Posts tagged "IAPP"


Captains of Privacy Interview: JoAnn C. Stonier, Chief Data Officer for Mastercard

January 9th, 2020 Posted by Privacy

As part of our Captains of Privacy Industry Interview series, Lawrence Brown, Sr. VP Legal, Houston had the fortunate opportunity to connect with data privacy pioneer JoAnn C. Stonier, Chief Data Officer for Mastercard. JoAnn’s extensive experience in finance, law and technology, coupled with her proven success as Chief Privacy Officer, earned her appointment as Mastercard’s first Chief Data Officer. JoAnn is a highly recognized data and privacy thought-leader, and we’re thrilled to share her invaluable insights with you. Enjoy!

INTRODUCTION

Q: What does Mastercard do?

Mastercard is a technology company in the global payments industry. Our global payments processing network connects consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. Mastercard products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more secure and more efficient for everyone.

Q: Tell us about your background / path to your current role?

My career reflects my desire to learn new skills and have new experiences. I started my career as an auditor and as a financial analyst, but shortly into my finance career I decided to go back to law school. After a brief stint as an employment lawyer, I was drawn back into finance and into designing new processes via acquisitions and mergers. My career took me through a range of companies including PricewaterhouseCoopers, PepsiCo, Waldenbooks and American Express. In each of the roles that I held in finance, law and technology, I learned different skills that I ultimately used both as a Privacy Officer and now as a Data Officer.

Currently, in my role as Chief Data Officer, my team and I are responsible for ensuring Mastercard’s information assets are available for innovation while navigating known and future data risks. This means understanding our business strategy and helping to create the corresponding data strategy. It means understanding our data – the data we currently have and issues like data quality, data governance, data policies and data use, finding and sourcing the data we need – and assisting our product development teams to utilize data in a safe, secure, privacy-aware and ethical and responsible manner to create new products and solutions. My team also identifies and creates new platforms and infrastructure that are needed to handle our evolving data profile. All of this supports current and future innovation. It really is a fun and challenging position.

FROM CPO TO CDO

Q: You have a long history and amazing reputation in privacy but you’ve moved on to a Chief Data Officer role. What does a CDO do? How is this role different?

Thank you Lawrence, I appreciate the compliment. It has been an interesting journey as I moved from an area where I had really strong knowledge to one where I had to create a new position for the company.

Typically the CPO role is compliance and legally focused as the privacy function ensures that an organization is complying with the ever-increasing privacy and data protection laws that relate to how organizations collect, use, retain and share personal and sensitive information about individuals.

The CDO role is a broader role focusing on all types of data that an organization collects, uses and shares. The role is more of a business and strategic role ensuring the organization has the right data for innovation. This means additional data skills – including creating programs that ensure good data quality, ensuring that the organization understands its data sources and lineage, creating good governance processes for data collection, data analytics and more recently data governance for Artificial Intelligence and Machine Learning. The Chief Data Officer also assists in creating the data strategy for the organization which is derived from an organization’s business strategy – so how will data be used not only to improve efficiencies in operations but as an enabler for the next generation of products and services. While the role of the Chief Data Officer started to emerge in the early 2000s, we have started to see more of them more recently as organizations are beginning to recognize that they need someone focused on both opportunities and risks.

The roles work together, as both teams manage different aspects of data risk and are important in ensuring that data innovation is balanced against risk and that the rights of individuals are at the center of the organizations’ design methods.

Q: Cross-functional communication and collaboration are obviously key in a successful data & privacy program. What players need to be peers? CISO? Others?

I think that every organization has to create an organization that matches its data profile. I am not sure that we understand who are peers or who are subordinates, but what is most important is that an organization understands its data practices, understands its data risks and has the right professionals to navigate both its risks and opportunities and then places them so they can succeed. That is what is most important.

Q: Is the proper scope of the role “just privacy” or a broader umbrella that might include data governance, data ethics, InfoSec, data monetization, privacy compliance, consumer trust & safety, law enforcement response, privacy public policy, etc.?

I think that many organizations are trying to determine what is the right span of control for their Privacy Officer and/or Data Protection officer, and I think that is a good thing. But that being said, you need to look at the skill set of that individual and their team. What does the organization need? What is their data profile? If the organization has a smaller data profile and doesn’t use data for innovation perhaps one individual can handle all of the responsibilities. But, if data is core to the organization’s business strategies, it might be better to expand the data knowledge of the organization by adding a Chief Data Officer or a Chief Data Analytics officer to begin to add additional knowledge and skills. Sometimes one person simply cannot do it all and shouldn’t be asked to.

