Marco Ancora, already passionate about data protection and management, took over the role of DPO at ING Italia in 2019. Since then, he has been involved in promoting a culture of data-valuing. Attentive to risks, but aware that "the perfect business is a risk-free one, which does not exist", Marco has come to make his contribution directly where it all begins, thanks also to the cooperation with the Italian Data Protection Authority. He also shares his opinions with Leaders League on the critical issues and opportunities of his position.
Marco, how did you go from being a lawyer to moving in-house?
My career started in law. After graduating in 2009, I worked for more than seven years at various law firms, where I had the opportunity to deal with many issues in many different areas, ranging from labor law to IP, e-commerce management and litigation. Initially, the data protection component was not the focus of my work, but I still tried to delve into it and keep myself constantly updated, believing that it was an area from which value could be generated through the use of new technologies. Until a few years ago, the culture in the field of data protection had not evolved very much and only the trappings were known. This made work extremely monotonous and unrewarding. I therefore decided to leave the world of law to make my passions and interests my job. In 2016 I obtained a master’s degree in new technology law and legal informatics from the University of Bologna and then started working as in-house legal counsel for the Datalogic Group, reporting directly to the general counsel. Although the role was more generic, the sector of activity of the company gave me the opportunity to delve into IT-related issues. It was my first experience in the company, in Bologna, a city I love very much.
What happened next, career-wise?
Afterwards, I received a proposal from the Volkswagen Group, where I worked from 2017 to 2019, moving to Verona. This role was the most difficult challenge for me, as not only was data protection a new topic at the time, but in addition, there was no concrete knowledge of what the consequences of applying the GDPR would be. What’s more, the company had five brands in Italy, which came with a number of extremely significant technological and operational complexities. As DPO, I reported directly to the CEO and functionally to the IT director. After two years, I felt the desire to enter an industry that was more regulated and to confront new and more challenging areas. I thus took the opportunity to join ING, out of a personal interest in banking. Since 2019, I have held the role of DPO at ING Italia. For this role, it was necessary to have a strong knowledge of technological components. Since 2019, I have been a certified DPO at the TÜV Examination Institute, and I am currently completing an executive master’s in management & digital transformation at the Politecnico di Milano.
What was the biggest challenge when you joined ING?
When I joined ING, the biggest challenge was to analyze in detail the processes and technologies to support the company as functionally as possible as it went through the process of complying with the GDPR and local data protection regulations. Since I joined, the top management and business functions have worked in accordance with the advice given to provide new input to all levels of the organization so that the compliance requirements in the field of data protection are interpreted in a way that is functional to business development in the medium to long term.
How is your team organized?
The group DPO is based in Amsterdam, and a DPO is designated for the local offices. I report to managing director Michal Szczurek, and coordinate a team with skills ranging from purely legal to economic and technological. The aim is to have a diverse team with differentiated skills to interface with the business and all levels of the organization.
What personal input and contributions do you feel you have made to ING Italia so far?
At group level, I have contributed in particular to the definition of the framework for assessing legitimate interest, balancing-of-interests tests, and guidelines for managing data breaches and IT incidents. In addition, I also contributed to the definition of risk management frameworks in the area of data privacy and in the structuring of training and awareness programs. In Italy, we have tried to promote the culture of data valorization and interoperability. Our aim is not only to ensure regulatory compliance, but also to support the business in an active way, trying to fully evaluate all alternatives to generate value. An extremely important part of our work involves general training and on-the-job training: we have structured training programs for all employees with the needs of each area in mind, promoting a risk management culture. Awareness and empowerment are constantly growing in the organization, thanks also to the strong impetus and support of top management. In some cases, we lead projects with the global team that have an impact for the whole group. Helping colleagues make things happen is also one of ING's mantras.
"Helping colleagues make things happen is one of ING's mantras"
Tell us a bit more about ING Italia?
