Risk & Compliance Case

Navigating privacy challenges at an international bank: GDPR & the benefits of outsourcing 

The challenge

  • The client needed to replace their Data Protection Officer (second line).
  • The client also didn’t have a Privacy Officer (first line).
  • These roles are difficult to fill as they require specific legal and organisational understanding.
  • In the case of this international bank, the global aspect added another layer of complexity.


Our approach

  • Initial assessment of the client’s compliance with GDPR and privacy legislation through a quick scan.
  • Improve privacy awareness among employees to reduce the likelihood of data leaks or breaches.
  • Mitigate the impact of the absence of a Privacy Officer.
  • Evaluate new products and perform risk analyses.


Key results

  • The client is assured of GDPR and privacy compliance.
  • Efficient risk assessment allows the bank to confidently introduce new products while complying with data protection and privacy laws.
  • Our on-site presence and flexible schedule allow us to be easily accessible to the client when needed.
  • The added value of an external DPO is increased independence, extensive practical experience and a holistic view.
  • As the external DPO becomes more familiar with the organisation, their ability to provide effective solutions increases.

Date: December 9, 2022

Faced with the challenge of replacing its internal Data Protection Officer (DPO), our client – a branch of an international bank specialising in mortgages – turned to us for support. Starting with an initial assessment to get the lay of the land, we’ve been ensuring the bank’s compliance with GDPR legislation ever since. As independence is a critical part of the DPO’s role, it’s always a good idea to outsource this important task to an external party such as Projective Group. 

A unique profile for a unique role 

Our client is a branch of an international bank that specialises in mortgages and plans to expand its services to include wealth management. When they were suddenly faced with the loss of both their internal Data Protection Officer (DPO) and their Privacy Officer (PO), they didn’t know what to do. How do you replace someone whose role requires understanding both the organisation’s operations and the complexities of privacy laws and regulations?

Projective Group has a longstanding relationship with this client: we’ve worked with them on several projects and provided general compliance services, so they turned to us. Our existing partnership provided a solid foundation for addressing their specific DPO needs. “The ideal DPO must combine extensive legal knowledge with practical insight into the organisation’s operations. They have to strike a balance between being legally sound and ensuring that privacy policies fit seamlessly into day-to-day operations,” says Eric de Vries, who has taken on this challenge.


From a quick scan to lasting results 

As always, the first thing we did was a quick scan of the client’s compliance with GDPR and privacy legislation. We checked whether the policies, processes, website, documents, privacy statement etc. were in line with the legal requirements. This baseline assessment is crucial to justify our recommendations and identify areas for improvement.  

One of the things that came out of this scan was the need for greater privacy awareness among employees. “One of the things we’ve all heard about when it comes to privacy is data leaks. The majority of leaks are caused by employees – not maliciously, but accidentally. Leaving a document on the train, inadvertently forwarding an email to someone who shouldn’t see its contents... By improving awareness of these risks, the likelihood of data breaches is significantly reduced,” says Eric de Vries.

The majority of data leaks are caused by employees – not maliciously, but accidentally. Improving privacy awareness significantly reduces the likelihood of data breaches. 

Eric de Vries, External DPO

The importance of independence 

Whether it’s risk assessment, data privacy impact analysis, regular meetings with stakeholders or flagging critical privacy and data protection issues, the DPO must always be free from top-down pressure or conflicts of interest. Independence is a fundamental part of the DPO’s role. That’s why it may be better to outsource to an external party who brings not only independence but also extensive practical experience and a holistic view.

“A good DPO will make sure you’ve got the risks covered, but at the same time will not say no to all projects because they’re too risky. You need someone who is independent, experienced and knows the ins and outs of the organisation,” says Eric de Vries. “The advantage of an external DPO is that they can be deployed quickly, but they can also stay for a long-term partnership. The better they get to know the organisation’s processes, the better they can think along in terms of effective solutions and possibilities”. 

Eric is available to the client two days a week, but his schedule is flexible when there are urgent issues to deal with, such as a data leak. So there’s no need to worry about availability, even with an external DPO. 

Conclusion 

In a world where data protection regulations are constantly evolving, having a reliable and adaptable Data Protection Officer is a strategic advantage, even if your organisation isn’t legally required to have one (because not all companies are). There are many benefits to hiring an external DPO, from greater independence to a broad knowledge of laws and regulations across different industries and insight into practical implementation.  

Are you looking to hire or replace a DPO? For a short or long term partnership? Our privacy consultants are skilled and experienced and can fill the position of DPO in a practical and professional way, as well as provide support to your internal privacy team. 

About Projective Group

Established in 2006, Projective Group is a leading Financial Services change specialist with deep expertise across practices in Data, Payments, Transformation and Risk & Compliance.

We are recognised within the industry as a complete solutions provider, partnering with clients in Financial Services to provide resolutions that are both holistic and pragmatic.  We have evolved to become a trusted partner for companies that want to thrive and prosper in an ever-changing Financial Services landscape.