Anju Khurana, head of data privacy at the Bank of New York, Mellon Corp (Photo: Courtesy Photo)BNY Mellon's Anju Khurana Explains How to Build a Data Privacy Program In-House
Bank of New York Mellon Corp.'s head of data privacy Anju Khurana shared her experience building internal company privacy programs, adapting to meet changing regulations worldwide and growing a career in data privacy.
August 16, 2019 at 01:00 AM
8 minute read
The original version of this story was published on Corporate Counsel
Anju Khurana is the head of data privacy at the Bank of New York Mellon Corp., a New York-based role that keeps her in the thick of changing data regulations worldwide.
Next month, Khurana will be speaking about the impact the European Union’s General Data Protection Regulation is having on security standards globally at the General Counsel Conference in New York. Corporate Counsel asked Khurana about her experience with privacy in-house and her advice for lawyers looking to enter the practice space.
Corporate Counsel: How can lawyers develop and implement a privacy program at their companies, as you did at BNY Mellon?
Anju Khurana: Before implementing a privacy program, I would take some time to really get to know the organization and become familiar with its products, services, business priorities and strategic roadmap. It’s important to really understand the business’s needs or risk profiles, avoid a “check the box” mentality to compliance and pursue a strategy that is more closely aligned to the business’s needs.
BNY Mellon’s current focus is on digital transformation and the global privacy office strategically sits within digital and data strategy so that we can help facilitate this transformation by enabling the appropriate use of data to develop new products, automate and digitize core activities, and improve the overall client experience.
CC: Did you start from scratch?
AK: When I joined BNY Mellon, there was a small privacy team and BNY Mellon had just hired its first global chief privacy officer. We focused mostly on GDPR compliance, but we used this as the impetus to create a global privacy office and enhance our global privacy program. We took some time to assess our current level of maturity, understand the regulatory environment and our risk profile, establish a privacy framework and governance structure, and update internal and external policies and training. We conducted a data inventory to better understand where personal information was located, how it was shared, protected and flowed through the organization. We implemented changes to our controls and processes and focused on privacy by design by ensuring these changes were properly embedded into existing business processes.
CC: What were some of the biggest challenges you faced building that program and how did you address them?
AK: One of the challenges, particularly with large organizations, is that businesses tend to operate in silos across various data disciplines. Thus, it is important to take a multi-disciplinary and cross-functional approach and partner with key stakeholders in data security, data governance, records management as well with the business units, technology, risk and compliance.
We are now focused on developing a more sustainable global privacy program and delivering on a fast-changing regulatory portfolio which includes Cayman DPL, California Consumer Privacy Act and the Brazil [General] Data Protection Law. We are driving more accountability in the various lines of business through our privacy steward and privacy champion program and implementing privacy management and privacy-enhancing technologies to automate several privacy processes across the enterprise. There is never a dull day in privacy. It is an ongoing journey and the work is never done.
CC: How can in-house counsel be proactive with privacy-related matters? Should they be?
AK: Absolutely! Too often legal and privacy tend to be called in when things go wrong or are brought in as the final step in the launching of a new product or right before something is to “go live.” They are subsequently viewed as “blockers” or showstoppers” with legal wondering why they are only now learning about this new product or initiative. If privacy by design is properly embedded into the culture and DNA of an organization, privacy considerations are top of mind before a company implements that new technology. Privacy and legal should insist on having a seat at the table early during the design phase of products, systems and new initiatives.
CC: How has your team adjusted to meet standards set by new privacy laws, such as the CCPA, and educated employees? Are there strategies you can share to help in-house counsel currently struggling to make sense of compliance?
AK: There are now over 100+ privacy laws in the world and GDPR is driving other countries to adopt similar regulations. Our privacy team is leveraging much of the work that was done for GDPR and thinking about how we can apply it elsewhere as other laws such as Cayman DPL and Brazil LGPD follow similar models. We have created enterprise-wide privacy training and are promoting awareness through privacy working groups, and our privacy steward and privacy champion network throughout the lines of business.
There are differences between the laws, particularly with the CCPA and other U.S. states drafting their own privacy laws, and the possibility of a U.S. federal law in the future. Thus, it’s important to design a sustainable global privacy program that can account for the similarities in all the laws and apply certain baseline standards to comply with basic privacy principles and best practices.
If an organization is compliant with GDPR it does not mean it will be compliant with the CCPA. There are parts that are similar and straightforward but there are also many ambiguities and implementation challenges with the CCPA, which was hastily drafted and rushed through the legislature. Thus, we are working very closely with several trade associations and outside counsel to benchmark and better understand how other industries are approaching and interpreting CCPA requirements.
CC: What advice do you have for law students interested in pursuing a career in privacy law?
AK: Privacy is a hot field right now and the demand for lawyers who understand privacy is very high. I would encourage law students to learn as much as they can about this field by taking privacy-related courses, such as privacy and data protection, international law, constitutional law, employment law, intellectual property, health care, marketing and behavioral advertising and cybercrime, and taking courses outside of law school, such as technology, computer science, cybersecurity, data science, data analytics, and business and finance.
I would also recommend joining privacy industry associations such as the International Association of Privacy Professionals and obtaining a Certified Information Privacy Professional certification. Privacy is an innovative field, and it is important to stay abreast of what is happening in this space through blogs, LinkedIn and Twitter, attend relevant conferences and seminars, network with other privacy professionals, and apply for internships and externships while in school.
