Privacy Please

S5, E219 - Choosing the Right Privacy Ally: Counsel, Consultant, or a Secret Third Option?

Cameron Ivey

Ever wondered how evolving privacy laws impact your company’s risk profile and compliance strategies? Join us for a captivating discussion with Ray, the Chief Compliance and Data Privacy Officer at TopCon Healthcare, and K, a seasoned privacy attorney with a unique nursing background. Ray shares his journey from the early days of HIPAA to his current challenges at TopCon, while K offers insights on transitioning seamlessly between legal and non-legal roles. Together, they unravel the complex interplay between legal and consulting roles in data protection, offering valuable insights for anyone navigating the privacy landscape.

From the merits of hiring consultants versus law firms to manage privacy programs to the intricacies of data inventories and impact assessments, this episode tackles the pressing issues companies face today. We explore real-world scenarios, like the innovative Harmony platform at TopCon Healthcare, demonstrating how new business activities can shift a company’s risk profile. Ray and Kay provide a balanced perspective on when to engage consultants for their hands-on expertise and when to turn to law firms for their regulatory acumen.

But it’s not all serious business—Ray shares a hilarious anecdote about the precise positioning of toilet paper, adding a touch of humor to our deep dive into privacy tech evolution and the essential collaboration between privacy and security officers. Whether you’re a privacy professional or someone interested in the dynamic between legal and consulting roles, this episode is packed with insights, practical advice, and a few laughs. Tune in and gain a fresh perspective on the ever-changing world of privacy compliance and consultancy.

Speaker 1:

All righty, then. Ladies and gentlemen, good morning, good afternoon, good evening. Wherever you are, Cameron Ivey here with Gabe Gumbs, Privacy Please live. Welcome, welcome. I like the colors we got going on here. It kind of matches. Ray's got a good purple on.

Speaker 2:

It's the most interesting thing about me, I promise.

Speaker 3:

No, those frames are pretty interesting too. I like those specs, Thank you.

Speaker 1:

Kay Ray and Rhymes welcome.

Speaker 4:

Hi, how are you?

Speaker 3:

Doing well. Hey guys, it's a pleasure to meet you. Kay, it's good to see you again.

Speaker 4:

As always, Always a pleasure to be on with the two of you and when y'all proposed this topic, naturally, naturally, I had to reach out to Ray for it, right?

Speaker 3:

It's a hot topic. Right, it's a hot topic. This topic in particular got a little spicy in the community, and so we figured why not just throw a couple of hot tamales in the ring and see how it goes?

Speaker 4:

I love it. It got a little spicy. I think I must have missed that conversation. Gabe, you'll have to slow down. Did I make a bad choice in my current profession by going attorney rather than consultant?

Speaker 3:

I don't know. I don't think so, but why don't we do the following: for those at home who have not had the pleasure of meeting either of you before, why don't we start, as we tend to, with our guests?

Speaker 2:

Why don't you tell us about yourselves, Ray, if you currently serve as the Chief Compliance and Data Privacy Officer for TopCon Healthcare. We are a manufacturer of various devices for the ophthalmic and optometry world, so basically, if you go to your eye doctor and put your head in a machine, we probably make one of those machines. I have been in the privacy and data protection space for more than 25 years now, was one of the very first corporate chief privacy officers ever appointed back in the late 1990s. I've worked in healthcare, finance, communications, consumer technologies, advertising, fintech, you name it. I've been both. I'm an attorney by training. I try to not use that as much as I use my experience as an entrepreneur and an operator running and building businesses. But throughout my career I've worn both the legal hat as well as worked a lot in the consulting space. So in this discussion about consultants and lawyers and who to use and when to use them, I've been on both sides of that equation.

Speaker 3:

Wow, that's impressive and a storied career. You were appointed a privacy officer literally within years of HIPAA having passed. That was 95. And so you hit the scene in the late 90s. There was just much. We had no idea what we were doing.

Speaker 2:

Cut my teeth doing consulting in the early 2000s as companies were really seriously doing their first implementations of HIPAA. I spent far too much time in the northern New Jersey pharmaceutical corridor working for a lot of pharma companies and med device companies as they were building their very first HIPAA programs, hiring their first privacy officers. So my experience as one of the first privacy officers put me in good stead to help folks do those hires, build their teams and get their programs running at a time when people were like, what is this privacy stuff?

Speaker 3:

So you're saying you were probably stuck behind me in traffic in Parsippany at one point. Probably, yeah. All over Bridgewater and PAC and all of those places. I worked for a large pharma company during those same years also. I was still in InfoSec at the time, still hacking away, so I know the area well. Ray, it's a real pleasure to have you on the show today, and in this corner we have Kay.

Speaker 4:

Who always wore a shirt the same color as Ray's. But I was like no, they don't want me to wear a purple shirt on this, so I went with the boring black and gold. So I mean not that I ever wear anything Black and gold.