Q: The pace of change in privacy is accelerating, and yet the more things change, the more it seems basic data hygiene stays the same. Are you concerned about the pace of change? Broadly speaking, what is your strategy for change so that you don’t have to iterate the program for every slight difference?

I think this is a great question. We will always have change; the question is can you design a program that is flexible enough so that it can handle change as part of its built-in methodology. I agree that the basic information principles have remained the same, but the pace of data and the volume of data that many businesses use have increased. This means data management practices have to be able to grow and expand with the changes in business practices. It also means you have to understand not only how your business is changing but how the external landscape is changing as well – what is happening with regulation, with your industry, with your value chain and data eco-system, as all of these elements will also impact your data practices. Like any other aspect of business, these factors must be built into both your privacy and data programs.

TEAM & STAFFING

Q: What are your key factors for determining staffing levels? Department budget?

I have a global team that is continuing to grow and we have open positions…if your readers are interested. The positions range from data strategy positions, to data quality and acquisition roles, to data management and governance positions, to teams that support AI and analytics and teams that build data platforms. It really is a diverse group.

Q: Lots of new hiring these days. What is the top 1 or 2 must-haves when you look at a candidate? How much does exactly on-point legal experience matter compared to say project management or ability to craft a simple business solution? What advice would you give an up and coming privacy lawyer?

When we are recruiting for my team we look for folks that can speak multiple skill languages – data, business and technology – we call these folks data bilinguals, as they have to have the ability to translate requirements between different teams. So I really need folks who are multi-skilled: First, an understanding of business strategy and how data is a key element to achieve that strategy. Second, an understanding of systems and processes and controls so that data can be put to use. Third, an understanding of data risks – privacy, security as well as what an organization or initiative is trying to achieve. So that you can determine what is in and out of bounds.

Don’t get me wrong, my legal background helps every day – it helps me understand the regulatory landscape, guides how to create the next generation of solutions and makes me mindful to create ethical solutions.

TACKLING DATA VALIDITY

Q: What is the top data issue that kept you awake at night as CDO?

I think one issue that we are just beginning to really solve is the issue of data validity, which is one form of data quality. In this age of fake data and data that can be manipulated, how do you ensure that the information you are using is accurate, complete, consistent and from the source that you believe it has originated. While there are techniques to validate lineage, as non-ethical actors continue to manipulate data for their own purposes, we are beginning to push on this issue.

Q: Is this something that only Mastercard peers need to be thinking about or is this role something that every company should be considering?

Any company that has anything to do with data, which is almost every company today, should consider having a Chief Data Officer. The most essential and obvious industries are those in technology and data analytics. In addition, we are seeing CDOs in financial services, larger multinational retail organizations and health organizations begin to be senior roles. The Chief Data Officer’s role is becoming a strategic role that not only assists with innovation but also ensures that data is handled properly and with the consumer always in mind.


 

ABOUT JOANN C. STONIER

JoAnn C. Stonier serves as Chief Data Officer for Mastercard, charged with assisting the organization to innovate with its data assets while navigating current and future data risks. She oversees the curation, quality, governance and management of the company’s extensive data assets as Mastercard increasingly looks to deepen the strategic value it can provide its merchant, banking and government customers and cardholders through its data analytics capabilities and other data services.

JoAnn previously served as the company’s Chief Information Governance & Chief Privacy Officer and within that role she was responsible for worldwide privacy and information governance as well as leading regulatory engagement for data compliance.

JoAnn is a recognized data and privacy thought-leader. She has served on a number of industry boards and organizations in leadership roles. Currently she is on the Board of Advisors for the United Nations Information Governance and Artificial Intelligence Council, the World Economic Forum’s Council of the Future regarding data consumption and she serves on the board of Truata, a trust co-founded by Mastercard and IBM that offers a new approach to handling data anonymization that meets the highest regulatory standards established by the EU-General Data Protection Regulation. In the past JoAnn has received honors and recognitions including being named an Aspen First Movers Fellow, serving on the Board of Directors of the International Association of Privacy Professionals (IAPP) (Chair in 2017), Centre for Information Policy Leadership (CIPL) and the Information Accountability Foundation (IAF).

