Interview with Andrea González of Oracle

2020-04-20, by Julia Bialek, Head of GDPR Conference, EIPS
Andrea Gonzalez

Today, we would like to introduce another great expert in the field of data protection: Andrea González, privacy and security counsel at Oracle where she contributes to Oracle's compliance efforts with privacy regulations in Europe, the Middle East and Africa. In her role she also provides advice to the different lines of business and legal groups on privacy and security aspects of Oracle's services portfolio (e.g., cloud computing, blockchain).

Prior to this, González served as privacy counsel in the health technology multinational Philips, providing strategic guidance to management on business decisions impacted by privacy considerations. Her practice as a lawyer mostly focused on emerging technologies and management of ethical challenges associated with the processing of personal data in the health sector.

Andrea González, thank you for answering our questions.

1. To what extent has data protection influenced the corporate culture of your company or of your clients?

GDPR has been the largest data privacy awareness campaign ever conducted. It has changed every organization’s data practices. For many companies, it has also been a sort of  de facto standard setter for their data protection culture and policies globally. With new and strengthened rights for individuals, accountability requirements for companies, and increased scrutiny by regulators, companies collecting and handling personal data in the EU need to consider their data handling practices and use cases more carefully. In essence, GDPR means that companies have to be a lot more conscientious with people’s data and as a consequence this changes the way organizations exchange data, the way in which they engage in digital marketing, source candidates in their HR functions or develop their services and offerings from the earliest stages.

2. What was the biggest challenge for your company or your clients when implementing the GDPR?

I see important challenges in terms of leadership, complexity of key regulatory concepts and design and operation of data protection impact assessments.

- Leadership. In the field of data management, leadership is the resource most required. Convincing boards of the importance of having a clear data strategy, and establishing top data priorities remains the most difficult task – including deciding what kind of data the business needs, for what purposes they need it, the company's stance and perspective on the privacy rights of individuals.

- Complexity of key regulatory concepts. Correctly determining whether group company entities and/or partners act as a controller, joint controller or processor is just one of a number of key regulatory concepts still proving a difficult and demanding challenge for organizations and individual stakeholders to grasp.

- Design and operation of data protection impact assessments. Shaping an organization's process on risk management, one which delivers a degree of substantive compliance with the purpose of the GDPR requirements -rather than a “box-ticking” approach- has been extremely complex.

3. What was the most important lesson you or your clients learned in the course of the practical application of the GDPR?

Partnering positively across the organization to deliver on GDPR requirements is indispensable. Establishing constructive relationships and the ability to relate and communicate with all your colleagues are essential tools when working with hard deadlines, multidisciplinary matters and deep transformational changes.

4. Some companies use data protection for advertising purposes. What do you think about this?

Companies need to honestly communicate and connect with society. No doubt, a company should be able  to promote its values, which can in turn enable individuals' choices.  That being said, marketing communications should not be misleading, nor act as window dressing or conscience-salving. Data protection statements need to be inextricably linked with companies business and core data activities.

Thank you for the interview, Andrea González.