Speaker 3:

those are my go-to colors on the weekend, so I feel it.

Speaker 2:

She's a raider, is what she is.

Speaker 4:

Saints, sorry, saints.

Speaker 2:

Saints. Oh, thanks, Ray Black and silver raider. Well, they're dead to us in the Bay Area now.

Speaker 3:

Sure they are.

Speaker 4:

So I haven't been in privacy near as long as Ray has. I'm Kay Royal, I'm also an attorney and I actually have been in privacy 15 to 20 years, not near as long as Ray. But what's funny is I should have known I was going to be in privacy many, many years before I actually entered it officially. I was a nurse when HIPAA became effective and I was one of the ones explaining what it meant to the hospital administration where I worked and to the nursing school, where I was going to nursing school in the mid 1990s. So it's interesting that I should have known that this is where I was going to wind up, in privacy. But, as such, I graduated law school in 2004. So I've officially been a lawyer for 20 years, which seems crazy because I don't. I feel like 20 years says that, yes, I am experienced. Yeah, I'm not feeling that. I'm feeling like there's a lot left to learn. But, like Ray, I've also been both in an attorney role and in a non-attorney role, and I have to say that, working in-house, I didn't feel like there was much of a difference between the two. I seem to do the exact same things, and I do recall, and we can get into this more as we talk.

Speaker 4:

So y'all don't let me just steal the thunder now, but I remember actually calling my state bar when I was in Arizona and asking them, because there were state bar opinions on if you were a real estate attorney and also a realtor, how did you draw those ethic lines between your areas of practice? Same thing if you were a tax attorney and a CPA. How did you draw those lines between your two areas of business? And so I asked them, well, what would I do for privacy? How would I draw those lines between the two areas of where I do business?

Speaker 4:

And they couldn't even understand what I was asking when it comes to being a privacy attorney and a privacy consultant, versus they understood real estate, they understood tax. So it was still an area that was very much a developing field of law. I mean, it still is a developing field of law and very much so a developing career field. So I love the fact that the topic got spicy, because this is something I've talked to my clients about before when there was an option Do you want me to be a privacy attorney for you, or do you want me to be a privacy consultant, as opposed to working for a company where I could only be a consultant or I could only be a lawyer? So I like the spice there.

Speaker 3:

So let's, let's. I love, I love that. You got right into it. Oh yeah, y'all know me. Yeah, no, for sure, let's go. Let's get right to it. The glove of rage. She didn't even give you a chance to come out the corner, so let's back it up half a step though. So first and foremost, thank you, Kay, for always gracing us with your time and your knowledge. I really appreciate it, and I understand. You either stay in your chosen profession long enough to regret it or you leave early enough to consider yourself an expert.

Speaker 4:

Right, and if anybody in privacy calls themselves an expert, I'll call them on it.

Speaker 3:

Right, exactly. But here's the spicy topic for those that are also trying to figure out kind of where we were going with some of this. As Kay mentioned, we've received both a lot of questions, comments, and we've also witnessed a lot of conversations around exactly that what do I need to help improve my overall privacy position as an organization? What do I need? Do I need people, process, technologies? Yes, of course you need all three of those things. But where do I start? And who helps me start? Which is usually where this conversation comes from is who can I call to help me begin?

Speaker 3:

And so a number of people think that you really should just call a consultant first, because, in their purview, what you want to do is just kind of get a lay of the land before you commit to something, right? By contrast, a number of other people in the opposite corner would say, are you kidding? Like, this has real implications that can come back to be a problem for your business, and so you should seek counsel right off the bat. And man, were some people really dug in on either side of this. And so you weighed in a bit there, Kay, and so, Ray, I'll turn the table over to you and ask, before you get into the answer of which one should choose: what are those early problems that you would even help someone address, regardless of whether you were a consultant or you were straight counsel? What do they need to address first?

Speaker 2:

First, I think any organization needs to understand where their risks are, how they're using data and how that puts them in the crosshairs of regulators, how it implicates certain data protection laws. And you can only really understand how to build the right sort of program and policies and procedures if you understand what your risk profile is. You know, a company who is maybe much more squarely consumer-oriented is going to have a lot more risk than one that is maybe more B2B-oriented. Not to say that B2B doesn't carry its own risks and concerns with data, but you have sort of a different framework that you need to think about building. And so in order to understand how to build that program and who you need to help you with that, you really need to understand your risk. And that's where an initial sort of engagement with a privacy lawyer, maybe an outside law firm, is going to be fairly useful. They can help survey the scene, understand your business a little more and maybe write you some good opinion memos of the applicability of this or that regulation to your particular situation.

Speaker 2:

But what I've found is that law firms don't always have the practical experience of building a program. They can help you define policies. They can tell you what your obligations are. Working with all the stakeholders and developing policies and procedures that not only meet the legal requirements but actually meet the operational requirements of your organization tends to need someone who has that experience. Consulting firms and independent consultants are often in those roles because they've left a career as a privacy officer or as a compliance person or a data protection person in some larger organization.

