In conversation with former CTO and DPO at Trustpilot, Jan Bülow, one of our trusted advisors and investors.
Jan Bülow started his career as a programmer because, in his own words, he “wanted to avoid working with people, and work with machines instead.” Life had different plans, though, and he spent the last fifteen years of his career as a CTO and CISO in three different scale-ups. Before retiring, he took on the role of Trustpilot’s first DPO in light of his background and strong interest in GDPR and privacy.
Given his experience with the GDPR and privacy from the perspective of a CTO, we decided to meet with Jan in March 2020 to discuss developments in the privacy landscape and how they may impact companies, now and in the future.
Jan: I think the biggest change has been that we now understand that having access to a given set of personal data doesn’t mean that we can do whatever we like with it. And that if we cannot justify having the data, we should dispose of it immediately. Knowledge and information are not the same thing. It is not just a question of having as much data as possible, it is about having the right and relevant data. Companies need to think about what data they have, and why, and how they use it. The GDPR has forced companies to think about the purpose of the data they collect. This part of the online world was lawless from the outset. But now, I am happy to say, we now have laws to protect the users of technology, and companies need to operate differently. It is not just compliance in terms of technology, it is a commercial and legal question as well.
Jan: I don’t think the GDPR affects the CTO more heavily than it affects others in the management team, or at least it shouldn’t. Compliance is about upholding the law, it relates to the whole company, and not just the technology teams, and is to some degree the responsibility of everyone in the company. Some people have said to me that the GDPR wouldn't matter, because no one would ever get fined. Or, they spoke about the GDPR being imperfect - and that might be true, but it makes perfect sense to me as the law is really young. I do understand some of the criticism the GDPR has received, as parts of the laws are contradictory, unclear or vague. But, for the most part, the laws seem understandable, consistent and reasonable, and I am sure they will mature as time passes.
Jan: I think the legislative work will continue, and I expect a continued strong involvement from big-tech and ad-tech to nudge laws in their preferred direction. In general I think that big-tech and other big-data players will respect the law. But, there may be some alternative interpretation of it, which could keep the data protection agencies and courts busy. As to whether ad-tech companies will accept lower revenues due to loss of tracking? No, I don’t think they will, but I also don’t think they will challenge the law by not complying. I think they will continue to try to influence the laws and somehow tweak their technologies to comply in a way that harms their revenue as little as possible.
Jan: I’m a strong supporter of having to consent before the company may do anything with my data. About fifteen years ago I worked for a company where we were part of the first wave of web analytics. Knowing what I know from that time, it makes sense to me that the law's focus is on cookies. But when I also consider all the great privacy-related laws that have emerged since then, I find the continued legal focus on cookies somewhat illogical. As I see it, my consent should be about whether or not the business collects my personal data for a specific purpose, and not whether cookies are placed in my browser to assist in the technical collection. So, as an example, asking me whether I consent to the company collecting data about my actions on the site for the purpose of improving the site design. If I consent, the company would use the various technical measures needed to do this, and probably include cookies in the mix. I’m happy to see language on more and more websites taking this direction.
I think it is of great value for both businesses and individuals that we now have legislation and Data Protection Agencies to protect the privacy of the online user. It will be interesting to follow the development, and see this evolve over the next few years, where I'm particularly interested in how ad-tech will comply.