The following is an interview we recently did with Stevan Stanojevic, Global Data Privacy Manager at Etihad Airways based in Abu Dhabi (United Arab Emirates). Stevan has a strong legal background with master’s degree in law, experience in a law office and in a compliance role at a multinational company. In his current role, he is responsible for the compliance with GDPR and data privacy laws from all the continents, especially focusing on marketing, e-commerce, HR and operations among other areas of business. Continue reading the full interview below, we promise it will be insightful.

1. Firstly, thank you for taking part in this campaign. Can you give us an introduction about yourself, Stevan? How did you venture into data privacy, ethics and compliance world? 

Thank you for inviting me. I am a privacy professional currently holding a Group Data Privacy Manager position at Etihad Aviation Group. My introduction to privacy was during my studies through participation in the Price Media Law Moot court, which was looking into freedom of opinion, expression, and peaceful assembly; it touched on privacy/data protection issues such as accessing an individual’s social media accounts for the investigation of crime.

Ever since, I have been interested in data privacy and decided upon a career centered around privacy and compliance, taking up both in-house and external counsel roles.

2. Can you discuss the evolution of people’s concerns about privacy and what do you think has changed in terms of these concerns?

The initial perception of privacy was only to have your communication protected against unlawful access. People were not at all concerned about, and to a large extent, unaware of their rights to access, deletion, accuracy, and so on. With the development of technology and myriad ways in which personal data is processed, the spotlight on privacy has grown, especially with the hype around new privacy laws such as GDPR, regulatory frameworks, and publicity surrounding personal data breaches.

Today, people are wary, and they pay attention to whether organisations have good privacy practices and if they have been associated with data breaches in the past. Good privacy practices are good for the brand, for customer/consumer confidence in the brand of course, and ultimately, they help gain and maintain customer loyalty.

3. What can we integrate into our daily tech habits in order to better protect our privacy? 

There’re so many things we could do. Firstly, I would say, check your email sender field carefully, especially if the sender is unknown to you (email spoofing happens quite often), then check whether the connection to the website is secure (look for that lock next to the website name), and be very careful what permissions you give to mobile applications (if you download a weather app, for example, consider if you really want to have it on your phone if it asks for access to your contacts, image gallery and the like).

Ask yourself if you really need all those cookies on your device. And lastly, try to read the privacy policies of websites and mobile applications you wish to use. You might find the information that would make you uncomfortable using them.

This can help you protect from phishing attacks, sharing your personal information with unauthorized parties, reduce tracking of your online activities and so on and so forth.

4. In your opinion, what must small and medium enterprises do now to comply with the GDPR and build a strong long-term data strategy?

They need to assess their existing privacy programme and identify gaps, if any. Following that, the privacy programme should address those gaps and thereafter, enhance the level of compliance. Depending on the maturity of their privacy programme, it might be necessary to repeat this exercise multiple times to achieve a level of compliance set by the senior management.

In practical terms, this could mean building a record of processing activities and keeping it updated, having proper internal governance, embedding privacy by design wherever possible, ensuring individual rights in systems and processes, appropriate security, and so on and so forth.

5. What are the most important concerns that organisations should address from a privacy perspective when they suffer a personal data breach?

Firstly, they should take immediate measures to reduce the impact of the breach on the affected individuals. Easier said than done, but sometimes organizations focus primarily on reporting a breach, rather than reducing the impact. Also, organizations should focus on investigating the root cause of the breach, remediation, reporting the breach to the authorities, and notifying the affected individuals where appropriate.

6. Obviously, you are a busy person but how do you manage your work-life balance? 

I like to think I hold a secret to that elusive work-life balance recipe however, with COVID19, life as we knew it changed completely, especially for my family and me, as we have been living abroad for the past seven years. With work from home and nurseries shut for a good part of last year, it was challenging to distinguish between work and personal life as my home became my office.

I would say the most important thing is to draw the line where your work ends and family time begins. Not always easy in our profession though.

7. How do you stay up to date with industry news and updates regarding data protection and privacy? 

I have a bookmark of blogs/news/platforms that I follow regularly to stay on top of things. Of course, there’s LinkedIn as well where I try to stay active and raise awareness and encourage discussions about hot privacy topics.

8. Your forecast of the global data protection and privacy landscape for the rest of 2021. 

I don’t see any tectonic shifts occurring in the privacy world this year. A few expected laws are already enacted or close to becoming enacted, new Standard Contractual Clauses are out, and important guidelines from the major regulators are also published.

Having said that, we might see some interesting enforcement actions aimed at enforcing certain provisions of the laws in light of guidelines such as CNIL, ICO and DPC guidelines on cookies or rules around transfers of personal data.

Disclaimer: All views expressed are personal ones and do not constitute legal advice.

---

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.