As part of our Captains of Privacy Industry Interview series, Lawrence Brown, Sr. VP Legal, Houston had the fortunate opportunity to connect with privacy evangelist Anne Fealey, Global Head of Privacy for Citi. As a proven leader of privacy and information management, Anne is passionate about privacy, the appropriate uses of personal data and the exciting power of data to do great things. Rather than opposites, Anne views these as aligned principles. And her impressive career path with American Express, Prudential and Citi reflects that. We’re thrilled to share Anne’s invaluable insights with you. Enjoy!
Q: What does Citi do?
Citi is a global bank with a mission to provide financial services that enable growth and economic progress. We have over 200 years of banking experience and serve both consumers and institutional clients in more than 160 countries and jurisdictions around the world.
Q: And tell us about your background / path to your current role?
While I was working at American Express in the merchant business negotiating contracts for the sales and marketing teams, privacy increasingly became a key component in many of the negotiations. I later moved from that role to become the global head of privacy for that business and established its privacy program. After seven years, I left American Express for an opportunity to take on the role as the first global Chief Privacy Officer (CPO) at Prudential Financial. In 2018, I became the global CPO at Citi.
Privacy Team Structure and Management Best Practices
Q: You clearly have experience setting up several privacy teams from the ground up. If you were to design a privacy team from scratch, where would the role report? General Counsel/Chief Legal Officer? CCO? COO? Chief Risk Officer? CEO? Etc.
I believe that where the privacy team sits within the broader organization will vary depending on the company. Ultimately, the CPO function should be in the area where it can be most effective, whether that is within the business, in operations, information security or risk and compliance. In very large companies with many different businesses, it is very difficult for a single team to understand the many components and complexities when it comes to personal data. As a result, it is critical to build out a privacy team across the businesses and functions. I believe that buildout is the foundation for a good privacy program. A central privacy team that provides a comprehensive framework and structure (policies, training, tools, etc.) should support the business privacy team. And the cross-functional partners support both teams.
Q: Cross-functional communication and collaboration are obviously key in a successful privacy program. What players need to be peers? CISO? Others?
Depending on where the privacy team reports, the cross-functional partners will differ, but Information Security and Legal will always be essential to an effective privacy program. Compliance and Risk enable the privacy program to align with methodology around reporting for how a company complies with privacy laws and regulations and how it identifies and controls for privacy risks. Other groups that often get overlooked but are just as important are the Government and Public Affairs teams since they often work closely with the privacy team to understand emerging privacy laws and regulations. The Marketing teams also help the privacy professionals understand how their company collects and uses personal data in marketing campaigns. It really does ‘take a village.’
Q: Many companies have moved to having a lawyer in the top privacy spot. Why not Chief Privacy Counsel? Or General Counsel for Data? Does “CPO” title create an expectation that there is no attorney/client privilege? Does the ‘counsel’ add on generate the expectation of privilege?
I believe that counsel’s role is to provide advice, not make decisions. The CPO similarly provides advice, but often will be asked to make or assist the business in making decisions. For that reason, I believe the roles should remain separate. Traditionally, CPOs have had legal backgrounds because the initial understanding of how companies managed privacy risks was based on laws and regulations. So that legal background helped (and still helps) with that understanding.
Q: Is the proper scope of the role “just privacy” or a broader umbrella that might include data governance, data ethics, InfoSec, data monetization, privacy compliance, consumer trust & safety, law enforcement response, privacy public policy, etc.?
Again, I believe this will depend on the company. That said, I believe the scope of the role has to change as technology changes and the use of technology increases across all areas of business.
Q: In light of this shift, is “Chief Privacy Officer” still the right title?
I think we already are seeing a shift in titles, but for now, the CPO title still works.
Management and Operations
Q: The pace of change in privacy is accelerating, and yet the more things change, the more it seems basic data hygiene stays the same. Are you concerned about the pace of change? Broadly speaking, what is your strategy for change so that you don’t have to iterate the program forever for every slight difference?
This question reflects a big part of my planning for the next few years. The pace of change today is intense. Companies can’t simply react to those changes, but must be more proactive. I believe that a privacy program should be assessed against a desired privacy framework (the new NIST Privacy Framework, for example) to determine where the program can and should mature. The levels of maturity desired may differ between companies and industries depending on risks and risk appetites, but creating project plans for reaching that desired level of maturity helps privacy programs to manage change more proactively.
Q: What are the key factors you look at in hiring outside counsel?
Hands-on experience in the field and in the industry – every law firm now has a ‘privacy practice’ but there’s a lot to be said for experience. It is not easy to craft a good outward-facing privacy notice!
Q: Lots of new hiring these days. What are the top 1 or 2 must-haves when you look at a candidate? How much does exactly on-point legal experience matter compared to, say, project management or the ability to craft a simple business solution? What advice would you give an up-and-coming privacy lawyer?
The experience will depend on the role, of course, but I always look for interest in learning and the ability to work with ambiguity. Right now, privacy professionals are in demand. Something I do is to consider how experience in other areas can be leveraged, and then train someone on privacy specifics, especially when hiring at the entry level. I believe that on-point privacy experience is not as important for someone just out of law school or in the early years of their career. For someone who wants to enter the field or make the switch, I would recommend that they join the International Association of Privacy Professionals (IAPP) and utilize the tools and the community that the IAPP has to offer.
Q: What is the top privacy or data security issue that keeps you awake at night?
I tend to sleep pretty well but the risk of a data breach would disturb that. Breaches are difficult to avoid completely and they must be managed quickly and effectively to ensure that any potential harm to customers and employees is mitigated. In a breach situation, the effort needed to get the situation under control is time-consuming and replaces all other work. But that doesn’t mean the other work goes away.
Q: Anything else you’d like to share?
When I was in law school, I was the student who was looking into ‘alternative’ or ‘non-traditional’ legal careers. So landing in the place I am, where I have found great job satisfaction and enjoyment in working in the privacy field, has been fabulous. But the best part for me is working with such a diverse group of professionals – my colleagues across the world from many different companies are extremely intelligent people who are passionate about their work, and are always willing to share their knowledge and experience. They inspire me every day. I encourage anyone considering a career in privacy to come join us.
A proven leader of privacy and information management, Anne Fealey advises businesses on privacy controls, conducting privacy impact assessments, creating privacy control testing and monitoring, and developing privacy training, while enabling the appropriate use of data to help customers and clients. As the Global Head of Privacy at Citi, Anne sets the strategy around the appropriate use of personal data.
Prior to joining Citi, Anne served as Chief Privacy Officer for Prudential Financial, where she directed Prudential’s global businesses and functions in privacy program management, data analytics projects and digital initiatives. Prior to that, Anne served as the data governance lead for the merchant and network businesses at American Express. Anne received her JD from the College of William and Mary, and has written several published articles, including one discussing privacy as a property right.