Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

December 2018
The general counsel of the IAPP has a thing or two to say about that.
DECEMBER 1, 2018
It’s been a busy year for privacy attorneys. So it follows that it’s been a busy year for the International Association of Privacy Professionals (IAPP). How busy? Rita Heimes says they started 2018 with fewer than 30,000 members. At last count the organization, which was founded in 2000, was up over 46,000, and it could soon hit 50,000. “It’s been a mind-boggling year,” she says. And she should know. She’s the research director, and, like a lot of employees at small, growing companies, she has to wear more than one hat. A couple of years ago she added the role of data protection officer (DPO). A few months ago she added one more: general counsel. Based in Maine, near the association’s headquarters in Portsmouth, N.H., and close to the Canadian border, Heimes has achieved in three years the IAPP equivalent of ice hockey’s “hat trick” (three goals scored by one player, which fans reward by throwing hats onto the ice). She talked about the challenges and the excitement—and what she expects in the year to come.

CyberInsecurity News: Which job do you consider your primary one?
Rita Heimes: Presently I am still spending more time as the research director than anything else.

CN: Do they work well together?
RH: They do right now. [long pause followed by laughter] I wouldn’t recommend it to everyone, but we are a unique organization. And we’re also a very tiny company. We still have fewer than 200 employees. I don’t know of many companies that are organized like the IAPP, are growing like the IAPP or have the mission of an organization like ours. Which is why it’s such a great place to work.

CN: So far 2018 seems like it’s already been a huge year for data privacy. How does it rank in importance, as you look back over the years?
RH: It’s the No. 1 privacy year over the years. Only, I suppose, to be outdone by 2019. But 2018 is absolutely the biggest ever. Why? GDPR. Period. We could see this coming, because there was the announcement in 2016. There was that nice 24-month lead-up. We weren’t expecting to have the California Consumer Privacy Act come along right after the GDPR went into effect, but there it is. And when you see that Ohio and Colorado and Vermont and these other states—of course there’s the Illinois Biometric Privacy Law—we are starting to notice that even in the United States privacy law is growing in importance. And states are taking cues from the Europeans to apply their law to anyone who has residents’ data in their system. Everybody is trying to outdo each other in terms of jurisdictional scope. There’s Brazil, India. I mean it’s just not stopping.

The GDPR is one of the first laws that we know of to require that there be a privacy professional hired by the company.

CN: On a more granular level, the IAPP has conducted a survey for the past few years. What are some of the notable trends you picked up in the most recent one?
RH: I’m personally interested in the DPO statistics, and the finding that so many entities have appointed a DPO. In our survey [most members are from the U.S., the EU and Canada], three out of four companies have a DPO now. But here’s the other piece of that that I think is worth calling out. The GDPR is one of the first laws that we know of to require that there be a privacy professional hired by the company. It doesn’t have to be an in-house position. But you do have to have someone. You’re responsible for this function. There are very specific definitions of which organizations must have a DPO. If you don’t fall within those specific requirements, you don’t have to have one. I’m sure that many of the companies that appointed a DPO are not obliged by the law to have a DPO. Nevertheless, 52 percent thought that the law required them to have one.  The other half—48 percent—just did it anyway. This is an optics as well as a practical move. It looks good to your business partners. It looks good to your customers. It looks good to a regulator that you appoint someone not just to take care of privacy internally, but to understand the GDPR in particular. And to really know that law well enough to try to implement it internally, even if you’re a U.S.-based company, that’s huge. I don’t think that European law, in recent history, has forced U.S. companies to make such a big public display of compliance. Pretty cool! 

CN: I’ve been talking to privacy professionals who advise companies that are not under the jurisdiction of the GDPR, and they have been discussing whether it makes sense to adopt the most stringent standards across the board. Otherwise companies will constantly have to figure out, case by case, where their customers are located and which standards apply in each situation. Are you seeing a lot of companies taking that approach?
RH: Yes. It certainly is more efficient for a company, whether they’re in a B to B or B to C or blended environment, to approach their data subjects with a common set of operations rather than segregating their customers by geography. And that’s just pragmatic. If you’re going to build operational systems and protocols and even intake forms, it creates more work for people. If you can treat everyone the same, with the highest level of privacy protection, it can ultimately create massive efficiencies for you across the organization and probably reduce error.
     A huge piece of this is that in the business-to-business context, companies expect of their business partners that they will be GDPR compliant—or that they will at least look like they are. My assessment of what’s happening now is that it is business partnerships and vendor relationships that are driving GDPR compliance massively. It is expectations of having employees in Europe that is also contributing significantly to GDPR compliance, and that over time consumers will probably not assert their rights as often as they can, and that it will still be business-to-business relationships that support all of this privacy infrastructure and compliance activity.

