One of the many high points of JW Michaels is partnering with the most sought-after and talented leaders across a range of industries. Recently, Lawrence Brown, Sr. VP Legal, Houston had the fortunate opportunity to connect with privacy icon Orrie Dinstein, Global Chief Privacy Officer at Marsh & McLennan Companies (MMC) and former Chief Privacy Officer at GE Capital. As a proven expert in Privacy and Data Protection Law, Cybersecurity law, Information Governance, Data Analytics, and AI, Orrie shared invaluable insights from his impressive history working with complex organizations in the financial services industry.
Q: What does Marsh & McLennan Companies do?
A: We are a global professional services company with a focus on risk, strategy and people. We have 75,000 employees in over 130 countries, so this is a large organization with clients literally all over the world.
Q: And tell us about your background.
A: I started my legal career as an IP litigator. My privacy journey began in 1998, writing privacy policies for websites, but it really took a more serious turn when I joined GE Capital in 2001. Over my 13 years there, I set up and ran three privacy programs, ultimately serving as the CPO of GE Capital. In 2014 I moved to MMC as their first global CPO.
Privacy Team Structure and Management Best Practices
Q: Orrie, you clearly have experience setting up several privacy teams from the ground up. If you were to design a privacy team from scratch, where would the role report? General Counsel/Chief Legal Officer? CCO? COO? Chief Risk Officer? CEO? Etc.
A: My short answer is the role should report where it can be the most effective and that will differ between companies. In my first CPO role at GE, I reported to the CCO, and then I got moved under the GC. In my current role, I first reported to the Chief Risk & Compliance Officer, but now I report jointly to the CIO and the CCO. No matter who you report into, I would say that you want two key elements from your placement in the organization: (1) being visible and effective and (2) being in a position where you are keyed into what’s going on. To me, the first element usually supports a reporting line into Compliance, and the second element means having a reporting line into IT. I have that dual reporting structure in my current role, and it works really well.
Q: Cross-functional communication and collaboration are obviously key in a successful privacy program. What players need to be peers? CISO? Others?
A: Privacy touches all parts of the organization because there’s data everywhere. I see IT and Operations as the core partners. Information security is a second key partner because privacy and security go hand in glove, and when things go wrong, we need to be aligned and work together. The other key partners are HR for employee data, Vendor management for all vendor interactions, and of course the broader Legal and Compliance team provides a lot of our core support in terms of resourcing and support with our day to day work like contracting. While not one of the key players we regularly interact with, I’ve also found Internal Audit to be a really effective partner. So it really takes a village, and here at MMC, these are all great partnerships that help me do my job effectively.
Q: Many companies have moved to having a lawyer in the top privacy spot. Why not Chief Privacy Counsel? Or General Counsel for Data? Does the “CPO” title create an expectation that there is no attorney/client privilege? Does the ‘counsel’ add-on generate the expectation of privilege?
A: This is a tough question! Let me start by saying that I would not put a “chief privacy counsel” in charge of a privacy program because, at its heart, the CPO role is not a legal role. So the question then becomes should a CPO always be a lawyer. As a lawyer, I have always had a bias for hiring lawyers to my team in the senior roles because a CPO needs to be able to give legal advice and be able to interpret the law, and I always found it a bit of a strange construct where a CPO needs to consult the privacy counsel in order to give advice. But the reality is that many non-lawyer CPOs know the law as well as the lawyers (if not better) and they rarely go through the formality of consulting legal unless they need to issue formal advice. I have also found that privacy professionals with compliance orientation tend to have a much stronger operational sense and business understanding compared to lawyers. And I can tell you from experience in my own team that our non-lawyers bring a level of business and operational savviness that really brings great value. So at the end of the day, I think there’s no right answer here – there are great CPOs out there who are lawyers and great CPOs who aren’t. The key is to get the right person and if there’s a need for a CPO to work closely with a “chief privacy counsel” to make sure their roles are well defined and there’s no competition over who does what.
As to the attorney/client privilege, clearly where you have a lawyer in the role, it is easier to assert the privilege but let’s not forget that the privilege doesn’t apply automatically to everything I do or say simply because I’m a lawyer. A lot of the CPO work is not privileged by nature. And where it’s important to assert the privilege, companies can easily get the work of the CPO covered by attorney-client privilege (usually through what we call in the U.S. an “Upjohn letter”).
