Global technology company IBM recently named Cristina Cabella as its chief privacy officer, taking over for Christina Peters, who is moving on to other data-related responsibilities, including data ethics, within IBM Legal. But Cabella isn't new to the company; in fact, she joined in 1999. The majority of her career has been spent in the company's European legal branch, and she got her start as European data privacy officer back in 2005.
At first blush, IBM's appointment of Cabella as its CPO isn't so newsworthy. She's a logical choice for the position, with a strong background in both European law and IBM itself. But what's interesting, and perhaps indicative of a coming trend given the EU's pending General Data Protection Regulation, is that IBM is a company headquartered in the United States with an EU-based CPO.
"It's quite unusual for an American company to have a European in that role," Cabella recognizes. But she said it's strategic. There's a lot of mistrust regarding American companies' data privacy practices these days.
"It's a recognition of the importance for IBM to be really representing a global company," she said. "In Europe, it is very much the perception that American companies are belonging to different systems and different privacy regimes. In Europe, we are respective of the laws in Europe ... and we want to develop trust in IBM as a company that is present in Europe and wants to do business in Europe as elsewhere. It's a message of recognizing the importance of understanding European data privacy protection's background and understanding that global law needs to be part of the company."
Cabella said she's serving a truly global role, responsible for data privacy in all IBM's geographies, which includes Latin America, Asia, and the Middle East, in addition to the U.S. and EU. But she said IBM's decision to name her CPO integrates "a single IBM vision," and indicates IBM's sensitivity to data privacy perceptions in European culture.
"I think having a European background is helping me because, of course, Europe is considered to be one of the most advanced and respected regimes," she said. "So having that background in mind, I think, is helping to drive the company and to ensure that company-wise, geography-wise, we are aligned to a harmonized profile."
Cabella's time, like most privacy pros of late, is occupied mainly by preparing IBM for the GDPR. She said she spends about 80 percent of her time on GDPR-related projects. She's managing data privacy lawyers both in the U.S. and EU and a number of her team members are covering developments in Latin America and Africa. She's also managing business lines in health data, as well as team members who are focused on certain business models as they relate to particularly sensitive data.
Cabella said success as to this point has come from a varied background at IBM, which enabled her to have a deep understanding of how the business really works. She said that's going to be increasingly critical as companies establish data protection officers under the GDPR.
"I think I represent the logic of a data privacy expert that is really understanding the company," she said, adding that she's able to really contribute to GDPR principles like privacy by design because she has a strong understanding of how IBM's systems work.
DPOs will really "need to have a good understanding of the processes and how the company is organized," she said. "Being purely an expert without having that understanding and knowledge, in today's world, in the complexity generated by the GDPR, the challenges would be extremely difficult."
Asked whether Cabella will serve not only as CPO but also as, officially, the company's DPO under the GDPR, Cabella said she's not in a position to answer that at this time, as the company is still developing its strategy there.
In the end, Cabella sees herself, and her homebase in Europe, as revelatory in regards to the global nature of commerce today and the privacy concerns that have proliferated alongside its growth.
"I view my role is really in a sense to bridge between what maybe years ago could have been perceived as two worlds," she said. "Our idea is for IBM to be a single world in the protection of customers' data."