ING is a Dutch-originated bank present in 40 countries with over 37 million customers and 57,000 employees. It offers products and services to savers, large companies and financial institutions. In Italy it has been present since 2001 with its retail banking activities and today is among the leading digital banks in terms of number of customers (about 1,200,000). It is used via app by 7 out of 10 customers who appreciate the simplicity and immediacy of its services. Since 1979 it has also operated wholesale banking where it is a leader in specialized finance and financial markets, and counts on an extensive global network, mainly situated in Europe. Differentiating customer-experience and sustainability at the core of its activities are the two pillars of ING’s strategy, which are also reflected in Italy.
What do you think are the most interesting aspects of your job as a DPO?
What I find fascinating about data management is the fact that the person who knows where the data is and how to manage it can actively influence the strategic choices of the organization. In this matter, what really counts is not the knowledge you have, which will be out of date tomorrow, but the attitude to find answers to the things you don’t know as quickly as possible. I really enjoy the work I do, because it allows me to interact with all functions and levels of the organization and to learn something new every day in order to improve myself and try to be more and more at the service of my colleagues.
How has the role of DPO changed over the years?
The figure of the DPO has changed a lot. At middle management level, there is a greater widespread awareness of data issues, while at top management level it would be important to transfer a greater sense of urgency and devote the right attention with adequate resources to data protection. Certainly, the last 3-4 years have seen an exponential growth of accountability in organizations, to which the spread of measures and sanctions has undoubtedly also contributed. The evolution I see in the industry is centered on an increased use of technology in change-enabling processes to ensure that data protection and enhancement safeguards are managed end-to-end in business processes. I have definitely seen an enhancement of data and its use in the digital world, with new tracking tools. In the web sphere, these will have to be developed with particular care, so that companies are able to be close to customers by providing them with targeted information, without overstepping the necessary limits. Structuring business activities correctly makes it practically impossible to miss valuable opportunities for both companies and users.
What, on the other hand, deserves more attention?
Generally speaking, looking at what is happening in all sectors, I believe that more attention should be paid to the development of more effective risk management frameworks focused on objective and measurable criteria. When we talk about risk, we should not focus exclusively on the sanctions that might result from inappropriate conduct, but also on the fact of ensuring the provision of increasingly secure and efficient services to users so as not to undermine a central value in the relationship between data controller and data subjects, namely trust. There are no processes and safeguards that are capable of 100% avoiding all risks; therefore, it is important to make precise analyses in order to make informed decisions. To do business, sustainability must also be taken into account, which should be one of the central components of organizations’ strategies.
"When we talk about risk, we should not necessarily mean sanctions, but pay attention to reputational and trust risk towards the customer"
How can the correct use of data support business strategies?
Data analysis is a great opportunity if done competently and with the right people. The key is to talk to the business using the same language and support it in a sustainable way by promoting a culture of awareness. One of the most critical issues is that often the data that companies have at their disposal is not used, or they don’t know how to use it to their best advantage. This is true for any company that uses data to do business, but in banking this has different operational implications to the way of doing business. In this context, it is important to ensure for the future a user experience that is more and more performant and responsive to customer needs in order to enhance the value of data. At ING, for example, we support clients in identifying the products that best meet their needs based on a clear communication strategy that is also aimed at helping them understand the real benefits of using data for specific purposes, so that clients can make informed choices with respect to the Bank’s use of that data.
What do you think is the key to performing the DPO function properly?
Performing the DPO function adequately requires strong skills and the ability to keep constantly updated. The ability to listen and to interact clearly and transparently at all levels of the organization is crucial to ensure that the needs are supported. The concept of adequacy, in my view, encapsulates the essence of what the DPO function should guarantee: good skills and attitudes are not enough if they are not put in service of the organization in a dynamic and proactive manner. Adequacy reflects precisely this concept, i.e. the ability to be what the organization really needs, taking into account how it is structured and the value it aims to promote. In the field of data protection, the concept of accountability is often mentioned; this is precisely because legislation outlines the requirements to be met, and then gives organizations room for maneuver within these requirements. This is an exceptional opportunity for organizations, which have the chance to put requirements and standards into practice in a differentiated manner. It is important that organizations equip themselves with the right people with respect to the goal of generating value in the medium to long term.
