Rita Heimes: Presently I am still spending more time as the research director than anything else.

RH: They do right now. [long pause followed by laughter] I wouldn’t recommend it to everyone, but we are a unique organization. And we’re also a very tiny company. We still have fewer than 200 employees. I don’t know of many companies that are organized like the IAPP, are growing like the IAPP or have the mission of an organization like ours. Which is why it’s such a great place to work.

RH: It’s the No. 1 privacy year over the years. Only, I suppose, to be outdone by 2019. But 2018 is absolutely the biggest ever. Why? GDPR. Period. We could see this coming, because there was the announcement in 2016. There was that nice 24-month lead-up. We weren’t expecting to have the California Consumer Privacy Act come along right after the GDPR went into effect, but there it is. And when you see that Ohio and Colorado and Vermont and these other states—of course there’s the Illinois Biometric Privacy Law—we are starting to notice that even in the United States privacy law is growing in importance. And states are taking cues from the Europeans to apply their law to anyone who has residents’ data in their system. Everybody is trying to outdo each other in terms of jurisdictional scope. There’s Brazil, India. I mean it’s just not stopping.

RH: I’m personally interested in the DPO statistics, and the finding that so many entities have appointed a DPO. In our survey [most members are from the U.S., the EU and Canada], three out of four companies have a DPO now. But here’s the other piece of that that I think is worth calling out. The GDPR is one of the first laws that we know of to require that there be a privacy professional hired by the company. It doesn’t have to be an in-house position. But you do have to have someone. You’re responsible for this function. There are very specific definitions of which organizations must have a DPO. If you don’t fall within those specific requirements, you don’t have to have one. I’m sure that many of the companies that appointed a DPO are not obliged by the law to have a DPO. Nevertheless, 52 percent thought that the law required them to have one.  The other half—48 percent—just did it anyway. This is an optics as well as a practical move. It looks good to your business partners. It looks good to your customers. It looks good to a regulator that you appoint someone not just to take care of privacy internally, but to understand the GDPR in particular. And to really know that law well enough to try to implement it internally, even if you’re a U.S.-based company, that’s huge. I don’t think that European law, in recent history, has forced U.S. companies to make such a big public display of compliance. Pretty cool! 

RH: Yes. It certainly is more efficient for a company, whether they’re in a B to B or B to C or blended environment, to approach their data subjects with a common set of operations rather than segregating their customers by geography. And that’s just pragmatic. If you’re going to build operational systems and protocols and even intake forms, it creates more work for people. If you can treat everyone the same, with the highest level of privacy protection, it can ultimately create massive efficiencies for you across the organization and probably reduce error.

     A huge piece of this is that in the business-to-business context, companies expect of their business partners that they will be GDPR compliant—or that they will at least look like they are. My assessment of what’s happening now is that it is business partnerships and vendor relationships that are driving GDPR compliance massively. It is expectations of having employees in Europe that is also contributing significantly to GDPR compliance, and that over time consumers will probably not assert their rights as often as they can, and that it will still be business-to-business relationships that support all of this privacy infrastructure and compliance activity.

RH: Oh absolutely. You can’t get anyone’s attention for legal compliance without real enforcement teeth.

RH: We should not overlook the California Consumer Privacy Act. California is the fifth biggest economy [in the world]. Its law is confusing, complicated and very, very broad. It applies to any business that processes the data of a California consumer, and that’s defined as a resident of California. It doesn’t exclude employees from that definition, so companies that are based in California or have employees in California think at the moment—and there’s no one to contradict them—that the consumer privacy act actually applies as well to their employees. It grants some GDPR-like rights of access and erasure to consumers and employees. It gives them the right to prevent the sale of data, which is going to gum up all sorts of commercial transactions from the financial technology sector and banking to ad tech. It will affect publishing companies that rely on ad revenue. It’s a big deal! It is a very close No. 2. 

RH: It sure could. It’s probably at least as likely as unlikely. It’s not a partisan issue, as far as I know. Industry wants it, which makes it all the more likely to happen. Obviously consumer advocacy groups do, too. If I was betting, I’d say sure we’ll have something. But will it be meaningful and truly protective of consumer privacy? That remains to be seen. I’m very interested to see if the U.S. also thinks of this as a trade issue, which is partly how I perceive of it. It would be neat to see if Congress considers legislation as a demonstration of the U.S. taking privacy seriously from a global trade perspective.

RH: The largest companies in the United States that are interested in privacy issues probably also have business interests in the European Union. So it’s not as if being legislated for privacy is new to them now. And one system is much more efficient than several different systems. Also consumers are paying some attention to the public perceptions of the privacy sensitivity of an organization. And they are sometimes willing to vote with their dollars on privacy matters. So who wants to come out against privacy law? It just looks bad. I do think that it will be an interesting space to watch in terms of these big companies that you were talking about taking a public stance for or against a privacy law when they already have to comply with one anyway.

RH: When I was working on the faculty of the University of Maine School of Law, running the Center for Law and Innovation. Our alumnus, Trevor Hughes [the IAPP’s founder and CEO], gave me a call in 2010, and I went down and met with him at the IAPP offices in York, Maine. At the time the IAPP had just a couple of dozen employees, and they were in this converted barn in rural Maine.

