The Privacy Advisor | From regulatory to private sector, McDougall says privacy pros 'trying to do the right thing'

Editor's Note:

The IAPP’s “Profiles in Privacy” series features a monthly conversation with a notable privacy professional to discuss their journey in privacy, challenges and lessons learned along the way, and more.

With a background in the private and public sector, Simon McDougall, CIPP/E, CIPM, CIPT, said he has witnessed first-hand, on both sides, privacy's massive community of practitioners working to try to do the right thing day in and day out.

"Nowadays, the vast majority of big companies have some of those folks there. As a regulator, it's very easy to assume that there's something shady going on, or to have suspicions of the private sector, when in reality, there might be resource constraints, there might be confusion, there might be different things, but most people are trying to do the right thing," McDougall, ZoomInfo's chief compliance officer since January 2022, said.

Simon McDougall, CIPP/E, CIPM, CIPT, ZoomInfo's Chief Compliance Officer

The understanding that "the privacy community is a good community" is one McDougall said he sought to bring to his role at the U.K. Information Commissioner's Office, where he served as deputy commissioner, executive director — technology policy and innovation from 2018-2021. Returning to the private sector after his time at the ICO, which spanned the COVID-19 pandemic, McDougall, who is based in London, said he often thinks more now about the risk of harm to individuals, rather than concerns surrounding technical breaches.

"Every company has to be complying with the letter of the law and regulation. That's a given. But in terms of what actually matters, it's stepping back and saying what is the real risk of harm to people from the thing we might do and that gives you some perspective," he said. "And as a regulator you have to think about harm all the time. … Are people being denied services? Are their fundamental rights being harmed in some way? Are we putting somebody in personal danger or can they be discriminated against? Or are they a child or vulnerable? All those things are real things."

McDougall said his "chance" venture into privacy started at the Arthur Andersen accounting firm where he worked in technology risk. He singularly took on more of a privacy role in the early 2000s after expressing interest in the interaction between human rights, technology and regulation. When the firm was purchased by Deloitte, McDougall said he became part of a privacy team and later, in 2010, went on to join Promontory Financial where he set up a global privacy team.

In 2018, McDougall joined the ICO, establishing technology and innovation functions, including early work on artificial intelligence, and setting up a specialist team to handle the challenges of the COVID-19 pandemic, tackling questions and concerns around how the government, businesses and others were sharing and using health and other data to combat the virus.  

When the pandemic began in the spring of 2020, McDougall said the ICO spent a lot of time "saying yes," fielding questions about actions companies and individuals could take in addressing challenges and needs presented by the pandemic, while also meeting data protection requirements — from proposals for contact-tracing apps and vaccine passports, to supermarkets seeking vulnerable individuals' addresses to send food and other necessities.

"When I say we said yes a lot, it's because we got questions around can we do this thing which is clearly going to save lives, help us understand the virus better, work out where we have to set up makeshift hospitals or how we can get data for research, and we had a good look at these things and then most of the time we said yes, get on with it," McDougall said. "What we learned was that the GDPR, actually, is really good at this. It has lots of balancing tests and we never had to once say we're going to waive a bit of the GDPR in order to save people, to protect people."

A particular source of pride from his time at the ICO, McDougall said, is the agency's work on AI. It was during his years there that the ICO brought on board its first postdoctoral research fellowship in AI, professor Reuben Binns, and launched its first guidance on AI as well as an AI risk toolkit.

"Reuben's an expert in AI and it was really interesting to learn from him, but also have the combination of somebody who was an academic by training working with other people who could turn his insights into easy to read, practical guidance," he said. "And if you go back and look at it now, it still stands up. And all the risks that we are discussing now are the risks we highlighted then."

Now a member of the IAPP board of directors, McDougall is also serving on the IAPP AI Governance Center Advisory Board, working alongside privacy and AI leaders to advance the professionalization of AI governance.

"A lot of the tools we use to manage risk in privacy can be re-equipped to address a lot of the challenges of AI. It's not a simple swap, it's not an easy thing to do, but it's the best option we have," McDougall said.

He's pleased to be engaged in AI governance, and to return to the private sector with his work at ZoomInfo, where he serves in a broad role covering privacy, as well as government and regulatory relations, compliance, risk management and operations. He said it's a role that builds on his background experience.

"It's a really interesting, data-heavy company, at the same time it's a business to business company," McDougall said of ZoomInfo. "In the end, it's helping business professionals so it's a nice place for a regulator to be. And from my point of view, it utilizes my experience in privacy, but going back to my time as a consultant and the wider workload in risk management and the like."

When he started in the field, McDougall said the U.K. privacy community "could all fit within one small room" and "most of the work we did had to be sold twice." He's watched interest in privacy grow gradually to now "massive" levels, through various breaches, an increasing use of data, regulations, and more.

And over that time, McDougall said he's seen hundreds of companies with employees "putting in really hard yards on the ground to make their organizations better" at privacy, often thankless work that protects individuals in ways they may never see themselves.

"I do really believe that one of the simplest ways to make people's lives better, from a privacy point of view, is to enhance the standing and the competency and the satisfaction of the privacy community," McDougall said. "If you do that, then you're obviously empowering the professionals themselves, which is great, but you're also making everyone's lives better. And that's better than just scolding big organizations and telling them they have to do better."

Looking to the future of privacy and AI, now is a time to "think far and wide" about information risks and what technology and data are going to do today and moving forward, he said.

"I think there was a phase, including the GDPR, where we really grappled with privacy as a siloed thing, in many cases. And in reality, privacy is now being absorbed into a much broader discussion around what we want technology and data to do for us. And that's a question for society, for philosophers, for businesses, and we've got some big hard challenges," he said. "I think if all you do is focus on privacy in its narrow sense, then you're going down a dead end."