Q: Is the proper scope of the role “just privacy” or a broader umbrella that might include data governance, data ethics, InfoSec, data monetization, privacy compliance, consumer trust & safety, law enforcement response, privacy public policy, etc.?
A: This is a great question, and it is actually part of a transition that is occurring in the way CPOs are looking at their roles and the way companies are looking at the CPO role. Basically, this is all driven by the rise of the importance and value of data. Most companies don’t have a data czar, and they also don’t have a data lawyer, so on both sides when they look around, often all they see is the CPO. And this means CPOs are increasingly asked to weigh in on broader data questions like governance and quality and ethics. But in the last few years, there’s been an emergence of a new role of the Chief Data Officer or CDO. These come in many flavors with some focused on technical elements like building data lakes and managing the data, others are data scientists and focus on the analytics, and others come from a data governance angle. These are all different disciplines, and they require different skills, and sometimes these roles don’t sit under the same structure, leaving a gap in coordination. Add the CPO, the CISO, and maybe a few others who have a stake in data, and it can get messy quickly. So sometimes someone emerges as the leader of the group. And if that leader is not the CPO, then the CPO needs to make sure that his/her role in this structure is understood and valued. The risk CPOs face is that the data discussion is moving away from a privacy/compliance-driven discussion to more of a technical or operational discussion where the CPO’s role is reduced. And of course, the CPO should always make sure he/she is involved in the data strategy and planning discussions with all of these players before the final strategy becomes crystalized so they can make sure to build in privacy by design elements before it’s too late.
Q: In light of this shift, is “Chief Privacy Officer” still the right title?
A: For now it is but as noted above there’s a change happening and I think that in the next 2-3 years we will see more variability in the titles. It reminds me that when I started working at GE, my title had “e-commerce” in it, and GE had a “chief e-commerce lawyer.” One day in 2003 he told all of us that he was changing his title to “chief privacy officer” and we were all shocked that he was not going to have “e-commerce” in his title. Now you would be hard-pressed to find a lot of people who even understand what e-commerce means! So I predict that in a few years we will see a change and maybe “privacy” won’t even be part of the title. And then I have to wonder what the IAPP will do to its name…
Q: How does the CPO role sync with GDPR’s DPO? Different roles or semantics and the same person?
A: Great question. I think the jury is still out on what the European regulators expect from the DPO role. We see a lot of variability in how companies have defined the role, where the DPO sits and what they are expected to do. Some companies are clearly treating the role as a strategic one, and on the other end of the spectrum, I see cases where it is treated as a somewhat junior, bureaucratic one, and most DPOs fall somewhere on that spectrum. I think the DPO title will remain and the DPO role will remain a somewhat narrow role simply because the obligations of the DPO are prescribed in the GDPR and that includes a need to avoid conflicts of interest. So I think it will be hard for DPOs to evolve into a broader data-driven role that the CPOs seem to be pulled into.
Management and operations:
Q: The pace of change in privacy is accelerating, and yet the more things change, the more it seems basic data hygiene stays the same. Are you concerned about the pace of change? Broadly speaking, what is your strategy for change so that you don’t have to iterate the program forever for every slight difference?
A: The pace of change is my number one concern. We all emerged from a two-year blitz to comply with the GDPR just to fall right into CCPA and LGPD, and of course, there are new laws all over the world and changes to existing laws, and in the U.S. there’s a constant barrage of new state-level laws. Just reading all the alerts I get requires a few hours every day! And then actually doing something about all these laws feels like an endless game of whack-a-mole. So to me and many of my peers I think the path forward is emerging in the form of a set of global principles we apply everywhere with modifications on unique elements like appointing DPOs or dealing with data localization restrictions on a case-by-case basis. And that, of course, is easier said than done but as a concept, I think it is where we are heading, and we are spending a lot of time on defining this path forward.
Q: What are your key factors for determining staffing levels? Department budget?
A: I think any CPO on the planet will tell you that they are short on staff and their budget is tiny. Certainly, if we compare ourselves to the information security teams, we fall short by a lot. But to me, the answer is not to think about this narrowly. Going back to the partnerships I mentioned, the key to success is leveraging these partnerships. Getting people from other functions to help champion privacy and to support our projects and to pay for things is the way forward, and it doesn’t all have to fall under the CPO. For example, for GDPR, we had some 700 people working on the project, and we spent in the seven figures. This was not my team and not my budget. But we got the work done, and that’s what matters. And now for CCPA, we are similarly marshaling resources and budgets well beyond the core privacy team and budget.
