In the April edition of The Privacy Advisor, we “People in privacy: The new privacy pros.” This series-in-the-making looks at the privacy profession’s evolution and its resulting generation of privacy professionals—some less traditional than others—fulfilling roles in advocacy, policy, academia, publishing, recruiting and a multitude of other areas.


In this installment, you’ll meet two more of these professionals and learn how they found themselves working in privacy, why it matters to them and the impact they have on the greater goals of their respective companies.


Introducing K Royal



K Royal absolutely loves working in privacy. In a phone interview, the excitement in her voice is palpable when she talks about her job and the road she took to get there. Though her path to privacy wasn’t a direct flight, she says she should have seen the signs that she was headed that way all along.


A nurse and a law student before finding her path to privacy, Royal started her privacy career at healthcare company Concentra. But working as a nurse before that really helped her understand the importance of healthcare privacy, she says.


“I don’t just speak from a theoretical viewpoint. I’ve been in the field; I understand how things work in the field,” she says. “Now I’m in a PhD program, and it’s all been building toward this. Every step just keeps dragging me toward this.”


She recently started at Align Technology as privacy counsel, a new position within the company itself.


The Privacy Advisor:
Tell us a little more about what you do on a day-to-day basis?


Royal:
Being new to the company, my activities are focused on learning more about the company in terms of its business interests and operations. Right now, I’m spending a lot of my day talking to colleagues around the world and just learning. I’ve also recently been drawn into some larger projects, such as looking at compliance with the UK cookie law that just went into effect.


The Privacy Advisor:
Could you ever have predicted, as a nurse and later as a law student, that you’d be working in privacy?


Royal:
Actually, I was first a mental health counselor, and my Bachelor’s degree was in psychology. I was a nurse when HIPAA came live. Coming at it from a mental health perspective, personal information was always very protected, very locked down. I remember 20 years ago I devised a privacy practice for an inpatient psych hospital that was replicated in multiple hospitals around the country. In law school, I focused on IP and health law, knowing I wanted to practice in that niche where technology meets healthcare. I did studies and research on telesurgery and cell phones, and both data privacy and security were major factors, so I should have known that I would wind up in privacy. Sometimes you can’t see the road that you walk. It’s all shadowy, and then when you get there, it’s like the heavens open and it’s like, “Ahhhh, this is where I’m supposed to be.”


The Privacy Advisor:
What keeps you interested in what you do?


Royal:
It’s the challenges. It’s the fact that I’m helping people. They may not know it, but I’m still there helping them. And the field keeps me intellectually challenged looking at public policy, looking at law, looking at technology. And I was always one of those kids that could never refuse a dare, and so, every day I feel like someone is daring me.


The Privacy Advisor:
What’s the most difficult part of your job?


Royal:
It’s staying on top of everything. Privacy is pervasive. It’s HR. It’s in sales, it’s in new development, new business, accounts payable. It’s in everything. And it’s so much harder to go back and fix something than it is to do it right to begin with, and the consequences can be devastating both for the individual whose privacy is involved and for the business. To stay on top of everything, I’m getting to know people, making sure I’m out there, that people know me, that if I haven’t talked to someone in a particular department in a while, that I’m reaching out to them and building those relationships. Not just with the department head and business leaders but with the workers on the frontlines.


The Privacy Advisor:
Speaking of reaching out, some privacy professionals have expressed that they are—or feel the need to be—“privacy ambassadors” at their companies because they have the necessary knowledge on privacy and data protection where other departments may be lacking. Do you have a sense for this?


