Does compliance with the data protection regulations have to represent a huge and costly burden to organisations? Not if you have the right team on your side. Rob Masson, CEO and founder of The DPO Centre, explains how, with a little help from the experts, compliance can be a differentiator that actually builds trust and promotes growth.
Thank you for gracing us with your time, Mr. Masson! Given your seasoned experience in entrepreneurship, could we begin with a few words on what inspired you to go in the direction of data protection?
In 2016, I was in the process of completing an exit from the e-commerce agency I had run for the previous 18 years. During the 12-month earn-out period, discussions around the upcoming introduction of the GDPR were becoming increasingly frequent. By the time my exit was complete in March 2017, it had become obvious that significant opportunities were being created by the rapidly expanding data protection market.
Given that the UK market alone would require in excess of 15,000 data protection officers to meet the new regulatory requirements, but with only around 5,000 in existence at the time, demand was clearly going to be high for personnel with the necessary expertise.
What was the transition like from being a serial entrepreneur to being the founder of one of the leading data protection companies today?
Even though The DPO Centre is into its fifth year, we are still entrepreneurial in our approach. Being dynamic and willing to “fail fast” is inherent within our planning. We do not shy away from taking risks, making big bets and being bold in our approach. Some of our initiatives have failed, but they have each provided greater understanding and market intelligence, and exposed new opportunities. These have subsequently reaped far greater and longer-term rewards than any losses realised by these failures.
A primary example is when COVID first hit. Whereas others seemed to retreat and pull down the shutters, we used this period of lower client engagement to double down on our marketing and branding, introduce new initiatives that had been stuck on the drawing board, and to switch entirely from our face-to-face event-led marketing to a digital one. As a result, a year later, our July 2021 full-year results showed 91% growth in revenue, 102% growth in EBITDA and 106% growth in headcount.
You launched The DPO Centre in 2017, back when the concept of data protection and privacy had only just begun to take root. What were some of the initial hurdles you overcame?
It is fair to say that the GDPR was introduced along with considerable hype and hyperbole, which led to significant confusion in the marketplace as to what organisations were required to do prior to the law coming into force on 25 May 2018. Confusion and misconception reigned, so providing access to knowledge and sound expertise was key to our early success.
We have been very fortunate to be able to build a great team of experts. However, maintaining the steady stream of the great people we need to fuel our growth remains our biggest hurdle.
Since its founding, The DPO Centre has established itself as one of the most trusted names in the field of data protection today. Being awarded the “Professional Services Firm of the Year” at the British Data Awards 2021 proves just that. What was it like hearing the news for the first time?
Receiving this award was testament to the incredible team we have created at The DPO Centre. There have, of course, been standout contributions, but any such award is never down to the efforts of any single individual. They are the product of the hard-working, enthusiastic and committed team of professionals that I have the absolute pleasure to be working alongside.
The DPO Centre takes pride in its #ONETEAM philosophy, which you’ve said is one of the fundamental elements of your success. Could you tell us a little bit more about this mindset and why it contributes to the company’s achievements?
The DPO Centre exists not to “win” by being “the best” or “the biggest” or “the most successful”. Our purpose is to “inspire and develop one remarkable team, that delivers the extraordinary”.
#ONETEAM is our philosophy that encourages every member of our team to have respect, adapt and deliver, to grow and to enjoy their journey.
We put the needs and development of our team first, above even those of the client. We firmly believe that if you have a respected, inspired, empowered and trusting team, it is almost a given that you will cultivate happy, delighted clients who show gratitude for the quality and professionalism of the work you deliver and who gladly recommend your services to others.
As an Accelerator of Data Protection Services, how would you advocate for a culture of clean data and embrace compliance as a trusted tool for innovation and business growth?
Compliance with data protection laws should not be seen as a barrier to the introduction of new technologies and innovation. They ensure that innovation occurs responsibly and respectfully. This, in turn, builds trust, loyalty and engagement between organisations and their customers, which forms the fundamental building blocks for business growth.
We saw failure in this regard earlier in 2021, when WhatsApp informed its users that it would be sharing their personal data with its parent company, Facebook, an organisation that has built a questionable reputation when it comes to data protection compliance and respecting the rights of individuals. Almost overnight, there was a mass migration away from WhatsApp and toward other apps, such as Signal and Telegram, that presented greater transparency and assurances in respect of protecting their users’ personal data.
Data subjects are now more aware of their rights than ever before, and they are far less likely to tolerate the misuse of their personal data.
From the healthcare sector to public bodies, your client portfolio is impressively diverse. How would you say the privacy concerns of each industry differ, if at all?
Privacy concerns and challenges vary considerably from sector to sector. This can be due to the types of data subjects whose personal data is being processed. For example, education deals with large amounts of children’s data, so requires additional safeguards.
For others, it is due to the type of personal data processed. If there is a lot of sensitive “special category” data, as in healthcare, this brings further challenges.
There are also industry-specific rules and regulations, like Financial Conduct Authority (FCA) regulations in financial services, that add an additional layer of complexity.
