Podcast - Bowling with Bumpers: Using a Privacy Framework to Set Your Company Up for a Strike
In this episode of the "Two Byte Conversations" podcast series, Data Strategy, Security & Privacy attorney Kevin Angle discusses the importance of privacy management and different frameworks with Bethany Singer-Baefsky, Group Chief Privacy Officer at National Grid. They cover ethical data stewardship that extends beyond regulatory compliance, the differences between global privacy regulations, examples of strong privacy frameworks and how to measure the efficacy of your company's protocols.
Kevin Angle: Today, we're going to talk about privacy management. As data stewards, businesses have responsibilities to protect privacy, even in the absence of specific legal requirements. We'll discuss best practices for privacy operations and how compliance programs are informed by consumer trust and data ethics, in addition to legal requirements. I'm Kevin Angle, senior counsel for the Data Strategy, Security & Privacy practice here at Holland & Knight, and my guest today has been developing privacy programs across multiple industries and companies, both big and small, for over a decade. Bethany Singer-Baefsky is currently the Group Chief Privacy Officer at National Grid, a multinational gas and electric utility company with operations in New York, Massachusetts and the United Kingdom. Before that, she worked as a DPO for businesses headquartered here in Massachusetts and in Canada, and even had time to get an LL.M. at Leiden University in the Netherlands. Bethany, welcome to the podcast.
Bethany Singer-Baefsky: Thank you so much for having me, Kevin. Really happy to be here.
Kevin Angle: Big picture question for you: You've been working in privacy for quite some time. How would you answer the question if somebody, you know, one of your business leaders asked you why is privacy important?
Bethany Singer-Baefsky: Yeah, I mean, it's a really great question. You actually get that a lot. I'm sure you've seen this a lot in your work as well, where you have aspects of the business where they just don't necessarily understand the value of having a robust privacy program in place. And it's almost like a multilevel thing, right? Because there's the value that comes from being compliant with the law, and, of course, that's always going to be of value with privacy. But the piece beyond that is really the consumer trust aspect of it. We are providing a — by "we," I just mean whatever business you're working for, the grand royal "we," are providing a service or a product to our customers. They are trusting us to deliver that product in a safe and secure manner. And as part of that, we have to collect their personal information. And so part of that safe and secure delivery is going to be protecting the privacy of their information and building up that trust. And it really is honestly good marketing, it's good sales practices. Well, even, you know, just, just getting into the business side of things to be able to have that rapport with a customer, that relationship with the customer where they trust you to protect the information that they're sharing with you as part of your product delivery.
Kevin Angle: So I'm 100 percent on board with you, not surprisingly. I do, particularly as outside counsel, often have the problem of, you know, businesses or others will come to me and they'll say, well, what are the fines out there? And you often look at privacy fines and sometimes they're not multibillion dollars, although there are some multibillion-dollar settlements. Do people in your organization, I mean, do they buy what you're saying about consumer trust? How do you get them on board?
Bethany Singer-Baefsky: So it is a cultural issue in a lot of places. I will readily admit that where I currently work, it's less of an issue because we are a regulated utility. And so there is an aspect there of you do the right thing and you comply with the law and it's just what you do. But I've worked at other companies where it is a little bit more of an uphill battle to get people to understand that it's not just about the fines. Right? The fines, that's one thing, that's the stick. But what about the carrot? The carrot piece is what people tend to forget. And so, yes, you absolutely can take a risk-based approach and say, well, based on the size of our organization, where we're operating, what laws are applicable, the scrutiny that we've gotten from regulators before or not, you know, here's our likelihood of getting fines and here's what the fines would be for whatever category or class of violation. But is that really how we want to be thinking about our data management, is through that lens of what can we get away with? I mean, that's generally a slippery slope to all kinds of other unethical practices. You know, if you're OK with doing the bare minimum for data, what else are you OK with doing the bare minimum for?
Kevin Angle: So the company you currently work at is in multiple jurisdictions. You've got offices in Massachusetts, New York, obviously here in the U.K., too. How do you deal with diverse legal regimes?
Bethany Singer-Baefsky: So, you know, regardless of where a company operates, I've found that it's really effective to take a framework-based and principle-based approach to data privacy and data privacy compliance. You know, we are bound by the U.K. GDPR and the Data Protection Act 2018, PECR, these various rules in the U.K. There may not be a comprehensive data privacy law in Massachusetts or New York, but there are security laws there. And we do actually have an office in California for some of our people in the National Grid Partners area where they kind of do almost like venture capital-style investments into green energy and other related, sort of, startup-y kind of projects. So we do have that California piece. It's small, but we fall under the scope of CCPA, CPRA for those purposes. So we do have a kind of a smattering of states, we have the U.K., we have some folks in Europe. So we do have to think about a range of laws, and of course, not to diminish the importance of regulatory compliance, which is absolutely critical. I think from the perspective of developing a privacy program, focusing on a framework is highly effective. You end up with compliance as the outcome rather than the driver, which is good for compliance, but it's also good for that cultural aspect we were talking about of doing the right thing and having strong personal data management. So for example, I'm a big fan of the ISO 27701 Privacy Information Management System that was published in August of 2019. It builds on top of the security standard ISO 27001, and it maps to the GDPR.
