Interview: Ericka Watson, Chief Privacy Officer at Regeneron

Ericka Watson is an accomplished leader, ethicist, technologist, data and legal strategist; she is an architect of enabling and innovative program designs and teams. She has been the Chief Privacy Officer at Regeneron Pharmaceuticals for the past five years, a leading biotechnology company using the power of science to bring new medicines to patients in need. She has strategic and tactical experience developing and implementing global comprehensive corporate privacy programs and cross-business working environments in the management of regulated data.

She leads with passion and is responsible for leading efforts to safeguard personal data through global data privacy compliance strategies in alignment with the corporate vision and provide legal advice on a wide range of business matters and strategies related to data, security and technology.

Ericka started her career with an excitement for data ethics and the law at GE Healthcare, where she developed and drove their privacy program. She expanded her expertise in healthcare privacy when she joined AbbVie, a global biopharmaceutical company, as their senior privacy leader. She later rekindled her love for technology when she joined Danaher Corporation, a global science and technology innovator committed to helping customers solve complex challenges and improving quality of life around the world, as their Global Data Privacy and EU Data Privacy Officer. She drove global efforts for these companies, which led to enabling compliance with data protection requirements through strategic partnerships, legal analysis and application, implementation of tools, and awareness programs.

Ericka is the past-chair elect of the ABA Science and Technology Section, and is still very active in the section.  She is also currently a board member of the International Pharmaceutical and Medical Device Privacy Consortium (IPMPC) Planning Committee. Ericka received her bachelors from CUNY-Hunter College and earned her juris doctor from the University of Wisconsin - Madison. She lives in New York with her husband and two children.

Intro / Background & Experience

Q: What does Regeneron do?

Regeneron is a leading biotechnology company that invents life-transforming medicines for people with serious diseases. The company uses its deep clinical and scientific expertise to discover, develop, and manufacture treatments for a range of health conditions, including but not limited to, eye diseases, allergic and inflammatory diseases, cancer, cardiovascular and metabolic diseases, infectious diseases, and rare diseases.

Regeneron's unique ability to repeatedly and consistently translate science into medicine has led to seven FDA-approved treatments and numerous product candidates in development, all of which were homegrown in their laboratories. Their medicines and pipeline are designed to help patients with diseases ranging from the most common to the most rare.

Q: Tell us about your current role. Do you cover ‘just’ privacy?

In the role of Regeneron's Chief Privacy Officer, I would akin it to a compass, guiding the organization through a complex labyrinth of existing and emerging data privacy laws. My mission is to craft solutions that not only support compliance but also easily integrate into business operations.

A key aspect of my role is to empower the business to navigate data privacy laws with confidence and integrity. This necessitates close collaboration with key stakeholders across the organization, from the head of research development and IT to various law groups, human resources, and commercial teams, among others.

My responsibilities includes the creation and execution of a comprehensive data privacy program. This program is a mosaic of policies, guidelines, solutions technology, and training, each piece meticulously designed to fortify our commitment to privacy.

Q: What motivated you to pursue a career in privacy?

I was motivated to pursue a career in privacy very early. I realized the importance of data privacy as a major ethical concern during my time at New York Presbyterian hospital, Cornell University. Initially, my ambition was to enter medical school with the aim of becoming a neurosurgeon. However, my career trajectory took a swift turn as I began to dive into the complex legal, technical and ethical challenges associated with making medical data accessible to patients, doctors, and researchers.

The ethical concerns were very clear, invoking a sense of responsibility to commit to taking action to help prevent historical injustices from repeating themselves in the name of science, especially against traditionally underrepresented populations. I wanted to spearhead change and impact informed decision-making.

With my growing interest in bioethics, I began to understand and contemplate the ethical quandaries associated with the ease of access to sensitive data and the potential for its misuse. This started my journey that would lead me to become a champion for data privacy, a journey that continues to inspire.

Q: How did you develop your experience? What was your path to your current role?

