Interview with Klarna's DPO Filip Johnssén
From implementing up-to-date privacy practices across the organization to working with stakeholders, a DPO has to overcome many challenges to succeed.
Filip Johnssén, Data Protection Officer at Klarna, was recently named one of the top DPOs to follow in 2022 by the tech and privacy community.
Filip regularly shares his views and approach to data protection and privacy on Linkedin, and many of the nomination emails we received considered him a thought leader in this field. The first sentence of his Linkedin bio is, “Data protection should help the business,” which truly illustrates his enlightened agenda as a thinker and a leader in the privacy industry.
Filip is a co-author of the book: “Data Protection Officer (BCS Guides)”, and he is currently working on his next book. In addition, he hosts a successful podcast in Sweden about data protection, “Dataministeriet” (translates to “Ministry of Data”), and has an impressive background as a privacy professional in the public sector.
What is your approach to data protection and privacy? How does it affect your work as the DPO of Klarna?
A few key ideas drive everything I do as a DPO: One idea is to always keep in mind that data protection and privacy are based on fundamental values. Another idea is understanding that laws represent the voice of the people. <hl>For me, this means looking at data protection not as a box-ticking exercise but as what is the right thing to do based on the values and ideas behind a legal requirement<hl>.
Another idea I work by is more on the practical side: I focus a lot on my customers and consider my output as products for these customers. I ask myself how I can best serve my customers and provide them with the best product. <hl>By doing this, I set myself free from being too “lawyerish”<hl> and create the most value for Klarna regardless of the skills I must use in each specific case.
Lastly, I also try to stay close to the business and try to learn and understand as much as possible before giving a piece of advice. For example, suppose I find something I consider not to live up to Klarna’s high data protection standard. In that case, I always suggest a solution that takes into account what the business wants to achieve.
I really like this approach. Can you share the top challenge you're facing as a DPO in a BNLP company? Do you think that Fintech, in general, poses more challenges than other industries?
I consider myself lucky to work in an industry that is used to being highly regulated. As a bank, we must adhere to many laws, therefore, the organization understands the importance of compliance and listening to what you say. We also have an attitude among all of our employees that we care about our compliance and strive to achieve it.
A challenge all companies are facing right now is, of course, the cross-border aspects. We have solid processes for transfer impact assessments and so on, but on a more general note — it is unsatisfying that we can’t get a global standard for transferring data. <hl>It’s too late to stop digitization and globalization, and nobody really wants to stop it either<hl>. I think the time has come to solve the issue instead of continuously finding errors with the solutions.
That’s exactly why at Mine, we believe it might be beneficial for organizations to consider implementing a standard practice for processing DSRs which is compliant across all territories. In your opinion, what don't regulators understand about the business side when it comes to regulating data protection and privacy?
I’m not sure it’s about regulators not understanding the business side. I think they just have another angle to the topic. In the end, we all want to achieve the same thing, but perhaps we have different ideas on how to best get there.
One difference I’ve seen a tendency of is that authorities sometimes are very focused on the word in the law and look at things a bit binary. In reality, nothing is either-or; it is much more complex, and a business has far more considerations than just data protection laws.
In terms of privacy, what is Klarna's greatest strength? What is the single thing about Klarna that you are proudest of (privacy-wise)?
That’s easy: <hl>being customer-obsessed and fast-paced<hl>. This means we always change things for the best of our customers at a very high speed. If we get feedback about anything regarding data protection, we immediately analyze it and implement changes if necessary. That is something I’m proud of.
Speaking of change and pace, do you think Data Protection Officers should work in the public sector before transitioning to tech?
DPOs don't necessarily follow a fixed path to success. As a matter of fact, having different and “exotic” backgrounds can lead to becoming an excellent DPO.
In my specific case, the experience I gained from working in a very specialized public entity (The Swedish Security Service) with brutally smart and motivated people, together with the truly global aspects I had to tackle at Sandvik, gave me the tools for handling Klarna’s fast pace and expansion to new markets.
What are Klarna's methods for dealing with incoming data privacy requests (DSR, DSAR, etc)? Can you share some advice about that? As you have a large user base, we assume you get many of them.
Klarna is a customer-focused company. Everything we do should serve the interest of our customers. This is true for all our products, including data subjects’ rights processes. <hl>We listen to all feedback from customers, read all guidelines and decisions from authorities, and constantly update the processes to become better and better<hl>. We also ask our customers about feedback more actively, instead of passively waiting for incoming complaints. I think that is something more companies should do.
Do you think consumers’ perspectives on privacy are changing in recent years?
Since I am very interested in the more fundamental aspects of privacy and how it has developed historically, I don’t think we have seen any major change lately. Throughout history, much bigger, almost paradigm, changes have taken place. Imagine when the first printed newspaper came out, or the telegraph could spread the news with the speed of light (almost), or when you could take photos for the first time. There was no way of being forgotten if something had been printed in thousands of newspapers.
<hl>Before all of that, privacy intrusion was done by physical means, for example, sneaking in the bushes. I think those technical shifts had a much bigger impact on the perception of privacy than the last decade’s social media platforms<hl>. Time will tell if I’m right or wrong…
Lastly, what do you look forward to most about going to work every day? What gets you excited?
Obviously, all the fantastic colleagues throughout Klarna. They keep me on my toes and support me when I ask for it. <hl>They are just great!<hl>
Read more about our Top DPOs 2022 project here.