Royal:
Yes, I love that term. That says it all. I laugh because when I tell people now that I am “privacy counsel,” they say, “what’s that?” If you say you’re employment counsel, they don’t ask you what it is. The people around here get it. Privacy is something they’ve worked with for years; they understand it. But no matter where I work, or where anyone works, you have departments that are focused on different things: IT is focused on IT, HR is focused on HR; it’s completely understandable that they aren’t super-focused on privacy. So, when a company hires someone to work specifically on privacy, that’s a huge step in the right direction because this is such a growing field, and as long as companies acquire information and technology keeps advancing, you’re going to have more and more regulations on companies to protect that data. I feel very passionately that I’m there to protect individual rights, but part of my job is to know when other interests trump those, and as privacy ambassador, I hope to educate people I work with. If nothing else, I’m the one point person they can come to for questions and information.


The Privacy Advisor:
What skills will you require to continue to do your job well?


Royal:
I’m learning all the time. I’m really honing my knowledge of EU privacy along with other nations—Japan, Australia, other nations, plus the U.S. and state laws. But in addition to legal knowledge, you have to have tech knowledge. One of my favorite information security professionals used to laugh at me because I don’t use the correct tech lingo. But I understand the concepts; you just have to understand what I’m saying. I really rely on groups like the IAPP and Nymity.com that literally give me the information I need in a timely way and boil it down to where I get what I actually need to know and how to distill all the pieces out. If we didn’t have them, there’s no way we could function. It’s time management.


The Privacy Advisor:
You’re a hard-working privacy professional, but, what do you do at 5 p.m. on a Friday?


Royal:
I look up at 6 p.m. and go, “really?” In my previous roles, it was nothing to be at work on a Friday until eight or nine at night because everyone else was gone, I could focus, I could work. At this job, I can’t say that. They are very huge here on quality of life, having that balance, getting outside while the sun is shining, so I’m trying to figure out what it is I’m going to be doing at 5 p.m. on a Friday. Napa Valley is right here. I have two daughters and they are in college now; one in Texas and one in Arizona. I’m in California, and it’s kind of a whole new world. I don’t think I’m entering midlife crisis, I think it’s a midlife anti-crisis. This is a new world for me.


Introducing Chris Brannigan


Chris Brannigan, CIPP/G, CIPP/US, joined the United States Postal Service (USPS) Privacy Office in March 2002 and has been knee-deep in data protection and privacy ever since. As a research analyst, Brannigan manages privacy office programs for business impact assessments, compliance reviews and privacy risk assessments, among other tasks.



Brannigan was one of six co-inventors of the U.S. Patent for the USPS Business Impact Assessment (BIA), which won the 2004 HP/IAPP Privacy Innovation Award.


As part of his work at the USPS, Brannigan provides a broad range of input on privacy issues to a variety of offices within the organization. He says one of the most important aspects of this has been the ability to communicate to USPS employees newly assigned to the privacy office that their experiences in unrelated fields will bring great depth to the privacy profession.


No one who joined the USPS Privacy Office in the past decade had previous experience, Brannigan said.


“Many that I trained were told on their very first day that we could teach them privacy but that their own knowledge of how the organization really functioned was the primary skill set they brought to our mission because all they had to learn was the privacy message and they would be able to deliver it in terms their fellow employees would understand.”


Brannigan says that as the field expands, this is a message that should be passed along to new privacy pros “who may feel a bit overwhelmed by the avalanche of new information that is ‘privacy’ in 2012.”


The Privacy Advisor:
Tell us a little more about what you do on a day-to-day basis. What kind of responsibilities does your job entail?


Brannigan:
I'm personally responsible for several privacy office programs including the BIA reviews, which combine a privacy impact assessment with mandatory security controls; compliance audits; reviews of very large archives for PII related to FOIA requests and privacy incidents; legislation, research and media tracking; policy review and development, and customized privacy training.


The Privacy Advisor:
In what way does your job involve data and data protection/privacy?


Brannigan:
Since I joined the privacy office in 2002, almost every aspect of my job has involved data and data protection/privacy. But in recent years, my job has become more focused on compliance audits, archive reviews and forensic file reviews.


The compliance audits of IT services contracts ensure the required privacy and IT security clauses are included in all contracts with firms whose support of USPS programs may include access to sensitive information.