Speaker 2:

Running the consulting team at TrustArk and we had a great team of consultants that I built, basically by yanking as many of the former privacy officers that I knew from across the industry who were 10, 12, 15 years into their time at certain businesses and were ready for a change, and dangled a little consulting opportunity, a little travel, a little, you know, not a lot of money, but a chance to actually try and do, you know, replicate their success for other organizations, face new challenges in a way that, you know, being in an organization for many, many years, you know, has its own challenges, but to build something new and fun can be really interesting, and so that was part of the allure, of the glamour of consulting.

Speaker 1:

Does that? So that kind of goes along with the lines of thinking as a business. It sounds like it's smarter to, if you can, have maybe both perspectives, because obviously if you hire an inside counsel, someone that's like a general counsel or someone that's inside, they know the business, but are you saying that they could also be blinded by some of the outside things or some of the legal?

Speaker 4:

Yeah.

Speaker 2:

Go ahead, Kay.

Speaker 4:

Some of the opinions you get from outside counsel, as Ray said, may not be very practical or pragmatic. They are going to be the letter of the law. The law says you must do X, Y, Z, and they're going to usually take the most conservative viewpoint on it. They're not usually geared to be very creative or very problem-solving, as it's tailored to your business.

Speaker 4:

Not all attorneys make good privacy attorneys. Let's be honest. They can all read the law. They can all tell you if something's missing that the law says you have to have and you say you don't have it. They're very good at making that conclusion of you're not in compliance if the law says X and you don't have X. What you're looking for is that next practical step of going, what should I do if I don't have X? I don't have budget, I don't have resources, what are the risks that I'm running and what could the repercussions to my company be? And what is a way that I could take first step, second step, third step to build up to that X that the law says I need to have? Probably the most exciting time in privacy consulting ever was when Ray and I worked together. 2016 to 2018 was a madhouse. GDPR had been passed, it was going to go into effect and those two years were spent with privacy consultants, privacy law firms, privacy everybody, with not enough privacy everybody to go around to get the privacy programs built.

Speaker 1:

Yeah, that's interesting. So I mean so fast forward. I know that we're unless there's something you guys want to cover from that past, but like fast forward to today, you said. You said that was probably the most exciting time. So what is it like now? What are the new challenges that we face? What should companies be looking for? How should they approach things in today and into the future?

Speaker 4:

Well, I'm laughing out loud because I just threw out at my company next week trying to get some technical people to do a proof of concept. I said look, if I ever ask you to do something and you're really overworked, overcapacity, you have way too much on your plate. Rather than telling me no, which nobody wants to tell me no just say cupcakes and that will be code word of I am overcapacity, there is too much on my plate, so we're a whole bunch of cupcakes out there right now. Everybody there's no longer. People keep saying job security. There's no lack of job security. There's really not. So what does it look like now?

Speaker 4:

Most of us have a pretty good idea what we're missing in a program and what we need to have to put it together. Do we need extra hands on deck to get that done, and does that then turn to a consulting agency or to a law firm? Absolutely, and depending on what it is that we need done. But you still got startup companies. You've still got services companies who may just now be entering an industry where they're subject to privacy laws. Maybe they weren't before, but now they're being bought by a hospital system or something like that. So you've still got businesses coming into new to privacy law day in and day out.

Speaker 4:

And yes, Ray, I know there are those companies that are already subject to it and they just never realized it. Yeah, we know those too, but it's a case of they're still going to need someone to help them build the program, and I'm going to side with Ray on this. I'm not convinced that that will always be a law firm. I think a consultant is going to come to you maybe not necessarily cheaper sometimes, but maybe sometimes it is, and you can generally book a lot of services now by the project rather than by time and materials, and so if you know what you need to have done, or they can do an evaluation of what you have in place and then come up with a project-based approach to get the work done, that's probably the best route to go.

Speaker 2:

Yeah, you know, when Kay and I were working together, we did these a whole slew. I'm hesitant to go back in there. My therapist says I need to keep looking ahead. What Kay says is exactly spot on. You know consultants who have experience building these programs, implementing policies, because we knew how to do these things, we knew what it took, we knew the timelines, we knew the steps along the way.

Speaker 2:

You had some wiggle room at the edges, but a consultant is going to know how these things come together and will often have experience in where things go off the rails and where you're going to spend extra time.

Speaker 2:

So you know, those sorts of things get factored in and built in, and so, you know, it was a big selling point for us to be able to go in and say, yes, we can do X, Y and Z. Here's the list of all the deliverables and here's the timeline that we anticipate. And if you commit to doing these things, we'll commit to doing these things in this time on this budget. And that was a very different approach than a law firm who's going to be focused on, you know, billable hours, and not to say that a law firm can't assist with that. But, again, a lot of law firms are not going to have folks who have been deep in the bowels of an organization, building these, negotiating between a product team and an engineering team, you know, and a compliance team, and that's going to be the big difference between a consultant's experience and a law firm's experience.