"Adequacy is a key word: the approach that is adopted must first of all be adequate"
Can you tell us more about your collaboration with the Italian Data Protection Authority?
In recent times, the Italian Data Protection Authority has shown itself to be increasingly enterprising and proactive, providing concrete input to organizations in interpreting requirements and determining standards to be met. In particular, this proactivity has been seen in the banking sector, an area which since November last year has benefited from a working group, under the patronage of ABI, which includes the major credit institutions operating in our country, including ING Italia. The purpose of this initiative is to promote a proactive and dynamic discussion with the authority on complex issues in order to clarify how to interpret certain requirements and direct the adoption of appropriate risk management safeguards. Particular interest in the interaction with the authority has been devoted to the figure of the DPO, initiating discussions with all banking sector operators to understand how organizations are structured on this front from an organizational point of view and what the areas for improvement might be. In addition, the authority is also paying particular attention to the protection of minors, an extremely important area for promoting a culture of data protection with regard to subjects who are increasingly subject to risks when using the tools offered by information society services and the web.
Marco, come è passato dalla carriera di avvocato a quella di legale interno?
La mia carriera inizia dall’avvocatura. Dopo la laurea nel 2009, ho lavorato per oltre sette anni in studi legali, dove ho avuto l’opportunità di trattare tantissime tematiche in settori molti diversi, che spaziano dal diritto del lavoro, all’IP, alla gestione dell’e-commerce e al contenzioso. Inizialmente, la componente relativa alla data protection non era il centro della mia attività, ma cercavo comunque di approfondire questa tematica e di tenermi costantemente aggiornato, ritenendo che fosse un ambito da cui si potesse generare valore grazie anche all’impiego delle nuove tecnologie. Fino a pochi anni fa, la cultura sull’ambito della data protection non era molto evoluta e se ne conoscevano solo i segni distintivi. Tutto questo ha reso il lavoro estremamente monotono e poco gratificante. Ho così deciso di lasciare il mondo dell’avvocatura per fare delle mie passioni e interessi il mio lavoro. Nel 2016 ho conseguito un Master in Diritto delle Nuove Tecnologie e Informatica Giuridica all’Università di Bologna ed in seguito ho iniziato a lavorare come in house Legal Counsel per il Gruppo Datalogic, con riporto diretto al General Counsel. Nonostante il ruolo fosse più generico, il settore stesso dell’azienda mi ha dato modo di approfondire tematiche relative all’IT. Si è trattato della mia prima esperienza in azienda, a Bologna, città che amo tantissimo.
Qual è stata l’evoluzione seguente?
In seguito, ho ricevuto una proposta dal gruppo Volkswagen, per il quale ho lavorato dal 2017 al 2019, spostandomi a Verona. Questo ruolo ha rappresentato per me una la sfida più difficile, in quanto non solo in quegli anni la protezione dei dati era un argomento nuovo, ma in più non si sapeva nel concreto quali sarebbero state le conseguenze dell’applicazione del GDPR. Inoltre, l’azienda possedeva cinque brand in Italia, con una serie di complessità tecnologiche e operative estremamente rilevanti. In qualità di DPO, riportavo direttamente all’amministratore delegato e funzionalmente al direttore IT. Dopo due anni, ho sentito il desiderio di inserirmi in un settore che fosse più regolamentato per confrontarmi in ambiti nuovi e più sfidanti. Ho colto così l’opportunità di entrare in ING anche per un interesse personale verso l’ambito bancario. Dal 2019, ricopro il ruolo di DPO di ING Italia. Per questo ruolo, era necessario avere una forte conoscenza delle componenti tecnologiche. Dal 2019 sono un DPO certificato presso il TÜV Examination Institute, e attualmente sto ultimando un Executive Master in Management & Digital Transformation presso il Politecnico di Milano.
Quali sono state le criticità maggiori al momento del suo ingresso in ING?
