Today, Anthony was joined by Mikko Niva for a truly insightful episode of his “Privacy in The New World” series. Mikko is the Global Privacy Officer at Vodafone Group. He is also a member of the Board of Directors at the IAPP and in 2019 was awarded the ‘Data Protection Officer of the Year Award’ for Excellence by the Information Commissioner’s Office.
This episode’s highlights include:
Anthony Brown: [00:00:01] Hello there. And welcome back to another episode of my Privacy and Data Talks podcast. Today, I’m really excited, actually to welcome another very special guest. Today I have Vodafone’s group privacy officer and head of legal for privacy, security and content standards. So welcome to the show Mikko Niva. Mikko is responsible for Vodafone’s huge global privacy programme, which covers more than 600 million mobile broadband, IoT and other customers in over 24 countries. So recently as well. Or maybe 2019, I should say it seems recent, but what a year we’ve had Mikko received the Data Protection Officer of the Year Award for Excellence in Data Protection and is also a member of the IAPP Global Board. So what a privilege to have you on the show today Mikko, how are you?
Mikko Niva: [00:01:10] I’m very good. Thank you, Anthony, for your kind introduction and this is my first ever podcast appearance, so I’m interested to see how it goes.
Anthony Brown: [00:01:24] Absolutely. Well, therefore, I feel even more honoured to have you, Mikko. And I mean, interesting times we’re living in, of course, so much going on in the world as we sit here during the, I guess, the the dregs, if you like, or the final days of of the second lockdown in 2020, staring out at a world that’s almost unrecognizable in many ways. But as we know both of us privacy and all of the challenges around it and the excitement around it are actually still here and very, very buoyant. So I thought that, you know, to kick us off, if you don’t mind, you’ve had an extraordinary journey, you know, in your professional life over the years. So all the way from training as a lawyer in your native Finland, working at Nokia Corporation in a very senior role and then moving over to the UK to become, well, essentially heading up privacy operations for Vodafone globally. So could you perhaps tell us a bit about your journey and how, how you how you arrived in this, you know, big role at Vodafone?
Mikko Niva: [00:02:43] Yeah, it’s in hindsight everything kind of like you do recognize the journey, but while you are on the journey, you don’t necessarily always know where you’re going. And I guess my journey is in some ways typical for for privacy professionals of my age, that kind of like when you when you embarked on the privacy journey, you didn’t really know that you were on a privacy journey. When I started, privacy perhaps was not really a career. At least I didn’t think of it as such. So I started as mostly like a commercial lawyer actually in the telco, in Finland, in the national incumbent. They are doing all kinds of jobs, you know, M&A and, you know, competition law even and consumer protection. And at the time, that company, perhaps similar to many other companies privacy, was something that was looked after kind of like by the most junior person in the legal team. It was just something that not many lawyers wanted to have much to do with. So I was doing that. Then I was advising kind of like how I then became to get more involved in privacy that I was advising the corporate security team and also the kind of like the big data analytics teams on all kinds of things, including privacy, of course and it turned out that, you know, a few years later, I realized that I had given advice that stopped a fairly kind of like a wide scale eavesdropping exercise by the then head of corporate security in that company, and it had become like a national scandal. So at that point, I was no longer the kind of like the rookie lawyer. I had gained some experience and I was trusted to deal with it. Make sure that you know that it’s handled properly, that the lessons are learned, but also there were criminal investigations and everything. So very stressful times. But, you know, that’s kind of like how I became the privacy guy in my native Finland. 
And I then was recruited by Nokia, and I was the I think I was the second person doing privacy there, but still the only person when I started. And Nokia, of course, was a massive company. That didn’t mean that they wouldn’t have paid attention to it. It’s just various like product security teams and others have been doing quite excellent work in certain aspects of privacy. But it then, you know, morphed kind of like I was doing the work and the team got bigger and we got a, you know, like a real program going and it was really interesting to sort of like be be on the journey as privacy was becoming more and more relevant for the time. You know, there was a lot of lot of talk at that time point about Web 2.0, for example, that it becomes like a two way experience instead of just passively browsing and kind of like privacy was becoming very much alive. And there were some big, big chiefs saying things like privacy is bad. Uh, at the time, not in Nokia, but in some other companies. And it turns out that that actually that wasn’t really true. It was only becoming alive actually from something that was interesting for most of us. And it became really, really topical. And then I started to go to conferences to learn more and became a speaker, then eventually. And then, you know, I got an offer from Vodafone and that seemed very appealing at the time. And that was definitely a very good decision. So we moved the family from Finland to the UK, and we’ve been here now for five and a half years.