At the time, it was very unique to go to law school with a focus on data privacy, but that is what I did.  I knew that I wanted to work on privacy legal matters before starting law school. I knew that I wanted to work in the field of health, because this is where I understood I could make the biggest difference. My first job in the area of privacy was working at the University of Wisconsin Medical Hospital as a legal intern in the privacy office, and then with the Center for Technology and Democracy supporting the Health Privacy Project as an intern. This gave me a great foundation and served as a launchpad for me to go in-house to GE Healthcare after law school.

Q: Although you are a lawyer, you never practiced in BigLaw. How has not having BigLaw experience impacted your career?  

It hasn't impacted my career in a negative way. Bringing on a fresh attorney into a company, there are concerns that a new lawyer would make mistakes, but companies were willing to take the chance with me. Working in big law affords you the opportunity to see new use cases across many clients, you are managed by a partner that is responsible for your work where mistakes are corrected before the client ever sees it. I think in-house provides a similar opportunity, but the clients are the business unit and the enterprise. Your manager is your sounding board, so you can catch your mistakes. I put in a lot of attention to making sure I understand the ins and outs of a legal matter in order to support the nimbleness of the business, I must identify multiple solutions and present the best solution to support the business needs. Working in-house helped me exercise not only my legal skills but also my problem-solving skills consistently. I love the opportunities that going straight in-house has gifted me.

Privacy Program, Ops, Development

Q: The latest trend amongst the Fortune 500 titans seems to be an expansion of the CPO role. Should CPOs be focused strictly on privacy? Should it continue to morph into an umbrella role covering privacy, cyber, trust & safety, AI, etc?

Privacy is a staple and should always be led by knowledgeable and experienced professionals. However, today's CPOs have a broad perspective and understanding of the business and many other legal areas. Should it morph? Not necessarily. Can it morph, absolutely.  CPOs are uniquely positioned to take on several other areas where data is the main driver. Privacy is getting pulled into discussion and strategy on AI governance. I’m seeing companies realize that their CPO is actually better titled with Data Ethics, Privacy & AI, etc… because they are identifying these process needs and taking the reins to raise awareness and to spearhead it.  I also believe that a CPO has transferable skills that would make them a good CCO or a GC.

Q: For someone not living privacy day to day, they might pick up a newspaper and think privacy only applies to meta or big tech. What message would you have about privacy in pharma?

Privacy is a universal issue that affects all sectors, including health care and pharma. In pharma, we deal with sensitive personal health data from clinical trials, patient support programs, adverse events, and employees. This data, if misused or handled, can have serious implications for those individuals. Violations of privacy requirements could lead to unauthorized use, identity theft, discrimination, or stigmatization for these individuals. Also, privacy is not simply about compliance with laws; it is also about building trust. There is a moral and ethical obligation to protect the privacy of the individual data we handle. It is my responsibility to do everything in my control to protect the privacy of the data we handle every day.

Q: How is privacy a value add to a corporation? Why do I need privacy folks involved in the launch of a tool/widget/service/ etc? What role should they play in the process?

Data is at the heart of business operations and often is data about people or derived from people. Privacy is a strategic tool and not simply a regulatory obligation. It is a value add that enables businesses to responsibly harness data, paving the way for innovative solutions that address both present and future business needs. Prioritizing privacy from the outset is a catalyst for business innovation, fostering trustworthiness with data subjects. This trustworthiness supports the tailoring of products and services.  

Q: How do you balance the need for innovation or research with privacy considerations?

As we adopt emerging technologies and consider novel solutions, we continue to be responsible for the protection of privacy. However, privacy experts can propose different compliance solutions that balance business considerations and risks to enable the innovation to be realized.

Q: How do you define success for you/your team? How do you work lead/manage your team to achieve those goals?

Several elements come into play when I consider what constitutes success for myself and my team. A key aspect is the diversity of backgrounds and thoughts, as I firmly believe in the importance of bringing one’s full self to the workplace. This allows us to challenge ourselves and foster growth and evolution within the data privacy office.

