In this column, we want to highlight a DPO through a handful of questions DPI asked. Thomas Graditzky, Data Protection Officer at Fedasil, is happy to answer them.
How did you get into the role of DPO?
As legal counsel for an international humanitarian organization for many years, I was involved in overseeing the management of often particularly sensitive data of vulnerable people (wounded, detainees, etc.).
With the development of the legislative framework regarding the protection of personal data, in Europe and around the world, I evolved very naturally into this area within this organization.
I became deputy DPO for operations in the Middle East and Asia-Pacific. I then had the opportunity to work as DPO at the Federal Agency for the Reception of Asylum Seekers (Fedasil).
What part of a DPO’s duties do you prefer?
Raising awareness of data protection issues and principles is particularly important to me.
It is far from obvious, but it is essential to ensure that all colleagues are aware of the specific risks to the public affected by our organization’s activities and know how to provide them with the best possible protection in terms of processing personal data.
What event in the privacy landscape has impacted/affected you the most to date?
The adoption and enactment of the General Data Protection Regulation and the impact it had on the development of normative frameworks elsewhere in the world, including within international organizations.
Even when rules already existed, it was a matter of reinforcing, developing and clarifying them. All actions involving the processing of personal data had to be reconsidered by this new perspective.
How would you describe the role of DPO in your company?
The role of the DPO in my organization corresponds to that provided for in the General Data Protection Regulation; a discreet but pervasive role, all the more so given the numerous and complex treatments carried out within the Agency and the entire shelter network.
In particular, the specific challenges relate to the great vulnerability of the people involved – the applicants for international protection – and to the pressure on many of my colleagues, who are well aware of the problems, to act quickly, efficiently and often creatively within the framework of the current crisis in the sector.
What do you think is the biggest challenge for a DPO?
It’s about staying on course, despite all the difficulties you encounter along the way, staying convinced and persuaded, staying a voice among everyone who speaks to the management body of the company or “organization.
Which technological evolution do you think has the most impact on data protection (positive/negative)?
The advent of artificial intelligence is definitely worth mentioning here, with all the challenges it brings to the application of the current normative framework in the field of personal data protection, for example in terms of responsibilities and transparency.
What are your experiences in the contact between DPO and data subject/supervisor?
Contacts take place mainly in the context of the exercise of rights by data subjects. Sometimes questions are also received outside this framework in connection with some data processing by the Agency.
The intention is to increase these contacts, for example by better involving these people in carrying out data protection impact analyses or to better assess the appropriateness of the way information related to data processing is provided.
What is your golden tip for getting data protection and information security higher on management’s agenda?
As far as I am concerned: be clear and direct about the impact of compliance or non-compliance on the people involved on the one hand, but also on the organization, its reputation, etc.. In this context, it is important to highlight all the contributions of data protection.
However, the situation probably depends very much on the sector of activity and the profile of the management members. Sometimes it is effective to appeal to the personal experience of the latter, or to their possible reaction in a situation that is likely to concern them more directly.
What is your Swiss army knife as a DPO?
Listening, patience and perseverance allow me to handle many challenges.
How do you stay abreast of new trends in AVG technology and legislation?
I try to keep myself as informed as possible by monitoring or consulting various websites, by exchanges on social networks that can draw my attention to information that would have otherwise eluded me, by occasionally attending conferences, workshops or seminars, and, last but not least by participating in Stay Tuned as DPO trainings organized by the Data Protection Institute.
This particularly stimulating training ensures that we stay globally up-to-date in the field of personal data protection.