Security Expert Interview Series: Konstantin Tiazhelnikov
We recently had the opportunity to speak with Konstantin Tiazhelnikov, Data Protection Lawyer and Chief Privacy Officer (see his Linkedin profile here). In this interview, Konstantin discusses compliance challenges and expectations for 2021 and for the years to come, and reveals how combining professional expertise in several jurisdictions – EEA and Russia – may streamline the work in a global company. He also shares his 3 pieces of career advice for those making their first steps in privacy and data protection. Continue reading this amazing interview to learn more.
1. When did you first think of “Privacy & Data Protection” as a career?
Believe it or not, it all started by accident. Soon after I landed a job as an ordinary member of our legal team with no privacy background, our previous CPO resigned, and I was offered to take over from him. I clearly understood that I lacked the knowledge and skills required to perform this role successfully, but at the same time, I felt passion and desire to turn myself into a diligent learner who literally binge-reads tons of privacy & data protection documentation and management literature in the evening and applies new knowledge in practice next morning. Looking back, I now understand how risky it was then to entrust me with such a demanding job, this is why I feel so grateful to my management for giving me a chance. And I can now say that it was worth it: while some jobs may become tedious over time, privacy and data protection leave you no chances to get bored halfway through. I did not happen to have an experienced mentor – not now, not then – this is why I owe all the progress I did over these 4 years (no matter how significant it was) to my passion, enthusiasm, and glowing eyes. I understand that there is still a long way to go, and I am excited about how much more I will definitely learn in the future. This is why my motto is “Privacy can be taught, passion cannot”.
2. What are 3 must-have skills a Data Protection Officer should have and is technical background necessary?
The required skillset of a DPO largely stems from the role he or she performs in a particular jurisdiction and in a particular company.
E.g., in the context of EEA countries, a question about DPO skills is exactly the case when it is easier to write a long-read book rather than to give a short answer. There are, of course, much more than just three, five, or even fifteen skills. It goes without saying that DPO must be a strong expert in applicable data protection legal framework and practices, in privacy and security risk assessment, keep abreast of changes occurring in the world of technologies, coupled with an exceptional understanding of how this impacts the current risk picture, etc. But, in my opinion, what makes a DPO role particularly complex and tricky is an intricated mixture of ‘soft skills’ he or she has to possess.
Just a quick example: under Articles 38-39 of the GDPR, DPO acts as the contact point for supervisory authorities (and cooperates with them), for data subjects, serves as a go-to person for the controller or the processor and the employees. In other words, a DPO communicates with various categories of stakeholders who have different cultural, professional, and personal backgrounds, different levels of understanding of privacy issues, different levels of impact on the organisation. It means that a DPO has to be able to communicate and negotiate effectively and skilfully, factor in cultural peculiarities, and display sensitivity and ability to build working relations.
Furthermore, a DPO should not forget that he or she is not a consultant giving boilerplate advice and sending a bill afterward. Instead, a DPO is someone who the controller’s or the processor’s employees look up to in a hope to receive tailored and workable advice that can be operationalized as easily as possible. This is very critical to understand.
There is, of course, much more than described above. The thing I’d like to say is that a graduate student, even with exceptional theoretical knowledge, is hardly suitable for the DPO role. It requires much hands-on experience and solid ‘soft skills’.
3. What is the most important for privacy pros to keep up to date with, given the constantly changing privacy landscape?
From this point of view, it is way more challenging to be a privacy pro rather than, say, an ordinary lawyer or a manager. Privacy & data protection is at the intersection of several areas of expertise (legal, management, IT, InfoSec, etc.). Of course, you cannot be a subject-matter expert in everything, but it is essential to understand what is going on in each field that is involved.
Privacy & data protection legal framework is changing almost every day, new program management solutions are constantly emerging, while the advent of new technologies may have clear legal implications – e.g., the data that we consider ‘truly anonymized’ today (although there is still no strict industry standard on the sequence of steps to be taken to render the data ‘truly anonymized’) might not have the same status tomorrow in case a newly emerged technology re-establishes the possibility of re-identification (increasing volumes of data massive as such (‘big data’), developing AI capabilities and lack of data subjects’ control over how their data is used add tension to this topic).
All I want to say is that a privacy pro has to digest a huge amount of information daily. Luckily, we have numerous newsletters, privacy daily dashboards, webinars, and the helpful LinkedIn community to rub minds with colleagues and industry experts.
4. What are the advantages of having professional expertise in several jurisdictions simultaneously – EEA and Russia?
An obvious answer is that being qualified in two jurisdictions is more beneficial than in one, but there is, of course, much more than meets the eye.
I have heard from some Russian experts that the Russian Federal law “On personal data” is just a light version of the GDPR, but I can’t disagree more. It is important to understand that privacy & data protection legislation is not a bush randomly growing in fields; rather, it is a reflection of social values, attitude towards collectivity and individuality, country’s history in general, and many other things.
When you read the GDPR supplemented with WP29 and the EDPB documents, you not only understand the rule of law, but you also absorb the underlying philosophy that is closely intertwined with the history of privacy & data protection laws in Europe (and, probably, with the overall perception of individual’s role in society). It is impossible to expect the same from the Russian law, which inherited much from the Soviet legal system and where the first law on personal data (remaining in force to date) was adopted only in 2006.
In practice, this means, for example, that in Russia it is often hard to understand how to interpret broad GDPR language like “reasonably likely to be used” or “proves impossible or involves disproportionate effort”, while for European colleagues it may be weird to see casuistic wording and inconsistent provisions of the Russian law “On personal data”. Having an in-depth understanding of both “worlds” helps to bridge the gap between them and, in the course of interaction between EEA and non-EEA offices of a global company, successfully serves as a mediator (both in a legal and in a cultural sense). This helps a lot when it comes to cross-jurisdictional projects.
