Greg Anderson, a DPO based in the US, shares his thoughts on the role of a DPO and how the privacy outlook is looking from a US perspective.
While not entirely new, the role of DPO has certainly seen a meteoric rise in visibility since being enshrined in the GDPR. What was your path to the position?
I have been with Lexmark for fourteen years serving in both Finance and Legal positions. In my role as a customer-facing attorney supporting Enterprise Sales, I became very familiar with Lexmark’s business, how we interact with our customers and vendors, the services we provide, and the systems that support those services. In the process of negotiating complex service and software agreements, I was able to create strong relationships across the business in every department and around the world. The technical side of the business was always of great interest to me and I became very focused on how we were exchanging data with our customers, meeting confidentiality obligations, and solving those complex technical problems for Lexmark and our customers. The combination of this experience with my international background – I spent over eight years prior to my time at Lexmark studying and working abroad, am fluent in French and dabble in several other languages – positioned me well for the role of DPO. For me, it was the unique requirements and challenges of the position that sparked my interest. The combination of business process, legal, and technical issues that we see every day makes DPO a great job – it is certainly never boring.
Many people like yourself come to the DPO role with a legal background. Do you feel it is a requirement to be DPO?
Is it a requirement? No. But it is a very helpful background to have, especially at this point in time. Even with the long history of the [Data Protection] Directive behind us, the GDPR is a new and complex piece of legislation and we are just now beginning to see how it is going to operate in the real world; take CNIL and Google for example. Given that the responsibilities of the DPO include advising on compliance with the regulation, supervising the PIA process, and acting as a point of contact with both data subjects and supervisory authorities, a legal background is a strong foundation for a DPO. The ethics training one receives as an attorney lends itself to understanding and helping meet the intent of the GDPR. As I alluded to earlier, however, the role is a lot more than a traditional ‘lawyer-job’ and the right person for the role at a particular company could certainly come from other disciplines such as privacy, audit, compliance, or contract management. The role is certainly not just a normal compliance role either. To be a truly effective DPO, you have to be an advocate for the concept of privacy.
What other skills do you think are valuable to look for in a DPO?
Passion for the work and for the opportunity to make valuable changes to your organization is vital - not everyone will believe in what you are doing and there can be some very difficult conversations. Personally, I am genuinely ADHD and my natural propensity to multitask is a benefit to the role of DPO. I have the privilege of working across every business and area across every geography and to be very creative and innovative in our problem solving. There is also (ironically?) a very social / interpersonal component to privacy, given the necessary interactions with business leaders, product owners, customers, employees and regulators. I completely understand and respect those who prefer being the expert on one specific issue or who enjoy staying in a narrow lane, but in my experience that is the antithesis of the DPO role.
Lexmark is a U.S.-based company and you are a U.S.-based Global DPO. Lexmark was early in appointing a DPO and seems to be somewhat unique in placing the position in the U.S.; can you comment on the decision process?
I mentioned the CNIL Google decision; one of the very interesting discussions there revolves around the concept of main establishment and the idea of the one-stop shop mechanism – that decision makes it clear that there is still a long way to go before we have a true understanding or consensus on the way those concepts will be applied. What has always been a certainty, in my opinion, is that to be truly effective the DPO must be located near the decision makers and the decision making. As I mentioned, I was an expat for many years and would move back to Europe in a heartbeat but to represent the best interests of the individuals whose data we collect, externally and internally, and do the best job for Lexmark there was no question that our corporate headquarters in the U.S. is where I needed to be based, at least at the outset. Having said that, I am in constant contact with members of the team around the world and spend as much time on the ground in Europe as possible. I am highly accessible to all parts of the organization.
What are the more interesting things you have seen since GDPR became effective?
Aside from the specific decisions that have come out, one of the more interesting issues I have seen is in Italy between the Supervisory Authority and the Tax Agency related to the latter’s electronic invoicing requirement. As of January 1st the eInvoicing obligation, requiring all B2B and B2C invoices to pass through a government portal, became applicable outside of the public sector, but the Supervisory Authority issued a decision that indicates the portal and its implementation are not compliant with the GDPR. The ultimate outcome will be interesting to watch as privacy requirements certainly apply not only in the private sector but to government organizations as well.
The other development that we are paying attention to is the DSAR [data subject access request] as a security threat vector. We have already seen a few instances of the DSAR process being used for marketing purposes and a few where we believe the request may have been a form of pretexting. It is potentially very dangerous – not to mention ironic – as Controllers work hard to respond to legitimate requests.
Are there specific practices or accomplishments at your organization that you can share?
I am very proud of our awareness program – we have actually been recognized with an industry award for our efforts – it is a good example of the opportunity to be creative within the role. We have a branded program, Privacy@Lexmark, with a mascot in the form of a German shepherd puppy, P@L, that is on everything we do including laptop stickers, whiteboards around the world, everything. He is the face of the program and has been well received around the world. It is our way of reaching out on a daily basis and keeping our commitment to the program top of mind.
Privacy by Design is fundamental to any privacy program and our efforts there have been substantial. Lexmark has been able to not only formalize our PbD activity in every one of our development frameworks but we have coupled PbD with our enterprise and product level security offerings to become a true leader in our industry.
Switching gears, there seems to be a lot of movement in the US in terms of privacy legislation – what should European or UK based practitioners know or be aware of?
There has been a lot of focus on the introduction of new laws at both the state and national level as well as an uptick in visible enforcement actions. The Federal Trade Commission has been involved in large privacy-related settlements with OATH and the social media service directed at children, Musical.ly (now TikTok). States have been active before and after the passing of the California Consumer Privacy Act of 2018 (CCPA); Colorado, New York, New Jersey, Oregon, North Carolina, South Carolina, Massachusetts, and Vermont, to name just a few, have passed or are considering privacy-related laws.
It is hard to tell if this will be the year that the U.S. sees a uniform privacy law but there is certainly a lot of movement in that direction. Several draft bills have already been tendered for consideration and there are many other proposals on the table from both the industry and [privacy] advocate side. I have had some involvement in one of those initiatives and there is a lot of attention being paid to the language of the new California law, the GDPR, and the balance between meaningful protection and operational challenges. Interestingly, I have seen more than one call for the eventual investigation or enforcement levelled at individual corporate officers; Intel’s proposed bill contains the potential for both civil and criminal penalties. Eventually, a new federal privacy law will get passed and it is interesting to watch the development. Hopefully the drama of the CCPA is not repeated.
Possibly, the biggest question to be resolved will be that of preemption, that is, how any new federal law will affect existing state laws and what the interaction will be with federal laws such as COPPA and HIPAA-HITECH. Peter Swire has written an excellent two-part article on the issue which is available on the International Association of Privacy Professionals website, IAPP.org.
Thank you Greg!
Find Greg on LinkedIn.