The Rise and Resilience of an Outside DPO

We’re living at a time when many people are worried about their careers. Businesses are being upended. What seemed safe is suddenly not.

The story of Stuart Anderson is all about the rapidly changing world of European privacy regulations, and how they’ve affected companies around the globe. That’s why I was eager to talk to him in the first place.

But as I did, I found that his story is also about a man who faced life-changing career setbacks with determination and resourcefulness. And his resilience led him to success as an outside data protection officer—an occupation he couldn’t have imagined just a few years ago. His experience may serve as an inspiration to some of the people who find themselves struggling with the disruptions caused by the global pandemic.

Learning to Deal with Setbacks

When TAG Cyber asked for an analyst briefing on XpertDPO, the Dublin-based company that Anderson founded in 2018, I wasn’t expecting that music would be part of our conversation. But the bio on his website noted that his “primary discipline” was the performing arts, and he’d worked as a professional trumpet player “before, during and after his formal studies.” When I asked about that, he told me that he was close to landing a job at the Hallé Orchestra in Manchester (the first fully professional symphony orchestra in Britain, with which he had performed many times), but a financial crisis in the late 1990s sent it into a tailspin. It only regained its footing after the orchestra was cut by 20 percent, killing the job that Anderson had counted on.

That was Anderson’s first devastating professional setback. But it wasn’t his last. From music Anderson segued into software. He worked as an engineer, a technical support consultant, client services manager, operations director. And along the way, he saw an opportunity in the area of privacy.

The EU’s adoption of the General Data Protection Regulation (GDPR) in 2016 generated lots of business opportunities. Anderson completed training and certification programs during the two years that followed. He also formed a partnership to launch a software program that would offer customers a privacy platform to help them automate compliance. Anderson was the engineer who built it. But two days before the GDPR went into effect in May 2018, the co-founders of his new company pulled out after a bitter dispute.

These were two very tough blows for anyone to take. Twice on the cusp of realizing a goal he’d worked hard to attain—20 years apart—and twice denied.

What did he do? Sue his former partners? Lick his wounds? Play “Taps” on his trumpet? He picked himself up, dusted himself off and started XpertDPO. Right after the GDPR went into effect. And he built it through the disruptions of Brexit. And continued into the chaos of Covid.

Anderson has found ways to make Brexit a business opportunity. And the part-time status and flexible pricing of his DPO role can be particularly attractive to companies during the economic downturn. People talk about the resilience of a company recovering from a breach. Sometimes resilience has to start with the CEO.

The Benefits of an Outside DPO

In Article 37, the GDPR requires many companies that fall under its jurisdiction to hire a data protection officer. They can be in-house employees or outside vendors, but they must be knowledgeable and independent, and their role is to advise a company and guide its GDPR compliance, Anderson said. (See also his blog post on the subject.)

A less known rule (Article 27) requires companies located in countries outside the EU that process personal data of individuals inside the EU to appoint an individual established in the EU to represent them in matters concerning GDPR compliance.

Though Anderson’s main work is as an outside DPO, he is also hired as a nominated European representative. Companies are sometimes surprised to learn that Article 27 applies to them. For example, Anderson said, a hotel owner in Mexico who has a website, advertises his services in Germany and Spain and accepts euros for payment must appoint an EU representative.

Anderson is well situated to weather Brexit. He has an office in London, where he does about 40 percent of his work. But his main office is in Ireland, so he will retain his presence in the EU even after the United Kingdom’s exit has been completed. At that point, he will be able to act as both an EU representative and as a U.K. representative for its version of the GDPR, he said.

These are some of the reasons he maintains that Brexit, far from hurting his business, will actually present him with new opportunities. He will be able to assure potential clients that he offers them a total solution for GDPR, whether they’re located in the United Kingdom, the European Union or a country far from both. And the more complicated the situation, the better he will look.

“We’re not a law firm that does litigation and employment and wills and bolts on privacy as an added revenue stream,” he said. “It’s not an add-on or an after-thought. This is what we specialize in.”

The Paper Trail

XpertDPO is Anderson’s own shop, but he regularly works with four associates: two barristers who specialize in data privacy and spend a lot of their time reviewing contracts; a business strategist; and a data protection expert. The fact that he only uses them when he needs them keeps the costs down.

He’s a bargain, Anderson said, compared to the in-house alternatives with full-time jobs, offices and benefits. Some of his clients pay flat retainers every month. Some pay annual fees. And he charges some a fixed retainer plus hourly rates.

The work almost always starts with an internal audit to assess the data, he said. And that can sometimes be tricky these days. The pandemic has created complications.

It may be possible to conduct some audits remotely, but when there are file cabinets, he noted, you need to be there. Before Covid hit, he was hired by a credit union that had files dating back to the 1970s. Many former employees had died. There was no retention policy and no one claimed ownership of all that paper. And that’s not uncommon, he said. Lots of companies have messy records. When it’s not digitized, there’s no control. There’s no way to know who copied or altered documents. “It’s a risk,” he said.

Another company he consulted with had tents in the parking lot filled with files. As Anderson walked past them, he asked the company’s DPO, with whom he was working, “What’s in there?” The DPO shrugged. “I don’t really know,” he said, “but no one can get in.” They returned to the man’s office and went back to work. But later, after lunch, Anderson walked to the back of one tent, reached under and pulled out some files. He returned to the office and dumped the files on the DPO’s desk.

“What’s this?” the man asked. “The files that no can one get,” Anderson replied. That little demonstration, Anderson recalled with a chuckle, helped the DPO obtain more company resources than he ever would have requested.