Speaker 4:

Or being technologically capable of doing so. Let's be honest. You need a lot of tools with this. You don't want to work harder, you want to work smarter. And I'll throw this one out at Ray. Ray, what was the number one project that we never could get done on time, that companies never wanted to do, and you couldn't devote enough resources to it? Data inventory.

Speaker 2:

Exactly. That was the source of the therapy. Really, yeah, performing data inventories is a never-ending task. I used to always say, you know, if you really want to drive someone out of your organization, get them to look for another job and quit, assign a data inventory project to them. That's going to drive them away. But you know, it's a never-ending battle there, followed closely by developing a program for PIAs and DPIAs, the impact assessments and risk assessments. That has only gotten more complicated.

Speaker 2:

And to go back to an earlier question, you know have figured out that privacy is something they need to deal with.

Speaker 2:

You know they know when GDPR applies or HIPAA or CCPA or whatever the case may be, but oftentimes they have.

Speaker 2:

They may have a new line of business or a new set of activities that changes their risk profile, or a new client.

Speaker 2:

I've been on board at Topcon Healthcare now for just about six months and they had a very strong privacy program before, focused on the fact that they were building medical devices that you know live in hospitals and doctor's offices.

Speaker 2:

But what was new and different for them was they developed a data interchange and data sharing platform called Harmony that allows you to link different devices together so that you know you do one scan on one device and all of that comes over to you know an electronic medical record system or goes into another device so that you can add additional information and focus on you know some issue that they're looking at, and all of that needs to come together, and in a lot of organizations those devices were very disparate.

Speaker 2:

They're all sitting behind firewalls or completely air-gapped from their networks, and this was a new and exciting new area. And the Harmony platform has just been a rocket ship for TopCon. But it also changed their considerations around privacy and data protection and security, and so they brought me in to really help them get their arms around that, because it was such a new and different set of concerns than they had previously dealt with for the last many decades. And that's the kind of challenge that a lot of organizations are facing. They get into new markets, they acquire a company, they add a feature to a product and that changes their whole outlook and their whole need to assess risk.

Speaker 1:

Yeah, those are such good insights, Ray. I'm gonna add on to what you're kind of going into. If you guys can think about in the past, you don't have to go in full detail, but just for those listening, you know, in what scenario, could you give an example, it would benefit your company or someone's company to hire a consultant versus a counsel or vice versa? Is there a scenario where you can kind of give the comparison of what's the right way to start at least?

Speaker 4:

Yeah, I'll give you the perfect example. Breach response.

Speaker 1:

Okay.

Speaker 4:

Breach response. You want it under privilege. You want to hire an attorney, not a consultant. Now, privilege isn't the same in all countries, so you do want to make sure you look at that as well. But a consultant cannot be under attorney-client privilege. You need an attorney for it to be under attorney-client privilege. Could you gain that privilege by it being your, but you really want the outside person's opinion and directions on what to do to fall under attorney-client privilege in that circumstance. So that's probably the number one reason that you would. But that speaks to the reason as to what are some of the pros or cons of hiring attorney versus consultant, not looking at the work being done, but just the qualifications of them.

Speaker 4:

You might not want an attorney when you don't want something to come from a law firm. So if you're being told to do something and there's very little chance that your company is going to actually do it, that is much more powerful coming from a client attorney than it is coming, or coming from an outside attorney than it is coming from an outside consultant. If you were to get in trouble for not doing that thing, it's worse for you if you have an opinion from an attorney that told you to do it, rather than an opinion from a consultant. Now, that's not true all the way across the board. None of these are true all the way across the board, but that's one of the things you want to look at when you're trying to decide do you want to hire an attorney or do you want to hire a non-attorney consultant? Look at those two. Do you need it under privilege? Do you need it to be binding guidance and it's not necessarily binding, but that's the way, the best way I know how to put it.

Speaker 4:

A court or a regulator is going to look from an attorney telling you to do something differently than from a consultant, because they assume that the attorney's is based in law and they're going on their legal opinion. Like I said, not true across the board, but those are some of the points you want to think of. Do you want to hire a consultant or do you want to hire an attorney? Some of the other things Ray and I have already touched on: the practical experience, the fact that, again, not all attorneys make good privacy attorneys. You really do have to have a practical mindset, you have to be creative and you really have to be supportive of the business goals in order to be a really good privacy attorney. You cannot be a litigator that believes the entire case turns on an A and D or a placement of a comma and be a successful privacy attorney. Because we don't care. We're comfortable living in ambiguity.

