A data protection officer is an independent governance role that manages a company’s compliance with existing data protection laws of the land in which the company operates. It is not part of the operational teams and has a reporting line directly to the highest level of management. Barry Cook is Privacy and Group Data Protection Officer at VFS Global, who is accountable for ensuring that the company handles the personal data of visa applicants and its employees in a manner that is compliant with the law and also with the company’s own internal data protection policies, to ensure that the privacy of this data is maintained at all times during its life-cycle.
Data privacy overview
As a company, VFS Global operates across over 140 countries and handles large volumes of applicant information (for visas and citizen services). The company is one of just 35 per cent of global companies that are GDPR-compliant (as per a Talend report published in September 2018). This means that they are complying with demanding standards set by the various aspects of the European data protection regulation, which came into effect in May 2018. Similarly, they are compliant with data protection regulations of all countries they serve and operate in.
Modern data protection laws seek to find a good balance between the rights of the individual and the interests of organisations who process that data. Putting personal data processing in a robust and workable data protection and privacy framework is a high priority at VFS Global. “We have in place a complex, robust and multi-layered safeguards at the digital (server infrastructure) and physical (at our Visa Application Centres or VACs) levels so that the high standards set by GDPR forms the global baseline for data protection,” says Cook.
In order to be updated, they also monitor the development of data protection laws in the countries that they operate. This way the company can be proactive to ensure that it stays compliant to new laws as well ensuring that the processes are effective and don’t result in increased administrative burden at the VAC level.
Even before GDPR, the company has always had strong information security practices in place, with robust frameworks for handling data and an existing compliance-driven culture, as per the strict requirements laid down by client governments. “To comply with GDPR, we have implemented a 13-point privacy framework that enables us to operationalise the requirements of the GDPR, and measure compliance with it,” he adds. Cook further explains by giving an example, “We put in place various processes for receiving consent from applicants for storage of their personal data, online and offline. Extensive training of our staff has also been part of our preparations. Many companies are looking at GDPR compliance as a means to strengthen their data and privacy norms, and naturally so, since this new era of data regulations heralds a data revolution.”
In the last few years, the conversations around data protection and data privacy have underscored a better understanding of the core philosophy of management of personal data. It is important to remember that organisations simply ‘borrow’ an individual’s personal data for the purposes of performing a task. No more than that specific task.
“The best-case scenario for allowing flexible transfer of data, while also ensuring the security of personal data, is based on the standard of ‘adequacy of transfer’. This means one country or organisation must determine that another country or organisation has sufficient data protection safeguards to ensure that the rights and freedoms of individuals travel with their data. Once the country or organisation is satisfied that the destination country has adequate safeguards in place, data can be transferred easily. Clearly, this must be underpinned by the capability of national data protection agencies to be able to perform checks of compliance and to be able to take corrective or punitive action if required,” mentions Cook.
Mitigating security challenges
As the world’s largest visa service provider that handles sensitive information of millions of applicants in more than 140 countries, for 61 client governments, it has always been incumbent on VFS to put rigorous data security checks in place. “As such, in terms of technical and organisation measures for data security, we were already at an advanced level even before the GDPR – having attained ISO 27001 certification for Information Security Management Systems, our IT teams were well aligned with operating with strict controls. We also utilise sophisticated cyber security and threat detection tools as the nature of our business demands this,” he reveals.
An important aspect of data privacy controls is ensuring employees across the global operations are adequately sensitised to the context and necessity of the protocols. So the company had to initiate a global internal awareness campaign to explain the basics of data privacy concepts to employees and this greatly facilitated the adoption of the data protection processes and procedures that followed. Large organisations who are attempting this for the first time may find this a challenging task, but it is an essential one, believes Cook.
Data breaches are an expected risk to any organisation that is processing personal data. Therefore, it is vital to have in place both technical and organisational measures that detect, mitigate and recover from data breach, such that the risk to the personal data involved is minimised. “At VFS Global, we use some very sophisticated detection tools that alert the security team of a potential incident. However, technology can only go so far and we recognise the value of the human element when it comes to data breach prevention. We encourage our employees to be very vigilant about risks which might manifest themselves at any time,” he states.
Impact of AI
Artificial Intelligence (AI) is the latest trend in data processing and as such has the potential to greatly change the way in which visa processing is performed. “That said, we have to look at just how AI based process will take decisions. One of the fundamental tenets of AI is that the algorithm ‘learns’ from each decision made. A classic example of this is VFS Global’s first digital employee ViVA, the first-ever chatbot in the visa services space. ViVA offers applicants round-the-clock support for visa queries, akin to any highly trained customer support executive. In effect, AI has to go to school to learn how to make decisions that are fair as well ethically and morally correct. This is where the privacy professional has to ensure that privacy by design is built in from the very start.” he explains.