Author: Gerhard Walter, Editor, Solutions by HANDELSBLATT MEDIA GROUP GMBH
Interview with Christian Brennholt, Deputy Chief Privacy Officer / Senior Managing Counsel at Coca-Cola, about the challenges of data protection in a global company
- data protection standards
- the open and critical handling of stakeholder, partner and employee data
- varying interpretations of the GDPR in different countries
To what extent does a global company differ from a national company in terms of data protection?
There’s no fundamental difference. Every company, whether it operates globally or locally, must adhere to the applicable regulations and laws. That said, the data protection landscape is very diverse. For a company with locations and activities worldwide, this poses a challenge. When activities are not exclusively developed and implemented locally, the question always arises of which data protection standards apply. The easiest way would be to apply a uniform global standard. But as a rule, that doesn’t do justice to the very complex data protection landscape I mentioned. So we need to strike a balance between standardisation, and individual consulting for our companies. In that sense, the Coca-Cola global privacy office is one of several actors. We define the general structure and the basic building blocks of a data protection programme. That includes guidelines and minimum standards, but also things like decisions on software usage to support data protection processes. At the same time, we act as consultants and make recommendations, draw attention to new developments and support countries and regions closely in their data protection activities. We create efficiency by cooperating with our IT and security networks, our (internal and external) lawyers, local data protection officers and with privacy champions. Privacy champions play an important role: they are anchored in the countries and different business areas, and know and understand the regional conditions and activities precisely.
What has changed at Coca-Cola as a result of the GDPR?
Data protection has always been a very high priority for Coca-Cola. But because of the activities before the GDPR took effect, we now take more care than ever. Every one involved – whether it’s companies, individuals or government agencies – now has greater awareness. The public debate about the introduction of the GDPR has had a positive effect on the value and handling of personal data almost everywhere – and so has the further development of data protection regulations in countries or regions such as California, Brazil, the Middle East or some states in Asia or Africa. At the same time, a number of data protection incidents occurred that showed all of us clearly how important transparency and security are for the protection of this data. All these factors have changed perceptions about the importance of data protection – and not just in Europe. Companies, including Coca-Cola, are obliged to be even more open and critical in the way they handle data belonging to their stakeholders, partners and employees. The task of our specialist department is to continuously scrutinize the systems and processes, and to adapt or redesign them where necessary. We’re also responsible for reaching out to each and every employee and making them even more aware of data protection issues. For the digital transformation to keep progressing, everyone needs to pitch in.
What do you think non-European governments and companies can learn from the GDPR?
We’re already seeing some countries using the GDPR as the basis for their own data protection laws. But as a general rule, laws cannot simply be copied and ’exported’. Data protection has not developed in the same way everywhere; countries around the world are not all pursuing the same goals. So it’s normal for different rule sets to emerge that reflect local realities. But the GDPR certainly contributes to a more uniform understanding, and hence to a data protection standard. Not least because of its very broad scope and long reach – take Schrems 2, for example. On the other hand, we’re seeing that due to different interpretations, applications and enforcement within member states, the GDPR is fragmenting again. This creates uncertainty – and in my opinion it weakens the effect of, and acceptance of, the GDPR.
Do you use the German government’s Corona App?
I do. I think it’s very good, including in terms of data protection. Obviously it would be good if the download rates kept growing, as that would increase the positive effect. Developing and introducing this app was important, and the right thing to do.
Christian Brennholt studied law at the University of Freiburg / Breisgau, and international administration at the University of Grenoble / France. After several years as an attorney for IP / IT law in several law firms, Christian Brennholt switched to the corporate law sector. After heading the legal department of an internationally active, listed digital agency and service provider, he joined Coca-Cola in 2008. He spent several years at the corporate headquarters in Atlanta, initially in the Mergers & Acquisitions department and most recently as Deputy Chief Privacy Officer. In this role, he has driven the development of the global data protection team. Christian Brennholt is CIPM and CIPP / E (IAPP) certified.