The IAPP’s “Profiles in Privacy” series features a monthly conversation with a notable privacy professional to discuss their journey in privacy, challenges and lessons learned along the way, and more.
In his privacy journey, Harvey Jang, CIPP/E, CIPP/US, CIPT, has gone from being “a surgeon, to a dietician and strength coach.”
Jang described the start of his career in commercial litigation in the late 1990s as dealing with “a heart attack that has already happened. It’s open-heart surgery, spare no expense, keep that person alive,” he said.
After eight years as outside counsel, he transitioned to working as an in-house attorney focusing on compliance, privacy and security — first at Symantec, then HP and Intel Corporation. Currently, he is the vice president and chief privacy officer of Cisco. His focus now is to be "proactive and preventative" — "What’s the diet and exercise plan we need to implement to prevent a heart attack from happening?"
Jang orchestrates the global privacy strategy, vision and three-part mission — compliance, market access and differentiation — for Cisco, a multinational software development company headquartered in San Jose, California. He leads a “multi-disciplinary” team of 25 privacy professionals, program managers, lawyers and engineers to drive privacy as a business imperative. The team develops and operationalizes Cisco’s privacy policies and standards and represents the company among regulators, standards bodies, media and others.
“It’s evolving, constantly evolving ... What we thought were the rules last year are not the rules today,” Jang said of the global privacy environment as technology advances and new laws emerge around the world. “We need to accept the fluidity and evolution of these laws and try to understand what risks and interests they are trying to address. You have to delve into legislative history, culture and context. What makes privacy interesting and challenging is that there's a lot of judgment calls and interpretation needed — there's often no 'one size fits all' or clear answer for the 'best way to do things.' You really have to engage with privacy regulators to get a sense of what their priorities are and what they care about."
Jang said, "it takes a multi-disciplinary village" to get things right. His legal background along with economics and social psychology — both undergraduate majors — and an appreciation for technology have all played an important role in being able to, alongside other teams within Cisco, interpret what is required and develop internal processes to operationalize privacy within the company. His team — the Privacy Center of Excellence — is tasked with setting the standards, building tools, and working with business process owners to manage personal data within their organizations.
“For example, we have our privacy impact assessments as part of our product development lifecycle. The Privacy COE developed the PIA and questionnaire, workflow and controls library that engineers use when designing and building their products. Their engineers are ultimately responsible for their product, we, the Privacy COE, help them build with privacy by design so our customers can be confident our products can be used in a compliant and privacy respectful manner," he said.
The goal, Jang said, is to embed privacy into every facet of the organization. "It's centralized in terms of setting the standards, but operationalizing privacy is everyone's responsibility."
Hundreds of the company’s 70,000-plus employees have been trained as "privacy champions," obtaining IAPP certification and serving as privacy leaders within their departments and teams.
"Privacy champions, training and playbooks are how we scale. We train privacy champions so they can handle 80 to 90% of the issues. Escalations back to my team should only come if it's a gnarly question of first impression," he said. "If my team can't answer the question off the top of their heads, then we didn't do a good enough job of training or writing the playbook."
Jang and his team are also looking to the future as technology continues to advance and new ways to use data are created. Internally, they are exploring automated data discovery and other privacy-enhancing technologies and tools. They also actively engage with regulators, industry groups and standards bodies on new frameworks for international data flows, responsible AI, data ethics, organizational accountability and more.
"Responsible AI/ML and data ethics are where privacy was a decade ago — it's just beginning. Regulators are very interested in this space and starting to pass laws to set the rules of the game. We're encouraged by the partnership and regulator engagement with industry. Together, we will enact smart legislation that encourages innovation while protecting and respecting privacy," he said.
Embedding human rights and data ethics into Cisco's privacy impact assessments "allowed us to leverage all the work we've done in privacy over the years to accelerate integrating requirements from new regulatory areas," Jang said.
While privacy is centered around protecting individuals' rights, the Privacy COE is partnering with Cisco's Business and Human Rights team to look at the impact of technology on society or humanity at large.
"The Privacy COE focuses on the grains of sand, and with the BHR team, we look at the entire beach," he said. "We need to pay attention to the macrolevel impact in addition to the impact to specific individuals. We're in unchartered waters ... In this world of complexity and change, we anchor our program on the core, timeless principles of transparency, fairness and accountability as our North Star."
Keeping up with the evolution and constant change makes for exciting work and is what makes privacy fun, Jang said.
"Privacy laws and what it means to 'get privacy right' are changing all the time. The rules are evolving and are sometimes inconsistent. If you're comfortable with the gray and are ready to defend your position, then you will do well in privacy," he said. "If you need black and white rules, stability, and consistency, then you are going to have a hard time. You have to be fluid and adapt. To quote Bruce Lee, 'Be water, my friend.'"