So it takes a whole bunch of common privacy principles, builds controls around that, or it builds a control framework around that, and you can build your own controls within the context of that framework, and if you develop a program set of policies, practices that align with those principles and adhere to those controls with a framework that maps to the GDPR, first of all, you are already very close, if not compliant, with the GDPR by simply adhering to this framework, but because it's principle-focused, and these are the principles that underpin other regulations, you're already, you know, 80, 90 percent of the way there. Then, for new laws that come your way, these new laws generally share the same kind of set of general ideas, you know, data minimization, consent requirements, transparency, these common privacy principles. And so if you take that framework-based approach, you get the basics all down, then you identify, OK, what are the key differences that are the riskiest for us and design specific practices or controls or policies around those key differences. Does that make sense?
Kevin Angle: Yeah, no, that makes perfect sense. And actually, I was reading the FTC's recent publication, "A Look Behind the Screens," I'm not sure if you had a chance to do a deep dive on that.
Bethany Singer-Baefsky: I saw that it was published, but I haven't had a chance to dive into it yet.
Kevin Angle: It's only like 100-and-something pages, so it's light reading. One of the points they were bringing up was that so many businesses — and I'm obviously not speaking about any business in particular here, I'm just talking about what the FTC was saying — but struggled to implement those privacy principles like data minimization, that they didn't have clear policies. And so it sounds like from your perspective, following a framework like ISO 27701 is a way to really actualize those principles in practice.
Bethany Singer-Baefsky: I think it is. You know, these frameworks lend themselves to building out control sets, which allows for what you're doing to be more measurable, or to have those protection measures in place. And then the other piece of it that I think is really valuable is that you reduce the risk of compliance fatigue. I mean, nobody wants to go through a big, huge compliance initiative every single time there's a change in the law. So if you can do the big stuff and use a framework for big stuff, and there are other frameworks out there as well. You know, the NIST privacy framework is another one that's really becoming pretty popular. So, you know, whatever framework works for your organization, it helps you to get the big kind of boulders set, the foundation laid, and then it makes it easier to build from there. Like, you don't want to start with the roof, right? You want to start with the foundation, you want to build up, you know, strong walls. And then the roof to me is just kind of, if we keep with the analogy, it's kind of the little nitty gritty regional peculiarities that you might identify as being particularly relevant to your organization or particularly risky that you want to address on top of the key aspects of your program.
Kevin Angle: So, in terms of successfully implementing the program, I've seen you speak on this before, but what are some metrics you might use to sort of judge the success of your privacy program?
Bethany Singer-Baefsky: Yeah, it's a really good question because, you know, different organizations will handle the metrics questions differently. So we've done it in different ways at different orgs that I've been at. So for ones that have been a little bit more compliance focused, like where I am now, there is a, you know, we do have this framework-based program, but there is always that compliance piece because we're regulated and we can't ignore that. So we can take those, combined with those aspects of the roof, to go back to the previous metaphor, right, and say, OK, so we have X number of data subject access requests, and the metric we're looking at is the percentage that are completed within statutory time frames. We can look at, to bring it back to the framework rather than the compliance piece, privacy impact assessments. You know, how many privacy impact assessments do you have? What stage are they in? Are they in progress? Are they complete? How many of them, or what percentage of them, are up for review? You know, how many projects or programs companywide are ongoing? And out of those, the number of projects or programs, what percentage of them has involvement from the privacy team? How are your training completion rates? Are people engaged in your training? If you're hosting events, you know, during, say, data protection month or cybersecurity month? Because sometimes it's fun to just sort of grab on to cyber's coattails and have a privacy event in there. How many people are attending? How many people are attending relative to other events at your place of business? Right. You can gauge how popular, how engaged the workforce is. Do you have a privacy champions program? If so, what does the recruitment of champions look like? Right. So there are a lot of ways you can approach it, whether it's regulatory, whether it's programmatic, whether it's cultural.
There's actually a really great, and it's from a couple of years ago, it's a handbook from the IAPP. It might still be available on their website, but it's kind of a booklet that has some suggested metrics. I snagged it at a privacy conference a few years ago, and it's a good starting point for anybody who needs to kind of get some ideas.
