Captains of Industry Interview: Mac McCullough, Macys

As part of our Captains of Industry Interview series, Lawrence Brown, Sr. VP Legal, Houston had the good fortune to sit down in February with CPO and GRC Leader for Macy's, Michael ‘Mac’ McCullough. Mac is a long-time privacy practitioner, thought leader, and speaker on data privacy management, data risk/compliance, and building trust environments. It is our immense pleasure to share Mac's invaluable insights with you. Enjoy!


Q: What does Macy's do?

Macy’s, Inc. is one of the nation’s premier omni-channel fashion retailers. The company comprises three retail brands, Macy’s, Bloomingdale’s, and Bluemercury. Macy’s, Inc. is headquartered in New York, New York. With a national store footprint, robust e-commerce business, and rich mobile experience, our customers can shop the way they live - anytime and through any channel.

Comments, however, are solely my own and are not representative of my employer.

Q: And tell us about your background/path to your current role?

Happy to. Midwestern guy, joined the Marines as a ground pounder and got broken, prompting an unusual path to George Washington University Law. It was serendipitous, resulting in a controlled fall into a privacy “career” that did not exist at the time. As a philosophy guy, I was interested in constitutional law, particularly unsettled areas of law. National security and privacy drew my interest in my first year. At the time, there were no law school programs for privacy. Fortuitously, as a 2L, Jeffrey Rosen offered a privacy seminar class as he was working on his seminal book The Unwanted Gaze. That set my path.

Along with a law school classmate, we went deep on privacy and started writing and speaking regularly. Ultimately, my classmate, another GWU Law student a year ahead of us, and I became 3 of the first 5 named CPOs in the country. Both my schoolmates are at the top of the field and continue to excel at the highest levels. I am grateful to both.

I started my professional privacy career as a CPO for a Secure Internet Application Service Provider before the dotcom bubble burst. Then the bubble burst. A perpetually forward-looking, prescient executive at IBM, Steven Adler, was putting together a small privacy global “strike team” and recruited me as a senior consultant. Even then, Steven was able to intuit the fundamental problems for operationalizing privacy at a time when business, legal, and tech were in want of a common language and the privacy debate revolved almost exclusively around policy.

Being IBM, we needed to bring privacy to tech solutions. So our strike team convened in Switzerland for several months with some of our best researchers and engineers to build the Enterprise Privacy Architecture, eventually earning several patents. That architecture became the cornerstone for the first privacy architecting language. It is the core modeling concept I have used throughout my career to build methodologies, privacy training and certifications, and build privacy programs at several agencies and commercial organizations. Over a decade, I was fortunate to build and lead outstanding teams delivering practical, value-added services to dozens of clients on HIPAA, Enterprise Architecture, and Privacy, including a first of a kind data breach response diagnostic tool. This brings me to the rewarding decade I’ve spent as CPO with the superlative team and brand that is Macy’s.

Privacy Team Structure and Management Best Practices

Q: You have experience setting up several privacy teams from the ground up and, through your career, have seen some very different privacy org structures – not always reporting up through legal. If you were to design a privacy team from scratch, where would the role report? General Counsel/Chief Legal Officer? CCO? COO? Chief Risk Officer? CFO? CEO? Etc.

It is the number 2 perennial privacy question, “Where should the CPO sit?” Business is transforming. Consequently, company structures are necessarily evolving. 10 or even 5 years ago, few organizations had bona fide dedicated data analytics organizations or Chief Digital or Data Officers – both are becoming more common, if not necessary. It was not uncommon to have the CPO report into a Chief Marketing Officer in the early days of an emergent privacy management profession. Now that relationship is unusual due, at least in part, to perceived conflicts of interest. Personally, I have reported to the CEO, COO, CLO/GC, CFO/Enterprise Risk Officer, and CISO at various times, reflecting changing needs and organization. Currently, the General Counsel’s office is most often the default placement for CPO’s across industries. Still, the kneejerk retort to the question from seasoned privacy pros would be a collective sigh of, “It depends.” Unsatisfactory for most.

