In December 2019, the moment arrived when I received some incredible news: I’d passed a recruitment process and was set to begin the (bizarre, though we didn’t know it yet!) year of 2020 working in the field I’d been studying and planning to work in for months. Since then, working in privacy, I’ve had the opportunity to see how this dynamic worked in different scenarios:
The beginning: lawyer and consultant at a firm focused on digital protection and IT law
What I can say about the situation back then, in early 2020, was that everyone was trying to understand and learn. Everyone. Clients had no idea what they needed to do and were terrified by the potential for high fines. We consultants were literally changing the wheel while the car was moving: we took all our theoretical knowledge of the letter of the law, combined it with GDPR studies and guidelines, and tried to put it into practice. When things are in their early stages, there’s that sense of trial and error, until you discover an ideal model that makes sense. I remember that after we finished the first data mappings, the critical moment arrived: how were we going to present this to clients? We found the answer by experimenting: assessment templates provided by the French and UK authorities were part of our daily routine, we took some ideas, combined them with Excel, tested them… the first versions weren’t great, but eventually we came up with a prototype.
Consultant at an IT company:
In my second role in the field, also as a consultant, but this time at an IT company, I was able to benefit from a multidisciplinary environment (compliance consultancy work involved not only the legal aspects, as in my previous role, but also working with cybersecurity teams and on processes related to ISO standards). In addition to this multi-faceted approach (which was how I imagined things should work in practice back when I was in a law firm dealing with civil cases and studying the theoretical aspects of the law), the advantage was having experienced a more mature team model that had already delivered numerous projects to clients and, as a result, possessed concrete reporting templates that had been tested and proven to work.
An extremely challenging experience, but one from which I felt I learnt a great deal about the corporate environment:
Subsequently, working at a bank as an information security analyst, I felt almost like a child having to learn things for the first time, without much practical experience to fall back on. In a high-pressure environment with demanding requirements and always having to keep an eye on audit deadlines (which was the first time I’d had to deal with this reality), I had the support of previous models. In a more traditional and highly regulated environment such as a bank, countless models are already available to adapt to the specific scenario. Here, the major challenge was to understand the environment and familiarise myself with the sector’s terminology, demands and specificities. Realising that many things required profound changes to become functional or make sense, I sometimes came up against barriers related to day-to-day urgencies, the inherent bureaucracy of the environment, which requires a complex and not particularly swift approval chain, among other demands running in parallel. This was a great learning experience regarding the (countless) limitations that arise and that prevent, delay or alter the ideal scenario.
The job that gave me experience in dog years
In my most recent professional role, however, the situation couldn’t have been more different: initially, it was an environment offering a great deal of autonomy, where it was clear that all teams (not just privacy, but primarily product, engineering and partner teams) were experimenting, and the sky was the limit. This meant adapting quickly and making constant changes. After a while, a major change occurred that ended up affecting the whole company: shifts in the global economy meant that ‘infinite money’ was no longer a reality. Teams would need to focus on what was important: projects would need to be prioritised. What happened in practice, from my personal point of view, was great: the product teams no longer had a ‘novelty’ every week (and would abandon them just as quickly as they proposed them). Quarters began to be organised within an organisational framework (my team was ALWAYS organised by quarter, and even before we finished the current one, we had already closed and discussed the present one and planned the next ones, in greater or lesser detail). This meant we no longer had to adapt our plans so much as the weeks went by. Organisation gave rise to predictability. Everything became more ‘smooth’: before each quarter began, the product teams would already provide us with documents detailing the upcoming initiatives. We were able to assess what they were planning and what we would need to follow up on, either synchronously or asynchronously. Meetings were already focused on specific points of uncertainty, rather than on understanding the entire context from scratch. This resulted in support for more product squads, better time management, the completion of privacy assessment forms and ROPA documents that were accurate, and time savings that allowed us to take on new initiatives, such as building a privacy programme from scratch, improving customer service channels, refining the workflow for handling data subject requests, and updating old ROPAs.
It became clear to me that it doesn’t matter if the workplace is a start-up: with organisation and functional, well-designed internal processes, everyone wins. Productivity, innovation, compliance with legal requirements, and a sense of projects being planned and completed. Mental and functional organisation is extremely important. It takes effort and can take a while, but it’s absolutely worth it to build this wall one brick at a time.