Interview Series: Jennee DeVore, Corporate Counsel

2fg5opqxsmddpldq7gla Kyle Schryver December 07, 2018
Data Privacy Interview Series Legal Legal Counsel

DataGrail recently interviewed Jennee DeVore, Corporate Counsel at Penumbra, to bring you insights from a leading legal professional in the field of data privacy.

Read on to learn more.

DG: What is your role at Penumbra and what inspired you to pursue legal work, specifically within the medical field?

JD: For the past 8 years as a lawyer and a few years while I worked and attended law school, I’ve specialized in supporting life science. Currently, I’m Corporate Counsel at Penumbra, Inc. — a global healthcare company that designs, develops, manufactures, and markets its own medical devices. In this role, I support contracting and compliance needs for global operations for the company, and among those tasks, I support anything and everything concerning information security, data privacy, and information management.

I’m a biology geek at heart, so it was a natural fit for me to support the life science industry with my practice of law. As a lawyer, I love interacting with research and development teams and helping navigate the regulatory landscape that governs the process of bringing a drug or medical device to market.

DG: As Corporate Counsel, how do you interface with internal business teams at Penumbra?

JD: As with any company, it’s helpful if the internal teams loop in the legal team early and often to help make the business run smoothly. In-house counsel can serve an advisory role in risk mitigation and educating the teams on relevant legal/regulatory aspects. In fact, I hear of more and more companies expanding their legal team’s role to a holistic approach where the lawyer at the table can provide both subject matter expertise on legal and risk while participating in the decision making process along with the business team.

DG: With the introduction of the GDPR, how have you trained the internal teams at Penumbra?

JD: I’m fascinated by the topic of training and change management, and I continue to think about how to make training topics interesting and memorable. When planning the initial phase of training for GDPR compliance, our team interviewed training experts and a few of our company’s internal business partners to determine the types of approaches to training that worked for them — and repeated microlearning was a common theme.

For the first phase of data privacy training, we decided to try out the repeated microlearning approach. We led groups through an interactive overview of information security, including concepts of data privacy, and then specific teams were guided through data privacy particulars relative to their business/practice area. Additionally, while updating our Article 30 records of processing activities (RPA), the small groups that were interviewed for that process were also provided further guidance and training specific to the processes captured in the RPA. While the efficacy statistics haven’t been reported, the intention of this approach was to present the data privacy related items in small chunks of digestible information over a period of time to encourage retention of the information through continued intellectual engagement on the topic.

DG: How can legal teams prepare for upcoming regulatory changes, specifically the CCPA and other legislation being implemented in different regions?

JD: As changes develop, a common practice is for the applicable teams to perform a gap analysis of the new regulation against existing processes and procedures. This gap analysis can then be used to frame what is needed to update applicable processes and procedures into compliance with the new regulation.

GDPR is often referred to as a benchmark for data privacy regulations. I’ve heard anecdotally that many companies struggled through the amount of work that was needed to become GDPR compliant. Therefore, along with that thought, it seems that GDPR compliant companies will have a good start towards any process and procedure updates necessary to adapt to data privacy regulatory changes, including if CCPA applies to their respective business.

DG: How can businesses reassure customers that their privacy and personal data is handled with care by the data protection team?

JD: I’ve heard a number of times that privacy policies are a valuable marketing tool. As an example, I think 23andMe has worked hard to brand privacy as a core tenant of the company. They reworked their web pages in, not only in a highly-aesthetic way but to provide clear and transparent communication concerning the company’s treatment of its customer’s data. I anticipate that this approach will become part of the customer expectation. For me, personally, the form and content of a privacy policy is an easy way for me to evaluate the maturity of the company’s privacy compliance.

Check out our previous Interview Series with Melanie Kennedy, Vice President and General Counsel at MarketStar!

About the Author: Kyle Schryver is a Growth and Marketing Content Intern at DataGrail. He’s an eager worker, producing targeted content designed to provide actionable insights and solutions to readers. You can find him on LinkedIn and contact him at kyle@datagrail.io

Like what you read? Sign up for the Weekly Grail to receive insights in data privacy. Something went wrong. Please try again.

Thanks! Check your inbox to verify your email.