JoAnn received her Juris Doctorate from St. John’s University and her Bachelor of Science degree from St. Francis College. She holds memberships in the Bar of the State of New York and the Bar of the State of New Jersey. She is based in Purchase, N.Y.

 

To learn more about how JW Michaels can assist with your privacy searches, please contact Lawrence Brown on LinkedIn, Twitter, Email, or Call (832)819-3580.


Captains of Privacy Interview: Anne Fealey, Global Head of Privacy for Citi

November 18th, 2019 Posted by Privacy

As part of our Captains of Privacy Industry Interview series, Lawrence Brown, Sr. VP Legal, Houston had the fortunate opportunity to connect with privacy evangelist Anne Fealey, Global Head of Privacy for Citi. As a proven leader of privacy and information management, Anne is passionate about privacy, the appropriate uses of personal data and the exciting power of data to do great things. Rather than opposites, Anne views these as aligned principles. And her impressive career path with American Express, Prudential and Citi reflects that. We’re thrilled to share Anne’s invaluable insights with you. Enjoy!

Introduction:

Q: What does Citi do?

Citi is a global bank with a mission to provide financial services that enable growth and economic progress. We have over 200 years of banking experience and serve both consumers and institutional clients in more than 160 countries and jurisdictions around the world.

Q: And tell us about your background / path to your current role?

While I was working at American Express in the merchant business negotiating contracts for the sales and marketing teams, privacy increasingly became a key component in many of the negotiations. I later moved from that role to become the global head of privacy for that business and established its privacy program. After seven years, I left American Express for an opportunity to take on the role as the first global Chief Privacy Officer (CPO) at Prudential Financial. In 2018, I became the global CPO at Citi.

Privacy Team Structure and Management Best Practices

Q: You clearly have experience setting up several privacy teams from the ground up. If you were to design a privacy team from scratch, where would the role report? General Counsel/Chief Legal Officer? CCO? COO? Chief Risk Officer? CEO? Etc.

I believe that where the privacy team sits within the broader organization will vary depending on the company. Ultimately, the CPO function should be in the area where it can be most effective, whether that is within the business, in operations, information security or risk and compliance. In very large companies with many different businesses, it is very difficult for a single team to understand the many components and complexities when it comes to personal data. As a result, it is critical to build out a privacy team across the businesses and functions. I believe that buildout is the foundation for a good privacy program. A central privacy team that provides a comprehensive framework and structure (policies, training, tools, etc.) should support the business privacy team. And the cross-functional partners support both teams.

Q: Cross-functional communication and collaboration are obviously key in a successful privacy program. What players need to be peers? CISO? Others?

Depending on where the privacy team reports, the cross-functional partners will differ, but Information Security and Legal will always be essential to an effective privacy program. Compliance and Risk enable the privacy program to align with methodology around reporting for how a company complies with privacy laws and regulations and how it identifies and controls for privacy risks. Other groups that often get overlooked but are just as important are the Government and Public Affairs teams since they often work closely with the privacy team to understand emerging privacy laws and regulations. The Marketing teams also help the privacy professionals understand how their company collects and uses personal data in marketing campaigns. It really does ‘take a village.’

Q: Many companies have moved to having a lawyer in the top privacy spot. Why not Chief Privacy Counsel? Or General Counsel for Data? Does “CPO” title create an expectation that there is no attorney/client privilege? Does the ‘counsel’ add-on generate the expectation of privilege?

I believe that counsel’s role is to provide advice, not make decisions. The CPO similarly provides advice, but often will be asked to make or assist the business in making decisions. For that reason, I believe the roles should remain separate. Traditionally, CPOs have had legal backgrounds because the initial understanding of how companies managed privacy risks was based on laws and regulations. So that legal background helped (and still helps) with that understanding.

Q: Is the proper scope of the role “just privacy” or a broader umbrella that might include data governance, data ethics, InfoSec, data monetization, privacy compliance, consumer trust & safety, law enforcement response, privacy public policy, etc.?

Again, I believe this will depend on the company. That said, I believe the scope of the role has to change as technology changes and the use of technology increases across all areas of business.

Q: In light of this shift, is “Chief Privacy Officer” still the right title?

I think we already are seeing a shift in titles, but for now, the CPO title still works.

Management and Operations:

Q: The pace of change in privacy is accelerating, and yet the more things change, the more it seems basic data hygiene stays the same. Are you concerned about the pace of change? Broadly speaking, what is your strategy for change so that you don’t have to iterate the program for every slight difference?