Over the years, I’ve developed a 3-part approach to get from “it depends” to a more satisfactory response. It focuses on understanding an organization’s: 1) Business Priorities; 2) Risk Profile; and 3) Culture. Charting enterprise strategic objectives and priorities sets the first layer. The second layer heatmaps risks (strategic, operational, legal, regulatory, and reputational) for services, products, and operations over the business priorities. The last step overlays company business culture attributes (high/low discipline organization, process-oriented, centralized/decentralized, customer orientation, gravity-centers, product-led/service-led, sponsors, resources and budgeting). While there is no perfect answer to the question, what emerges is a relief map to orient CPO placement discussions and decisions.

Additionally, and of equal value, this mapping highlights and prioritizes the semi-empirically-derived critical partnerships and affinity groups necessary for CPO success. In short, it (still) depends. And if you are wonderin’…the number 1 question is “what exactly is ‘privacy’?”

Q: Cross-functional communication and collaboration are obviously key in a successful privacy program. What players need to be peers? CISO? Others?

I build multi-disciplinary, cross-functional teams comprised of members with varied experiences and skillsets. It’s critically important that teams share a common purpose, expectations are clear and we have standard ways of working because that team is the backbone of a consistent, communicable and successful program often more than the individual CPO. The team is the CPO’s multiplier for building trust in the program and durable partnerships. Essential, any-given-day “win the hand” partnerships include the CISO; GC’s office; CCO/Compliance; and Communications. The “win the game” partnerships must include the CEO/COO; business owners, data owners, L&D, and the SMEs, product managers and engineers that define, design and drive the business.

Privacy programs start inside the perimeter but extend far outside it. I would be remiss if I failed to mention the increasing importance of 2nd and 3rd party relationships, as well as some associated challenges. Companies are refocusing on core competencies. Strategic and operational partners are again fulfilling non-core services via IoT, value-additive collaboration tools, cloud computing and analytics. Gig and sharing economy companies from transportation to services are even becoming partners. Makes a lot of sense for the time we are in. On one end of the spectrum, there is an increasing concentration of partner services in leading market players (“the only/biggest game in town” players). On the other end, there are newer, less deep or mature players. To manage their own risks and costs, both leading and emerging players can be less flexible in contracting and the stuff that contributes to building partnerships. This can present dilemmas for contracting companies and their CPOs in areas such as data governance, ownership, minimization and non-proliferation, secondary use, and retention that expand the risk and compliance surface.

No CPO acts by fiat. Successes or failures rely on the strength of these partnerships: partnerships within the privacy team, the company and, increasingly with 3rd parties – even customers (should) have a collaborative role in their security and privacy.

Q: Many companies have moved to having a lawyer in the top privacy spot. Why not Chief Privacy Counsel? Or General Counsel for Data? Does “CPO” title create an expectation that there is no attorney/client privilege? Does the ‘counsel’ addon generate the expectation of privilege?

Adding ‘counsel’ to a business title adds a presumption of attorney-client privilege. Established organizations are clear on who is functioning as an attorney for the company. Folks who are lawyers but not functioning as counsel, including outside consultants, are well-aware of the position played; carefully managing the relationship by differentiating business advice from legal advice and collaboratively managing what needs to inure some level of legal protection and what does not. Often CPOs functioning as counsel still run contracts through outside counsel to strengthen attorney-client and work product arguments, especially for security and breach-related work. Still, I can’t remember the last time I saw a good fight in privacy over privilege. Much of operational privacy is fact-based. And, as we are often reminded, facts are not privileged. Relatedly, we are seeing a test of (work product) privilege related to forensics reports in ongoing Capital One breach litigation. I can’t help but wonder how privilege around privacy will play out as new privacy laws and at least 1 new privacy protection agency comes online just as bona fide privacy management SaaS tools (and templatized reporting) are maturing to support privacy management functions as much as compliance/audit functions.