Anthony Brown: [00:07:27] Blimey did you have children at that point? Was it was it literally had to uproot your entire family then to to the UK?
Mikko Niva: [00:07:34] Yes, yes, that’s right. So the children, my daughter had recently started school, so she was in third grade and my son was about to start school, so they then got into a UK school. And, you know, everyone’s been super welcoming all the time. So it’s been it’s been a pleasant journey. But there’s been some changes in the, you know, in the way we go about our life, but it’s been mostly mostly very, very pleasant.
Anthony Brown: [00:08:06] Yeah, and no doubt as well. I spoke about this on previous episodes as well. But the and certainly from my own experience as well, the privacy community is so strong and so supportive and not just in this country, of course, but you know, around the world and everyone is very collaborative. So no doubt that I’m sure really helped. And and of course, now you’re you’re part of the, you know, the board at the IAPP, which does so much great work as well, obviously for all its members and bringing people together. So obviously, I mean, an enormous task. I’m sure when you arrived at Vodafone, which you know for anyone, I guess in the know, it’s always had a really superb, you know, reputation for privacy and its program. Obviously, you will have been brought on with, you know, a big, big job ahead of you. And obviously you’ve built, you know, continued the work that was done before. No doubt, but you’ve got a truly global programme that’s across 21 countries. I mean, in your opinion Mikko and coming from your experience, where do you start, you know, with such a large programme, such a large framework that’s around so many jurisdictions.
Mikko Niva: [00:09:28] Well, I actually want to start. From from Nokia times because there I learned a few very important things which have helped me in the tasks that I later had to deal with. And some of you have heard me actually say this joke in some of the conferences, but I remember very vividly a point in time in my early career privacy career. Perhaps when I was talking, you know, excitedly about some of the finer aspects of some proportionality or, you know, kind of like important privacy principles to a product manager who was an engineer and he kind of like brought me back to the level where we I think we all need to be that yeah, that’s. It’s all very interesting. But in my life, it’s about zeros and ones. So which is it? And that kind of like, got it on a path of kind of like privacy. Engineering, perhaps, was a term that started to be there. But it was more it was all about sort of like translating your understanding of the regulatory frameworks into implementable requirements. It’s not an easy task, but that’s that’s kind of like if you want to have something that is understood by non-experts, it can be implemented by non-experts, it can be implemented in a consistent way across different countries, you know, very large number of all kinds of different activities. That’s what you have to do. And then also you have to have these sort of like you don’t really get far by just reciting the GDPR, for example, you need to understand that. What are the particular problems in my company and how do I apply these rules in to those problems? So in Nokia, we started to work on things like privacy patterns, so they they are kind of like contextualized, repeatable solutions for recurring problems. I think that’s the definition. So then when we when the GDPR kind of like times arose in Vodafone, we kind of like took the existing frameworks, which were very good. 
But then kind of like created like a 2.0 of that framework and which would kind of be, you know, real concrete controls. So you set the right expectations, so you have the high level policy, then you translate that policy into real controls that can be tested that are easily easy to understand. Sort of like what do I need to do and who needs to do what and when and what’s the frequency and all that. And I remember spending an extraordinary amount of time writing those. Those controls we have, we have kind of like, I don’t know, third, third or fourth round of them already. But without that, I don’t think we would have been at all successful in implementing anything consistently across a very large number of markets. So so that’s that’s kind of like you have to have maybe maybe that’s the that’s the kind of like the what that needs to be done. The why kind of like comes from the from the organization’s values. So very happy to be with whatever we have always felt the top management has been very supportive of our agenda. Everybody really understands the importance of privacy in the organization. So GDPR was just kind of like, I think it would be wrong to say that in our company was a revolution. It was just a further argument to do things in a robust, good way. So the tone from the top, you have to have the why. You know, I may know why, but the rest of the organization may not know. So the tone from the top really, really important that management support really is key some of the other other important things. So the why the what is the question of accountability? And I mean, that is now in a very sort of like personal and concrete sense. So we the privacy is mostly like a first line of defense problem. So you have to have the actual business owners buying into what you do. They need to be held accountable. You need to build those repeatable mechanisms that produces information about the effectiveness of your control implementation. 
