Culture & Careers - February 25, 2022
“Data protection is not just lip service, but part of our corporate identity!”: insights from a Data Protection Officer
Abdulhamit started his career at Delivery Hero in 2018. Nearly four years later he has seen the Data Protection Team expand exponentially as they solidified their place in a company after hypergrowth! But what is a Data Protection Officer and why are the Binding Corporate Rules such a big deal? Read on to find out why Abdulhamit wants them to be part of Delivery Hero’s DNA.
As the Data Protection Officer (DPO) for Delivery Hero, what exactly does your role entail?
The classic DPO is essentially the police force within an organization that assesses processes, advises, and trains employees, as well as reports data breaches to the relevant data protection authorities, and advises the highest management level on data protection matters. At least in theory.
The scope of a good DPO, however, is much broader and more business-like than one might expect. Any system that processes personal data in any way is automatically the focus of a DPO, as all procedures need to be documented and assessed in terms of their risk to the individuals affected by the processing, such as customers, employees, or partners. This creates a unique position for the DPO. I have probably seen every process of Delivery Hero at some point, so I have a very deep insight into all of our systems. Thus a DPO can be both a policeman and an excellent sparring partner for everyone in the company.
A DPO should have very strong communication skills, as the stakeholders and thus the level of cooperation is very varied. While communication with external stakeholders is very formal and limited to the most important information, the DPO must be very open in internal communication, especially with the management.
And, of course, the DPO plays a very important and central role in data breaches. To ensure that the organization is aware of when a data breach has occurred in the first place, all employees must be fully trained and the internal reporting channels must be known. Then the DPO takes over the assessment of the incident and decides whether it is a data breach that needs to be notified to the supervisory authority or even to the data subjects. All further steps, from creating the communication template to monitoring the notification, usually go through the DPO. It’s very exciting to be a DPO.
You started at Delivery Hero in 2018. Since then, how has your day-to-day changed?
The initial situation was very exciting. When I started at Delivery Hero in 2018, like many other companies, there was no data protection function. It was only with the General Data Protection Regulation (GDPR) that companies were shaken up, as the GDPR imposes very high fines in some cases for data protection violations.
I was basically the entire data protection team for almost two years. That was a very intense time but the best years of my career so far because I really got to know almost every employee through my work and was able to gain insight into almost all processes.
Although Delivery Hero has grown incredibly fast since 2018, we have not been sidelined, but are very much in the spotlight. Due to our very small team size, we have to work very efficiently and in a goal-oriented way. After all, we were responsible for global data protection and had to build an international data protection organization, train the members of this organization and control the maturity level, and of course, take further action if the result was not satisfactory. I owe this in particular to Lilla Bozso, who has managed to use her social skills to build up an international team that now works decentrally and is continuously developing.
However, after four years of very intensive work, I am very happy with the result. For Delivery Hero, data protection is not just lip service, but part of our corporate identity. Together with management, we have managed to ensure that data protection is in our DNA. No matter where we go and no matter how the team changes, data protection will always play a central role.
What is a project at Delivery Hero you are most proud of?
After almost four years, I am very proud of one particular project. We managed to develop from a group that was still in the headlines for data protection issues in 2019 to implementing Binding Corporate Rules (BCRs) today. Any privacy expert will know what requirements need to be met for a company to even consider implementing BCRs. My team and I have had to work incredibly hard to bring a hyper-growth tech company to a level where it can achieve a consistent level of data protection internationally, taking into account all the internationally recognized privacy frameworks.
In order to roll out BCRs at all, all requirements of the GDPR need to be implemented systematically, implementation needs to be monitored and all KPIs need to be measured regularly. Without Benedikt Schweintfurth and Kadir Ider from my team, we would never have reached this milestone. When I think about the smart solutions they came up with to implement all these many details in one framework, I’m really very proud.
Delivery Hero applied for the Binding Corporate Rules. What does this mean for your team and the business?
The Binding Corporate Rules will be our DNA. With the BCRs, we commit to ensuring a consistent level of data protection across the Delivery Hero Group internationally, regardless of whether a country has an applicable data protection law or not. In practical terms, BCRs mean that we train every employee in every entity on data protection, assess risks consistently, and implement equivalent measures.
Our BCRs are our answer to the new age. Data is the gold of our time. Not only do we have an obligation to our customers, employees, and partners to protect their personal data in the best possible way, but we also have a natural self-interest in ensuring that no one has access to our most important asset: our data. Therefore, it was an important step for Delivery Hero to be the first player in our industry to implement BCRs.
Currently, we are in the approval process with our responsible regulatory authority. However, we are very motivated and confident that together with the regulator we will achieve a unique result for Berlin, namely to implement the BCRs as a Berlin-based tech company. For the team, this is a once-in-a-lifetime opportunity.