This question reflects a big part of my planning for the next few years. The pace of change today is intense. Companies can’t simply react to those changes, but must be more proactive. I believe that a privacy program should be assessed against a desired privacy framework (the new NIST Privacy Framework, for example) to determine where the program can and should mature. The levels of maturity desired may differ between companies and industries depending on risks and risk appetites, but creating project plans for reaching that desired level of maturity helps privacy programs to manage change more proactively.

Q: What are the key factors you look at in hiring outside counsel?

Hands-on experience in the field and in the industry – every law firm now has a ‘privacy practice’ but there’s a lot to be said for experience. It is not easy to craft a good outward-facing privacy notice!

Q: Lots of new hiring these days. What is the top 1 or 2 must-haves when you look at a candidate? How much does exactly on-point legal experience matter compared to say project management or ability to craft a simple business solution? What advice would you give an up and coming privacy lawyer?

The experience will depend on the role, of course, but I always look for interest in learning and the ability to work with ambiguity. Right now, privacy professionals are in demand. Something I do is to consider how experience in other areas can be leveraged, and then training someone on privacy specifics, especially when hiring at the entry level. I believe that on-point privacy experience is not as important for someone just out of law school or in the early years of their career. For someone who wants to enter the field or make the switch, I would recommend that they join the International Association of Privacy Professionals (IAPP) and utilize the tools and the community that the IAPP has to offer.

Q: What is the top privacy or data security issue that keeps you awake at night?

I tend to sleep pretty well but the risk of a data breach would disturb that. Breaches are difficult to avoid completely and they must be managed quickly and effectively to ensure that any potential harm to customers and employees is mitigated. In a breach situation, the effort needed to get the situation under control is time-consuming and replaces all other work. But that doesn’t mean the other work goes away.

Q: Anything else you’d like to share?

When I was in law school, I was the student who was looking into ‘alternative’ or ‘non-traditional’ legal careers. So landing in the place I am, where I have found great job satisfaction and enjoyment in working in the privacy field, has been fabulous. But the best part for me is working with such a diverse group of professionals – my colleagues across the world from many different companies are extremely intelligent people who are passionate about their work, and are always willing to share their knowledge and experience. They inspire me every day. I encourage anyone considering a career in privacy to come join us.


ABOUT ANNE FEALEY


A proven leader of privacy and information management, Anne Fealey provides business consultation to businesses on privacy controls, conducting privacy impact assessments, creating privacy control testing and monitoring, and developing privacy training while enabling the appropriate use of data to help customers and clients. As the Global Head of Privacy at Citi, Anne sets the strategy around the appropriate use of personal data.

Prior to joining Citi, Anne served as Chief Privacy Officer for Prudential Financial, in which she directed Prudential’s global businesses and functions in privacy program management, data analytics projects and digital initiatives. Prior to that, Anne served as the data governance lead for the merchant and network businesses at American Express. Anne received her JD from the College of William and Mary, and has written several published articles including one discussing privacy as a property right. Click to read IAPP contributions by Anne Fealey.

 



A Conversation with Orrie Dinstein, Global Chief Privacy Officer at Marsh & McLennan Companies (MMC)

July 23rd, 2019 Posted by Privacy

One of the many high points of JW Michaels is partnering with the most sought-after and talented leaders across a range of industries. Recently, Lawrence Brown, Sr. VP Legal, Houston had the fortunate opportunity to connect with privacy icon Orrie Dinstein, Global Chief Privacy Officer at Marsh & McLennan Companies (MMC) and former Chief Privacy Officer at GE Capital. As a proven expert in Privacy and Data Protection Law, Cybersecurity law, Information Governance, Data Analytics, and AI, Orrie shared invaluable insights from his impressive history working with complex organizations in the financial services industry.

Introduction

Q: What does Marsh & McLennan Companies do?

A: We are a global professional services company with a focus on risk, strategy and people. We have 75,000 employees in over 130 countries, so this is a large organization with clients literally all over the world.

Q: And tell us about your background

A: I started my legal career as an IP litigator. My privacy journey began in 1998, writing privacy policies for websites, but it really took a more serious turn when I joined GE Capital in 2001. Over my 13 years there, I set up and ran three privacy programs, ultimately serving as the CPO of GE Capital. In 2014 I moved to MMC as their first global CPO.