To the question, “If it is a lawyer in the top privacy spot, why not Chief Privacy Counsel or General Counsel for Data?” My sense is Chief Privacy Counsel is too limiting if the role is truly that of CPO. CPO’s need to align around more than just the law and policy but also partner in a quasi-legal sense around technology, business, and operations in equal measure. “Officer” captures that better, at least to my mind. In addition, “officer” opens the possibility of directly reporting to a board, as a CFO might. Adding ‘Counsel’ necessarily changes the nature of the relationship to both the board and the CEO. This could be an important consideration if privacy is a critical issue for the board. Is it primarily a business or legal/compliance issue?

Regulators or press are more likely to ask for your CPO rather than a ‘head of privacy,’ ‘director,’ or ‘chief privacy counsel.’ In this area, ‘counsel’ may unnecessarily add to a perception of “lawyering up.” Clearly, there is a choice of titling, and "counsel" was a choice. Certainly, lawyers will be involved in any significant conversation, but that may not be the perception a business wants to lead with. Especially internationally where, and I don’t have hard numbers on this, many of the regulators are career civil servants, academics, and advocates even if also lawyers.

Q: Is the proper scope of the role “just privacy” or a broader umbrella that might include data governance, data ethics, InfoSec, data monetization, privacy compliance, consumer trust & safety, law enforcement response, privacy public policy, etc.?

There is a high degree of plasticity in “privacy” roles (not tethered to a specific product line or auditing function). It’s one of the things I love about my profession, broad purview across enterprise and operations. It touches all the areas you mention in the question. In addition to the breadth of issues coverage, privacy pros need to understand the priorities and functioning of the entire business. Context is everything. And business ops from analytics to customer care to marketing are moving at light speed. We have to commit to learning every day to stay conversational (and effective) amidst wildfire change in areas such as InfoSec and threats, adtech, machine learning/AI, or augmented and virtual reality where your partners (and their 3rd parties) are deep specialists.

As interesting as the expansion of the privacy role is, the burgeoning privacy profession means diversification of roles including dedicated privacy analysts, engineers, and auditors; and the deepening of sector-specific privacy specializations in areas such as automotive, marketing, data science, smart-cities, health, and finance. That is an important recognition, especially for privacy practitioners in the 5 year and under band. Be broad but also get deep in an area. Be mindful and choose well where you want to be deep because with increasing competition, your incremental choices are where you will demonstrate the most value and where you may be most competitive for your next job. Lastly, be and stay tech-savvy. A privacy pro’s knowledge of the company’s (and other companies’) tech stack gives a degree of insight and context others don’t have, enabling a stronger partnership with the CIO and CISO. This tech-savviness also differentiates most privacy officers from counsel.

Q: In light of this shift, is “Chief Privacy Officer” still the right title?

It’s an expected title. There is absolutely currency and important signaling associated with the ‘CPO’ title, whether the role is filled by an attorney or not. It’s the same type of currency as CISO. It’s a marquee showing company investment and priorities.

Q: How does the CPO role sync with GDPR’s DPO? Different roles or semantics and the same person?

I’d refer back to the previous question on where the CPO should sit. Considerations around resources, industry, global market position, and to some extent, complexity of operations also figure in the determination. Having a single CPO/DPO may be most efficacious for smaller companies. There are highly competent DPO-for-hire providers available as well.

A lot of privacy thinkers reasonably aver the CPO/DPO should be the same person. (And there is a question if a German-speaking DPO is needed in some cases for Germany specifically, which may or may not be the Article 37 DPO). Certainly, many of the topflight CPOs can and do wear both hats. For me, there are diverging paths between the DPO and the CPO.

The DPO’s writ is established in law and focuses on compliance and assurance. DPOs can and should provide recommendations and guidance, per Article 38.1, as it relates to those areas. I value the direct and independent voice a DPO is intended to provide. On the other hand, especially for larger, complex organizations and as discussed earlier, the role ascribed to the CPO is broader – and expanding. More focus is on strategy, orchestration, data value maximization and design. In short, the DPO advises; the CPO makes decisions.

