As young professionals seek to break into the privacy space, they do so hoping to play the kind of role PayU Chief Privacy Officer Ulrika Dellrud, CIPP/E, CIPM, has across her more than 20 years in the industry. Dellrud's resume includes prominent privacy roles at the likes of Oracle, Novartis Corporation, General Electric and others. Her greatest claim to privacy fame dates back to being a drafter of GE's binding corporate rules and leading the approval process of the BCRs across EU member states.

Dellrud has also been a stalwart in IAPP Europe's operations. In addition to her regular speaking engagements at conferences and KnowledgeNets, Dellrud served on various IAPP advisory boards, most recently sitting on the Women Leading Privacy Advisory Board. "The IAPP is very close to my heart," Dellrud said, noting how IAPP has "become like a family over the years."

In this Volunteer Spotlight, Dellrud opens up about facets of her work at PayU and discusses the proper use and execution of BCRs.

The Privacy Advisor: Has PayU as an organization had to rethink its privacy practices at all in light of COVID-19? Also, how has the pandemic affected your work personally, if at all?

Dellrud: Like many other organizations, we have had a COVID-19 preparedness task force. Given that the working environment has completely changed during this time, we have, of course, looked into the appropriateness of the various online communications tools we are now using to an even greater extent. However, I am based in Brussels, and my team is truly a global one — members based in Cape Town, Bogota, Sao Paulo, Istanbul, Poznan, Moscow, Tel Aviv, Gurgaon, Singapore and Bangkok. From a daily communications point of view, things have not changed immensely. Of course, in the local offices, we have drawn up privacy guidelines around, for instance, what records human resources should keep of colleagues who may have contracted the virus, how long any information linked to a positive result should be kept, and making sure that data minimization is respected, etcetera.  

The Privacy Advisor: "Schrems II" and its effect on data transfers continue to dominate discussions in the privacy space. Not specific to PayU, but in general, what’s your best advice for navigating cross-border transfers during these uncertain times?

Dellrud: There are a number of steps companies can take in light of the "Schrems II" decision. First and foremost, make sure you know your data and your data flows. This is so basic but yet not a given for many companies. Also, think about whether there is some data that is more “risky” or more likely to be susceptible to interception than others. It is certainly not only data flows from the EU to the U.S. that are in scope, as there is a big impact if you use standard contractual clauses, so a good overview of all the flows, and especially those stemming from the EU is a necessity. Linked to this, and equally important, is to know your vendors, who they are and where they process or store your data. It quickly becomes a risky area as you do not have any control over them especially if they, in turn, subcontract the processing; work closely with your vendor risk manager to assess the situation. If you are using cloud-based suppliers, investigate if you can store your data in their EU-hosted instances. Other mitigation efforts to think about would be, again, around data minimization and assessing your technical measures, but encryption does not always work; data cannot be encrypted if you need to process it for fraud prevention purposes and reconciliation/banking purposes for instance. Finally, document your privacy and security risk assessment.

The Privacy Advisor: You have an extensive background related to BCRs. Can BCRs be the answer to the "Schrems II" conundrum, or are there underlying considerations creating roadblocks?

Dellrud: Good question. Well, while BCRs are not in the scope of the "Schrems II" decision per se, they are, in fact, another instrument for assessing adequacy, so supervisory authorities must assess whether companies will be able to comply with the contractual safeguards laid down in the BCR arrangement, including in relation to government surveillance. So in that regard, it is more appealing for companies because the burden is not on the company controllers to do the adequacy assessment, and this will most likely mean a surge in BCR applications as a viable alternative to SCCs and the EU-U.S. Privacy Shield to supervisory authorities. Query, however, how fast the turnaround time is with already understaffed and overstretched supervisory authorities. A company with an approved BCR today should probably look over its current practices and procedures when addressing the lawfulness of government access requests and make an even more thorough assessment than already in place.

The Privacy Advisor: Given PayU’s global standing and having to comply with various regulations, which regulatory framework has been most straightforward to deal with? Is there one that has been more difficult than the others?

Dellrud: PayU is a true global operator, active in more than 20 countries, with a heavy emphasis on emerging markets. Interestingly, many of those countries have, within the last couple of years, gone from, in some cases, virtually no privacy law to adopting a full-fledged (EU General Data Protection Regulation)-style legislation, while others have taken a somewhat lighter approach but still drawing inspiration from the GDPR. Nigeria is one such example. India is another where we will soon have a more robust privacy regime. However, it is not so much the privacy or data protection laws that pose a difficulty, but rather the banking and secrecy laws in countries like Turkey and Russia that require certain categories of data not be shared with third parties and/or not stored abroad.

The Privacy Advisor: Is there anything unique that you’ve brought to PayU’s privacy program that you think other organizations are either overlooking or should explore?

Dellrud: PayU’s privacy and data protection program incorporates globally recognized privacy principles and GDPR elements as its foundation. This program is then rolled out globally, which means that we have a common baseline for a global framework. In some countries, where the local law is stricter, we go further and in other countries, where the local law is less strict or perhaps not very mature, we may not roll out certain parts of the framework immediately so we do not hamper the business needs on the local market and ensure that they can compete on a level playing field. This approach has proven very successful as many of the countries where we are, in fact, copying the GDPR, so it makes sense as we will then be in very good shape once the new law enters into force.

Although not unique, our appointment of privacy champions throughout the various business units contributes to a successful privacy program where the core team is rather small in size. It requires of course a lot of bespoke training and effort, but having these “ears and eyes” embedded throughout the organization is of tremendous help to ensuring proper implementation of policies and becoming aware early on of new ideas or plans within the function.

Photo by Keagan Henman on Unsplash