Annika Anikari // October 12 2017
Summer of ’69 – or GDPR
First baby steps to become a subject matter expert in GDPR
After working several years as a Service Manager in privacy-critical services I got interested in the operational impacts of GDPR in February 2017. My starting point was that I knew IT security and data protection principles in general but would not have been able to work in expert roles in that area. I had always been leading teams of experts. To start with GDPR, I got familiar with the main principles by reading through the content related to the territorial scope, data subject’s rights, consent management and data breach notifications. Luckily, I was very soon chosen to start in my first GDPR-related assignment at one of our customers. Experience in implementing GDPR compliance was at that time still quite rare, but I knew the main principles and was willing to learn more. The starting point at that company was to go through the processes related to data subject’s rights, figuring out the scenario of people and systems involved. During those weeks, I noticed that I was working in the middle of everything: operations, IT systems and architecture, customer service, legal advisors and communications. I loved that position and building bridges between separate teams, talking to them and trying to understand what everybody’s role in processing personal data was.
Since April 2017 I have been working almost full-time with another customer as part of their GDPR project organization. I have also given support to people driving Digitalist Group’s own GDPR project forward. In consulting roles, this visibility into several companies in different business areas is an amazing opportunity to gain experience, because all of them have been so different. When I was working with the gap analyses and implementing the tasks towards compliance on a daily basis, I considered my background in various roles very beneficial. From service management I had learned how to run operations securely, from quality management I had learned the process development tasks, and from internal communications the importance of training, two-way communication and guidelines that can be easily found when needed. In project management and team leadership roles, I had learned how to get things done: keeping people at the center of everything. I felt that GDPR and privacy were topics where all that I had ever done in the past was beneficial. I felt I had found something where all these areas connected. I was addicted.
The decision to take the certification – to prove what?
In order to avoid the situation where it was only me thinking that I had gained a lot of experience in GDPR, I felt the need to test my knowledge and certify my skills. I considered it easier to show some proof of my knowledge to our customers if I had an assessment from a neutral party. I also had some certification history, because I had earlier completed IPMA C Project Management, Scrum Master and ITIL Foundation certificates. It turned out that CIPP/E (Certified Information Protection Professional/Europe), provided by the International Association of Privacy Professionals (IAPP), was the only certification in European Data Protection.
The certification path consisted of a two-day course organized by Wakaru (IAPP partner in Finland), self-studies and a certification test. The course was organized just before the summer vacation period.
Our trainer was the Senior Associate Lauri Leppänen from the law firm Castren & Snellman. My course mates were from many different business areas. Some worked as lawyers, some as IT managers, some in project management roles, some as subject matter experts in privacy. I found the course a good start for my self-studies. However, preparing myself for the certification tests during the vacation – what was I thinking?
Reading was not a piece of cake, I think
The timing of the certification test was good, because during my customer assignment my GDPR knowledge became stronger on a daily basis. However, because of working in a big compliance project, some parts of the regulation were more familiar to me than others, and in order to complete the test, I had to read a lot. The training materials from Wakaru and IAPP consisted of a .pdf file (compendium), the slides from the training and, of course, the regulation text itself. To my surprise, more than 60 pages of the compendium text handled privacy legislation and its development from the time before GDPR, which I would not have considered to be so important, and the regulation text was not easy either. All materials were in English. The structures of legal texts can be complicated and the expressions are not similar to expressions used in other kinds of texts. But the timing of my certification test could have been chosen some other way too: because I was on summer vacation, we were travelling for a big part of my vacation period, and it was not easy to find moments without disturbances before my kids had fallen asleep… and because of summer vacation, they stayed up later than normally. It did not happen only once that I found myself sleeping on my laptop or looking for nice shoes in web shops when I should have been reading the regulation, for which I tried to set the biggest amount of reading hours. The other parts of the compendium, except the legislation history, were written on a very hands-on level in an easily readable format and I went through them quite quickly.
The certification test
Schedules for the certification tests are individual. The test consists of 90 multiple-choice questions which have to be answered in 2,5 hours. Some of the questions are easy and quick whereas some of them are based on long scenarios. You are not allowed to use any kind of materials or other web pages during the test.
At first, because of the complicated scenarios, I was not sure if I would be able to finish all the questions in time until I had used 2 hours, although I tried to check the time and the amount of remaining questions all the time. Only then did I know I would have enough time to answer all of them. In the end I also seemed to have time to review some questions, which I had marked with a tag telling that I wanted to come back to them later. At the moment of submitting the test I felt very exhausted. 50% of the answers have to be correct to pass the test and I was only hoping for the best. Every participant gets the results immediately, and I was able to read from the screen that I had passed the test with very good results, much better than I expected, getting over 80% of the answers correct in each partition.
My feelings afterwards
I can warmly recommend the certification. It forces you to go through the legislation from all angles, not only those articles that you need in your work at the moment. However, even if you have passed the test with good assessments, the interesting part has only begun. Implementing the regulation text in daily operations is not easy. Because the regulation is new, we have to make interpretations all the time: How to…? To what extent should we…? Is this the best possible practice…?
I still think I am among the lucky ones. I have been able to dedicate quite many hours of this summer to my certification, and at the same time, because of my work, I have a wonderful observation point on the practices in several companies. The next step is to find the correct forums and arenas for following best practice development across different business areas and countries – and being part of that development.
Processing personal data is at the center of all digital services. That means that I will be able to learn new things for a long period of time in the future, and what is especially meaningful: at the same time I will be able to share forward all those things which I have already learned, and make it easier for others.