Interview: Val Ilchenko, General Counsel and Chief Privacy Officer of TrustArc

Val joined TrustArc in October 2023 to lead its Legal and Privacy Departments and serve as corporate secretary. Val’s principled approach as General Counsel and Chief Privacy Officer is to seek to create efficient, elegant, and practical solutions to complex legal, business, and privacy issues wherever possible.

Previously, Val served as Deputy General Counsel and Data Privacy Officer at GoTo, a $1B+ ARR Boston-based global company providing a host of software-as-a-service (SaaS) offerings across multiple business units and a diverse portfolio of unified collaboration and IT support-focused products. Val was involved in numerous aspects of GoTo’s business operations, ranging from portfolio-wide “ground up” privacy program building, regulatory oversight during mergers and acquisitions, cybersecurity and incident response, telecommunications, international expansion, commercial/go-to-market activities, as well as governance, risk, and compliance.

Val holds a B.A. from the University of Massachusetts at Amherst and a J.D. and M.B.A. from Suffolk University. Outside of his role at TrustArc, you can find Val watching Bluey with his wife, kids, and dog, exploring Boston-area coffee shops, snowboarding, or attempting to revive his lawn.


Q: It was great to connect with you at the IAPP’s Global Summit 2024! What were your big takeaways from the conference?

Trevor Hughes and the IAPP team always put on fantastic events, webinars, etc. “GPS ‘24” is no exception. My biggest takeaways are:

  • AI has become THE hot topic at dinners, conferences, and casual chats for many privacy pros, as well as… while we’re probably out walking our dogs or getting coffee. Jokes aside, just like "cross-contextual behavioral advertising" was once a confusing term in the privacy space, "AI" is now widely mentioned but not seemingly well understood (on a technical basis). That’s why the Knowledge, Assurance, and Legal teams at TrustArc built a Responsible AI certification to guide organizations through their ongoing AI governance and risk management journey.
  • Aside from AI, privacy is extremely multi-faceted. Tracking technologies, technical privacy, and all the other “stuff” remains critical to remember and manage, so folks must be vigilant about developments in other hot and continual areas of focus like tracking technology, but also on baseline program controls.
  • A bit of advice: If you're an aspiring attorney in privacy, security, or governance and can't attend a conference or get certified, that's okay! I feel like it needs to be said since there’s a bit of a “peer pressure” element to these things. There are many online and free resources from IAPP, FPF, TrustArc, and others. Find any opportunity to gain exposure, ask colleagues for suggestions, and reach out to respected professionals on LinkedIn for mentorship opportunities.

Q: TrustArc seemed to be everywhere at GPS24. Give us some context, who is TrustArc?

TrustArc is a pioneer in the privacy space, having existed for over 25 years. In fact, TrustArc was founded several years before IAPP, and there was a time when Jules Polonetsky, the President of Future of Privacy Forum, was on the board of TRUSTe (our former name) years ago. Our business is divided into two main areas: PrivacyTech/Software-as-a-Service and our Assurance/Trust-as-a-Service products.

Our SaaS business serves as a one-stop shop for all “PrivacyTech” needs, including cookie/tracker management, data discovery, no-code Trust Center creation, inventory management, and privacy research. We have it all – we’ve done some big innovations already in 2024 and will do some more incredible things in the near future!

Our Assurance/TaaS business is powered by technology, like PrivacyCentral, and delivered by knowledgeable subject matter experts. It’s an easy way to elevate a company’s reputation and credibility with third-party assessment and validation of a business’s practices against either TrustArc frameworks (e.g., Enterprise Privacy certification) or government-run programs (e.g., DPF or APEC CBPR). When Assurance eligibility criteria are met for certification programs, folks get that coveted TRUSTe web seal that you see on some of the top brands' web pages or privacy notices. Our newest certification and seal program is our Responsible AI program – where we’ve had immense interest and already a number of customers certify and receive their seal! 

Q: Where do you sit within TrustArc, and what is your remit? What was your path to that role?