Privacy Team Structure and Management Best Practices

Q: Orrie, you clearly have experience setting up several privacy teams from the ground up. If you were to design a privacy team from scratch, where would the role report? General Counsel/Chief Legal Officer? CCO? COO? Chief Risk Officer? CEO? Etc.

A: My short answer is the role should report where it can be the most effective and that will differ between companies. In my first CPO role at GE, I reported to the CCO, and then I got moved under the GC. In my current role, I first reported to the Chief Risk & Compliance Officer, but now I report jointly to the CIO and the CCO. No matter who you report into, I would say that you want two key elements from your placement in the organization: (1) being visible and effective and (2) being in a position where you are keyed into what’s going on. To me, the first element usually supports a reporting line into Compliance, and the second element means having a reporting line into IT. I have that dual reporting structure in my current role, and it works really well.

Q: Cross-functional communication and collaboration are obviously key in a successful privacy program. What players need to be peers? CISO? Others?

A: Privacy touches all parts of the organization because there’s data everywhere. I see IT and Operations as the core partners. Information security is a second key partner because privacy and security go hand in glove, and when things go wrong, we need to be aligned and work together. The other key partners are HR for employee data, Vendor management for all vendor interactions, and of course the broader Legal and Compliance team provides a lot of our core support in terms of resourcing and support with our day to day work like contracting. While not one of the key players we regularly interact with, I’ve also found Internal Audit to be a really effective partner. So it really takes a village, and here at MMC, these are all great partnerships that help me do my job effectively.

Q: Many companies have moved to having a lawyer in the top privacy spot. Why not Chief Privacy Counsel? Or General Counsel for Data? Does “CPO” title create an expectation that there is no attorney/client privilege? Does the ‘counsel’ add-on generate the expectation of privilege?

A: This is a tough question! Let me start by saying that I would not put a “chief privacy counsel” in charge of a privacy program because, at its heart, the CPO role is not a legal role. So the question then becomes should a CPO always be a lawyer. As a lawyer, I have always had a bias for hiring lawyers to my team in the senior roles because a CPO needs to be able to give legal advice and be able to interpret the law, and I always found it a bit of a strange construct where a CPO needs to consult the privacy counsel in order to give advice. But the reality is that many non-lawyer CPOs know the law as well as the lawyers (if not better) and they rarely go through the formality of consulting legal unless they need to issue formal advice. I have also found that privacy professionals with compliance orientation tend to have a much stronger operational sense and business understanding compared to lawyers. And I can tell you from experience in my own team that our non-lawyers bring a level of business and operational savviness that really brings great value. So at the end of the day, I think there’s no right answer here – there are great CPOs out there who are lawyers and great CPOs who aren’t. The key is to get the right person and if there’s a need for a CPO to work closely with a “chief privacy counsel” to make sure their roles are well defined and there’s no competition over who does what.

As to the attorney/client privilege, clearly where you have a lawyer in the role, it is easier to assert the privilege but let’s not forget that the privilege doesn’t apply automatically to everything I do or say simply because I’m a lawyer. A lot of the CPO work is not privileged by nature. And where it’s important to assert the privilege, companies can easily get the work of the CPO covered by attorney-client privilege (usually through what we call in the U.S. an “Upjohn letter”).

Q: Is the proper scope of the role “just privacy” or a broader umbrella that might include data governance, data ethics, InfoSec, data monetization, privacy compliance, consumer trust & safety, law enforcement response, privacy public policy, etc.?

A: This is a great question, and it is actually part of a transition that is occurring in the way CPOs are looking at their roles and the way companies are looking at the CPO role. Basically, this is all driven by the rise of the importance and value of data. Most companies don’t have a data czar, and they also don’t have a data lawyer, so on both sides when they look around, often all they see is the CPO. And this means CPOs are increasingly asked to weigh in on broader data questions like governance and quality and ethics. But in the last few years, there’s been an emergence of a new role of the Chief Data Officer or CDO. These come in many flavors with some focused on technical elements like building data lakes and managing the data, others are data scientists and focus on the analytics, and others come from a data governance angle. These are all different disciplines, and they require different skills, and sometimes these roles don’t sit under the same structure, leaving a gap in coordination. Add the CPO, the CISO, and maybe a few others who have a stake in data, and it can get messy quickly. So sometimes someone emerges as the leader of the group. And if that leader is not the CPO, then the CPO needs to make sure that his/her role in this structure is understood and valued. The risk CPOs face is that the data discussion is moving away from a privacy/compliance-driven discussion to more of a technical or operational discussion where the CPO’s role is reduced. And of course, the CPO should always make sure he/she is involved in the data strategy and planning discussions with all of these players before the final strategy becomes crystalized so they can make sure to build in privacy by design elements before it’s too late.