Um, so let’s say you have like a building process, so that building process as a process manager, it’s end to end. Understood what it is. So that’s your scope. You need to make sure that that is performed in the right way. So means you have to have wide requirements for it. You test it if you tell what you need to do, then you test it and then you hold the, you know, the business owners to account and then you keep that machine alive. So then there’s no question about whose problem it actually is. Yeah. And and that that is not an easy thing to do. It takes time to build it. And not necessarily everyone agrees with it all the time. But that’s that’s kind of like how we how we run it. So, yeah, so from the top, it’s like that in the policy and principles and top management communication and buy in the what needs to be translated into concrete standards controls and then you need to have your scope. So we we basically realised that we have like a or like there’s so much going on, thousands of systems, actually. So where do you start? So we realised that, well, it’s a process based organization. Businesses have been defined. So you know what? This process is soft customer care, billing, payroll, you know? I think we have more than 300 defined processes. And then you classify them and just look like high, medium and low risk activities, and then you make sure that the process owners know what they are supposed to be doing. So what we did is that we didn’t only tell them, but we tested. Kind of like to set the baseline and then there are control deficiencies. When you do it the first time you identify what those deficiencies are. You agree what the remediation is. You put a name and the timeline on it. You follow up you. You provide regular reports. And that’s what we have been doing ever since.
Anthony Brown: [00:16:41] It’s an enormous task.
Mikko Niva: [00:16:42] So yeah – It’s not only like a privacy, like a subject of task. You need to have all kinds of people in your in your program to execute it.
Anthony Brown: [00:17:00] So I mean, you know what strikes me as well speaking to to you and to, you know, some of your contemporaries in other businesses as well is that I guess it can be quite a lonely journey sometimes, you know, for a CPO, somebody who is at the top of the tree in terms of privacy, you’ve got to, you know, you’ve got to really lead from the front and try and bring people along on the journey with you. You know, you’ve got to really try and influence people, you know, but also there’s a sense that you want them to just get it and just to come along with you without too many difficulties. Can it? Can it be quite a lonely journey? You know, at the start, perhaps when you somewhere and you’re trying to make the changes that you see necessary.
Mikko Niva: [00:17:49] Yeah, yeah. I mean, I think you raised a good point that the privacy community globally is a really good community, so I want to emphasize that none of us is actually alone and there are all kinds of ways to participate conferences, IAPP, other organizations, it’s, you know, and people are very willing to help. And it’s kind of like a new, new maturing regime. But but then when you’re kind of like where the rubber meets the road, it certainly can be a bit of a lonely exercise. And there are many reasons for that. So I’ve been that one man band in a big organization. It’s something that I hope I don’t have to do anymore. It’s a pretty, you know, an uneasy place to be. But then like, how do you break through from that? Because. And like one of the challenges I admit, having throughout my privacy career has been that not everyone who needs to understand what you do. Actually understands it. They see you through a particular lens. So a contract lawyer sees you through the data protection agreement. A compliance officer sees you through some control assurance thing. The product manager doesn’t really understand what you’re all about. Some kind of obstruction in the way between my idea getting launched into the marketplace. So it’s really important to spend the time to try to articulate what are what the tasks actually are. If you won’t be able to do that, it’s kind of difficult to ask for more resources, for example. Yeah, because everybody would say that, well, I’m very busy. But doing what? Yeah. You know, that’s like a genuine question. Yeah. So until you can make it visible, so then it’s difficult. So we, for example, we will become better and better in that. But it’s so we have all kinds of KPIs, for example. So we show like how many privacy impact assessments we make, what sort of control deficiencies we identify, what are the highest risk points, you know, how many, how many data subject access requests, whatever. 
Kind of like define your work and then measure it because there comes a point in time when it’s very useful to have those KPIs at your disposal for compliance evidence, but also may help you with resourcing discussions as well.
Anthony Brown: [00:20:39] Yeah, absolutely. So what do you see then? Do you think? Oh, in fact, let me ask you this first. I mean, you’ve been recognized for several years now as, as you know, a real spokesperson, advocate and champion of ethics within privacy. In fact, when you received your award and I need to check my notes here, but you, Elizabeth Denham commented Mikko’s dedication in leading his business to understand how important privacy is to inspire public trust and confidence is truly commendable. So my question to you Mikko is along around the instinct for privacy and privacy ethics. Do you think it’s innate? Do you think you, you were born with? It is right from the start. You have this sense of it? Or is it something learned? You think other privacy pros perhaps may not have it instinctively? I know it’s quite a wide question, but what’s your what’s your sense on that, perhaps within privacy pros?