Kevin Angle: So just a few more questions. We were talking about frameworks, and you mentioned ISO 27701, and then obviously NIST. The ISO framework you mentioned maps to the GDPR, NIST obviously takes more of a U.S. approach. What are some of the key differences you see in approaches between Europe and the U.K. and the United States, sort of the Atlantic divide to privacy?
Bethany Singer-Baefsky: Yeah. So one of the things that I've noticed is that the United States views data privacy through the lens of consumer protection. And in Europe and the U.K., data privacy is viewed through the lens of fundamental human rights. And you can kind of see that, if you look at the CCPA, the California Consumer Privacy Act, the definition of "consumer" is a California resident. You know, you're not looked at as an individual. You're looked at as a consumer of goods and services. You're an employee, you're a consumer, if you just live in your house and you're buying things online or in the store, you're a consumer. If you go across the pond and you're in France or U.K. or whatever GDPR country you're in, the terminology is data subject, which is also still kind of clinical in a way, but it means, you know, the individual about or from whom data is collected. You're not viewed as a consumer, you're the subject of the data. And so there are some academic debates that have been going on for a long, long time across the pond as to, you know, can you sell essentially your data? Right. We saw with the, you know, consent or pay model, the legality of which is being challenged, because the idea is that this is a fundamental human right and you can't sell your fundamental human rights. Whereas in the United States, there's this idea of, you know, the do not sell, do not track, so you're essentially opting out of having your data sold because you're not selling your rights, you're a consumer, and this is a commerce engagement.
Kevin Angle: Yeah, I mean, it's such a fascinating question. Obviously, Europe came out of the experience of World War II and Germany and communism and all of those, you know, very traumatic experiences, which shaped their conception of privacy rights. Whereas in the U.S., we have, you know, at least initially, somewhat more of a First Amendment approach to thinking about some of these rights. And so it's just fascinating to see the way the regimes are still diverging and where there is convergence. Let me just ask you, well, two more questions. And the first is, are you a lawyer, Bethany?
Bethany Singer-Baefsky: No, I'm not a lawyer. So you had mentioned my LL.M. from Leiden, and I went from a bachelor's in government to an LL.M. in international law. And in Europe, you can do that without getting a J.D. So I did that. And it's been a rather circuitous journey, but I think it was worth it.
Kevin Angle: OK. So now that you've established that, I am a lawyer, how can lawyers and privacy professionals, we can broaden this out, foster innovation within our organization?
Bethany Singer-Baefsky: I love that question. One of the things that I have come up against being legal adjacent is that people do see me in that lens of this is compliance, you're regulatory compliance, you're all about the law, right? And I'm like, look, I am about the law. Sure. You know, I'm not going to ever tell somebody, "Yeah, do whatever you want, you know, it's fine." But, you know, we are legal professionals, privacy professionals, compliance professionals, we are the ones who are providing the guardrails that I think actually enable innovation. So one of the analogies I like to give is that of a bowling alley. Bear with me here, I swear it's a good one. So you know how when you're at the bowling alley and the bumpers come up and people kind of roll their eyes and go, "Oh, you need the bumpers? Like, what are you, 5?" OK. Sure.
Kevin Angle: I have a 4-year-old. The bumpers are always up for the record.
Bethany Singer-Baefsky: But the bumpers are great because what you can do when you have the bumpers is you can do all sorts of fun things with the bowling ball that you could never do if you had to think about a gutter ball. You know, you have the bumpers down. You try to get that ball in as straight a line as possible and hit the pins exactly where you need to hit them to avoid a gutter ball and get that strike. Whereas if you have the bumpers up, you can do some fun zigzag stuff. You can bounce it across the walls. And if you still are determined to get a gutter ball or you're just like, I don't know, impressively bad at bowling, you still can get that ball in the gutter if you really want to. But it makes it easier to achieve your objective of knocking down those pins. And you can do it in much more creative ways because those guardrails are there to support you. And that is what I see as our role. We are the bumpers at the bowling alley. We're there to support you. And you might resent it at first because you want to look cool, you know? But let's be honest, how cool does anyone look bowling anyway? Setting that piece of it aside, that was mean. And I'm kidding. You know, it was.
Kevin Angle: The shoes are really cool.
Bethany Singer-Baefsky: You know, you may want to feel like you're really cool by, you know, bowling that ball, you know, bumpers down, get that strike. Sure. But ultimately, the moment that that ball starts getting closer and closer and closer to the edge there, you're probably going to be glad that we're there.
Kevin Angle: That's great. I love that analogy. That's fantastic.
Bethany Singer-Baefsky: You can have it. Take it. It's yours.
Kevin Angle: Well, thank you so much, Bethany. That was fascinating, and I appreciate your time.
Bethany Singer-Baefsky: Thank you so much. I really appreciate you having me here today, Kevin.