Speaker 2:

I would just pin it and add, you know, from a practical experience, I'll try and leave some of the details out of this. But you know, I had a situation where we were looking at the applicability of certain data protection laws and we went to outside counsel to sort of do a survey of, okay, here's our product, here's our activity that we're going to be engaged in, here's the markets where we're going to be operating or hoping to launch and operate this product or service. And a law firm was great for being able to reach out and talk to, maybe, their local counsel from, you know, their office in Singapore or their office, you know, in Seoul, South Korea, to get the lay of the land and latest inputs from data protection authorities et cetera, on how they were interpreting, you know, provision XYZ. And then we turn that information over to a consultant who can assist us with developing the policies around those activities that are driven by the opinions and inputs from the law firm, that policy development process involving a lot of talking to stakeholders and talking to the product owners and development teams and really getting into the weeds on how those particular provisions would translate into real impacts for future development of the platform, of the tools that were being built.

Speaker 2:

And that kind of direct engagement is something that is very difficult for a law firm to do. But a consultant can spec that out, as you know, maybe a fixed price project or as a you know sort of chunks of time that were, you know, fairly predictable, based on their past experiences with similar development of a you know, of a you know privacy by design guidance program for a particular product. That is where you get, you know, the value of a law firm and the practical hands-on experience of a consultancy. To work together and to do it in the right tool for the right job is what I'm trying to say.

Speaker 4:

Agreed, and you're right. A consultant can usually dedicate. They can come on to you full time, 40 hours a week for three months. A lot better than an attorney can free up that kind of time. So that's usually better. You can get an attorney to do it. If you do a, you know a secondment or something to get it, but otherwise you're asking them to give up their other clients. So consulting usually has more flexibility to do that and the operationalization is key.

Speaker 1:

Yeah, those are good points and, ray, you basically kind of answered my next question. That was going to be around like what would be a quick example of a quick win for a consultant hiring a consultant.

Speaker 1:

I gave you a quick win right there before you got to the next question. That was perfect. But for counsel and consultants, when it comes to, do you guys worry about providing a way to show an organization your ROI on why you should hire a privacy consultant or privacy counsel? Is that something that you guys worry about?

Speaker 2:

Usually you can demonstrate, you know, a savings from one versus the other. So you know, you say, look, in our experience we built, you know, 15 of these programs. It's taken this amount of time. We can bid this out at a fixed price. And if you took those same number of hours over to your friendly neighborhood, you know, multinational law firm, you add, you know, one or two zeros to the bill, and so that, by comparison, is a way to sort of, you know, trying to manage this in-house versus bringing in a consultant.

Speaker 2:

That can be a little more challenging. But usually the team, the internal team, can say, you know, as Kay was saying, cupcake, cupcake, cupcake. We've got way too much on our plate as it is today and to take on this additional initiative is just going to completely destroy, you know, our ability to deliver this thing on time or to even begin this other critical project. And so you know, and the cost of a consultant is almost always going to be a fraction of the cost of an FTE to bring someone in and a consultant can usually get going right away, versus bringing in another body to do that At the end of the process you may realize that you need that body eventually, but that's how you build the case.

Speaker 4:

And another example of when to bring in a law firm was when we did binding corporate rules and we actually did the first dual application for binding corporate rules and binding safe processor rules back when I was at Align Technology in Europe, back when UK was still part of Europe. I guess it's still part of Europe, not part of the European Economic Area or the European Union. So, but bringing in a law firm, Do what it's, all right.

Speaker 3:

They've been expelled.

Speaker 4:

Well, I gather there's still some tension there, but they're technically still part of Europe. But doing BCRs, that dual application, was absolutely something we would hire a law firm for and not a consulting agency, just simply because of the nature of the work and the relationships and the experience that a law firm would have doing that versus what a consulting company would have Very much a big difference.

Speaker 1:

So, before we move on to talking a little bit about, like, a third option around privacy tech, and I'm sure that plays a pretty big role, like you were mentioning before, Ray, um, and I think you mentioned it too, Kay, but are there any common misconceptions when it comes to privacy attorneys or counsel or consultants? Any misconceptions we should know about that just aren't true?

Speaker 2:

That you have conceptions yeah, I mean, you know privacy attorneys are generally, you know, assumed to be handsome and charming.

Speaker 2:

Beyond that, you know, I think that there are some misconceptions, that they can only sort of interpret the law and give you an opinion, I would say, in favor of privacy counsel.

Speaker 2:

They have, particularly folks that I work with, have a very wide net in terms of the expertise that they can tap into.

Speaker 2:

They are oftentimes engaged with regulators. They are very familiar with other firms or other companies, sometimes even competitors, who you can sometimes learn from. You know, they won't tell you anything that's privileged, but they can oftentimes see how other organizations have handled certain problems and bring some of that knowledge to the table, as they will certainly have a lot of experience with seeing how it was done poorly elsewhere or seeing how a regulator responded to something, and indeed sometimes they can even leverage some of those connections and get some informal thoughts from data protection authorities or leaders in the space, just to get kind of a sense of how this would go over, and that kind of thing is, you know, some consultants have that as well. But you know, you get one of the big partners at a big multinational law firm and they've got a lot of really great people on their speed dial and they can reach out and get you tidbits of information that are going to be super useful for sort of shaping your approach.