I’m on the executive team at TrustArc, reporting to the CEO, Jason Wesbecher. My team focuses on three main areas: Legal, Privacy, and Knowledge. Not only do we cover the typical Legal and Privacy areas, but we are also heavily involved in our platform and solutions since TrustArc makes products for privacy and compliance pros. We have a dedicated team of experts constantly researching and synthesizing the regulatory and litigation landscape and then updating our Nymity platform, PrivacyCentral controls systems, and Assurance programs. 

My path to my role? There was a young boy born in the Ukraine during the Soviet era…just kidding. I assume you mean more recently. After college, I worked as a legal assistant at a boutique litigation firm in Boston for a few years. When applying to law school, I had a bit of a momentary crisis about going but ultimately decided to attend, very intentionally focusing on working in tech and adding to my business acumen by seeking a dual degree (JD/MBA). This focus led to me interning, during grad school, in-house with tech companies, including Boston Scientific, Neolane (acquired by Adobe), and Iron Mountain. I graduated law and business school, like most, with too much debt and a bit of disdain as I did not have a cushy “Harvey Specter”-type job lined up. Through a bit of serendipity, however, I interviewed for and accepted a civilian role in Air Force Materiel Command, working on a procurement contracting program for state-of-the-art 3D radar systems.

My next role was in-house counsel at Progress Software, covering privacy, procurement, and corporate law. However, I spent most of my legal career at GoTo (formerly LogMeIn) – where I facilitated the buildout of 15+ privacy programs from the ground up for things like GDPR and CCPA readiness, market expansion, acquisitions, etc. I was also a long-time TrustArc client, leveraging their services to help achieve some very lofty privacy initiatives and goals and achieve scale and maturity. During that time, I led the Privacy and Regulated Technologies Team, managing privacy, security, telecommunications, export, and regulatory compliance programs (with legal and non-legal staff), as well as the product counsel team. While there, GoTo nearly quadrupled in size and merged with a Citrix spin-off, divested businesses to Google and Genesys, acquired foreign and domestic companies, went private, spun off LastPass, and dealt with a pretty comprehensive and challenging security incident response process. Being at the forefront of privacy, security, and regulatory matters during these events was truly a once or twice-in-a-lifetime learning opportunity for me, providing decades’ worth of learning in a short time. I think it really set me up for a General Counsel role, offering me the opportunity to interact frequently with executives, manage budgets, think strategically, and work cross-functionally. When Jason became CEO of TrustArc, we saw an opportunity to combine our strengths to drive TrustArc’s next phase of growth and innovation.

Privacy Management Best Practices

Q: As both General Counsel and Chief Privacy Officer, you wear two hats. How do you balance the sometimes competing priorities of privacy and other priorities?

Being a GC and CPO is a very mental job. GoTo’s General Counsel, Michael Donahue, for a long time, had one of the core Legal Team tenets “run towards the chaos.” Balancing priorities means embracing that things may be chaotic at times while also being ruthless with cutting unnecessary work or de-prioritizing it.

As part of the balancing act, you also can’t always just “crank” away. It’s incredibly important to create space for “quiet time.” These mental breaks allow for critical innovation and deep thought.

Q: Already this year we have seen several states pass new privacy laws. There is a new federal proposal now as well. What are some of the emerging trends you see in data regulation? How should a GC or CPO be preparing their company to address these new trends?

It really depends on staffing and organizational footprint (e.g., where does your client do business), among other things like type of business, industry, forms of data managed, etc. My main advice is to focus less on trends and more on an internal “north star” for your organization's privacy practices. If you have a program with broad, global measures, it often becomes easier to adjust to regional needs like CCPA/CPRA’s sale/share requirements, Washington’s My Health My Data, etc. Determine your baseline minimums across your organization — OECD’s Privacy Principles, GDPR’s Articles 5 and 6, APEC Privacy Framework, or Nymity Privacy Management Accountability Framework can serve as great foundational models.