RH: Actually, it really started with Trevor as a part-time employee working out of a little rented office in York with his coffee maker and his dog. And to this day, the IAPP is a dog-friendly, casual office. It was important to Trevor that life be part of work, and work be part of life. So it’s a pretty big part of our culture. He and I talked quite a bit about how the law school should be thinking about helping the students prepare for careers in privacy, either as a component of what they do in private practice or even to take in-house positions. So that was my first significant exposure to the subject.

RH: I have been a lawyer interested in technology and tech companies since the mid-1990s. And I’ve constantly struggled—especially since moving to Northern New England—to find the sweet spot for where my interest in science and technology could be continuously engaged with my legal skills. But when I was thinking about helping my students get careers in privacy law, it suddenly occurred to me that maybe I wanted one of my own.

RH: After spending 14 years in academia, including as a clinical professor, which allowed me to continue to practice, I hadn’t lost my skills. And after spinning out into private practice briefly, just to remind myself what it felt like, this job at the IAPP turned out to be a perfect fit for everything that I’ve been doing in my legal career. As research director, I am responsible for continuing to do essentially scholarship—thinking about how the law works and how you apply it on a daily basis, and writing it for the benefit of others. I get to teach because the people who work with me are junior lawyers or even law students. We work with three law schools in our region to bring students in to work in internships or externships or co-ops with us throughout the semester. So I always have students working with me. And I get to practice because I’m the DPO and the general counsel now. It’s like the three things that I’ve been trying to be good at in my professional life I get to do all at the same time—in a field of law that is fascinating, dynamic and hopefully growing enough to carry me through the rest of my legal career.

RH: My first role here was the research director title. There had never been one before. So the position was created for me. It took a little while for me to figure out what I could contribute and how to do it well. About a year into the job, Trevor asked me to consider actually being a privacy professional as well as writing about them. And his pitch was: If you are a privacy pro for the IAPP, it will make you better at being research director, because you’ll have an empathy and understanding for what it is that our members do all day. And it turns out he was totally right about that.

RH: That began just in the last couple of months. We decided that the IAPP probably should have someone filling the general counsel role, and that I was really the only logical choice internally to fill that position. There are only four lawyers here.  Most of our members, by the way, are not attorneys.

RH: [laughs] Listen, we are growing so rapidly that each of us has had to take on more and more responsibility simply to make sure that everything gets done. For now, it makes sense for some of us just to balloon out a little bit in terms of our operational responsibilities. And when one of them becomes too all-consuming, potentially split that off, or find ways to delegate pieces of our responsibilities to others. I’ve never worked at an organization that has grown at the pace of the IAPP. I don’t think many people have.

RH: Most of what we do scales incredibly well. We may need to have more people in our member services unit, because there are many more inquiries coming in. But when you want to take an IAPP exam, any number of people can take that exam all at the same time. We don’t need to add other people for that. Many of our trainings scale incredibly well. Once you’ve built and developed training, you can offer it—especially the recorded versions—to as many people as you want. However, as more and more companies desire privacy training, and GDPR training specifically, that means more deals. More contracts to review. So it turns out that the deal flow that comes from growing as a company that has products and services in high demand is what really tipped the scale in the need for someone to play the in-house GC role.

RH: Of course. I think the biggest ones are practical. Privacy is a specialty area. It requires pretty deep and wide knowledge of a lot of different legal regimes and technical processing. It requires a lot of team building and communication internally. The privacy position is usually the privacy leadership position. And so you’re coordinating, and training, and communicating and crowdsourcing all the time. That takes time and it takes a certain skill set. And it may or may not be something the general counsel has time for. That’s probably the biggest reason why general counsel and privacy folks would not be the same person. Now that I am the general counsel, it’s a very narrow set of responsibilities and it has almost nothing to do with privacy.

     If you’re asking about the ethical considerations, I have to say I think that depends. The GDPR expects that the DPO will not have a conflict of interest when it comes to making decisions about how data is processed by the company. They’re ideally to represent the consumers—the data subjects—as well as the company in making risk   decisions on data processing. So if your exclusive perspective is that of the company’s risk profile, then maybe you’re not representing the data subjects as thoroughly as you ought to, according to the way the GDPR conceives of the position. So there’s a potential for the general counsel and the DPO roles to be in conflict, and that would mean then that it’s not suitable for the GC to be the DPO. I tend to think that in many companies, especially small ones, you just have to work with what you’ve got. And it’s more important, on balance, to have someone with subject matter expertise and a legal background making those decisions and working through the risk assessments. [Jason Straight also addresses this issue in our related article.]

RH: Having enough resources to get done the mountains of work on their desks. Because there is so much happening right now. It’s not as though you get up to GDPR compliance and then you go on a three-month vacation. GDPR compliance is not a May 25th thing. It is a constant responsibility. You always have new risk assessments. You always have new data subject requests. You always have new issues come up that you have to go back and read the law all over again. Just having support from their leadership and having enough financial and staffing resources to make sure the balls don’t get dropped is the No. 1 issue that everybody faces. Me included.

December 2018