At The DPO Centre, across our team, we are fortunate to have a range of industry experts who have the knowledge and experience of dealing with the different concerns that each of these challenges presents.
What do you think are the challenges for organisations implementing a data protection system in this new normal, and how would you address them with your services?
A key impact that the pandemic has had on our working lives is that many of us now work from home for some or all of the time. We have gone from coming into the relatively secure environments of our workplaces, where we work on devices that are under the direct control of our IT teams, to now working from home on our personal equipment and over our home Wi-Fi. Facilities such as VPNs and remote access can reduce the risks but, in many cases, data processing is occurring at home, making it much harder to apply the appropriate “technical and organisational measures” that the law demands and to respond fully to individuals’ rights requests, such as DSARs.
Mitigating these issues starts with implementing appropriate policies and procedures, and delivering tailored training that ensures that employees are aware that it is everyone’s responsibility to comply with data protection law, especially when working remotely.
You’ve mentioned that The DPO Centre continuously exists for the purpose of lightening the burden of the pressures that come with data protection laws and privacy concerns, especially in the EU and the UK. What steps have you taken in this direction?
Our service delivery is based upon a “continuous support framework” whereby we assign a “primary” DPO to deliver the number of days of support per month to proactively meet the client’s needs. This is then supported by a “secondary” DPO, who is provided entirely at our cost, to ensure continuity of service, should their primary DPO ever be unavailable. And then, finally, we provide access to our advice line, which acts as a “concierge” service to triage issues as they arise and mobilises the necessary mitigation resources. This therefore delivers a full month-round service, but far more cost-effectively than maintaining an in-house team.
If you were to look at it as a glass-half-full situation, what would you say were the opportunities the pandemic provided for the data protection industry that would otherwise not have been accessible?
The transition to working from home threw up a host of data protection issues that privacy professionals suddenly had to deal with. Whilst this was challenging, it did reinforce how dynamic and adaptable data protection practices and frameworks need to be, so has led to significant improvements for many.
The pandemic also created issues such as the UK government’s decision to develop their “Track and Trace” app using a centralised, rather than decentralised, approach to data processing. This highlighted all manner of privacy-related issues in the mainstream news that significantly raised the profile and importance of data protection to the public and focused the attention of a great many more organisations that it would otherwise have passed by.
The switch from face-to-face to online data protection events and conferences has made them far more accessible to people working in data protection all over the world, providing greater opportunities to connect with other privacy professionals and facilitating valuable networking and knowledge-sharing.
What can we expect to see from The DPO Centre in the coming years?
The DPO Centre has a focus on growth, not because we want to become the dominant force in the market commercially, but because with growth comes greater opportunity for everyone within the organisation. This includes creating opportunities to work with ever more interesting and complex clients, to develop deeper specialisms and be further recognised for our expertise. It is also to create an entity of sufficient scale that is able to have a progressively greater and more positive influence on the direction of the industry and the significance of the role of data protection officer.
We believe that our current growth trajectory, supported by the exceptional range of initiatives we have in development, will enable us to have an increasingly profound and highly positive impact on the future of the privacy sector.
What new services is The DPO Centre looking to launch over the next 12 months?
One of the rights afforded to us by data protection law, coupled with the increase in data protection awareness during the pandemic, has meant that many organisations have seen a significant rise in Data Subject Access Requests (DSARs). DSARs are valuable, as they enable you to request a copy of all your personal data being processed by an organisation to ensure it is accurate and is being processed lawfully. The downside is that they can be used vexatiously and submitted unnecessarily frequently, and have become standard requests that pre-empt employment tribunal cases.
DSARs present clients with significant challenges, both in terms of having the necessary expertise to respond appropriately and in terms of having the resources available to complete the response within the statutory one-month time frame. Some contentious HR-related DSARs can run to 10,000 pages or more.
In response to this, The DPO Centre launched its new DSAR response service, which provides the requisite expertise and resources, reducing or entirely removing the burden that these requests pose.
Thinking globally, are countries now offering similar levels of data protection?
The global data protection landscape is constantly evolving, with new legislation being introduced and case law influencing the decisions that need to be made. The GDPR is still considered the global “gold standard” for data protection law, so many other jurisdictions have replicated it to some degree.
However, all countries have their own interpretations and variations, which is even the case across the 27 EU member states. Being able to understand and remain up to date with the requirements in these varying jurisdictions and apply the correct law is a complex task, so is generally outside the capability of a single person.
The DPO Centre solves this issue by providing clients with a DPO who has specialist knowledge of their sector, but also one that has access to the broad pool of knowledge available across our large team.
As founder and CEO of The DPO Centre, Rob Masson is actively driving innovation, transformation and thought leadership in data protection and privacy. With over 30 years of business experience, Rob has been involved in delivering solutions to some of the world’s largest and most respected companies.
Rob set up The DPO Centre to assist organisations of all sizes to identify how evolving Data Protection legislation will affect them, the steps they need to take to comply, and how, when implemented well, compliance builds trust, confidence, loyalty and engagement.