Dual hats dilute some of the focus and time of the CPO. The DPO must be contactable by data subjects. Ultimately, dual hats may not maximize the benefit of both or either function. I’m also thinking about the future. I don’t think it is too far-fetched for more regional regimes to require their own geographically dedicated DPOs as Brazil has already done through LGPD. How many dual hats are reasonable to wear?

A separate DPO can more closely focus on cultural awareness and building the relationships with regulators and partners that are central to program success – both for the companies and regulators and partners in the region. The joint team of an aligned DPO(s) and CPO can send powerful messages at propitious times. Messaging that perhaps won’t have the same gravity if the CPO and DPO are one and the same. Based on my observations, my sense is having a DPO and CPO gives a point of escalation that is lost when the role is dual-hatted. The DPO should be readily available and responsive to regulators. Optimally, the CPO should have more discretion on time and timing. In fact, I would say the EU itself breaks out similar roles, for example, between the EDPS and other roles such as the EC DPO. Logistically speaking, traveling between hemispheres in the role of DPO can be taxing on a single CPO.

*Feels like I’m in a meme sitting at a table with a placard that reads, ‘Change my mind.’

Management and Operations:

Q: The pace of change in privacy is accelerating, and yet the more things change, the more it seems basic data hygiene stays the same. Are you concerned about the pace of change? Broadly speaking, what is your strategy for change so that you don’t have to iterate the program for every slight difference?

Think you said it. The more things change, the more the basics stay the same. The fundamentals of operational privacy have been bounded by immutable, internationally accepted principles since the mid 1970s. Emphasis may be placed on differing principles between privacy regimes. For example, openness/transparency and individual participation may figure more prominently than, say, data quality in a particular regime. With the introduction of the Rights to be Forgotten/Deletion or Anonymization in regimes, the principle-based privacy playing field is firmly set. No privacy regime will likely color outside established lines. There will not be new principles.

I don’t want to downplay the significant initial and ongoing costs of a bona fide, compliant privacy program. There are both capital and operating expense associated with compliance across a broad spectrum from data and process discovery to staffing. However, a well-conceived and executed program should have clear line of sight on expense and a phased, risk-based maturation plan. Buy or build privacy solutions should be based on flexible, scalable, and extensible methods and platforms to accommodate expected continuous externally driven change. However, these changes will relate primarily to managing procedurals and adjusting to evolving incremental rules of the game. For example, covered data, reporting composition and timelines, or look-back periods may differ between regimes. Privacy compliance then becomes the sum of processes designed to meet various (and sometimes inconsistent) procedural requirements. This state of play has significant implications for the future role of CPOs and privacy professionals. Here are a few.

For one, choice of law is a vanishing concept in privacy. It is all global laws – even if you are not an international player, because your 3rd party service providers discussed earlier are likely international players. These 3rd parties contract on a “1 size fits all” basis as also discussed previously. So, by virtue of the contract, companies are likely making representations about privacy under international regimes.

Second, with solid foundations and actionable pre-figured rules sets, privacy compliance platforms are really hitting their stride in terms of affordability, coverage, accuracy, and ease of use. Privacy operations and compliance are becoming automated. Third, just as companies will increasingly leverage technology to manage privacy, 3rd party Privacy Enhancing Technology agents will prosecute consumer rights. Which again will likely be handed off and processed by a privacy compliance tool from intake to out-process.

Taken together, operational privacy is likely to become the domain of analysts who could just as easily be in a broad-based GRC program as in a dedicated privacy program. On the project management and engineering sides, privacy can easily be built into toolkits and SDKs, making privacy 1 of many requirements and not a specialty. Privacy is losing its novelty and inscrutability. Over the next 5 years and decade, I predict we will see “privacy” pushed down in organization structures as companies seek to focus on core competencies and manage privacy and data compliance costs. Ultimately, that may mean many companies will have privacy operations that do not necessarily report up to a CPO as we know that role today.