Al momento del mio ingresso in ING la sfida più grande è stata quella di analizzare nel dettaglio i processi e le tecnologie per supportare l’azienda nel modo più funzionale possibile nel processo di adeguamento al GDPR e alla normativa locale in materia di protezione dei dati personali. A partire dal mio ingresso, il top management e le funzioni di business hanno lavorato seguendo gli advice forniti per dare nuovi input a tutti i livelli dell’organizzazione affinché i requisiti di conformità in ambito data protection fossero interpretati in ottica funzionale allo sviluppo del business nel medio-lungo periodo.
Come è organizzato il vostro team?
Il DPO di gruppo è basato ad Amsterdam, ed è designato un DPO per le sedi locali. Io riporto all’amministratore delegato Michal Szczurek, e coordino un team con competenze che spaziano dall’ambito puramente giuridico a quello economico e tecnologico. L’obiettivo è quello di avere un team variegato con competenze differenziate per interfacciarci con il business e con tutti i livelli dell’organizzazione.
Quali sono stati gli input e i contributi personali che sente di aver dato a ING Italia finora?
A livello di gruppo, ho fornito un contributo in particolare alla definizione del framework di valutazione del legittimo interesse, di test di bilanciamento degli interessi e linee guida per la gestione dei data breaches e incidenti informatici. Inoltre, ho fornito il mio contributo anche alla definizione dei presidi di gestione dei rischi in ambito data privacy e nella strutturazione dei programmi di formazione e awareness. In Italia abbiamo cercato di promuovere la cultura della valorizzazione e dell’interoperabilità del dato. Il nostro scopo è quello non solo di garantire la conformità alla normativa, ma anche quello di supportare il business in modo attivo, cercando di valutare pienamente tutte le alternative per generare valore. Una parte estremamente importante del nostro lavoro riguarda la formazione e il training on the job: abbiamo strutturato programmi di formazione rivolti a tutti i dipendenti pensando alle esigenze di ciascuna area promuovendo la cultura di gestione del rischio. Consapevolezza e responsabilizzazione sono connotati in costante crescita nell’organizzazione, grazie anche al forte impulso e supporto del top management. In alcuni casi, indirizziamo con il team globale progetti che hanno un impatto per tutto il gruppo, in modo da proporre un approccio su ampia scala che sia win-win. Aiutare i colleghi a far sì che le cose accadano è anche uno dei mantra di ING.
“Aiutare i colleghi a far sì che le cose accadano è anche uno dei mantra di ING.”
Può dirci di più di ING Italia?
ING è una banca di origine olandese presente in 40 Paesi con oltre 37 milioni di clienti e 57.000 dipendenti. Offre prodotti e servizi a risparmiatori, grandi imprese e istituzioni finanziarie. In Italia è presente dal 2001 con le attività di Retail Banking ed è oggi è tra le banche digitali leader per numero di clienti (circa 1.200.000). È utilizzata tramite App da 7 clienti su 10 che ne apprezzano la semplicità e l’immediatezza dei servizi. Dal 1979 opera anche con le attività Wholesale Banking dove è leader nella finanza specializzata e nei mercati finanziari e conta su un esteso network a livello globale, con focus principale in Europa. Customer-experience differenziante e sostenibilità al centro delle proprie attività sono i due pilastri della strategia ING, che trovano la loro declinazione anche in Italia.
Quali pensa che siano gli aspetti più interessanti del suo lavoro di un DPO?
Ciò che trovo affascinante della gestione dei dati, è il fatto che colui che sa dove si trovano i dati e come gestirli, può influenzare attivamente le scelte strategiche dell’organizzazione. In questa materia, ciò che conta davvero non sono le conoscenze, che domani saranno già vecchie, ma l’attitudine a trovare le risposte nel modo più rapido possibile. Il lavoro che faccio mi piace tantissimo, perché mi permette di interagire con tutte le funzioni e i livelli dell’organizzazione e di apprendere tutti i giorni qualcosa di nuovo per migliorarmi e cercare di essere sempre più a servizio dei colleghi.
How do you think the role of the DPO has evolved?
