Interview with ASOS' DPO James De Cort
From implementing up-to-date privacy practices across the organization to handling a high number of data subject requests, a DPO has to overcome many challenges to succeed.
James De Cort, Data Protection Officer at ASOS.com, was recently named one of the top DPOs to follow in 2022 by the tech and privacy community. James has an extensive background, with experiences ranging from the financial industry (VISA, PwC) to communications (Skype).
What roles have you fulfilled before becoming a Data Protection Officer? What was your career path leading to this position?
My career path wasn’t linear, but I can take experiences from every role and how they helped me get to the position I’m in now.
I started in a retail store before joining a local council, working in various roles before encountering Data Protection and Freedom of Information for the first time. I really enjoyed the combination of upholding and respecting legal requirements and providing the outcome the business wanted or needed. I was lucky to work with a great manager and mentor that supported a move to Skype, where my eyes were really opened to integrating privacy management into software and technology products. I then left to do some consultancy work, applying data protection to other industries, when the role at ASOS came up – I’ve now been here for an incredible three years.
ASOS is an interesting company when it comes to privacy, as it involves a very unique set of data points (clothing, body measurements, and fashion preferences). How do you make sure this data remains safe, and how do you give control to the data subjects?
Safety and control are at the essence of our approach to data collection, storage, and further processing. We rely heavily on our fantastic colleagues in Cybersecurity and the Risk and Compliance team, which helps us make sure we get the best outcome for our customers and ASOS as part of every processing relationship we engage in. ASOS strongly believes that being transparent with our customers about the value of the data we collect and the service it helps us provide is critical to ensure they’re in control of their data.
<hl>We’ve made it clear what the benefit is if they choose to share their body shape or size information or how we provide specific recommendations on the latest fashion choices<hl>. Ultimately, it helps you find the right clothing that will fit you best and give you more confidence in the clothing and outfits you choose.
This is exactly what the new "value-based internet" is all about: people sharing their data if they know measures are taken for its protection and if the benefit they receive out-weighs the cost (risks). What is the single thing about ASOS that you are proudest of in terms of privacy?
I’m really proud of our Privacy Notice, which forms the agreement between us and our customers on all the data we collect and what we do with it. We’ve taken steps to continually improve and help our customers understand their choices and the benefits of sharing their data with us. <hl>We’ve also embedded privacy information in the customer journey, making it clear and simple whenever we are collecting data, building trust with our customers<hl>.
Transparency of this magnitude is truly remarkable. What do you look forward to most about going to work every day? What gets you excited?
It’s commonly said that no day in privacy is ever the same, and at ASOS, I’ve definitely found that to be true. <hl>The range of topics, subjects, projects, and challenges we are involved in — from the first design stage to final implementation and release — is as much a challenge as it is fascinating<hl>. I still enjoy preserving a great customer experience, meeting legal requirements, and getting an outcome that meets the business's needs.
Most recently, I’ve really enjoyed building a team that works cohesively across the entire business and enhancing our reputation, as well as building a couple of our own bespoke tools to help us manage our work more efficiently.
What are ASOS's methods for dealing with incoming data privacy requests (DSR, DSAR, etc.)? Can you share some advice about that? As you have a large user base, we assume you get many of them.
In the last year <hl>we’ve taken steps to streamline processes and reduce the manual requirements of requests<hl> as best we can. This is a continual effort, and we can only achieve the efficiencies we are seeing with the support of our stakeholders. Recent changes in account management requirements for the iOS app were something we were keen to also apply to our Android app at release. We are now working on adding the same features to web and mobile web accounts, and there are more features to come.
Can you share the top concern (or challenge) you're facing as a DPO?
<hl>Meeting the requirements of the different privacy laws globally<hl> is one of the biggest challenges for every business. This requires us to build out a program that establishes the requirements of different legislation and the best way for us to meet each one.
Let's end with a personal note. Do you regularly delete digital accounts or apps that you are not using anymore?
Yes, I do. There are so many distractions and things competing for your time and attention that I find I have to check the notification and email settings during sign-up. If I’m not using an app or a digital account, I uninstall or delete it. I’ll confess it sometimes causes me issues with trying to reset a password for an account I’ve erased, but I find you can easily register again and use the app or service when you need to. It’s not easy, and it’s not habitual yet, but getting reminders on permissions and apps that haven’t been used in a while is also a great feature on my smartphone.
Read more about our Top DPOs 2022 project here.