Another advantage may sound weird on its face, but it truly makes sense if you think about it! I believe that privacy pros with experience in such jurisdictions like Russia are better prepared for success in an EEA environment than their peers with only domestic (i.e., European) experience. And here is why. European privacy & data protection law is probably the most developed and thought-out framework in the world (this is why it aims to be globally recognized as the ‘gold standard’). That is not the case for, e.g., Russia where data protection legislation is relatively succinct, highly controversial, adopts outdated and/or unclear concepts, and in general lag far behind the European doctrine. This is why a Russian privacy pro is better trained to act in the conditions of multiple “grey zones”, to apply unclear concepts to practical cases, and to quickly seek solutions in non-standard situations, bridging business interests and compliance issues. For a ‘purely European’ colleague it is often more difficult to develop the same skills because worked-out European legislation and doctrine do not usually require ‘to pivot’ in conditions of uncertainty (at least, to the same extent – of course, we all know that it would be a huge mistake to assume that no ‘grey zones’ remains in the European data protection legislation and practice).
5. We know that you have been holding the position of Chief Privacy Officer (Data Protection Responsible) for the Russian branch of the global company operating in a “food & beverages” sector…”. Please tell us what are the biggest compliance challenges that are being faced by food & beverages organisations.
‘Food & beverages’ organisations are not like companies in, say, healthcare and healthcare insurance industry which systematically process personal data of special categories on a large scale and may be subject to specific sectoral laws (e.g., HIPAA in the U.S.). This is why I’d rather evaluate the ‘food and beverages’ industry profile as general. I understand that, when it comes to GDPR operationalization and ensuring compliance, big global companies face significantly different ‘aches and pains compared to SMEs often experiencing troubles with relatively basic things. But it does not mean that global companies do not face them.
Surely, no global company remained unaffected by the “Schrems-II” ruling which substantially changed the global privacy landscape in July 2020. Besides, the Brexit saga made many privacy pros worried, and it is still not finished yet – although I am sure that ‘adequacy’ will soon be granted by the European Commission (to what extent this step is right – that’s another story).
Answering the question, I think it is safe to say that the biggest data protection challenge for global companies today (including those operating in a “food & beverages” sector) is the operationalization of new international data transfer requirements which are still by no means clear.
6. How have you seen the data privacy landscape change from a legal perspective over the last 2 years?
A lot has happened, indeed. A curious fact. The GDPR came into full effect in May 2018. Since then, we have seen a great number of the EDPB opinions and guidelines, rulings of the CJEU, rulings of courts, and decisions of supervisory authorities of particular EEA member states (which sometimes applied the GDPR provisions inconsistently even within the same member state), and many more. All this transformed the European data protection landscape considerably, while not a single letter has changed in the GDPR itself!
Over these years we learned how to understand the GDPR, how it intertwines with other acts, e.g., ePrivacy Directive. And all these efforts resulted in a somewhat new ‘product’ that continues to undergo transformation every day.
Above I briefly touched on the European framework, but one should not forget about other jurisdictions where a lot is currently happening as well – e.g., U.S. states are proposing new legislation, supplemented with the proposed Federal Information Transparency and Personal Data Control Act.
One of my peers has recently shared a blog post where he was joking about how checking LinkedIn every morning looks like. The gist was how many tons of information regarding the EDPB, EU member states and their supervisory authorities, Google, Apple, Facebook, U.S. states (and so forth) you see literally every day, and it all repeats tomorrow. I can say that I understand him as never before.
7. What trend(s) do you expect to see in data protection in 2021?
As they say, your expectations are your problems. I don’t think I will say here something that may surprise our readers.
Of course, I would like to see more clarity as regards ‘Schrems-II’ rules. Unfortunately, there has been little progress since July 2020, while the EDPB Recommendations 01/2020 are still stuck in the phase of ‘version for public consultations’ and, seemingly, set a course for having data flows confined within the EU, than for developing realistic and workable mechanisms for international data transfers. I also cannot welcome the recent ruling of the Conseil d’Etat (France’s highest administrative court) in the Doctolib and Amazon Web Services case which substantially changed the ‘Schrems-II’ landscape.
It not only raises new questions and concerns but also contributes to possible inconsistent interpretation of ‘Schrems-II’ rules across the EU member states – the respective approaches should be proclaimed at the pan-European level to ensure the consistent application thereof and to avoid misalignments, rather than emanate from courts of particular member states.
It would also be fascinating to see how ePrivacy Regulation saga will progress in 2021 amid the Portuguese presidency of the Council of the EU. Hopefully, Covid-19-related privacy issues will eventually take a back burner as the pandemic will gradually discontinue. I also think that we should expect more high-profile data breaches and the constantly increasing role of technologies in privacy in general (including AI, facial recognition, governmental surveillance, and more) – not only in 2021 but in the years to come.
9. What are your 3 pieces of career advice you would like to give to people who are just getting out of university and are interested in a career in data protection?
Probably it is too early for me to give any career advice, but still, I can try.
1. Consume as much information as possible (read books, articles, blogposts, watch webinars, attend conferences, etc.);
2. Rub minds and socialize with those who are smarter and more experienced than you;
3. Keep your eyes glowing. Remember that everything can be taught, except enthusiasm and passion. Find something that will support the fire deep inside you. If you have just learned something interesting and eager to share it with someone – do it! For example, write an article or blogpost on LinkedIn!
And kind of bonus. Do not hesitate to talk to the professional community and let them know what you think, even if you don’t believe you have enough knowledge and experience thus far. Do not hesitate to ask for a piece of advice from those more experienced than you. And do not be afraid of mistakes – we are humans and not machines, and when mistakes are approached constructively, they become a good platform for growth.
Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.