I’d recommend becoming an expert in a niche area of privacy to distinguish yourself in the field, such as a specific piece of legislation, artificial intelligence, internet of things, smart cities, connected cars, blockchain and others, and consider publishing on the topic. If you have already graduated, it is not too late to pursue a career in privacy. You can break into the field through post-graduate fellowship opportunities, which are offered through IAPP, Future of Privacy Forum, [nongovernmental organizations], corporate in-house positions, law firms, consulting firms and government agencies.
Finally, I would not recommend picking the practice area just because it’s “hot” or in demand. Law students are much more likely to find success as a privacy attorney or professional if they are truly interested and passionate about the field.
CC: How can in-house counsel without a privacy background start learning more about the space?
AK: Most of the advice above for law students would also apply. … There are also good privacy and security [continuing legal education events] offered by organizations such as Practising Law Institute.
Finally, I’d volunteer to take on more privacy-related issues in your current practice area. Privacy law touches nearly all aspects of general law practice today and most attorneys will inevitably encounter privacy and security issues in various contexts such as data security and risk analysis in an M&A transaction, assisting with vendor due diligence in an [information technology] outsourcing or technology procurement matter, marketing and behavioral advertising, and advising with respect to cross-border data transfer issues or responding to a data breach.
Join hundreds of general counsel and senior legal leaders at the General Counsel Conference 2019, the premier forum designed for general counsel to learn, network and evolve in their roles.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Women of Legal Tech: 'People Are the Most Important Part of the Equation' Advises Katherine Lowry
Cleary Sees AI as 'Co-Pilot,' Among Growing Client Eagerness for Legal Tech
5 minute read
Reed Smith's New Emerging Tech Partner Sees 'Much Overlap' Between AI Regulation, Privacy Laws
'Disclose, Disclose, Disclose': A Conversation With Stradley Ronon's David Piper on the Rise of CIPA Claims
Trending Stories
- 1The Law Firm Disrupted: Playing the Talent Game to Win
- 2GlaxoSmithKline Settles Most Zantac Lawsuits for $2.2B
- 3BD Settles Thousands of Bard Hernia Mesh Lawsuits
- 4Preparing Your Law Firm for 2025: Smart Ways to Embrace AI & Other Technologies
- 5Inside Track: Late-Career In-House Leaders Offer Words to Live by
Who Got The Work
Eleanor M. Lackman of Mitchell Silberberg & Knupp has entered an appearance for Canon, the Japanese camera maker, and the Brooklyn Nets in a pending trademark infringement lawsuit. The case, filed Sept. 16 in California Central District Court by T-Rex Law on behalf of technology company Phinge Corporation, pursues claims against the defendants for their ongoing use of the 'Netaverse' mark. The suit contends that the defendants' use of the mark in connection with a virtual reality platform will likely create consumer confusion. The case, assigned to U.S. District Judge Consuelo B. Marshall, is 2:24-cv-07917, Phinge Corporation v. Yankees Entertainment and Sports Network, LLC et al.
Who Got The Work
Fox Rothschild partner Glenn S. Grindlinger has entered an appearance for Garage Management Company in a pending lawsuit over alleged wage-and-hour violations. The case was filed Aug. 31 in New York Southern District Court by the Abdul Hassan Law Group on behalf of a manual worker who contends that he was not properly compensated for overtime hours worked. The case, assigned to U.S. District Judge Analisa Torres, is 1:24-cv-06610, Bailey v. Garage Management Company LLC.
Who Got The Work
Veronica M. Keithley of Stoel Rives has entered an appearance for Husky Terminal and Stevedoring LLC in a pending environmental lawsuit. The suit, filed Aug. 12 in Washington Western District Court by Kampmeier & Knutsen on behalf of Communities for a Healthy Bay, seeks to declare that the defendant has violated the Clean Water Act by releasing stormwater discharges on Puget Sound and Commencement Bay. The case, assigned to U.S. District Judge Benjamin H. Settle, is 3:24-cv-05662, Communities for a Healthy Bay v. Husky Terminal and Stevedoring LLC.
Who Got The Work
Caroline Pignatelli of Cooley has entered an appearance for Cooley, partner Matt Hallinan, retired partner Michael Tu and a pair of Cooley associates in a pending fraud lawsuit related to the firm's representation of startup company Carbon IQ and founder Benjamin Cantey. The case, filed Sept. 26 in New Jersey District Court by the DalCortivo Law Offices on behalf of Gould Ventures and member Jason Gould, contends that the defendants deliberately or recklessly concealed critical information from the plaintiffs regarding fraud allegations against Cantey. Gould claims that he would not have accepted a position on Carbon IQ's board of directors or made a 2022 investment in the company if the fraud allegations had been disclosed. The case, assigned to U.S. District Judge Robert Kirsch, is 3:24-cv-09485, Gould Ventures, LLC et al v. Cooley, LLP et al.
Who Got The Work
Attorneys from Skadden, Arps, Slate, Meagher & Flom have stepped in to represent PDD Holdings, the operator of online marketplaces Pinduoduo and Temu, in a pending securities class action. The case, filed Sept. 30 in New York Eastern District Court by Labaton Keller Sucharow and VanOverbeke, Michaud & Timmony, contends that the defendants concealed information that rendered the growth of PDD unsustainable and posed substantial risks to PDD’s business, including merchant policies that made it unprofitable for vendors to do business on PDD platforms; malware issues on PDD applications; and PDD’s failure to implement effective compliance systems. The case, assigned to U.S. District Judge Pamela K. Chen, is 1:24-cv-06881, Macomb County Retiree Health Care Fund v. Pdd Holdings Inc. et al.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
