Did you know that it is mandatory for some companies that process large amounts of data, as part of their core business, to employ a Data Protection Officer when the new EU regulation on data privacy comes into force? We are taking a closer look at what that means for Entercard.
When the Swedish Personal Data Act is replaced with the General Data Protection Regulation (GDPR), the role of personal data representative will also be replaced with that of Data Protection Officer.
In early February this year, Entercard hired a Data Protection Officer, Henok Tesfazghi. He previously served as Senior Legal Adviser at the Norwegian Data Protection Authority, and has extensive experience of subjects that include Data Privacy, Privacy Law and Corporate Governance.
What are your responsibilities as Data Protection Officer at Entercard?
“My main task is to see to it that Entercard follows the new General Data Protection Regulation. I am also the contact person for the Swedish Data Protection Authority and will cooperate with them on issues such as inspections. I am also the contact point between Entercard and our customers. They will be able to contact me with any questions concerning the processing of personal data and their rights under the new regulation.”
“GDPR involves new rights for individuals and therefore new obligations for Entercard. We are getting ready for that by establishing good practices. We are documenting, for instance, what we should do if we get a request for data portability. There is information that should be readily available to all employees and it is part of my job to provide advice and guidance and make sure that we keep staff up to date with developments.”
What benefits do you see with the new General Data Protection Regulation?
“The Privacy Directive is from 1995 and is without a doubt outdated. The new General Data Protection Regulation is more modern and better reflects our new digital society. Previously, directives were implemented differently from country to country, and Norway could, for example, implement its Personal Data Act differently than Sweden.”
“The new regulation will be directly applicable in the various member states and will contribute to a more coordinated approach to the protection of personal data within the EU. The same rules will apply throughout the European Union, which means that the free flow of data within the EU will not be hampered. GDPR also makes greater demands on documentation, which is a positive development. You must be able to demonstrate that you are complying with the rules.”
How important is it to help one another from an interorganisational perspective?
“It is important to participate in forums and talk to other players in the financial industry about how they are going about preparing for the introduction of GDPR. In Norway, as in Sweden and Denmark, we need to talk about the challenges that exist in the role of the Data Protection Officer. We give each other advice and support across the organisations’ boundaries regarding how to solve the problems that may arise along the way.”
“I believe that you should take the chance to learn more from other players in the industry and to cooperate on security issues. For example, if we are going to help a client transfer personal information to another bank, it is necessary that we have knowledge on how to do this according to the GDPR.”