Q: In light of this shift, is “Chief Privacy Officer” still the right title?

A: For now it is but as noted above there’s a change happening and I think that in the next 2-3 years we will see more variability in the titles. It reminds me that when I started working at GE, my title had “e-commerce” in it, and GE had a “chief e-commerce lawyer.” One day in 2003 he told all of us that he was changing his title to “chief privacy officer” and we were all shocked that he was not going to have “e-commerce” in his title. Now you would be hard-pressed to find a lot of people who even understand what e-commerce means! So I predict that in a few years we will see a change and maybe “privacy” won’t even be part of the title. And then I have to wonder what the IAPP will do to its name…

Q: How does the CPO role sync with GDPR’s DPO? Different roles or semantics and the same person?

A: Great question. I think the jury is still out on what the European regulators expect from the DPO role. We see a lot of variability in how companies have defined the role, where the DPO sits and what they are expected to do. Some companies are clearly treating the role as a strategic one, and on the other end of the spectrum, I see cases where it is treated as a somewhat junior, bureaucratic one, and most DPOs fall somewhere on that spectrum. I think the DPO title will remain and the DPO role will remain a somewhat narrow role simply because the obligations of the DPO are prescribed in the GDPR and that includes a need to avoid conflicts of interest. So I think it will be hard for DPOs to evolve into a broader data-driven role that the CPOs seem to be pulled into.

Management and operations:

Q: The pace of change in privacy is accelerating, and yet the more things change, the more it seems basic data hygiene stays the same. Are you concerned about the pace of change? Broadly speaking, what is your strategy for change so that you don’t have to iterate the program for every slight difference?

A: The pace of change is my number one concern. We all emerged from a two-year blitz to comply with the GDPR just to fall right into CCPA and LGPD, and of course, there’s new laws all over the world and changes to existing laws, and in the U.S. there’s a constant barrage of new state-level laws. Just reading all the alerts I get requires a few hours every day! And then actually doing something about all these laws feels like an endless game of whack-a-mole. So to me and many of my peers I think the path forward is emerging in the form of a set of global principles we apply everywhere with modifications on unique elements like appointing DPOs or dealing with data localization restrictions on a case by case basis. And that, of course, is easier said than done but as a concept, I think it is where we are heading, and we are spending a lot of time on defining this path forward.

Q: What are your key factors for determining staffing levels? Department budget?

A: I think any CPO on the planet will tell you that they are short on staff and their budget is tiny. Certainly, if we compare ourselves to the information security teams, we fall short by a lot. But to me, the answer is not to think about this narrowly. Going back to the partnerships I mentioned, the key to success is leveraging these partnerships. Getting people from other functions to help champion privacy and to support our projects and to pay for things is the way forward, and it doesn’t all have to fall under the CPO. For example, for GDPR, we had some 700 people working on the project, and we spent in the seven figures. This was not my team and not my budget. But we got the work done, and that’s what matters. And now for CCPA, we are similarly marshaling resources and budgets well beyond the core privacy team and budget.

Q: What are the key factors you look at in hiring outside counsel?

A: I have two core requirements. First, expertise. If you don’t know the answer when I call or within a short while afterward, then you’re probably not the right lawyer. Second, practicality. Privacy laws are often really hard to apply in reality, and there’s a lot of creativity that needs to go into translating what the law says into what we think the regulators expect and what is practical in a business setting. Most regulators I have spoken to are practical and rational, and they apply the law based on something other than a dry reading of the words. I like to work with outside counsel who understand that and ideally have those insights from the regulators. Just telling me what the words are in section X of the GDPR or the CCPA or telling me how big the fine will be if I’m not in compliance doesn’t provide any value.

Q: Lots of new hiring these days. What are the top 1 or 2 must-haves when you look at a candidate? How much does exactly on-point legal experience matter compared to, say, project management or the ability to craft a simple business solution? What advice would you give an up-and-coming privacy lawyer?