For everything else? Keep it in your periphery, and make sure you have good tools or advisors. We built Nymity Research, NymityAI, and PrivacyCentral to help “keep up” easily and quickly. Also, a good outside counsel or advisor will help keep you informed of significant changes. Finally, make sure to find an external PrivacyTech provider and/or firm that will be your true partner, not just your vendor.  

Q: How can privacy leaders help their company change from seeing privacy as a regulatory/compliance burden to a value add for shareholders/revenue drivers?

Simple – stop solely or predominantly talking about “risks” and “fines.” Apple knew long ago that selling their devices wasn't just about quality but evoking an emotional response. Too many privacy and legal leaders cater their message to like-minded individuals. Marketing, sales, engineering, product, human resources, etc. – they all speak a different language and it is not generally the same “legal” language or mindset.

I saw more traction in my own experiences when I adopted two strategies: 1) “winning hearts and minds” – advocating for things like protecting the brand, doing the right thing, treating others' data as you would want yours treated, closing deals faster with “trust,” etc. This approach garnered more support and sponsorship from folks internally, and 2) it built “goodwill” – being a true partner to the rest of the organization. Make measured, thoughtful asks and offer help more often than requesting it. Many folks need help from you – pitch in often. If you build enough goodwill, difficult asks (e.g., opting in for marketing in certain regions or needing budget increases) are less likely to be resisted since the organization and your leaders will know you've exhausted all other options.

Q: TrustArc recently announced some new product innovations, such as Responsible AI Certification and NymityAI. Putting any specific situation aside, when a business wants to launch a new product, isn’t that a business or operations project? What should the role of the GC be in that process? What should the privacy pro’s role look like in that process?

TrustArc is different – I came on as someone who was an “operator” and running privacy programs firsthand. Our Chief Product Officer and I constantly collaborate and whiteboard in our problem-solving. We discuss the industry's current state, the issues faced by privacy pros, TrustArc's strengths, and areas for improvement at length and relentlessly. At TrustArc, my team and I are really working to enable the industry, reduce challenges, and help our clients achieve much-needed “scale, speed, and savings,” as I often say. We look at our past struggles in our experiences – for me at Progress and GoTo and for my Deputy GC, Cathleen Doyel at PowerSchool and Snowflake – to think of the “art of the possible” to make the lives of privacy and legal teams easier.

Stepping back from my own experience at TrustArc – in general, launching a new product is a team sport. Privacy should usually not be the tip of the spear or front of the Mighty Ducks “Flying V.” Legal and Privacy need to be involved – from providing guidance on intellectual property and copyright considerations to security, privacy, and commercial/go-to-market implications or requirements. A strong relationship between Product and Engineering is crucial to avoid being reactive and in order to manage legal and compliance risks. In most roles, Legal and Privacy must have a seat at the table but make no mistake – they should usually not be the primary speaker at that table (of course, each project and industry is different).

Q:  The privacy workload has exploded over the last 2 years with no sign of slowing. What is your secret for “managing up” that you can marshal resources such as headcount and budget?

My secret would be similar to the “hearts and minds” and “goodwill” efforts mentioned above. Speak less frequently but be impactful, ask less often but when you ask, make it count. That being said, unlike “influencing the organization” when it comes to your own budgets and programs, GCs and CFOs often want supporting data for a request. It's a lot easier to get buy-in, for example, to procure a data subject rights tool to help you manage volume if you show your GC and/or CFO that you are dealing with 1000s of DSARs a year and that number is growing or to ask for headcount if you show data around how many contract/privacy requests you receive a year and how that figure has grown quarter-over-quarter. Become more data-driven with your approach.

Lastly – think “big picture” – yes, you may not have the budget to buy a tool like NymityAI, but if it saves you tens of thousands in outside counsel spend, it may be worth an experiment. Similarly, moving outside counsel or consolidating your tech stack can help. In each case, “find” money or document some savings. Sometimes, finding money or documenting savings similarly builds goodwill to “cash in” later on with a future request for resources.

Team/Career Management

Q:  Across the industry, there is an incredible wave of new hiring. What are the top 1 or 2 must-haves when you look at a candidate? How do you know if a candidate is truly “doing privacy”?  How much does exactly on-point legal experience matter compared to, say, project management or ability to craft a simple business solution?