The file reviews directly involve the analysis and redaction or extraction of sensitive information from very large data archives, and I also provide communications support to our data loss prevention program, which directly protects sensitive data from being transmitted or removed from within our network environment.


The Privacy Advisor:
It must have been rewarding to be part of the team that developed the Business Impact Assessment (BIA)?


Brannigan:
It was, especially since it was first developed in 2002, and we first applied for a patent in 2004, which was finally granted in 2011. During those years, the privacy office worked closely with the computer information security office (CISO) to continually upgrade the BIA to adapt it to new technologies and programs. The most rewarding part of the whole effort was the cooperation between the privacy and IT security groups. That’s what made it work so well.


The Privacy Advisor:
Before you worked in the privacy office, you worked at the USPS e-Commerce Office. Did you take any of that into your job now?


Brannigan:
The most important part of the marketing/e-commerce philosophy I brought with me was the same philosophy I learned in R&D in the ’80s, when the USPS first developed and implemented whole generations of automated mail-processing systems that used IT technology in countless new ways to solve old problems.


The philosophy is based on the endless waves of technical innovation. Every day, someone somewhere is inventing some new technology, and sometimes you can use or adapt that technology in a small way to solve an old problem or in a big way to create an entirely new way of doing something that never existed before. All you have to do is keep learning about what's new and keep thinking of new and different ways to use what someone else has invented.


The Privacy Advisor:
What’s the most difficult part of your job?


Brannigan:
Keeping up with the latest in privacy and IT security-related technologies, regulations, incidents, litigation and policy changes in the public and private sector. It’s a nearly impossible task. You never know when something you read in one area will become useful knowledge in another.


The Privacy Advisor:
Do you consider yourself a “privacy professional” or is privacy just one aspect to a much broader job?


Brannigan:
I have worked as a full-time “privacy professional” in the USPS Privacy Office since 2002. I first earned the CIPP and CIPP/G certifications in 2005, and I do what I can to support the IAPP certification program. In recent years, I have noticed that these certifications have become more frequently listed in vacancy postings for “privacy professionals” as “desirable” or “required.”


But it’s not an either/or situation. In my case, privacy is one aspect to a broader job that also includes part-time roles as an instructional development specialist, forensic analyst and what's known inside the Beltway as a "policy wonk." This just means I get to read, analyze and write the kind of complex verbiage that is frequently criticized as overly complex and wordy. But if you want to be certain you do due diligence and address all the responsibilities and risks in protecting sensitive information, sometimes there’s no substitute for including all the details.


In recent years, I’ve also been fortunate to be able to contribute to several official publications produced by the Federal CIO Council Privacy Subcommittee, including the Privacy Controls Appendix that has been adopted and included by the National Institute for Standards and Technology (NIST) for the latest draft of the Federal Government’s mandatory requirements for federal agency information systems (SP 800-53 Rev. 4). I’m proud to have contributed to the security control family, but even prouder of the fact that NIST reached out to the CIO Council for this input and that this is the first time privacy has been included both in the title and the requirements. The final version is still in the public comment stages, but this is a major step forward for the inclusion of privacy requirements in the federal IT security universe.


The Privacy Advisor:
What skills do you see yourself needing to polish or, in fact, learn in the future in order to continue to do your job well?


Brannigan:
Digital forensics and IT security metrics are just two items on a growing list of disciplines that are becoming more essential in doing my job well.


The Privacy Advisor:
It’s 5 p.m. on a Friday. What’s the first thing you do?


Brannigan:
After many years of spending Friday afternoon in traffic, I now have a short commute past the monuments and across the Potomac to a cozy cottage in the wooded hills above Rosslyn that I share with my wonderful family; I’ve got a basement full of vintage brass model locomotives and trolleys that I restore and run for fun.


But truthfully, the first thing I usually do on my way home on Fridays is stop and pick up some carry-out dinner to take home because I’m the family cook, and Friday night is my night off!