CPO’s are uniquely positioned to lead broad-based governance, compliance, and risk organizations. Privacy is just one view on data. Applying standards and producing evidence for audit/assessment are core CPO capabilities, as is leading business process improvements/redesign/transformations à la Privacy by Design, if nothing else. Successful CPOs also have keen business skills from strategy to operations across technical, business, and legal spheres. As privacy operations get pushed down, CPOs will need to evolve to be the go-to executive for the business and assurance of responsible data management. CPO’s are designers, assurers, and shepherds of Trust. In the future, I believe we will see more CPO’s moving into Chief Data Officer, Data Ethics and Assurance Officer, or Chief Trust Officer types of roles. Certainly, the field is full of talented CPOs and rising stars that are more than up to the challenge. Over time, this breed of experienced Data/Ethics/Trust Officers will go from being desired on Boards to being necessary. So, we talk about change and pace, but what we are really talking about is building the businesses of the future, today – in real-time.

Q: What are the key factors you look at in hiring outside counsel?

Pragmatism. And a clear interest in understanding where we are as a business, culturally, and our priorities. That goes for all legal services, be it litigation, regulatory support, compliance, or breach response. Most businesses are looking for a strategic partner, not a discrete services provider. That means a level of investment and pricing model that respects the partnership.

Q: Lots of new hiring these days. What is the top 1 or 2 must-haves when you look at a candidate? How do you know if a candidate is “doing privacy”? How much does exactly on-point legal experience matter compared to say project management or ability to craft a simple business solution? What advice would you give an up-and-coming privacy lawyer?

The “must-haves” for a candidate cannot be taught: integrity, passion, and perspicacity. Nobody is just looking at the candidate; we are looking at how the candidate complements the team. I am always balancing where we can bolster the team. Strength in technical areas and business are big pluses. In fact, and I may have some bias here, lawyers and privacy pros who spent time as operational consultants bring experience with method and a business operations acumen, which combined with legal training and firm experience yields a well-rounded professional that not only knows the legal universe but knows how to execute operationally.

In terms of gauging actual privacy work… I ask candidates to tell me stories about their successes, challenges, and events where they had to manage an issue of first impression. That approach always opens the conversation to the revelatory details that are probative. A lot of times, I learn something that helps me be a better privacy pro.

Two pieces of advice I would share with someone new to the profession are simple. Specialize. Know it as good as anyone. Write. Dig in, find your voice, and write. It’s a burgeoning field with increasing competition. Writing gets you engaged in the conversation. Writing gets you invited to speak. Speaking gets you into new fora. And those conversations create opportunity and the networks that build futures.

I know it sounds droll. I would not have a career without writing and speaking – in far less crowded rooms at the time. I didn’t have to be great, just present with a point of view and some knowledge. It served me well.

Q: Some clients see law firm training as a “must-have” when reviewing candidates. You don’t have that background and have reached the highest levels of privacy. What would you attribute your career success to? When hiring attorneys for privacy, how important to you is law firm training? What would you say to candidates who might be discouraged by clients wanting that box checked?

This is a great set of questions. Businesses will always need lawyers in each area of risk or regulation from litigation to employment to accounting to privacy and compliance. Lawyers are so enmeshed in privacy. I often hear non-lawyers start conversations with the disclaimer, “I am not a lawyer, but…”. It registers for me every time I hear it. This is no good. What I hear is, “I may be wrong and could get out-argued, but here is a perspective.” This field needs perspectives and questioning from non-lawyers. And lawyers that think outside the bar. Barring compliance, this is a field desperate for new ideas and solutions for besetting societal and business challenges. The best privacy/data protection lawyers I know do 3 things well: Know the rules; tell stories about why “X” matters; and think outside the black letter law. Privacy and tech black letter law has yet to catch up to reality.

Q: How has the 2020 pandemic and work from home changed your hiring/staffing approach? What is different about managing a team and program in this current reality from pre-pandemic circumstances? What challenges should privacy professionals be preparing for?