A: My view is that experience matters, but there’s a shortage of experienced privacy professionals. We have a huge amount of newbies in the profession, and that means you sometimes need to compromise on experience. The two things I find most valuable are brains and attitude. A smart person who likes and wants to do privacy will learn what they need to be successful. An experienced person who is not as smart or motivated will often not be as productive. I should add that a CIPP certification helps because to me, it shows a commitment to the profession. It’s not about studying and passing the test; it’s about the need to maintain your certification through constant CPE credits. That tells me this person is invested in privacy as a career. And then, of course, we get to more specific needs so, for example, I strongly value the need to have a good PM on my team, and that’s a unique skill set. A good PM is worth more than just adding another privacy person to your team because they bring unique skills and so much of what we do these days is a project by nature and requires the right skills to manage it and move it forward. So my advice to new privacy professionals is to make sure you can show how you will provide value day 1. Companies aren’t law firms – we don’t have time to teach you and grow your skills and knowledge over several years. We need people who can function well from the day after they walk in the door.

Q: What is the top privacy or data security issue that keeps you awake at night?

A: I tend to sleep quite well, but obviously, I worry the most about data breaches. They are hard to totally avoid, and when they happen, you can find yourself in a world of hurt from clients, regulators, and other constituents. That will totally destroy your ability to do anything else while you’re managing the crisis and therefore breaches are a huge disruption to your work. So that keeps me up, not just because of the fear of having to deal with the fallout from a breach but just as much because I fear it will take me away from doing my day job.

Q: Anything else you’d like to share?

A: I started my career as an intellectual property litigator. I morphed into an e-commerce lawyer, and from there, I shifted into technology and privacy work with a short stint working on Y2K matters. Along the way, I worked on a lot of new and emerging issues, and I have to say that of all the things I worked on the privacy work has been by far the most interesting and also the most satisfying. When we do what we do as CPOs, we have a unique role because we are always keeping one eye on what’s right for the company, one eye on what’s right for the individuals whose data we manage and a third eye on what the regulators expect from us. It’s never just about the bottom line, and that’s very satisfying. Additionally, emerging technologies are giving rise to new issues, and that keeps us constantly on our mental toes and makes it so much fun. When I think of the issues I handled 5, 10 and 15 years ago, some of them haven’t really changed much, but there’s a lot of fresh and challenging concerns to contend with (such as AI, Blockchain, Internet of Things) and even more new things heading our way in the coming years. So I think this is the best legal profession to be in and the best time to be in the privacy field.

ABOUT ORRIE DINSTEIN

Orrie Dinstein is the Global Chief Privacy Officer at Marsh & McLennan Companies (MMC). He has global responsibility for data protection, and he works closely with the Legal & Compliance, IT and Information Security teams, as well as other functions, to establish policies, procedures, processes and tools related to privacy and data protection matters. Prior to joining Marsh & McLennan, Orrie was the Chief Privacy Officer at GE Capital.

Orrie received an LL.M. degree in intellectual property from NYU School of Law and is a graduate of the Hebrew University of Jerusalem School of Law. He is a member of the New York State Bar and the Israel Bar. He is a Certified Information Privacy Professional (CIPP) and a frequent speaker on privacy, security, technology and social media matters.

To learn more about how JW Michaels can assist with your privacy searches, please contact Lawrence Brown.

Lawrence Brown Joins Speaker Line-up for IAPP New York KnowledgeNet

September 6th, 2018 Posted by News

IAPP New York KnowledgeNet
Date: September 12, 2018
Topic: DPOs Wanted: Making Your Next Move?
Time: 5:30 – 7:30 p.m.

Speakers:
Lawrence Brown, VP, JW Michaels & Co.
H. Leigh Feldman, CIPP/US, CIPM, FIP, Managing Director, Head of U.S. Privacy, Promontory Financial Group, an IBM Company
Jo Ann Lengua Davaris, CIPP/US, CPO, Mercer
Michelle Perez, CIPP/US, CIPM, Head of Privacy, Samsung Electronics of America
Harry Valetk, CIPP/E, CIPP/US, CIPM, Of Counsel, Baker McKenzie

Thank you to our meeting host, Baker & McKenzie, for providing refreshments.
Capacity for this meeting has been reached. If you would like to be added to the waitlist, please email knowledgenet@iapp.org.

About IAPP
The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, support and improve the privacy profession globally. To learn more visit: https://iapp.org/

JW Michaels & Co. is an executive search firm dedicated to serving the specialized recruiting needs of top-tier financial services, legal, technology and business institutions.

Crain’s NY Business consistently ranks JW Michaels in the top 10 Executive Recruiting Firms – with good reason. We get results.