One measure of success that I frequently assess with my team is their level of satisfaction and continuous learning. I believe that passion is a vital ingredient in the work we do, and happiness and learning are fundamental to nurturing this passion.

When hiring, I look for team members who are not only dynamic in their problem-solving approach but also capable of demonstrating independence. As a leader, my role is to assist my team in achieving their goals. I do this by collaborating with them to refine legal conclusions and business solutions, support their positions, and advocating for their acceptance among business leaders.

Q: Particularly for lawyers looking to move in-house, they may not have experience working outside of privacy or legal. What do you do cross-functionally (for example, with IT, product/biz unit leaders, etc) to achieve success? What does that look like in practice?

Working in-house is a shift, as I consider knowing the business and deeply understanding the process and people a critical factor to being successful in-house. It is beyond understanding the laws to know what the business is capable of to demonstrate compliance and how one solution may impact many aspects of business progress.

Privacy Hiring

Q: What are the key factors you look at in determining your outside counsel?

The most important key factors for determining outside counsel is their knowledge of the industry, their ability to quickly provide work product, and global expertise.

Q: Lots of new hiring these days. What is the top 1 or 2 must-haves when you look at a candidate? How much does exactly on-point legal experience matter compared to say project management or ability to craft a simple business solution?

When hiring for a privacy lawyer role, it is critical that the candidates have demonstrable experience with applying privacy requirements to practical business scenarios. They should have a comprehensive understanding of the legal landscape that governs the industry they aspire to join.

Another important quality is adaptability and agility, as the business scenarios we navigate may rapidly evolve or change over time. Furthermore, the ideal candidate should be a compelling and influential communicator, capable of articulating complex ideas with clarity and conviction.

Q: For a privacy lawyer, is a technical (meaning IT) background important today? Should it be? Will it be?

No, but it would be helpful.

Q: What advice would you give an up-and-coming privacy lawyer/professional?

Although there are lots of new laws going into effect and being drafted, it is important to know the history and intent behind these laws and more established privacy laws. Also, find the time to understand how these laws may impact different industries.

Privacy Future

Q: How do you plan for needs of the future especially staffing levels? What are your key factors for determining staffing levels? Department budget? 

Regeneron is a swiftly expanding organization, and we've adopted an unconventional approach to staffing for privacy. We ensure each region is represented by a dedicated attorney, and for pivotal subjects such as genetics and AI, we employ specialized privacy attorneys. However, our strategy extends to resources within the business that foster collaboration and privacy compliance. Our budgeting process is dynamic, reflecting the financial needs for each year as we continue to grow and evolve.

Q: In a rapidly evolving privacy landscape, how do you ensure that employees stay informed about emerging threats and best practices?

Communication is key, and we use many avenues to keep employees informed. We send out quarterly newsletters, we attend staff meetings, we raise awareness with our business privacy stewards monthly, and leadership quarterly in our reoccurring meetings, we also push training in our etraining platform. We also hold office hours weekly, which get a nice attendance.

Q:  Why are we talking about AI? Isn’t AI just more software code?  Why is this time different? Why should privacy pros care about AI? What questions should privacy pros be asking?

AI is a tool, and it is not new. However, there are new types of AI models that are captivating the world, such as Generative AI, which takes in data and generates new content based on the data provided. As we all embrace AI, we must also be mindful of the ethical considerations and potential unintended consequences that come with it (like bias, loss of confidentiality, loss of privacy, and overreliance). The power of AI is massive, as we continue to innovate and push the boundaries of science and business, we must be thoughtful and reflective, to ensure that our AI solutions are designed and implemented with the utmost respect for privacy, transparency, and fairness.

Q: What is the top privacy or data security issue that kept you awake at night as CPO?

Data governance/strategy. It is critical to know where data originated, what the limitations are (based in the consent, notice, of contractual language), where it is going and how it will be used. Not knowing these details could result in unintended privacy violations.