Speaker 4:

Yeah, and I wholeheartedly second that. You're going to hire a law firm if there's going to be an inquiry from a regulator. So usually only the law firms are going to have that inside knowledge as to how something was handled with a particular regulator and what happened with that. I was laughing earlier when you're like what are the misperceptions? One of my funny stories is my daughters bought me a shirt that said "Trust me, I'm a lawyer," and I was wearing it while I was grocery shopping and the cashier started cracking up. She said that shirt is only funnier if you were a lawyer. I'm like, you've known me for two boxes of Cheerios and a pack of cheese. What makes you think I'm not a lawyer? So who would say that's?

Speaker 2:

trouble. Sorry, I left my powdered wig at home.

Speaker 4:

I don't think I'm cute as much. Right, I think we both have a little bit more gray hair than we used to have. But yeah, that's. The only misperception is lawyers are fun.

Speaker 1:

Yeah, they can be fun too. I was going to say if you wanted to do a hot take, which one cares?

Speaker 4:

Between a lawyer and a consultant.

Speaker 2:

I think they're both paid to care a lot.

Speaker 4:

Well, here's the one thing: consultants aren't usually in being a privacy consultant for the money. True, true. A lot of people become attorneys for the money. I've met a lot of lawyers who don't actually enjoy being a lawyer. They're just good at it and it pays well. Most of the privacy attorneys I know, we're not here to make money either, especially if we're in-house. We're not here to make money, we're not making the big partner salaries, but we're here because we love privacy and we're passionate about it, so I think they both care.

Speaker 3:

I've heard that from lawyers. I have some lawyers in my extended family and they literally say the same thing and I'm always blown away by that.

Speaker 4:

That they don't care or they do.

Speaker 3:

No, that they don't really love being a lawyer.

Speaker 4:

They're just yeah.

Speaker 4:

And I see that you'll see lawyers, usually around the 20-year mark, that are telling younger professionals don't go to law school, don't become a lawyer, you're going to hate it. My daughter had the same thing with the doctors. Doctors were telling her don't go to med school. You're going to hate being a lawyer. Really. You hate it so much. Why are you still in it? Because it's still a good profession to be in. But I don't understand unless you have to to support your family, why you would be in a job that you don't really enjoy.

Speaker 1:

This isn't a job, it's a calling. I mean, I think that even if you love something and you do something that you love, it's, at the end of the day, it's always going to turn into a job. So, um, I don't know.

Speaker 2:

Well, that's actually one of the reasons why I've always sort of returned to consulting at various points in my career, because, um, uh, you know, you, you do get at least for me I do get a bit of you know, maybe it's just my ADHD or something but I get bored after a while.

Speaker 2:

I got, you know, I put together the program and it's working great and everything's chugging along, and then I'm looking for the next interesting challenge.

Speaker 2:

In the consulting world, you know, I had five challenges running concurrently at any given time of, you know, five different clients with different expectations and projects, and you know you'd wrap one up, and then something new would come across the transom and you'd be in a whole different world, a whole different set of issues, trying to, you know, sort of adapt your past experiences to the new challenge. And that, for me, was what always drew me back to the privacy consulting space and made it very interesting. But you know, after many years of doing that, then there is something to be said to go in-house and, you know, have a regular, you know, vacation and be able to turn off the phone on a Friday afternoon and, you know, whatever the case may be. Can we turn off the phone? Well, I turn off the ringer anyway.

Speaker 4:

I will say that that made its way into a security desktop testing. Kay lost her phone on a cruise ship and I'm like, oh, let's just be honest. Kay threw the phone off the side of the ship in the middle of the Atlantic. Let's not even build this into the desktop exercise. It was deliberate, but no, that is the thing. Your responsibilities don't go away, regardless of what role you play.

Speaker 1:

Yeah. So, moving on to privacy tech, how have you guys seen that evolve? I mean, going back to 2018, even to the years when you first started, how have you seen privacy tech evolve and the whole intersection of, you know, security and privacy and how they're working together today? What do you look for in the tool that an organization should have? What are those traits that you're looking for that help a counsel or a consultant better do their job?

Speaker 4:

The big green button that you can press that says easy solution.

Speaker 1:

Yeah, I'm still missing that now. Yeah.

Speaker 2:

I can tell you. So I was doing privacy at Yahoo, running their advertising businesses privacy activities, and got reached out to by the product team at TrustArc. They were called TRUSTe back then. This was about 20, 2014, 2013, 14. And they were pitching me on some idea around I think cookie preferences or something and I said, yeah, yeah, yeah, this is all great, but what I could really use is some tools for helping with data inventory and some risk assessment stuff. And I kind of made a pitch for what some products would look like and the head of product came back to me a few months later and said, hey, I pitched your idea to the board. They want to get going on developing this. When can you start? And that led me to hop over from sort of more of a privacy practitioner role at Yahoo to being part of the product team at TrustArc and we developed one of the very first.

