From implementing up-to-date privacy practices across the organization to handling a high number of data subject requests, a Data Protection Lead has to overcome many challenges to succeed.

Paul Breitbarth is the Data Protection Lead at Catawiki, the leading online marketplace for special objects that fulfil people’s passions. Catawiki’s values include being a reliable and responsible marketplace and as such data protection and privacy compliance is seen as very important. In his role, he ensures that the people within Catawiki are enabled to comply with data protection laws and regulations. Prior to joining Catawiki, Paul worked as a privacy lawyer at a major international compliance software provider. He has also served as a privacy advisor to the Dutch government. Paul holds a master’s degree in law from Maastricht University.

Tell us a little about your professional history and your involvement with the European Union. How did you become interested in privacy?

After my legal studies, I started as a deputy committee clerk in the Senate. The very first file on my desk was a data protection file (the mandatory retention of telecoms data for counter-terrorism and serious crime purposes, which is still an issue today). Various Senators were really on top of the right to data protection, and encouraged me to look more into the topic on their behalf. When the time came to switch to my second job, I applied as a case worker with the Dutch Data Protection Authority, and I have never left the profession since. Today, I'm working as Data Protection Lead, as a data protection supervisor (for the European Patent Office), as a data protection teacher (at Maastricht University) and as a data protection advocate (through the Serious Privacy podcast). I think it's fair to say data protection has become a big part of the life that I once planned to lead as a generalist.

Can you give us an overview of Catawiki's approach to privacy? Can you share any best practices that Catawiki has developed when it comes to privacy?

Catawiki is a relatively young online platform, which also means we process a lot of personal data of people that participate in the auctions to find - and buy - an object they love. All this data is one of our core assets, and we are careful in how we deal with it. I have come in to help mature the data protection compliance program, with a core focus on the GDPR, but also to get us ready for expansion in new markets. 

I have long been a fan of two key concepts in the GDPR: accountability and the risk-based approach, and those are the concepts that are also at the core of the compliance program we are currently rolling out. Earlier this year, we conducted a series of risk appetite assessments with our management team, in order to understand their priorities, but also to help them understand mine. Furthermore, a lot of effort is going into documenting everything we do, and making sure that my colleagues in the business are enabled to make optimal use of the data we have, all while respecting the applicable rules and regulations. 

It's also a fun challenge!

What are some of the biggest challenges you face in your role?

A lack of time. There are so many things I want to do, that I sometimes set my own bar too high. Luckily, I have extensive experience in time management, since for the past decade I have combined multiple jobs with my main role as a data protection lawyer. 

My second challenge is technology. I consider myself pretty tech savvy, but still it is a challenge to fully appreciate the detail of the workings of a platform like Catawiki. If one day I have the time, I should probably learn to code a little myself...

What advice would you give businesses that are starting out on their journey to compliance?

Don't think you can do everything at once. Build a roadmap spanning two or three years, be clear about where you want your program to go to and gradually implement your compliance policies. A dear friend in the privacy community told me when I started this role: "only have one priority at the time" and I think she was right. Being responsible for data protection, especially in a scale-up, can be very demanding, so don't underestimate how much time you'll spend on business-as-usual items like contract reviews, individual rights requests and building awareness. But at the same time, you should make sure that time is available to work on your roadmap items as well: at some point, the company  will need to have the foundations in place, if only to enable your business colleagues to do more of those going concern items themselves, under your guidance. 

On a whole different note, people should not forget that compliance will forever be a moving target. You will never be done, because of new laws, new guidance and new enforcement decisions, that may impact your work or your roadmap.

What do you think are the most important steps that companies can take to protect their customers' personal data?

First and foremost: know your data and understand the data flows into and out of your company. If you have no idea about those, there is no end and no beginning to compliance.

What are your top priorities as a Data Protection Lead of a tech company? How do you build a Privacy Program practically?

For myself, my first priority when I came in was to understand the business. Of course I had an idea about Catawiki's product, and the website, but really understanding the behind-the-scenes and how the organisation functions takes time. After that, ensure you know who your allies and partners are. Nobody can build a compliance program on their own, so try to find the right people that can help you.

I feel privileged to have a very supporting General Counsel and Management Team, that have also allowed me straight away to establish a network of data protection champions. They are my eyes, ears and voice in the organisation, and are able to inform me about new developments, echo the messages I send into the various teams, chase people that have not taken the training yet, and more. 

In terms of operational priorities, I think they are no different from any data protection lawyer working on a compliance program today: we're talking about cookies and trackers, about international data transfers, making sure the contracts are in order... But as mentioned above, I also spend time in ensuring Catawiki will be an accountable organisation. We should have a good story to tell to our users on how their data is processed, and what will consequently happen with it.

For the business, this means implementing privacy and compliance by design and by default in everything we do. For privacy, this is of course a legal requirement, but especially for a tech company, it is more than that. If you do the right thing from the start, it makes choices and risk assessments easier along the way.

‍The PrivacyTech (SaaS and tools dedicated to privacy management) industry is booming. Do you think it's essential for businesses to use privacy software? How do you see this industry in the future?

Yes. It's no secret I worked for tech vendors in previous roles, so I know the value of privacy tech. I can confidently say I could not run a program without.

‍What do you think is the biggest myth about privacy in the tech industry?‍

In my view, the biggest myth is that privacy is dead. On the contrary, it is very much alive. If not because of all the laws that are continuously adopted and updated around the world, then because people really care. I can see it in the number of requests we get from individuals to access their data - not just from Mine! - but also in conversations with friends and family. Especially since GDPR, people really are aware they have a fundamental right to privacy.

Let's end with a personal note. Do you regularly delete digital accounts or apps that you are not using anymore?

Of course! Although I guess I could always do better...

—

Read more about our Top DPOs 2022 project here.