«Data protection is everyone’s responsibility»
After working for the Swiss Federal Railways for 23 years, Jonathan Keller found his way to Digitec Galaxus and has been our data protection officer for a year. Data protection is a very important task for an online retailer with several million customers. I talked to Jonathan about his experience at Galaxus so far and how he’s planning to build awareness for data protection.
Facebook’s parent company Meta has been fined 390 million euros for data protection violations. That’s a headline no company wants to read about itself. What about data protection at Digitec Galaxus? Is our customers’ data safe? Are you afraid of fines?
Luckily, our business model is quite different to Meta’s. We sell products, not data. From that point of view, I’m not worried about massive fines. What’s more, the trust people have in Galaxus and Digitec is a precious commodity. Data loss would be a disaster, especially because we’ve only just launched our services in countries such as Austria, France or Italy. We do everything technically possible to protect data. But to speak of 100 percent security would be a lie. There’s always a need for optimisation and there’s never a guarantee.
What can customers do to make sure their data is secure?
Experience shows that a surprisingly large number of people use only one password for multiple platforms. It’s worth making the effort to choose a new password for every platform. On top of this, passwords should be complicated and use different spellings, numbers and special characters. There are password manager tools that simplify working with passwords. Of course, these tools could be hacked as well, in theory. But the risk of this happening is much greater if the same password is used numerous times. Two-factor authentication, i.e. logging in with an additional security element, is also worth activating. It offers greater protection of user accounts. Galaxus offers this option. Here’s how to activate two-factor authentication.
How did you become a data protection officer at Galaxus?
It might be easier to say what I didn’t do to get here: I’m not a lawyer. I worked for the Swiss Federal Railways (SBB) in marketing, then in IT project management. Data protection has been important in marketing and IT for a long time. In 2018, when the General Data Protection Regulation (GDPR) came into force in the EU, many Swiss companies were ill prepared. The issue was known, but no one dealt with it. That’s how I got into it – and eventually decided to stay in this area. I think I might have found a niche quite unintentionally – knowing about the legal side of data protection as well as understanding the business side. By the way, it’s an exciting time in Switzerland, too, as a new data protection law is introduced this year.
So, is having a marketing or IT background a must if you want to become a data protection officer?
No, not at all. But I believe the subject is easier to deal with if you have experience on the business side of things. In addition, things can quickly become very technical when dealing with data protection. The legal aspects can be complex, but it’s possible to understand them even if you’re not a lawyer. After all, data protection affects us all in our everyday lives, so we’re going to bump into it every now and then.
You joined us about a year ago. How aware are Digitec Galaxus employees of data protection? Are people happy when you show up or do they roll their eyes and think «Oh no, it’s the privacy guy again...»?
I’ve found people and the culture to be really open. There’s a lot of interest in the subject, which isn’t a given. I’m sure some employees were happy to see the company invest in data security.
How did teams respond to you?
Well, some departments are more affected than others. Marketing, customer service or HR, for example. But our Product Development department also has to consider data protection when they build new features for our shops. There are very few differences in departments’ reactions. I’d say the teams that are more affected are particularly willing to collaborate. Of course, there are discussions from time to time, too. After all, complying with regulations can mean additional work. This can be challenging, especially when teams are trying to get things done quickly.
How do you experience the work culture at Digitec Galaxus?
The company’s values are available online and employees really do stick to them. All companies talk about values, but at Digitec Galaxus, people actually live by them. It’s fascinating that a start-up groove has been kept, even though the company has more than 2,500 employees.
Currently, you’re a lone warrior in data protection. Can it stay that way?
I may be the only one with this job title, but there are data privacy representatives in all departments and I work very closely with our IT security team. Data protection is everyone’s responsibility. As an example, all customer service agents need to know the basics in their area. This is why we do customised training for all departments.
I’ve heard that employees have to pay penalties themselves if they commit a data protection offence. Is that true?
In the EU, not the employees but the companies are liable – and the fines can be high. This is a big difference to the new data protection law in Switzerland, where private individuals can actually be fined – and a fine can be up to 250,000 Swiss francs. But something serious has to happen for such a high fine to be given. Employees who know and adhere to the basics have nothing to fear.
Thank you very much for the interview!
Photos: Christian Walker

A soft spot for good series, loud music, science fiction and (second division) football. As PR Manager, I am available to answer journalists' questions about Galaxus and honest e-commerce.