Anju Khurana, head of data privacy at the Bank of New York, Mellon Corp (Photo: Courtesy Photo)

Anju Khurana is the head of privacy for the Americas within the global privacy office at the Bank of New York Mellon Corp., a New York-based role that keeps her in the thick of changing data regulations.

Next month, Khurana will be speaking about the impact the European Union's General Data Protection Regulation is having on security standards globally at the General Counsel Conference in New York. Corporate Counsel asked Khurana about her experience with privacy in-house and her advice for lawyers looking to enter the practice space.

Corporate Counsel: How can lawyers develop and implement a privacy program at their companies, as you did at BNY Mellon?

Anju Khurana: Before implementing a privacy program, I would take some time to really get to know the organization and become familiar with its products, services, business priorities and strategic roadmap. It's important to really understand the business's needs or risk profiles, avoid a "check the box" mentality to compliance and pursue a strategy that is more closely aligned to the business's needs.

BNY Mellon's current focus is on digital transformation and the global privacy office strategically sits within digital and data strategy so that we can help facilitate this transformation by enabling the appropriate use of data to develop new products, automate and digitize core activities, and improve the overall client experience.

CC: Did you start from scratch? 

AK: When I joined BNY Mellon, there was a small privacy team and BNY Mellon had just hired its first global chief privacy officer. We focused mostly on GDPR compliance, but we used this as the impetus to create a global privacy office and enhance our global privacy program. We took some time to assess our current level of maturity, understand the regulatory environment and our risk profile, establish a privacy framework and governance structure, and update internal and external policies and training. We conducted a data inventory to better understand where personal information was located, how it was shared, protected and flowed through the organization. We implemented changes to our controls and processes and focused on privacy by design by ensuring these changes were properly embedded into existing business processes.

CC: What were some of the biggest challenges you faced building that program and how did you address them?

AK: One of the challenges, particularly with large organizations, is that businesses tend to operate in silos across various data disciplines. Thus, it is important to take a multi-disciplinary and cross-functional approach and partner with key stakeholders in data security, data governance, records management as well with the business units, technology, risk and compliance.

We are now focused on developing a more sustainable global privacy program and delivering on a fast-changing regulatory portfolio which includes Cayman DPL, California Consumer Privacy Act and the Brazil [General] Data Protection Law. We are driving more accountability in the various lines of business through our privacy steward and privacy champion program and implementing privacy management and privacy-enhancing technologies to automate several privacy processes across the enterprise. There is never a dull day in privacy. It is an ongoing journey and the work is never done.

CC: How can in-house counsel be proactive with privacy-related matters? Should they be?

AK: Absolutely! Too often legal and privacy tend to be called in when things go wrong or are brought in as the final step in the launching of a new product or right before something is to "go live." They are subsequently viewed as "blockers" or showstoppers" with legal wondering why they are only now learning about this new product or initiative. If privacy by design is properly embedded into the culture and DNA of an organization, privacy considerations are top of mind before a company implements that new technology. Privacy and legal should insist on having a seat at the table early during the design phase of products, systems and new initiatives.

CC: How has your team adjusted to meet standards set by new privacy laws, such as the CCPA, and educated employees? Are there strategies you can share to help in-house counsel currently struggling to make sense of compliance?

AK: There are now over 100+ privacy laws in the world and GDPR is driving other countries to adopt similar regulations. Our privacy team is leveraging much of the work that was done for GDPR and thinking about how we can apply it elsewhere as other laws such as Cayman DPL and Brazil LGPD follow similar models. We have created enterprise-wide privacy training and are promoting awareness through privacy working groups, and our privacy steward and privacy champion network throughout the lines of business.

There are differences between the laws, particularly with the CCPA and other U.S. states drafting their own privacy laws, and the possibility of a U.S. federal law in the future. Thus, it's important to design a sustainable global privacy program that can account for the similarities in all the laws and apply certain baseline standards to comply with basic privacy principles and best practices.

If an organization is compliant with GDPR it does not mean it will be compliant with the CCPA. There are parts that are similar and straightforward but there are also many ambiguities and implementation challenges with the CCPA, which was hastily drafted and rushed through the legislature. Thus, we are working very closely with several trade associations and outside counsel to benchmark and better understand how other industries are approaching and interpreting CCPA requirements.

CC: What advice do you have for law students interested in pursuing a career in privacy law?

AK: Privacy is a hot field right now and the demand for lawyers who understand privacy is very high. I would encourage law students to learn as much as they can about this field by taking privacy-related courses, such as privacy and data protection, international law, constitutional law, employment law, intellectual property, health care, marketing and behavioral advertising and cybercrime, and taking courses outside of law school, such as technology, computer science, cybersecurity, data science, data analytics, and business and finance.

I would also recommend joining privacy industry associations such as the International Association of Privacy Professionals and obtaining a Certified Information Privacy Professional certification. Privacy is an innovative field, and it is important to stay abreast of what is happening in this space through blogs, LinkedIn and Twitter, attend relevant conferences and seminars, network with other privacy professionals, and apply for internships and externships while in school.

I'd recommend becoming an expert in a niche area of privacy to distinguish yourself in the field, such as a specific piece of legislation, artificial intelligence, internet of things, smart cities, connected cars, blockchain and others, and consider publishing on the topic. If you have already graduated, it is not too late to pursue a career in privacy. You can break into the field through post-graduate fellowship opportunities, which are offered through IAPP, Future of Privacy Forum, [nongovernmental organizations], corporate in-house positions, law firms, consulting firms and government agencies.

Finally, I would not recommend picking the practice area just because it's "hot" or in demand.   Law students are much more likely to find success as a privacy attorney or professional if they are truly interested and passionate about the field.

CC: How can in-house counsel without a privacy background start learning more about the space?

AK: Most of the advice above for law students would also apply. … There are also good privacy and security [continuing legal education events] offered by organizations such as Practising Law Institute.

Finally, I'd volunteer to take on more privacy-related issues in your current practice area. Privacy law touches nearly all aspects of general law practice today and most attorneys will inevitably encounter privacy and security issues in various contexts such as data security and risk analysis in an M&A transaction, assisting with vendor due diligence in an [information technology] outsourcing or technology procurement matter, marketing and behavioral advertising, and advising with respect to cross-border data transfer issues or responding to a data breach.

Join hundreds of general counsel and senior legal leaders at the General Counsel Conference 2019, the premier forum designed for general counsel to learn, network and evolve in their roles.