CN: What about the GDPR’s fine of up to 4 percent of a company’s annual global revenue. Do you think that’s why we’re seeing such a robust response immediately?
RH: Oh absolutely. You can’t get anyone’s attention for legal compliance without real enforcement teeth.

CN: Sometimes the year’s biggest development is so big, it’s not even worth talking about what’s in second place. Is that the kind of year it’s been? Or are there other developments we shouldn’t overlook?
RH: We should not overlook the California Consumer Privacy Act. California is the fifth biggest economy [in the world]. Its law is confusing, complicated and very, very broad. It applies to any business that processes the data of a California consumer, and that’s defined as a resident of California. It doesn’t exclude employees from that definition, so companies that are based in California or have employees in California think at the moment—and there’s no one to contradict them—that the consumer privacy act actually applies as well to their employees. It grants some GDPR-like rights of access and erasure to consumers and employees. It gives them the right to prevent the sale of data, which is going to gum up all sorts of commercial transactions from the financial technology sector and banking to ad tech. It will affect publishing companies that rely on ad revenue. It’s a big deal! It is a very close No. 2. 

It would be neat to see if Congress considers legislation as a demonstration of the U.S. taking privacy seriously from a global trade perspective.

CN: But it doesn’t come into effect until 2020. And it could be pre-empted by federal legislation. Speaking of which, do you think a federal privacy law will be passed and signed into law?
RH: It sure could. It’s probably at least as likely as unlikely. It’s not a partisan issue, as far as I know. Industry wants it, which makes it all the more likely to happen. Obviously consumer advocacy groups do, too. If I was betting, I’d say sure we’ll have something. But will it be meaningful and truly protective of consumer privacy? That remains to be seen. I’m very interested to see if the U.S. also thinks of this as a trade issue, which is partly how I perceive of it. It would be neat to see if Congress considers legislation as a demonstration of the U.S. taking privacy seriously from a global trade perspective.

CN: But most of the big tech companies have lots of reasons to be wary, don’t they?
RH: The largest companies in the United States that are interested in privacy issues probably also have business interests in the European Union. So it’s not as if being legislated for privacy is new to them now. And one system is much more efficient than several different systems. Also consumers are paying some attention to the public perceptions of the privacy sensitivity of an organization. And they are sometimes willing to vote with their dollars on privacy matters. So who wants to come out against privacy law? It just looks bad. I do think that it will be an interesting space to watch in terms of these big companies that you were talking about taking a public stance for or against a privacy law when they already have to comply with one anyway.

CN: When did you first get interested in privacy and what was the appeal?
RH: When I was working on the faculty of the University of Maine School of Law, running the Center for Law and Innovation. Our alumnus, Trevor Hughes [the IAPP’s founder and CEO], gave me a call in 2010, and I went down and met with him at the IAPP offices in York, Maine. At the time the IAPP had just a couple of dozen employees, and they were in this converted barn in rural Maine.

CN: Is that where it started?
RH: Actually, it really started with Trevor as a part-time employee working out of a little rented office in York with his coffee maker and his dog. And to this day, the IAPP is a dog-friendly, casual office. It was important to Trevor that life be part of work, and work be part of life. So it’s a pretty big part of our culture. He and I talked quite a bit about how the law school should be thinking about helping the students prepare for careers in privacy, either as a component of what they do in private practice or even to take in-house positions. So that was my first significant exposure to the subject.

CN: What made you veer in this direction?
RH: I have been a lawyer interested in technology and tech companies since the mid-1990s. And I’ve constantly struggled—especially since moving to Northern New England—to find the sweet spot for where my interest in science and technology could be continuously engaged with my legal skills. But when I was thinking about helping my students get careers in privacy law, it suddenly occurred to me that maybe I wanted one of my own.