The pandemic has changed everything. It is currently at the top of every single-privacy-conversation over the last year. It should be. That is our job to be part of the solution. I know, and am so grateful to, so many of my peers and friends having done a great service in meaningfully addressing the data and privacy obstacles of fighting and recovering from the pandemic – quiet heroes, really. From a business perspective, as mentioned before, the challenges of moving on a dime from secure on-site environments to home/remote environments are broadly shared. We are all on a learning curve. Having led global teams before the pandemic, the biggest remote/WFH issues typically revolved around logistics and team efficiency. Improved collaboration tools have been a boon here. This is very different.

Now, it is the human dimension that I spend the most time focusing on. Building allyship is so much more important in a pandemic world. That is meeting the work, health, economic, and emotional and mental needs of teams. My teams and I are engaging and trying new approaches. We don’t have the answers, but we are building knowledge on what works and what doesn’t work as well. Again, it is so individualized, what works for one person may not work for another.

Q: What is the top data (privacy or security) issue that keeps you awake at night?

Bad guys. But bad guys will be bad guys. Can’t “solve” for that. If something kept me up at night, you’d better believe I’d be prioritizing to meet that challenge until I could sleep again. To be sure, there are incremental challenges ahead. We’ll be spending more and more time creating artifacts and reporting. Certainly, scrutinous 3rd party “privacy agents” and “privacy-enhancing tech” will become disrupters. Regulators will adopt better privacy forensics tools. Remedies that have been available, such as disgorgement, may get more attention creating design imperatives allowing the unpacking of data. Cookie deprecation, “necessary and proper” limitations potentially affecting affiliate ad networks, and new opt-in/opt-outs will torture the ad ecosystem for some time – especially combined with those 3rd party agents. We will adjust. Happily, privacy-by-spreadsheet is being replaced by solid privacy management solutions. Many will thrive in this environment. We will unlock new opportunities to build closer relationships with customers and business partners in both B2C and B2B spaces. These opportunities and challenges will become more addressable as privacy comes of age as a business function and not just a compliance function.

What does make me sleep fitfully isn’t an issue. It’s a place. A state. That is the technification and datafication of inequity. Vision and opportunity have yielded incredible innovations, yielding yet more opportunities and innovations. Even with the best of intentions, from edtech to fintech to healthtech and to facial recognition and AI, we have an inclusion and equity problem. We have a design problem. You and I have engaged on this several times. So many people and organizations have leaned in to address this problematique with unprecedented focus. Still, as a profession, we must recognize this skewing, keep it front of mind and commit to equity-and-fairness-by-design. It has to become praxis.

Q: What is the “value add” for a company to invest in and have a strong privacy organization?

I love this question. It is interesting to have heard how that question has been answered over decades. If you ask a European, they might say it is not a “value add”. It is a value. It is a fundamental human right. It is important to say because that is truly the starting position for privacy in Europe, whatever else one might say. From a purely business perspective, all business is data-driven at this point. The best data comes from the data source or data subject. While there are a plethora of value-adds from a strong privacy organization, the role privacy teams play in promoting and preserving Trust will yield the highest dividends. The problem for privacy teams is that Trust is really hard to measure, attribute and therefore resource allocate. Trust is also really easy to lose – and that often comes with attribution.

Q: I routinely hear from candidates that “their company isn’t serious about privacy” or that the company talks about privacy but won't provide budget to actually back it up. What advice would you share with folks who have to set budgets? Do you have a strategy for determining what the budget ought to be?

I’ve had this question a lot from mentees, on panels, and in sessions like this for years. Going to flip the usual script on this, which consisted of mostly sagely, balanced, premium “free” advice. If your company does not value privacy in this day and age, you have two choices. Option 1: stick around until the company does see privacy as a business function worthy of investment. Option 2: find a company that invests in privacy and recognizes the value you bring. There is no dearth of companies seeking great privacy teammates.

