Back in 1998, I was working at Novell, Inc., as a clerk for our litigation team and the legal department webmaster. The still-new internet was starting to generate privacy-related concerns. We also had some issues with junk-fax litigation, and leaders in Novell’s Legal Department were interested in figuring out what customer information was being collected throughout the company, who had access to personal information, and how that information was being used or shared. Legal also wanted to draft Novell’s first online Privacy Statement. They asked me if I was interested in leading this “privacy” work.
I had no idea what “privacy” meant in the business context, but thought it sounded interesting, so I signed on. With E&Ys help, I directed Novell’s first data mapping exercise and established a privacy-compliance program. We trained our associates about this new thing called “privacy” and signed up for TRUSTe’s privacy certification.
After running Novell’s first privacy office, I was interested in getting more experience in the privacy field as well as in getting the chance to live on the East Coast. I took a job with a global telecom venture called Concert Communications (an AT&T & BT joint venture) out of Reston, VA. Concert hired me as a contractor to get their HR systems and processes compliant with the EU Data Protection Directive.
I didn’t have any experience dealing with EU privacy issues, very few did in 2000, and couple of years at Novell was good enough experience for Concert to offer me the job. Fake it ‘till you make it! It was great exposure to global privacy issues, employee privacy and the U.S.-EU Safe Harbor framework.
Once I completed the project at Concert, in the spring of 2001, I was hired as a privacy consultant at the newly created Privacy Council, Inc., out of Dallas, Texas. Our leaders included pioneers in privacy, including Gary Clayton and Larry Ponemon. The EU Data Protection Directive, Health Insurance Portability and Accountability Act and Gramm-Leach-Bliley Act started generating a good amount of work for us during my consulting years at Privacy Council. I worked on privacy projects with global companies such as Cisco and American Airlines and worked on privacy issues in various industries. During this time, I attended some of the IAPP’s very first conferences and was a part of the IAPP's inaugural CIPP certification class in 2004.
In 2005, after having our first child, I decided to take a privacy position in-house at Countrywide Financial. I can’t really speak to our home lending practices, but Countrywide’s Privacy Office was top notch. I worked with Christine Frye, our chief privacy officer, and was able to focus on the privacy risks financial institutions deal with on a daily basis. In 2008, I made a move to Capital One, where I’m currently managing the company’s Compliance Privacy Office team.
It’s been a terrific journey in a field I had no intention of being in. It’s meant moving forward in uncharted territory and making things up as you go. Even though I’ve been in the privacy field for 17 years, I still feel like it is new and we are in the beginning phases of addressing privacy risk and establishing best practices. That said, it is nice that the blank stares I used to get when I told friends and family I worked in “privacy” have, for the most part, been replaced with a general understanding of risks involved whenever we share our personal information and a reply that this work must be keeping me very busy.
No matter what you're currently doing for your company or no matter what level of privacy experience you have, if you want to get involved in the world of data protection and privacy, there are so many opportunities. I recommend reaching out to your company’s privacy officer (if one exists) and offering to become a champion of privacy in your current department. There are privacy risks in virtually every aspect of a corporation and no doubt your privacy officer wants and needs as much help as possible from anyone willing and able. Also, get involved with the IAPP. Subscribe to the IAPP Daily Dashboard, join the Privacy List, attend KnowledgeNet chapter meetings and become privacy certified.