CN: How did it all come together?
RH: After spending 14 years in academia, including as a clinical professor, which allowed me to continue to practice, I hadn’t lost my skills. And after spinning out into private practice briefly, just to remind myself what it felt like, this job at the IAPP turned out to be a perfect fit for everything that I’ve been doing in my legal career. As research director, I am responsible for continuing to do essentially scholarship—thinking about how the law works and how you apply it on a daily basis, and writing it for the benefit of others. I get to teach because the people who work with me are junior lawyers or even law students. We work with three law schools in our region to bring students in to work in internships or externships or co-ops with us throughout the semester. So I always have students working with me. And I get to practice because I’m the DPO and the general counsel now. It’s like the three things that I’ve been trying to be good at in my professional life I get to do all at the same time—in a field of law that is fascinating, dynamic and hopefully growing enough to carry me through the rest of my legal career.

CN: How did your role evolve?
RH: My first role here was the research director title. There had never been one before. So the position was created for me. It took a little while for me to figure out what I could contribute and how to do it well. About a year into the job, Trevor asked me to consider actually being a privacy professional as well as writing about them. And his pitch was: If you are a privacy pro for the IAPP, it will make you better at being research director, because you’ll have an empathy and understanding for what it is that our members do all day. And it turns out he was totally right about that.

CN: And what was the evolution that occurred when you added the general counsel position?
RH: That began just in the last couple of months. We decided that the IAPP probably should have someone filling the general counsel role, and that I was really the only logical choice internally to fill that position. There are only four lawyers here.  Most of our members, by the way, are not attorneys.

CN: And why you? Because you had so much free time, with only two jobs?
RH: [laughs] Listen, we are growing so rapidly that each of us has had to take on more and more responsibility simply to make sure that everything gets done. For now, it makes sense for some of us just to balloon out a little bit in terms of our operational responsibilities. And when one of them becomes too all-consuming, potentially split that off, or find ways to delegate pieces of our responsibilities to others. I’ve never worked at an organization that has grown at the pace of the IAPP. I don’t think many people have.

CN: How has that affected the work?
RH: Most of what we do scales incredibly well. We may need to have more people in our member services unit, because there are many more inquiries coming in. But when you want to take an IAPP exam, any number of people can take that exam all at the same time. We don’t need to add other people for that. Many of our trainings scale incredibly well. Once you’ve built and developed training, you can offer it—especially the recorded versions—to as many people as you want. However, as more and more companies desire privacy training, and GDPR training specifically, that means more deals. More contracts to review. So it turns out that the deal flow that comes from growing as a company that has products and services in high demand is what really tipped the scale in the need for someone to play the in-house GC role.

CN: Are there reasons it may not make sense for the general counsel of a company to also function as its data protection officer?
RH: Of course. I think the biggest ones are practical. Privacy is a specialty area. It requires pretty deep and wide knowledge of a lot of different legal regimes and technical processing. It requires a lot of team building and communication internally. The privacy position is usually the privacy leadership position. And so you’re coordinating, and training, and communicating and crowdsourcing all the time. That takes time and it takes a certain skill set. And it may or may not be something the general counsel has time for. That’s probably the biggest reason why general counsel and privacy folks would not be the same person. Now that I am the general counsel, it’s a very narrow set of responsibilities and it has almost nothing to do with privacy.
     If you’re asking about the ethical considerations, I have to say I think that depends. The GDPR expects that the DPO will not have a conflict of interest when it comes to making decisions about how data is processed by the company. They’re ideally to represent the consumers—the data subjects—as well as the company in making risk   decisions on data processing. So if your exclusive perspective is that of the company’s risk profile, then maybe you’re not representing the data subjects as thoroughly as you ought to, according to the way the GDPR conceives of the position. So there’s a potential for the general counsel and the DPO roles to be in conflict, and that would mean then that it’s not suitable for the GC to be the DPO. I tend to think that in many companies, especially small ones, you just have to work with what you’ve got. And it’s more important, on balance, to have someone with subject matter expertise and a legal background making those decisions and working through the risk assessments. [Jason Straight also addresses this issue in our related article.]

CN: What do you think the biggest concerns of IAPP members are right now?
RH: Having enough resources to get done the mountains of work on their desks. Because there is so much happening right now. It’s not as though you get up to GDPR compliance and then you go on a three-month vacation. GDPR compliance is not a May 25th thing. It is a constant responsibility. You always have new risk assessments. You always have new data subject requests. You always have new issues come up that you have to go back and read the law all over again. Just having support from their leadership and having enough financial and staffing resources to make sure the balls don’t get dropped is the No. 1 issue that everybody faces. Me included.