Speaker 2:

Tools has just exploded and expanded tremendously and there are really spectacular tools out there now. An entire industry of tools, and I've always been impressed with how things have evolved. But I also find that, you know, tools are sort of a double-edged sword because you need to have the programs in place to be able to make good use of them. To you know you've got a set of policies and procedures to help, you know, guide your use of a tool and how you assess risk or how you build that data inventory in a way that will be useful and meaningful. You need to have all of that sort of in place to begin with.

Speaker 2:

That's why we built a consulting practice at TrustArc years ago to help folks build the programs. But then you know there is tremendous value in having an organization that can help you implement the tools beyond building a program, just how to turn it into sort of a practical, useful tool for your organization. And that's where I think sometimes the consulting can be leveraged. To do that, there are a number of consultants who are specialized in various of the tools out in the marketplace or, you know, in some cases are just familiar with many of the different tools and can help you identify the best solutions for your use case. So leveraging that knowledge can be super helpful in choosing the right solution as well as then going through and implementing it.

Speaker 4:

Yeah, and whereas I may have been facetious for the easy button, no, that's seriously. We see companies move from privacy technology to privacy technology because they're looking for that easy button. Even if they bring in consulting to come in, implement it, get it going for them, they're at a complete loss of how to maintain it moving forward and it usually takes about a year for them to figure out. They really have no idea what to do. This hasn't made their job any easier in about a year to move to another technology. So we're seeing a lot of technology flipping every two to three years across companies and this is something both Ray and I have watched, given our involvement with privacy software. But it will say what do they need? They need something that is user-friendly.

Speaker 4:

Automation is fantastic if they know how to interpret and use the automation, but it's getting their hands in. It's getting their hands dirty in the software, using it every day, knowing what they need to do in the software, even if they have different members of their team responsible for different aspects. Maybe they've got one person doing DPIAs, they've got another doing ROPAs and data inventories, but those people really need to be in the software using it. This isn't privacy. Software isn't going to come with an easy button and it's not going to be something that you can set it and forget it and then the alarm's going to go off in an hour and tell you that your casserole is done. It doesn't work that way. It is really working smarter, not harder, but you still have to invest the time and the effort into using the technology, learning to use the technology, but actually using it as well.

Speaker 2:

But I would also add to that that, you know, solutions, like, you know, like Transcend, there's such a variety of components there to get the most out of it. You know, obviously, like you know, sales engineers and the product teams can help support that, and the, you know, your own consultants, sort of in-house consultants, can help with that. But again, if you've got a consultant that you have built a relationship with or has some knowledge of how your organization works, they can absolutely help you get the most out of solutions. Particularly Transcend's got so much going on there.

Speaker 2:

Y'all have built some amazing technologies and to get the most out of it you need someone who can help you really get under the hood of your organization and figure out how to leverage those tools to the best ability. Because you know, I've seen organizations bring tools in and after, you know, a year or two they get rid of them because they weren't ever able to get the full value out of it. So you know, leverage that capability of, you know, of consultants and experts to really get the most out of it, because otherwise it's a waste of everyone's time and money and you will just never see the benefit that you can get if you haven't really, you know, made that effort and good customer service.

Speaker 1:

Yeah.

Speaker 4:

You got to have really good customer service and please, God, have some actual experts.

Speaker 1:

That know the tool and just I mean, yeah, it helps that there's a combination. There's so many things that uh have to come together to have something successful. Obviously, having a tool that's a little bit more modern nowadays, I think, with the automation like you said, Kay, that's huge. Automation is everything. If you have it set up correctly and you have the right programs in place, it can go a long way because you can take away from using so many engineering resources or outside resources. So it's having that all in place is it can be hard, but once you do it, um, you kind of just man it from there and uh and grow. You need, because the way that privacy is going, it's always changing. You guys know that, oh yeah, but you I mean tools have to be able to adapt as well, to adapt to your customers. Yeah, we have 20 state privacy laws now, 20 omnibus state privacy laws.

Speaker 1:

I mean it's awesome, but it's also a lot.

Speaker 4:

I didn't see that coming this year. Sorry, I was a bad prognosticator on that one. I didn't see that.

Speaker 1:

What do you guys think about the state law and the whole talk about that? Do you think it's just? I mean, could we have a GDPR type of thing here one day?

Speaker 4:

You've got to work to a framework.

Speaker 2:

Yeah, and it's always been the case where, under GDPR, that was set kind of a good high water mark for a lot of stuff, but you'll always have outliers. Similarly, I think in like the California law sets a pretty good high bar for a lot of stuff and if you can clear that then you're mostly good in most places, but there's always going to be some outliers. Um, and that kind of broad look across, uh, the global requirements, uh, will help you build a program that you know should meet or exceed those, you know, those requirements wherever you might go.