Mikko Niva: [00:21:43] Well, I think. I think I’m not alone in thinking that we have the coolest job like this is amazing. You know, everybody wants to have a purposeful job and you feel like a privacy professional. I think you don’t really have to. Kind of like worry about not being able to understand what and why you are doing the work. So I think that’s the first thing, so you are actually protecting something. And I think many people would would have that sort of an instinct that it’s it’s innately good. How do you then go about your daily life? I’m sure daily professional life, I’m sure, you know, kind of like your interest and everything influences that and kind of like the objectives that you’ve been given given from your organization. So there may be you may be approaching it from a mostly a compliance point of view like legal compliance, point of view or you may be, you know, if you collect more on the activist side than you are, you have a different perspective to it. But I think ultimately, everybody is kind of like going broadly to the same direction. It’s just slightly sort of like, are you going this way a little bit that way? So, so ethics is really, really. Interesting. And I see that it’s it’s part of the the the privacy professional’s thinking it needs to be in the way because we are protecting rights and freedoms of individuals and that’s a big, big task. I think it’s a challenging concept because I think, you know, if it is separate from legal, then what is it? How do you measure it? What’s the standard? How do you make it repeatable and everything so. So I’ve kind of like recently approached it from a that like the exam question for me has been how do you make ethics scalable and repeatable? So what is the actual yardstick? So that’s a that’s a journey, I guess, with many of us are on. What else could I say about the topic? So I personally do think that it’s difficult to do your job if you’re not at all sensitive on these topics. 
And one thing that is interesting about privacy as a whole is that it doesn’t really seem to have boundaries. Like, almost everything can somehow be a privacy problem. The context is so broad and I think it’s important to have like a kind of like an open mind and this apprentice mindset. Yeah, yeah. You know, I certainly don’t with Everything. Anything can take me by surprise, and then I need to study and analyze it and try to make some sense of it.
Anthony Brown: [00:24:56] Well, and this is this is why privacy is going nowhere. I mean, it’s as long as we’re around, it’s going to be one of the biggest topics I think, you know, in the world that we’re now living in, and that makes it such an exciting place to be. I mean, what do you see, Mikko in your opinion, as the biggest privacy challenge on the horizon or hurdle on the horizon? And that could be for businesses or consumers.
Mikko Niva: [00:25:27] Well, I think every. What most privacy people would be somehow influenced by the AI key questions around that ultimate, you know, again, it’s a very good area of law. You have the legal side of it, but then you have. Kind of like the ethics and all kinds of practical questions around it as well, so kind of like how do you? How do you make sure that we’ll end up and end up having societies that we still recognize as as as mostly acceptable places to live in privacy plays a big role in it. I think the what we are, unfortunately now seeing more and more is the kind of like the return of geopolitics in the world. So again, from a privacy compliance point of view, the challenges on international data transfers, lots of uncertainty, lots of work depending on your your, your, your take on the world, you may you may question, you know, how, how important it is from a from a, you know, like a material privacy point of view. But it certainly that argument can be laid out there that if it actually is because of the underlying facts as a result of which is this problem is arising. The politics basically thinks more broadly in the kind of like in the profession itself, I think the challenge is that, you know, when everything is becoming digital. That is the environment where these privacy problems also arise. That would be the same for cyber, for example, like where do you get all the people? How do you create sort of like operational procedures that do not rely on the kind of like only having the best experts available, but maybe the experts should be defining the frameworks and training, but then can you trust it? And you know, it’s it’s kind of like the scale and the volume. We are creating all kinds of new ecosystems here. So it’s not. 
I think this is something that I’ve always thought that is really important part of the of the answer to this various privacy challenges that it’s not any of them you’re dealing with, like an ecosystem and some companies perhaps more in a controlling role or in that ecosystem in the sense that they can set the rules for that entire ecosystem to work properly. So that sort of thinking, I think, is very important going forward. With 5G, for example, it seems likely that there will be new kinds of ecosystems where the aggregate impact of that ecosystem to produce the impact of that must be itself. So it’s really important for for people, people working, working in this ecosystem to think of it, like how do we protect this ecosystem as well so that it? Becomes trustworthy from the from the day
Anthony Brown: [00:29:05] And looking, you know, looking towards the future and looking towards perhaps some of the privacy pros of the future. If you were talking to somebody now who’s perhaps at university and still deciding which route in life they want to go, and they they spoke to you and said, Hey, what was privacy all about? Do you think I should consider a career in it? I’m thinking about it. What would you say to them about about perhaps whether they should or not?
