Security Expert Interview Series: Juhamatti Järvi

The following is an interview we recently had with Juhamatti Järvi, Senior Data Protection Officer based in Switzerland. Juhamatti is a Certified Information Privacy Manager (CIPM), running group data protection projects (e.g. GDPR, e-privacy regulation, new Swiss Federal Act on Data Protection projects). He also has a solid background in commercial law and over ten years of advisory experience ranging from Fortune 500 to family-owned businesses. Now enjoy the full interview below.


1. Firstly, thank you very much for taking part in this campaign, Juhamatti. Can you tell us about your professional background and areas of interest?

I am a qualified lawyer and have been in the legal business since early 2011. I have been fortunate to wrestle with data protection topics since I was a law student. Since then, the realities (e.g. internet trading) and regulations (both general and sectoral regulations) have changed over and again, and the future of privacy appears to be somewhat in the air. People expect simple solutions in a complex world, which is a tall order to deliver.

I am a generalist with a keen interest in digitalization. Perhaps this background led me to a data protection career: a dynamic, rewarding field where one can combine both the legal and engineering aspects together. Data privacy is a truly multifaceted field bringing together different skillsets, mindsets, and ever-changing demands.

2. You are working as a senior data protection lawyer. In your opinion, what is your biggest challenge in this technological age?

Awareness and early involvement are evergreen topics in our field. People tend to forget or misunderstand when privacy or security professionals should be included, narrowing down the assistance options and putting the deadlines under duress. Getting the right people onboard early enough will help to create a holistic, well-thought-out approach mitigating information security and data protection gaps.

Recent court cases (e.g. Schrems II) are setting the bar high; keeping personal data safe is not a paper-based exercise but a feat of thoughtful business decision making, engineering, and documentation. Knowing your core partners, vendors, and internal personal data processing operations is for compliant business practices.

3. What are the more interesting things you have seen since GDPR became effective?

The GDPR itself was not a game-changer per se: roughly 75-80 % of the regulation already existed under the Data Protection Directive from 1995. Interestingly, albeit unsurprisingly, the companies and individuals are leaning heavier towards the stick instead of the carrot. The hiring frenzy between 2016 and 2018 was a clear indication of this development; the companies rushed to hire data protection people to set their privacy programs on course. Here lies the second interesting finding: data protection is not a one-off exercise. Creating a robust data protection program does not let anyone off the hook.

The GDPR (and countless other data protection regulations) requires the companies to constantly improve their data protection posture, an obligation which aligns well with the technological developments. Conversely, one should raise eyebrows if a company is claiming to be “GDPR-compliant”; such a thing does not exist due to the continued efforts required.

4. To what extent does a global company differ from a national company in terms of data protection?

Addressing this question boils down to two factors: i) ambitions and ii) footprint of a company. You will be hard-pressed to find a company that is strictly “national”, only serving the people within their own borders. I would encourage every company to look at its resources and goals. Do you seek to be a “future-proof” company, do you want to do the minimum you believe will settle your compliance efforts, or do you just ignore it?

Simultaneously, technology, e-commerce, and data processing activities are constantly developing. A good understanding of your ambitions, vision, and target modus operandi is a key factor in creating a robust, scalable data protection program irrespective of the country’s borders. In any case, no company will ever be 100 % “GDPR compliant”. Instead, an effort must be made to seek compliance and carefully document the steps taken.

5. What do you think non-European governments and companies can learn from the GDPR?

The GDPR has shown its undisputed importance, being the number one data protection regulation worldwide. Generally, “non-GDPR countries” are seeking to introduce similar regulations. Just have a look at what is ongoing e.g. in Brazil, California, or Switzerland. Understanding the GDPR may perhaps not suffice, but it will give one a distinctive upper hand to tackle recent/upcoming local data protection regulations.

The GDPR, on the other hand, is a principle-driven regulation. These principles are decades old and date back to the 1940s and 1950s. Mastering these common-sense principles will help anyone to understand what the global data protection regulations stand for and enhance compliance readiness.

6. What are the most dangerous threats to the security of personal data on the Internet today, and how can we protect ourselves from them?

I have seen two distinctive developments lately: i) worldwide hacking/ransomware/malware campaigns led by organized crime cliques and ii) excessive information gathering practices coupled with non-existent retention policies leading to a “data drowning”.

i) Hacking, ransomware, and malware campaigns are oftentimes extremely profitable and simple to execute. Organizations may not have done enough to recognize the origins of such attacks. Setting up firewalls, patching systems, and training people may not be enough; your organization remains exposed to external attacks. Ask yourself if you have set e.g. geofencing and stricter email rules already.

ii) Organizations are oftentimes clueless about what personal data they have, why they have it, where it is stored, and who has access to it. Missing data retention policies and automation will make this an uphill battle; an effective document housekeeping solution must be well documented and automated. A data retention policy should be a concise document explaining to the people why data retention is a crucial topic, and automation should ensure the documents are properly archived, anonymized, or purged once the retention period has been reached. Many companies swim against the current as they consider it risky to archive, anonymize, or delete any data, leading to non-sustainable data pools. The size of these data pools elevates the risk and invites external actors to access such data. A company will struggle to justify its data collection and retention practices if something goes awry. The burden of proof is no picnic.
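The retention automation described in this answer (archive, anonymize, or purge once a retention period has elapsed, with every decision documented) can be sketched as a small policy engine. The following Python is an added example written for this page, not code from the interviewee or the Swiss Cyber Institute; the record categories, retention periods, PII field names and sample records are constructed for illustration and do not reflect any real policy or real personal data.

```python
from dataclasses import dataclass, replace
from datetime import date
from enum import Enum


class Action(Enum):
    KEEP = "keep"
    ARCHIVE = "archive"
    ANONYMIZE = "anonymize"
    PURGE = "purge"


@dataclass(frozen=True)
class RetentionRule:
    retention_days: int      # how long a record may stay in the active system
    action: Action           # what happens once that period has elapsed
    archive_days: int = 0    # ARCHIVE only: how long the archived copy survives before purge


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    data: dict
    state: str = "active"    # "active", "archived" or "anonymized"


# Constructed policy: categories and periods are hypothetical, chosen only to
# exercise each of the three end-of-life actions the interview mentions.
POLICY = {
    "support_ticket": RetentionRule(365, Action.ANONYMIZE),
    "marketing_lead": RetentionRule(180, Action.PURGE),
    "invoice": RetentionRule(10 * 365, Action.ARCHIVE, archive_days=365),
}

# Direct identifiers removed on anonymization; non-identifying fields stay for statistics.
PII_FIELDS = {"name", "email", "phone", "address"}


def decide(record: Record, today: date, policy=POLICY) -> Action:
    """Map one record to the action its retention rule requires today."""
    rule = policy.get(record.category)
    if rule is None:
        # Fail closed: a category nobody wrote a rule for must not be kept forever by default.
        raise ValueError(f"no retention rule for category {record.category!r}")
    age_days = (today - record.created).days
    if age_days < rule.retention_days:
        return Action.KEEP
    if rule.action is Action.ARCHIVE:
        if age_days >= rule.retention_days + rule.archive_days:
            return Action.PURGE          # the archived copy has expired as well
        return Action.KEEP if record.state == "archived" else Action.ARCHIVE
    if rule.action is Action.ANONYMIZE and record.state == "anonymized":
        return Action.KEEP               # identifiers already stripped, nothing left to remove
    return rule.action


def anonymize(record: Record) -> Record:
    redacted = {k: ("<redacted>" if k in PII_FIELDS else v) for k, v in record.data.items()}
    return replace(record, data=redacted, state="anonymized")


def apply_retention(records, today: date, policy=POLICY):
    """Return (surviving records, audit log). The log holds every decision taken,
    which is the evidence a controller needs when asked to justify its retention."""
    survivors, log = [], []
    for rec in records:
        action = decide(rec, today, policy)
        log.append((rec.record_id, rec.category, action.value))
        if action is Action.KEEP:
            survivors.append(rec)
        elif action is Action.ANONYMIZE:
            survivors.append(anonymize(rec))
        elif action is Action.ARCHIVE:
            survivors.append(replace(rec, state="archived"))  # real system: move to cold storage
        # PURGE: the record is simply not carried forward
    return survivors, log


TODAY = date(2024, 6, 1)   # constructed "run date" for the sample below


def sample_records():
    """Constructed sample data covering each outcome; not real personal data."""
    return [
        Record("T1", "support_ticket", date(2023, 1, 15),
               {"name": "A. Example", "email": "a@example.invalid", "product": "widget"}),
        Record("L1", "marketing_lead", date(2024, 3, 1), {"email": "b@example.invalid"}),
        Record("L2", "marketing_lead", date(2023, 10, 1), {"email": "c@example.invalid"}),
        Record("I1", "invoice", date(2013, 12, 1), {"name": "D. Example", "amount": 120}),
        Record("I2", "invoice", date(2011, 1, 1), {"name": "E. Example", "amount": 80}),
    ]


def run_demo():
    survivors, log = apply_retention(sample_records(), TODAY)
    for entry in log:
        print(entry)
    return survivors, log


if __name__ == "__main__":
    run_demo()
```

Two design choices follow directly from the answer above: an unknown category raises instead of defaulting to "keep", because silently retaining data nobody has classified is how the "data pools" grow, and the function is idempotent (an anonymized or archived record evaluates to KEEP on the next run), so the job can be scheduled daily and its audit log serves as the documentation the burden of proof demands.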

7. Our last question is usually a personal one: what personal development do you do on a regular basis to keep yourself sharp?

I should and could do more here. I have participated in IAPP events and am volunteering for public speaking assignments. Once I helped an NGO to create their privacy notices. Learning about different data protection cultures and technical solutions is always an eye-opening experience and a win-win situation for the parties: you can offer your expertise and learn/comment on how others are handling their data protection and information security topics. Moreover, I have come to realize LinkedIn’s potential; many data protection colleagues are sharing extremely valuable and well-written summaries of e.g. court verdicts, regulatory developments, and future trends foreseen. Expanding and being open to new influences should always be welcomed.

Learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.