Social media transfers come with no certainty as to whether a recipient has deleted the file.
