Data Protection Officer at TUI UK & Ireland, TUI Group
Q1. What do you enjoy most about being a DPO?
The variety of the role; no day is the same as the one before. There is also a good mix of being reactive to situations that arise that need a swift resolution and a proactive, more strategic part which needs clarity of thought and a clear vision.
TUI UK & Ireland is a large and complex business and as DPO I get involved with all areas of the organisation to give advice on aspects of data privacy alongside our Legal and Information Security teams. Being part of the GDPR project – one of the largest and widest reaching that the business has ever executed – has been both challenging and also extremely rewarding. It’s given me a fantastic and comprehensive insight into how all areas of the business
Q2. What data protection topic(s) would you most like to see updated guidance on and why?
An update on breach reporting would be helpful. The ICO has spoken previously about the issue of over-reporting and from the number of self-reported breaches that have been publicised recently it would seem as if there are a lot of breaches being reported that may not need to be.
It would also be good to have really clear guidance from the ICO once the revised Privacy and Electronic Communications Regulation is produced about any changes on a practical level, particularly around consent and online marketing.
Q3. What was the biggest challenge you had to overcome in 2018?
It’s difficult to say anything other than implementing GDPR itself. And that’s largely due to the complexity of TUI UK & Ireland which makes it all the more of a challenge. However, we started the project in good time and had very good support from the Executive Board and key stakeholders.
We also had an extremely talented project team, which helped considerably and we were able to break the whole project down into achievable and measurable milestones.
Q4. What advice would you give to someone looking to move into a DPO role?
It can be very demanding dealing with both internal and external challenges so you have to be resilient and have a strong character. You need to have an open mind and be prepared to ask and get asked lots of questions – not all of which you will know the answer to. As a result, getting a good understanding of the organisation is really important and identifying the key areas of risk will enable you to prioritise your efforts accordingly.
Maintaining a solid understanding of the applicable legislation at all times is important so plan time to complete training, get relevant qualifications and attend networking and industry sessions to keep your knowledge current.
Q5. What do you see as the major challenge(s) in the year ahead?
Moving from the GDPR project towards a data privacy programme that has the right policies, procedures and overall level of accountability will be a challenge for the vast majority of large UK businesses, including TUI. There is a clear need and a desire to embed the ongoing culture of data privacy in the organisation now that GDPR is ‘old news’. We have clear plans to execute this and to maintain the level of focus alongside all of the other business priorities this year.
For more information on the TUI Group, please visit:
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.