Mikko Niva: [00:29:34] I would, of course, say you should. It’s been one of the best choices I made. There was a point in my time when when it was a question of we want to stay a generalist at the time, but have not regretted it at all. That was very, very good choice. Very timely choice at the time, so I think privacy, as you also said, Anthony, it’s here to stay. It’s not going anywhere. I think it’s just getting more and more important. And even if you don’t want to become like a full blown privacy professional, I think if you want to be working in a digital environment and what environment is not digital going forward, it’s useful to know if you are producing something. It’s useful to know these rules. So that you’re protecting maybe your startup against some unnecessary risks and things like that. So I think that would be my first comment, and it’s a great choice. Then the second comment made may be that what I would always recommend to everyone is to say, Well, this is kind of perhaps like a bit of management jargon, but I think at some point there was discussion about this sort of like a T-shaped person that is good that you kind of like, understand quite a few things and then you have a deep expertise. So that has certainly served me well. So I didn’t become a privacy professional before having done quite a few other sort of like legal jobs. But that being said, I think privacy is becoming or maybe has already become kind of like a regime on its own rights. By that, I mean, that legal law is kind of like you can become a lawyer, but then you can be like many different things as a lawyer, like a litigator or, you know, M&A lawyer or contract lawyer or whatever, and finance would be another example. So you can be you have you can have, like many different kinds of careers within finance. 
I mean, I think privacy already in many larger companies, at least, you already have very different people with very different tasks and different skill sets that are required. Yeah for you doing the job effectively? So that’s certainly what I’m thinking about it.
Anthony Brown: [00:32:22] Yeah, absolutely. I think I think you’re so right. I mean, from where I’ve where I sat and, you know, in the time that I’ve focused purely within privacy, the array of roles and opportunities is, you know, it’s it’s it’s impressive and it’s exciting. And like you said, you know, these teams are now becoming a team in their own right that used to be a bolt on or not even a bolt on. They just sort of sat somewhere, but no one really knew where, you know. And yeah, you know, whether it’s somebody technical in a supportive role, a legal role, whatever operational role, compliance or are, there’s so much within it and it makes it such an exciting place to be. Just finally, Mikko, I would just love to ask you as well. I think, you know, anyone listening to this will have had a great sense of what type of person you are and what you enjoy about privacy. But if there was one thing, perhaps you know that makes you leap out of bed knowing you’re doing the job you do. And you know, what do you enjoy most about your role, do you think?
Mikko Niva: [00:33:26] It’s been different things throughout different stages, so. I really I actually this may sound strange, but actually enjoy reading regulations. The lawyer in me then and kind of like trying to understand like, what does this mean in this particular context then? Yeah. Or does it make any sense? So why? So I kind of like part of my part of my role is to, you know, help craft corporate positions on legislative proposals coming from the European Commission, for example. So that’s kind of it’s one of my pet things. But then I have really, really enjoyed in kind of like the work around operationalizing privacy. And that’s a very broad thing, sort of like kind of a like a process engineer almost like creating workflows. And that kind of excites me too. And kind of, you know, like we think we have like we want to have like a privacy factory. So what is the factory? It has processes and standards and processes and workflows and inputs and outputs and everything to kind of like thinking those terms. And then, you know, getting the right team together, then that can actually, you know, take that vision and make it great and even greater than I ever thought it was was possible. Very recently, as has the team has grown. I’ve kind of I take a lot of pride and joy in kind of like seeing that we are bringing new people in the team and and how they then sort of like find their wings and, you know, become, you know, real world class professionals. So very quickly of them.
Anthony Brown: [00:35:36] I mean, it’s fascinating. Fascinating stuff Mikko. It’s so clear to me and anyone listening that, you know, Vodafone both now and in the future is in really safe hands with you there. And, you know, congratulations on an outstanding job. And I think it’s, you know, to talk to somebody who’s got such a big responsibility as you and to for you to be able to so clearly define it and talk about what you’ve done is it’s testament really to what you’ve achieved there. Some people couldn’t really explain in very simple terms. So, you know, hats off. It’s been fascinating talking to you. I hope our listeners and viewers have really enjoyed meeting you Mikko. So unfortunately, we’ve run out of time. But so without further ado, we’re going to say adios. But thank you so much Mikko and to all the listeners and viewers, I hope you enjoyed and look out for the next episode. But for now, I hope you’ve enjoyed this and take care now. Bye now.