If you find yourself in an Option 1 scenario, a word of caution. 8 times out of 10 (fuzzy fact), companies are more likely to hire externally (or worse, lateral/elevate another executive) after deciding privacy is an investment even with an incumbent privacy pro or team in place. Rightly or wrongly. I have seen great talent leave positions that did not value (nor understand) their contributions, institutional knowledge, relationships, and passion for the business. All (not a fuzzy fact) have gone on to bigger and better. (And I just now got a text from a former mentee saying exactly this). For organizations that bring in a privacy star, it’s usually 2 or 3 privacy “stars” before the fit has some durability. This is often because while the decision was made that privacy is now a priority, the company doesn’t have a clear view of what privacy success means – and the privacy star absolutely does.

Q: Any insight for peers or up and coming folks on how to “manage up” generally and, tying to last question, how you make the budget pitch to the powers that be?

Another perennial question spawning innumerable privacy trade group sessions. Heard it all; tried most. Let’s start with the board. The most skilled privacy pros I have heard in front of boards (who hear scripted, rote presentations regularly) do one thing well. That is tell stories. ‘Privacy’ is an abstract. It is hard to measure and evaluate trade-offs. We all hear the arguments like “millennials don’t care about privacy” or “customer behaviors don’t support (privacy).” Stories can be powerful tools in contextualizing the abstract, resetting preconceived ideas, and opening up possibilities. Yes, talk about budgets and risks and gaps and audits. But make the issue real. Because it feels real for the customers whose trust you want to earn.

Managing up in privacy professions is the same as managing up in non-privacy professions. Understand your company’s priorities. Understand your direct leadership and management’s priorities. Solve problems. Proactively if you can. Be a fount of knowledge. But most importantly, be pragmatic and build a reputation for discerning judgment. See, I said same as anywhere.

Q: With work from home being a new normal for many companies, what considerations might you highlight? How, if at all, would this new work from home era change your thinking/strategy on privacy issues?

Again, moving wholesale from secured environments to less secure remote work and Work From Home (WFH) environments does present some new security and privacy tests, especially because many companies turned on a dime without transformation or change plans. Several folks are focusing on these issues. Thoughtful guides are coming out to help identify and close gaps or improve design for a remote workforce.

Issues like records management may need some tuning. Privacy and security associated with now off-network collaboration and communications tools also require attention from contract to operations. I have been mindful of the need to strike the right balance between the benefits of productivity and performance analytics, and privacy. Some organizations have seen a spike in productivity associated with the move to remote work. I suspect we will see some differentials between organizations. Over time, productivity in any organization could show some peaks and valleys. In any case, if productivity is higher than usual or lower than usual, business teams will want to make sense of it. I am somewhat concerned that increased employee monitoring may be the result. There is evidence that some outcomes from these activities result in disparate impacts, even where ethnicity is not a data point. Employee monitoring is an area where best practices are still developing. On a positive note, the move to WFH may permanently upend our relationship with paper and speed organizations to a paperless environment.

Q: Anything else you’d like to share?

Sorry, there is no TL;DR. We are doing important work that will define our society - civil and commercial; we are building the future. I am grateful to play a small role in it. Thank you for the opportunity to share. And a big thank you to all the mentors, mentees, supporters, colleagues, teammates, and even detractors that got me here.

CPO and GRC Leader for Macy’s, Michael ‘Mac’ McCullough


Michael ‘Mac’ McCullough is a long-time privacy practitioner, thought leader, and speaker on data privacy management, data risk/compliance, and building trust environments. Mac’s career spans over 20 years of executive roles from tech start-ups to industry-crossing global consulting practices orchestrating compliance, value-added data services, and future-proofing data assets and programs. He currently serves as CPO and GRC leader for Macy’s, Inc. Mac’s comments are provided in a personal capacity only.


To learn more about how JW Michaels can assist with your privacy searches, please contact Lawrence Brown on LinkedIn, Twitter, Email, or Call (832)819-3580.