Speaker 1:

Yeah, it's, I don't know. This is Gabe. Do you have anything on the tech side, anything else that we haven't covered that you're curious about from a biotech perspective?

Speaker 3:

I think that are the most important from a tech perspective. The tech has to actually work. That's always a good checkbox.

Speaker 4:

That's a good one.

Speaker 3:

That's a good one, right. You certainly need to be able to empower the people to use the technology. That's also important. I think the only thing that I haven't touched on there that aren't the obvious we haven't luckily seen this is don't default to technology. That sounds like the answer to a problem that hasn't actually been created yet. Right, like I think cookie tech is probably the best example of that. It has since matured, but there was such a rush to tech in those early days that I think a lot of people just didn't understand their needs first.

Speaker 4:

Yeah, like the global privacy consent thing.

Speaker 3:

That's the one. That's the one.

Speaker 4:

That's just like the do not track thing of two decades ago.

Speaker 3:

There it is, that's the one, that's the one and same, yeah.

Speaker 4:

Yeah, it does. It makes a difference. But one of the things that I will say, especially for Gabe here, is no privacy officer can truly be successful if they don't have a good partnership with the security officer.

Speaker 3:

Absolutely.

Speaker 2:

And that's actually. I'm sorry, I just jump in and say that's super important because you know the security officer is, there's so much overlap and it's so important to work hand in glove there. But there's also, just from a practical perspective, if you find a solution or a set of tools that really can help you in doing risk assessments, oftentimes those have great value to a security organization, maybe to a big data officer or, you know, other sort of non-privacy data governance type roles, and you can oftentimes find interested stakeholders who might even have some budget to assist with purchasing a tool. So you know you've got a solution that crosses into, you know, more data governance as well as security. Explore how to leverage those, because you might find an interested audience elsewhere in your organization. That's a great point.

Speaker 1:

We're coming close on time. Anyone that has any questions, please submit them. We'd love to try to chime in. We can always reach out to any of us after the fact. But between you guys, Kay, Ray, man, that'd be fun just being at a party or drinking and just saying Kay and Ray all the time.

Speaker 4:

We've been in that situation, have we not, Ray?

Speaker 2:

We have. We have had a drink or two. I do believe we have. I see a comment in the comment stream from Christy Benfolio, who I worked with years ago at Blackhawk Network. Good to hear from you, Christy. And a comment about a records retention program is so important. Records retention is such a challenge to organizations and any tool that can help you manage that, any tool that can help you understand your obligations and then actually follow a policy.

Speaker 4:

The distinction policy part you mean.

Speaker 2:

Exactly, yes, exactly. So that's a very important point that Christy called out. Appreciate that.

Speaker 1:

Absolutely. Is there an industry in particular that that means more to?

Speaker 2:

I would say that both healthcare and financial services have some of the most complex and stringent data retention requirements. You know, if you're filing for compensation for reimbursements from Medicare, Medicaid, you've got to retain certain documents, you've got to keep all of those consents and doctor's authorizations, because those, I can promise you, are getting audited at some point. And in the financial services space you've got records retention regarding things like anti-money laundering laws and rules and you know that work against what you would think would be the intentions of privacy laws where, you know, you look at how the regulators in Europe deal with privacy versus, you know, law enforcement, anti-money laundering and it's like, oh, get rid of the data as soon as possible, but oh no, absolutely hang on to it because we've got to be able to unwind crazy terror financing things or whatever it is. Those interactions are super complicated and implicate compliance issues outside the privacy space but have impacts on privacy, security, on your operational team, as to when you actually need to delete stuff, how you need to retain stuff. It's super, super complicated.

Speaker 1:

It's good to know. Thank you, Christy, for that, and both of you, Kay, Ray. Thank you so much. Before I let you go, Ray, since this is your first time, got to ask you a funny question. It's super serious, though. When you put your toilet paper on the roll, is it on top or are you grabbing it from the bottom?

Speaker 2:

So you know this might determine our friendship. I, you know, as a lawyer. You know my law school. I went to George Washington, which has a very strong intellectual property program, and one of the patent professors in a very early class handed out a little Xerox sheet of the patent application for toilet paper perforated toilet paper on a roll, and it goes over the top.

Speaker 3:

That's all we've gotten as designed. So in all the number of times you've asked that question is plentiful and no one has ever busted out the patent. Leave it to an attorney to do so.

Speaker 4:

If I could roll this over here to Ray yes, nice work, nice work.

Speaker 3:

I love it. Good job, Ray. You win the internet for today, Ray.

Speaker 2:

Seriously. Thank you both. Thank you, I got turned down for the VP job, so I got to get something.

Speaker 1:

Really appreciate both of your times. Thank you so much. Thank you for what you do.

Speaker 4:

Thank you all for having us.

Speaker 3:

Thank you so much, enjoyed it.
