Tell us about your role at Monetate and how you got here.

As Monetate’s Data Protection Officer (DPO) and General Counsel, I lead our legal, contracts, data privacy and HR teams. As DPO, I authored Monetate’s Data Protection Policy, developed internal General Data Protection Regulation (GDPR) best practices and launched Monetate’s data security training. My responsibilities as DPO fall under the compliance responsibilities of my legal role. Prior to joining Monetate in October 2014 as Vice President, General Counsel, I worked in the legal department of a Bay Area biotechnology company, and in law firms in both New York City and San Francisco for ten years before that. I became involved with data privacy immediately after joining Monetate.

What are the key tenets of your role as a Data Protection Officer and how do you fulfill them?

My main role as Monetate’s DPO is to ensure every single one of our employees is prepared for and educated on the General Data Protection Regulation (GDPR). It’s an initiative I have been managing since 2016, and it incorporates the following key activities:

Awareness: Everyone at Monetate is aware of the GDPR and knows that it does not just impact our European clients and colleagues. It is critical that all parts of the business are sharing feedback and questions from clients so that we are all on the same page on how to address any concerns and to head off a few worries before they arise.

Education/Training: The GDPR touches every part of our business, so we have to make sure that everyone understands what is required and how it affects them. Our teams also have to be updated whenever the authorities issue guidance in order to best understand how the GDPR is being interpreted.

Auditing/Updating: Once the processes are in place they have to be tested, reviewed and updated as necessary to ensure we are remaining within the GDPR compliance guidelines

Keep it Simple and Make it Relevant: An effective privacy program demands that anyone involved fully understands it. I try not to overcomplicate things and especially try to make things relevant to individual Monetate employees’ roles and our business model. I would love to say that I make compliance training fun, but that might be a stretch.

Do you think data management and marketing technology companies are prepared enough for GDPR?

Data management and marketing technology companies will never be prepared “enough.” Many companies are spending significant amounts of time getting ready, but whether that means they are actually ready is a different matter. This reminds me of something I learned a while ago: if you are nervous that you are not 100 percent prepared for something then it is likely that you have drilled down on the matter so far that it is the minutiae keeping you up at night. In comparison, someone who is confident that they are 100 percent prepared, might not have spent enough time on the matter and have a false sense of security. I think (and hope) a lot of companies fall into the first group – especially now that the compliance deadline has passed.

Someone in a compliance role will never be able to say they are prepared enough, as remaining compliant is a continual, ongoing job of ensuring everyone involved with the company (employees, customers, third-party vendors, etc.) is adhering to guidelines.

How would the American tech industry evolve with GDPR-like regulations?

The data privacy principles outlined in the GDPR are not new and they are not unique to the EU­. Many American best-in-class marketing organizations and tech companies have operated under similar principles for a long time. These principles may not track to be identical to those under the GDPR, but they are not all that far off.

One big evolution that the GDPR and other privacy regulations have sparked is in the technology and jobs created in the data privacy sector and privacy-related roles. We are definitely seeing a huge increase here already as the privacy field continues to expand globally.

Given the way B2B companies drill audience and customer data, what steps should data officers take to prevent GDPR fines?

It’s simple: keep the data secure. DPOs must make sure their companies are not using any of the data being processed on the customers’ behalf unless the customer has consented to it. Developers must ensure they employ privacy by design and by default early on when developing a product workflow.

They should also make sure to update the data privacy team during the development lifecycle if the treatment of personal data changes. Document everything!

Lastly, they must identify all of the company’s data flows, and not just focus on the company’s product. If the company has EU clients, then it is marketing in Europe and compliance obligations under GDPR have shifted from processor to controller (same if there are EU-based employees). Do not forget about these data flows.

What other data privacy regulations exist in the ecosystem? Do you see any more regulations coming by 2020?

Many regulations already exist, but the biggest is the EU ePrivacy Regulation. Data management executives have been waiting for this to be finalized for almost two years now, with no guidance as to when it will be completed. This was supposed to become effective simultaneously with the GDPR, but issues remain.

We also still need to see how some of the provisions under GDPR will be implemented. The supervisory authorities need to issue an opinion on certifications, codes of conduct, updated standard contractual clauses, etc.

There is some discussion among Canadian data privacy professionals that Canada will also need to update its data privacy law (PIPEDA) to maintain its adequate protection classification under the GDPR. Additionally, China passed its data security law last July and created a new agency to implement it. However, we are still waiting for that agency to provide final guidance on subjects like data export.