It depends on your hiring needs. The absolute most important skill, for me, is “grit.” Yes, prior experience is critical, to make sure someone knows how to negotiate a contract or data processing addendum, read a regulation and distill it down, etc. However, there are many candidates with those skills – far fewer have the right mix of attitude, determination, willingness to get their hands dirty, put in the work, and are receptive to give, receive, and action feedback. I’ve experimented with different ways to make that determination – from asking candidates to walk me through either real-life situations or through simulated scenarios to using candidate references.

Q: Many folks ask me about what is next for CPOs. How did you make the switch from privacy head to General Counsel?

Off the bat, not every CPO is (or needs to be) a lawyer so it really depends. I always ask folks “what do you want to do” and the answer really varies, not everyone has fully determined what they “want to be when they grow up,” but some common desired end-goals are to become a CPO, GC, manager, or great individual contributor.

For me, it’s always about building depth of experience. I knew some years back I wanted to expand my “reach” and role and eventually become a General Counsel. Knowing that helped inform the type of projects I took on based on my end goal. My experience as Deputy General Counsel of a large global organization (at GoTo), felt like I was (intentionally or unintentionally) being groomed for an executive-level type role because I was learning strategy, budgets, communications styles as well as how to work with executive and senior management. Plus, I was getting visibility across the company and was contributing to key initiatives.

Takeaway – do something well, work to rise among the ranks, learn to expand your breadth, refine, refine, refine, and have a specific end goal in mind (e.g., transitioning to a GC role).  

Q: What advice would you give an up-and-coming privacy professional?

Webinars, conferences, and certifications are helpful, but nothing can beat pulling open the regulations sometimes and just reading, for example, the GDPR or CPRA, front-to-back – come up with your own opinions and conclusions. This was my big “aha” moment back in 2016 during GDPR prep – so many questions I had were answered when I stopped googling, asking others, etc., and just “read the ______ manual.” Additionally, seek a mentor, ask others if you can pitch in, find a good advisor/outside counsel, etc. Law and privacy work are generally a type of trade, and as important as education is, we also need to “learn by doing” sometimes. Like I mentioned earlier on, find a mentor – many of us, including myself, have hired mentees in the past – I certainly did at GoTo!

Q: The last several years have seen lots of change, especially with covid, WFH, RTO policies, etc. How do you maintain team culture? What does ‘culture’ even mean?

My former supervisors at GoTo had a really special approach to leadership. They were hard with their feedback, generous with their praise, and available when I needed them. This gave me the psychological safety to take risks, experiment, and think big. My management style was directly influenced by them, but I’ve added three particular new inclusions: 1) recognizing that “excellence is a choice” – the folks I have the privilege of leading are extraordinary, and my goal is to make sure we all choose excellence. As often as we can, choosing excellence means choosing to adopt an “extreme ownership” mentality and taking pride in the quality and craftsmanship of our work; 2) there’s usually a little time for jokes and levity – even during incident response, end-of-quarter, tight deadlines, etc. – we’re not machines. Everything can’t feel like it’s at “an 11” or on fire at all times (even when sometimes it is); and 3) finally… be OK “getting into it.” Deep work that requires deep focus or conversations that can’t be contained within a one-hour Zoom meeting are crucial for strategic work, innovation, and breakthroughs.

Lastly, with respect to culture-building, especially with remote work, I would say “find time” – find time to chat about hobbies or weekend plans, do ice breakers, meet in person, respectfully debate, problem-solve live or on video conference, etc. Culture isn’t just created by work output or personalities, it’s a combination.

Q: Anything else you’d like to share?

Start somewhere! Program building is hard, and often, you just need to put one foot in front of the other until you have greater clarity on what needs to happen next. I adopted a “kaizen” continuous improvement approach to my programs – something is better than nothing and that something always can be improved upon. What’s incredible is that as you look back on incremental improvements over a number of months, quarters, years, you will see tremendous meaningful improvement just by being iterative.
