DataGrail recently interviewed Alexandra Ross, Director, Global Privacy and Data Security Counsel at Autodesk, to bring you insights from a leading legal professional in the field of data privacy.
DG: How have you seen the data privacy landscape change from a legal perspective over the past 3 years?
AR: GDPR, the comprehensive European privacy law that came into effect in May of 2018, was a watershed event. Due to large fines and obligations regarding accountability, it forced companies worldwide to develop a global privacy program or increase their investment in privacy compliance.
AR: We’ve also seen regulators’ enforcement priorities move beyond data breach and security issues and towards data use and alleged misuse. Prime examples are the cases against Facebook related to sharing data with Cambridge Analytica and the Google vs CNIL case regarding cookie notice and consent.
In the past 3 years, we’ve observed an increase in the number of countries, states, and municipalities enacting laws that regulate data protection and privacy — some based on EU principles and the GDPR and some that aren’t.
The complexity of the legal landscape in this area intensifies the challenge of developing global privacy programs. In addition to changes in the legal landscape, the acceleration of technologies, such as AI and Machine Learning, raise new ethical issues and impact how society at large grapples with data privacy.
DG: What is your favorite part of working in data privacy?
AR: I enjoy delving into a range of issues and the opportunity to use systems thinking — the holistic approach that focuses on how the parts of a data protection program are interconnected. I’m involved in high-level strategy and governance as well as tactical program review and audits.
In one day, I might collaborate with data governance stakeholders on issues of accountability and organizational structure, develop data strategies, review our incident response process, and work with our government affairs team to provide input on policy issues and the practical impacts of pending legislation.
DG: How can legal teams prepare for upcoming regulatory changes, specifically the CCPA and other legislation being implemented in different regions (Nevada, NY)?
AR: First, find ways to gather the relevant information — either from within your legal and government affairs teams, outside counsel, industry organizations like BSA, or privacy organizations like the International Association of Privacy Professionals (IAPP) and the Future of Privacy Forum (FPF).
The next step is to follow a principles-based approach: identify what aspects of new laws and regulations are currently comparable to the privacy framework and methodology of your company and what’s new or different. For example, the CCPA has certain similarities to GDPR but some major differences, including the broad definition of personal information and the requirement to provide an opt-out for ‘sale’ of data.
Depending on the risk tolerance and culture of your company, you may choose to incorporate the new obligations across your global privacy program or only implement them in certain areas.
DG: What inspired the creation of The Privacy Guru, and how has it helped you develop your expertise as a privacy professional?
AR: I launched the Privacy Guru blog in 2014 and published an ebook, Privacy for Humans, shortly thereafter as a way to express my creativity and connect with other privacy professionals and technology users. My intent is to promote the mindful use of technology and encourage thoughtful and informed discussion on a range of data privacy and security topics.
The practice of putting my thoughts together to write blog posts and making meaningful contributions to the privacy discourse has helped me develop discipline, increased my depth of knowledge, and given me admiration for writers who do this full time. Writing the blog serves me in a similar way to seeking out and participating in speaking engagements.
DG: How can companies with a strong foundation in security improve privacy for their users?
AR: I would suggest leveraging existing security programs, resources and stakeholders to address privacy compliance needs. For example, incorporate privacy controls and ‘by design’ principles into existing enterprise security controls and a security-by-design framework for product development.
DG: With growing privacy awareness from consumers, how might technology companies build trust with users regarding their privacy practices?
AR: Transparency is key — review your privacy statement, Trust or Privacy Center, and include information that is relevant and impactful to your customers. Gather data from your sales and customer support organizations so that you can better understand customer concerns and address those issues with enhanced customer-facing information, FAQs, and playbooks for your internal teams, or even public statements from your executives.
As more privacy certifications become available, that will also be a way to demonstrate compliance and accountability — as companies can do now for security with SOC 2 certifications.