Q: What are the key factors you look at in hiring outside counsel?
A: I have two core requirements. First, expertise. If you don’t know the answer when I call or within a short while afterward, then you’re probably not the right lawyer. Second, practicality. Privacy laws are often really hard to apply in reality, and there’s a lot of creativity that needs to go into translating what the law says into what we think the regulators expect and what is practical in a business setting. Most regulators I have spoken to are practical and rational, and they apply the law based on something other than a dry reading of the words. I like to work with outside counsel who understand that and ideally have those insights from the regulators. Just telling me what the words are in section X of the GDPR or the CCPA or telling me how big the fine will be if I’m not in compliance doesn’t provide any value.
Q: Lots of new hiring these days. What are the top 1 or 2 must-haves when you look at a candidate? How much does exactly on-point legal experience matter compared to, say, project management or the ability to craft a simple business solution? What advice would you give an up-and-coming privacy lawyer?
A: My view is that experience matters, but there’s a shortage of experienced privacy professionals. We have a huge number of newbies in the profession, and that means you sometimes need to compromise on experience. The two things I find most valuable are brains and attitude. A smart person who likes and wants to do privacy will learn what they need to be successful. An experienced person who is not as smart or motivated will often not be as productive. I should add that a CIPP certification helps because to me, it shows a commitment to the profession. It’s not about studying and passing the test; it’s about the need to maintain your certification through constant CPE credits. That tells me this person is invested in privacy as a career. And then, of course, we get to more specific needs so, for example, I strongly value the need to have a good PM on my team, and that’s a unique skill set. A good PM is worth more than just adding another privacy person to your team because they bring unique skills and so much of what we do these days is a project by nature and requires the right skills to manage it and move it forward. So my advice to new privacy professionals is to make sure you can show how you will provide value on day 1. Companies aren’t law firms – we don’t have time to teach you and grow your skills and knowledge over several years. We need people who can function well from the day after they walk in the door.
Q: What is the top privacy or data security issue that keeps you awake at night?
A: I tend to sleep quite well, but obviously, I worry the most about data breaches. They are hard to totally avoid, and when they happen, you can find yourself in a world of hurt from clients, regulators, and other constituents. That will totally destroy your ability to do anything else while you’re managing the crisis and therefore breaches are a huge disruption to your work. So that keeps me up, not just because of the fear of having to deal with the fallout from a breach but just as much because I fear it will take me away from doing my day job.
Q: Anything else you’d like to share?
A: I started my career as an intellectual property litigator. I morphed into an e-commerce lawyer, and from there, I shifted into technology and privacy work with a short stint working on Y2K matters. Along the way, I worked on a lot of new and emerging issues, and I have to say that of all the things I worked on the privacy work has been by far the most interesting and also the most satisfying. When we do what we do as CPOs, we have a unique role because we are always keeping one eye on what’s right for the company, one eye on what’s right for the individuals whose data we manage and a third eye on what the regulators expect from us. It’s never just about the bottom line, and that’s very satisfying. Additionally, emerging technologies are giving rise to new issues, and that keeps us constantly on our mental toes and makes it so much fun. When I think of the issues I handled 5, 10 and 15 years ago, some of them haven’t really changed much, but there’s a lot of fresh and challenging concerns to contend with (such as AI, Blockchain, Internet of Things) and even more new things heading our way in the coming years. So I think this is the best legal profession to be in and the best time to be in the privacy field.
ABOUT ORRIE DINSTEIN
Orrie Dinstein is the Global Chief Privacy Officer at Marsh & McLennan Companies (MMC). He has global responsibility for data protection, and he works closely with the Legal & Compliance, IT and Information Security teams, as well as other functions, to establish policies, procedures, processes and tools related to privacy and data protection matters. Prior to joining Marsh & McLennan, Orrie was the Chief Privacy Officer at GE Capital.
Orrie received an LL.M. degree in intellectual property from NYU School of Law and is a graduate of the Hebrew University of Jerusalem School of Law. He is a member of the New York State Bar and the Israel Bar. He is a Certified Information Privacy Professional (CIPP) and a frequent speaker on privacy, security, technology and social media matters.