A daunting task for the financial industry





Privacy- and Data Protection professionals have been around for many years – some jurisdictions have even had as a mandatory requirement to appoint Data Protection Officers. No one has however ever yet worked as a Data Protection Officer under the General Data Protection Regulation (GDPR).  Maria Holmström Mellberg, Group Privacy and GDPR Lead at Nordea, DP Forum board member and speaker at Nordic Privacy Arena 23-24 October, outlines some of the challenges for DPO:s in the financial industry.

What are the most pressing concerns for the financial industry in terms of GDPR preparation?

– I think it is safe to say that we as an industry are used to adapting to what is often referred to as tsunamis of new regulations and it is for example a fact that many of us are active in many jurisdictions and highly dependent on complex IT-legacies for our activities. We are also used to handling a high-degree of customer confidentiality stemming from for example bank secrecy, says Holmström Mellberg.

– We know the importance of trust also when it comes to processing personal data. Hence we are reasonably well versed when it comes to eating interpreting and implementing complex and sometimes contradictory new regulations, which the GDPR is. The complexity of the task is daunting.

– Many of us are running our GDPR-preparations in fairly large project portfolios as change programmes and we have been up and running for quite some time now, in fact so long that we have also adjusted the approaches a couple of times already. The fine-tuned understanding of the GDPR increases in parallel with improvements of methodologies and technical tools. It is a difficult balance whether to start out using for example excel tools while ensuring that processes are set up or to jump on some tooling offers already out there in the market. As we get closer and closer to 25 May 2018 we learn what to focus on and perhaps even reprioritise our projects.

Are you worried about international data transfers and that data protection may adopt different strategies and approaches? 

– Since many of us are running cross-border activities we are concerned that ministries and regulators in some jurisdictions will continue to press for too many and too strict variants. The journey towards more common interpretations and aligned supervision is supported by the industry. Common understanding and interpretations are fundamental, so investing in training, awareness and communication is key.

– We acknowledge the fact that May 25th is a milestone rather than a closing date and that we are all embarking on a journey.

Traditionally the privacy and data protection professional has been a lawyer – what happens to that now – will the DPO necessarily have to have for example a law degree?

– Interestingly enough it seems that what you see as the mandatory background seems to depend on your own background. If you are a lawyer, you point to the fact that the only ones understanding data privacy are lawyers, if you are an information security and cyber security professional you see that as the best background and the same goes for other professions such as marketers, data and privacy engineers, various architects, compliance professionals and risk professionals.

– Given the extreme complexity of the topic alongside the importance of data and new technological advances the person accepting the role as DPO must have not only a reasonable understanding of legal and regulatory requirements but also of information security, cyber risk, data and technology – and all the above.

– Most importantly perhaps, in order to be successful the DPO must be able to relate and interact internally and externally at all levels – to go out on the floor and infuse privacy be design with various developers, discuss privacy risk and corporate risk with boards, communicate transparency and trust with customers and the general public and finally with politicians and regulators of different flavours by in a forward looking dialogue in favour of the general good.

– As these persons do not come off-shelf from neither law schools, business schools nor institutes of technology, they will themselves be important contributors and servants of the non-silo, network eco-system of the future. A quite scary but interesting task.

Many are now working on the challenges to create one DPO organisation for large complex entities or across corporate groups. How do you ensure that conflicts of interest are avoided, and that such organizations are agile and fast-paced enough?

– The DPO-role is expected to be truly multi—faceted. The DPO in a very small organisation must have a broad background and a curious mindset. In larger businesses the DPO organization may well be one, headed by a Group DPO or similar (especially made possible also by the fact that the GDPR allows for outsourcing of the role, ie in this case outsourcing within a group of companies) and supporting country, subsidiary or business area/topic DP-specialists. In addition to that it can be valuable to arrange for ambassadors or similar in various extend arm positions.

– When it comes to the tasks as they are listed in article 38 of the GDPR it can be valuable to set up individuals or teams that are specialising in the different angles of for example advising and monitoring (ranging from policy, strategy and control setting, framework implementation, training and awareness, monitoring and reporting etc). It can be valuable to pay some extra attention to avoiding conflicts of interest and not sitting on several chairs, when developing a model for the DPO. Some conflicts might not be possible to avoid, and they must hence be assessed and managed. Others are more easily avoided, such as not placing the DPO in places where the independence would be more difficult to ensure, such as avoiding reporting lines into certain units (mentioned in international discussions have been IT, HR, marketing, legal, but this must be outlined for each industry and organisation).

– In the financial industry we live under the strict frameworks of three line of defence and are under supervision of Financial Supervisory Authorities. Hence we are working to understand the ultimate model for the financial industry as compared to and in parallel with for example the Chief Information Security Officer and the Compliance Officer. This is done among ourselves locally and internationally and dialogue with both the Financial Supervisory Authorities and Data Protection Authorities is needed. As often each firm must find a model that suits their existing governance and business model in order to best demonstrate accountability, enhance trust and most importantly develop better services for individuals, regardless of whether they are customers, employees or citizens.

When you took up the work to lead the GDPR and Privacy work at Nordea you were a relative newcomer to data protection – what were your impressions?

– I have been in and out of financial regulatory compliance ever since I joined Nordea more than 25 years ago and I have loved it ever since. It is a great opportunity to be able to support business and help enhance services and work for a greater good. When I came into the pure privacy and data protection field I was lucky to do so at a very critical time in history.

– There has probably never been a point in time when dialogues about privacy and data protection have been more crucial to carry out. This dialogue should not at all be driven by the GDPR but by the needs of society to discuss what it means to be human in relation data about us, how to be in control of data and how data is gathered and used about us and other aspects of society and business where data is in focus. It was amazing to be invited to join the open, active and challenging dialogue and development in the area.

– I can only encourage and invite tempted colleagues to join in as well. Joining organisations such as DP Forum are one way to enter the dialogue, to learn more and to help make a difference.

About us

The Data Protection Forum was founded in 2012.  Today the forum engages and supports almost 400 members engaged in privacy and data protection. Members represent all types of authorities and industry sectors of any level of size and complexity and in all stages of maturity in areas of technological and data as well as governance and control.

Maria Holmström Mellberg works on Privacy and Data Protection matters including the implementation of the GDPR and the overall strengthening of Privacy and Data Protection for Nordea Group. She is a board member of DP Forum and is also engaged in other international, European as well as Swedish data protection foras, for example the European Banking Federation and the Swedish Bankers’ Association.


Fredrik Svärd
Secretary-General, DP Forum