In the United States, California residents will consider the CA Consumer Privacy Act this November, which will provide California residents with EU-like transparency into how their personal data is used. Other states might look to pass data privacy laws – particularly in light of the Cambridge Analytica findings.

These are just the laws, but what about the court cases, primarily the European Court of Justice decision on whether the Standard Contractual Clauses remain a valid method of transfer of personal data outside of the EU; will the US-EU Privacy Shield get renewed? And how will the UK be treated post-Brexit?

At Monetate, we are actively considering these questions and how the answers may impact our own compliance strategies as the impact of the GDPR and the era of data transparency continues to unfold.

What are your predictions on the future of data privacy? Could it fight the malice of e-terrorism and data stealing in any way?

More US citizens are starting to ask the questions that EU residents have been asking for years specific to what data is being stored and why. This has especially increased in light of recent high-profile data breaches like the Cambridge Analytica one.

As for fighting e-terrorism and data stealing, prevention starts with awareness for both the individuals providing data and the companies that process it. New data privacy laws are forcing companies to reevaluate and use best practices, such as company-wide data security training. Human error is a top cause for data breaches, and training and awareness will help cut down on these unforced causes and possibly reduce the harm done by them.

What startups in the data technology industry are you watching keenly right now?

While I’m not familiar with any startups in the data technology industry, I do follow International Association of Privacy Professionals (IAPP) – of which I am a member – for information on global privacy matters. I also follow One Trust, TrustArc and Data Guidance for information on compliance technology.

How do you prepare for an AI-centric world as a data protection officer?

The development of AI is having huge implications on not only marketing and business but also the role of the Data Protection Officer. At Monetate, we’ve responded to these changes by employing Privacy by Design and Privacy by Default. Privacy by Design is about ensuring that all of the data privacy principles are incorporated into our products, on top of guaranteeing security. Through this principle, we’ve been able to clearly establish what our product is able to do and confirm that it only collects as much personal data as necessary to accomplish that goal (otherwise known as data minimization). In my role, I’ve also helped us ensure that all possible safeguards have been considered in the design so that the impact on an individual’s privacy is minimized.

How do you inspire your people to work with technology?

I try to inspire people to consider how the technology we use may affect others, as well as affect our business. When I discuss using new technology with my colleagues I ask that they assess the good and bad (or the risks and rewards) of the proposed use.

In writing our Data Protection Policy and launching our data security training, I hoped to inspire Monetate employees to work with technology carefully. Having technology at our fingertips is extremely convenient, but it also makes it that much easier to mess up. Though email is the best channel for communication, its use can lead to unintended consequences. For instance, it’s easy to sometimes forward something to someone that you shouldn’t have, or copy the wrong email into the chain. I hope that Monetate employees can hone these lessons to use technology for its great advantages while keeping in mind all of its capabilities as well.

One word that best describes how you work.

Informed. Being informed allows me to collect as many details and assess the best course of action (which is crucial for a Data Protection Officer – especially in the age of the GDPR!).

What apps/software/tools can’t you live without?

Outside of my iPhone and laptop, I have a wireless sous vide that I use a few times a week. I am terrible with directions, so I rely heavily on my GPS, regardless of where I am going. I use the New York Times app and Twitter daily to read the news. YouTube lets me catch up on late night TV around my busy schedule.

What’s your smartest work related shortcut or productivity hack?

My smartest work-related shortcut is not to take any. This cuts down on errors and having to go back and do things over. It also lets me move on once I make a decision, rather than dwelling on it and letting my to-do list pile up.

What are you currently reading? 

Currently, I’m reading a biography on Ulysses S. Grant. I stick mainly to non-fiction with no preference for subject matter or time period. I try to rotate so that I do not stick to one topic or era for too long.

I consume information in a number of ways. I prefer to read books in paper format, I read the New York Times archive edition online and I follow a number of other news sources on Twitter.

What’s the best advice you’ve ever received?

Don’t be afraid (or ashamed) to admit that you are wrong or do not understand something.

Something you do better than others – the secret of your success?

I’m always open to learning and never discriminate as to who I can learn something from. While someone may be experienced in one topic, it does not mean people with less experience can’t enlighten them.

Tag the one person in the industry whose answers to these questions you would love to read:

Elizabeth Denham (UK Information Commissioner)

Thank you, Dave! That was fun and hope to see you back on MarTech Series soon.