The role of the DPO has changed a lot. At middle-management level there is greater widespread knowledge of the subject, while at top-management level it would be important to convey a greater sense of urgency and to devote the right attention, with adequate resources, to data protection controls. Certainly, over the last 3-4 years there has been exponential growth in accountability within organizations, to which the spread of rulings and sanctions has undoubtedly contributed. The evolution I see in the sector is centered on greater use of technology in the processes that enable change, to ensure that controls on the protection and valuing of data are managed end-to-end in business processes. I have certainly noticed a growing value placed on data and on the use made of it in the digital world, with new tracking tools. On the web, these will have to be developed with particular care, so that companies can be close to customers by providing them with targeted information, without overstepping the necessary limits. Structuring business activities correctly can make it possible not to lose valuable opportunities for both companies and users.
What, on the other hand, deserves more attention?
In general, looking at what is happening across all sectors, I believe that the development of more effective risk-management controls, centered on objective and measurable criteria, deserves more attention. When we talk about risk, we should not focus exclusively on the sanctions that could result from inadequate conduct, but also on ensuring that ever more secure and efficient services are delivered to users, so as not to undermine a value that is central to the relationship between data controller and data subjects: trust. No processes or controls can avert every risk 100 percent; it is therefore important to carry out precise analyses in order to make informed decisions. To do business, sustainability must also be taken into account, and it should be one of the central components of organizations' strategies.
“When we talk about risk, we should not necessarily mean sanctions, but pay attention to reputational risk and the risk to customer trust.”
How can the correct use of data support business strategies?
Data analysis is an excellent opportunity if done with competence and with the right people. The key is to speak with the business using the same language and to support it sustainably by promoting a culture of awareness. One of the biggest problems is that the data companies have at their disposal often goes unused, or they do not know how to use it to extract value. This applies to any company that uses data to do business, but in banking it has different operational implications for the way business is done. In this context, it is important to ensure, for the future, a user experience that performs ever better and responds to customers' needs in order to make the most of the data. At ING, for example, we support customers in identifying the products that best meet their needs, relying on a clear communication strategy that also aims to make them understand the real benefits of using data for specific purposes, so that customers can make informed choices about the Bank's use of that data.
What do you think is the key to performing the DPO function at its best?
To perform the DPO function adequately you need strong skills and an aptitude for keeping constantly up to date. The ability to listen and to interact clearly and transparently at all levels of the organization is decisive in ensuring support that is functional to its needs. The concept of adequacy, in my view, captures the essence of what the DPO function should guarantee: excellent skills and aptitudes are not enough if they are not put at the service of the organization in a dynamic and proactive way. Adequacy reflects precisely this concept, namely the ability to be what the organization really needs, taking into account how it is structured and the value it sets out to promote. In data protection we often talk about the concept of accountability; this is precisely because the legislation sets out the requirements to be met and then grants organizations room for maneuver within those requirements. This is an exceptional opportunity for organizations, which have the chance to apply the requirements and standards in practice in a differentiated way. It is important that organizations equip themselves with the right people for the goal of generating value in the medium to long term.
“The concept of adequacy is a key word: the approach adopted must first of all be adequate.”
Can you tell us more about the collaboration with the Italian Data Protection Authority (Autorità Garante per la Protezione dei Dati Personali)?
In recent times the Italian Data Protection Authority has proved increasingly enterprising and proactive, providing concrete support to organizations in interpreting requirements and determining the standards to be met. In particular, this proactivity has been seen in the banking sector, where since November of last year a working group has been set up, under the patronage of ABI, comprising the major credit institutions operating in our country, among them ING Italia. The aim of this initiative is to promote a proactive and dynamic dialogue with the Authority on complex issues, in order to clarify how to interpret certain requirements and to guide the adoption of adequate risk-management controls. Particular interest in the interaction with the Authority has been devoted to the role of the DPO, with discussions launched with all operators in the banking sector to understand how organizations are structured on this front from an organizational point of view and what the areas for improvement might be. In addition, the Authority is also paying particular attention to the protection of minors, an extremely important area for promoting a culture of data protection towards individuals who are increasingly exposed to risks when using the tools offered by information society services and the web.