Building a Data Privacy Program In-House: BNY Mellon's Anju Khurana Weighs In
Anju Khurana is the head of data privacy at the Bank of New York Mellon Corp., a New York-based role that keeps her in the thick of changing data regulations worldwide.
August 15, 2019 at 11:36 AM
8 minute read
The original version of this story was published on Corporate Counsel
Anju Khurana is the head of data privacy at the Bank of New York Mellon Corp., a New York-based role that keeps her in the thick of changing data regulations worldwide.
Next month, Khurana will be speaking about the impact the European Union’s General Data Protection Regulation is having on security standards globally at the General Counsel Conference in New York. Corporate Counsel asked Khurana about her experience with privacy in-house and her advice for lawyers looking to enter the practice space.
Corporate Counsel: How can lawyers develop and implement a privacy program at their companies, as you did at BNY Mellon?
Anju Khurana: Before implementing a privacy program, I would take some time to really get to know the organization and become familiar with its products, services, business priorities and strategic roadmap. It’s important to really understand the business’s needs or risk profiles, avoid a “check the box” mentality to compliance and pursue a strategy that is more closely aligned to the business’s needs.
BNY Mellon’s current focus is on digital transformation and the global privacy office strategically sits within digital and data strategy so that we can help facilitate this transformation by enabling the appropriate use of data to develop new products, automate and digitize core activities, and improve the overall client experience.
CC: Did you start from scratch?
AK: When I joined BNY Mellon, there was a small privacy team and BNY Mellon had just hired its first global chief privacy officer. We focused mostly on GDPR compliance, but we used this as the impetus to create a global privacy office and enhance our global privacy program. We took some time to assess our current level of maturity, understand the regulatory environment and our risk profile, establish a privacy framework and governance structure, and update internal and external policies and training. We conducted a data inventory to better understand where personal information was located, how it was shared, protected and flowed through the organization. We implemented changes to our controls and processes and focused on privacy by design by ensuring these changes were properly embedded into existing business processes.
CC: What were some of the biggest challenges you faced building that program and how did you address them?
AK: One of the challenges, particularly with large organizations, is that businesses tend to operate in silos across various data disciplines. Thus, it is important to take a multi-disciplinary and cross-functional approach and partner with key stakeholders in data security, data governance, records management as well with the business units, technology, risk and compliance.
We are now focused on developing a more sustainable global privacy program and delivering on a fast-changing regulatory portfolio which includes Cayman DPL, California Consumer Privacy Act and the Brazil [General] Data Protection Law. We are driving more accountability in the various lines of business through our privacy steward and privacy champion program and implementing privacy management and privacy-enhancing technologies to automate several privacy processes across the enterprise. There is never a dull day in privacy. It is an ongoing journey and the work is never done.
CC: How can in-house counsel be proactive with privacy-related matters? Should they be?
AK: Absolutely! Too often legal and privacy tend to be called in when things go wrong or are brought in as the final step in the launching of a new product or right before something is to “go live.” They are subsequently viewed as “blockers” or showstoppers” with legal wondering why they are only now learning about this new product or initiative. If privacy by design is properly embedded into the culture and DNA of an organization, privacy considerations are top of mind before a company implements that new technology. Privacy and legal should insist on having a seat at the table early during the design phase of products, systems and new initiatives.
CC: How has your team adjusted to meet standards set by new privacy laws, such as the CCPA, and educated employees? Are there strategies you can share to help in-house counsel currently struggling to make sense of compliance?
AK: There are now over 100+ privacy laws in the world and GDPR is driving other countries to adopt similar regulations. Our privacy team is leveraging much of the work that was done for GDPR and thinking about how we can apply it elsewhere as other laws such as Cayman DPL and Brazil LGPD follow similar models. We have created enterprise-wide privacy training and are promoting awareness through privacy working groups, and our privacy steward and privacy champion network throughout the lines of business.
There are differences between the laws, particularly with the CCPA and other U.S. states drafting their own privacy laws, and the possibility of a U.S. federal law in the future. Thus, it’s important to design a sustainable global privacy program that can account for the similarities in all the laws and apply certain baseline standards to comply with basic privacy principles and best practices.
If an organization is compliant with GDPR it does not mean it will be compliant with the CCPA. There are parts that are similar and straightforward but there are also many ambiguities and implementation challenges with the CCPA, which was hastily drafted and rushed through the legislature. Thus, we are working very closely with several trade associations and outside counsel to benchmark and better understand how other industries are approaching and interpreting CCPA requirements.
CC: What advice do you have for law students interested in pursuing a career in privacy law?
AK: Privacy is a hot field right now and the demand for lawyers who understand privacy is very high. I would encourage law students to learn as much as they can about this field by taking privacy-related courses, such as privacy and data protection, international law, constitutional law, employment law, intellectual property, health care, marketing and behavioral advertising and cybercrime, and taking courses outside of law school, such as technology, computer science, cybersecurity, data science, data analytics, and business and finance.
I would also recommend joining privacy industry associations such as the International Association of Privacy Professionals and obtaining a Certified Information Privacy Professional certification. Privacy is an innovative field, and it is important to stay abreast of what is happening in this space through blogs, LinkedIn and Twitter, attend relevant conferences and seminars, network with other privacy professionals, and apply for internships and externships while in school.
I’d recommend becoming an expert in a niche area of privacy to distinguish yourself in the field, such as a specific piece of legislation, artificial intelligence, internet of things, smart cities, connected cars, blockchain and others, and consider publishing on the topic. If you have already graduated, it is not too late to pursue a career in privacy. You can break into the field through post-graduate fellowship opportunities, which are offered through IAPP, Future of Privacy Forum, [nongovernmental organizations], corporate in-house positions, law firms, consulting firms and government agencies.
Finally, I would not recommend picking the practice area just because it’s “hot” or in demand. Law students are much more likely to find success as a privacy attorney or professional if they are truly interested and passionate about the field.
CC: How can in-house counsel without a privacy background start learning more about the space?
AK: Most of the advice above for law students would also apply. … There are also good privacy and security [continuing legal education events] offered by organizations such as Practising Law Institute.
Finally, I’d volunteer to take on more privacy-related issues in your current practice area. Privacy law touches nearly all aspects of general law practice today and most attorneys will inevitably encounter privacy and security issues in various contexts such as data security and risk analysis in an M&A transaction, assisting with vendor due diligence in an [information technology] outsourcing or technology procurement matter, marketing and behavioral advertising, and advising with respect to cross-border data transfer issues or responding to a data breach.
Join hundreds of general counsel and senior legal leaders at the General Counsel Conference 2019, the premier forum designed for general counsel to learn, network and evolve in their roles.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllLitigation Leaders: Quinn Emanuel's Michael Carlinsky on Training Associates to Think and Act Like Trial Lawyers
Innovation Award Individual Finalist: Charlie Hernandez, My Pocket Lawyer
1 minute readTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250