
The Privacy Advisor | Volunteer Spotlight: A conversation with Abhishek Agarwal


In this Volunteer Spotlight, The Privacy Advisor caught up with Abhishek Agarwal, CIPP/US, chief security and privacy officer at Fresenius Medical Care North America, where he communicates security risks to key stakeholders and ensures adherence to regulatory requirements. As chair of the San Francisco Bay Area KnowledgeNet, Agarwal provides privacy leadership in the Bay Area, speaking on operationalizing the requirements and best practices of the EU General Data Protection Regulation. Agarwal reflects on his growth in the profession, the expansion of technology in health care, and the importance of taking a broad approach that brings privacy and security together.

Privacy Advisor: You have been both a chief privacy officer and chief information security officer — does the title change your approach to privacy?

Agarwal: It has only changed from the operational aspect. [The Health Insurance Portability and Accountability Act] has always been a very technical law, but with increasing data protection regulations across the globe such as the GDPR in the EU, cybersecurity law in China and new privacy regulations in other parts of the world, I think it has become evident that an internal privacy policy has to evolve from being merely a one- or two-page document to more of an operationally involved policy — it’s an extension of a security operating framework into a privacy framework or vice versa.

Privacy Advisor: Does your current role as both a privacy and security officer provide a lesson for other organizations to learn from?

Abhishek Agarwal, CIPP/US

Agarwal: In my previous job, I was the first CPO with no legal background. Based on the prevailing risk factors, the leadership made a calculated, conscious decision by appointing someone with business and technology experience who understood the global legal privacy framework, and as a result, together we were able to make a ton of progress by developing risk-based practical solutions. This is a learning lesson for us in the health care industry. The world of privacy has moved beyond just legal advice provided by legal counsel, or a privacy policy guiding business and technology teams. Now, it is about getting under the skin, into the nitty-gritty of operations, and developing practical solutions for the business. The partnership between privacy and security can drive simplicity and improve productivity.

From an accountability standpoint, I have both security and privacy responsibilities. When I was evaluating the opportunity with my current company, I asked management to think about aligning the privacy and security functions together. It doesn’t mean that the accountability or responsibility walks away from either the legal or IT department; instead, it involves combining them from an operational point of view to assess and mitigate the risks. The leadership really got behind it because they understood the challenges and foresaw the health care industry trending towards it. The decision making, investments based on capabilities, and managing daily privacy operational risks were a few of the reasons that led them to the decision.

Privacy Advisor: What challenges do you continue to face in the health care industry, how has that shifted, and what is left to improve the health care regulatory space?

Agarwal: Regulations such as HIPAA or the EU Data Protection Directive were passed more than 20 years ago and have gone through numerous revision cycles. Within that time frame, technology has evolved exponentially and continues to digitize health care services. I believe we have barely scratched the surface. From a privacy regulations aspect, more effort is needed to drive clarification on topics such as cross-border data transfers, encryption, data anonymization, data residency and so forth. However, the regulations should be written from the point of view of improving the human condition.

Health care is related to people's lives. It takes time to fully realize the impact of a privacy regulation. I think we will see the continuous evolution of privacy laws as they refine themselves by finding a balance between the rights to safeguard personal information and how to protect that personal information. From a purely legal standpoint, the definitions of covered entity and business associate or controller and processor are fully clear now; companies understand their obligations.

Now, the question is, where do we go from here as the technology evolves? Cloud computing, data lakes, machine learning and artificial intelligence are developing fronts for data privacy.

There is an opportunity for public-private sector partnership, not just in the US, but at a global level, where we can bring great minds together to develop solutions of the future. A better solution, a global solution, for people that safeguard their privacy rights and protect their personal information.

Privacy Advisor: What's the privacy pro community like in San Francisco?

Agarwal: I was in Chicago for more than 20 years. It's very different here in the Bay Area. In a metro area with Midwest culture and global connectivity, managing a privacy portfolio for a Chicago-based global company requires a special skill set. Someone with international experience, bilingual with a global education, who understands the local pulse can have a successful corporate career in Chicago. San Francisco and the South Bay area are very different. It is a global technology melting pot where results are expected quickly. The global pace doesn’t necessarily sync with the expectation in the Bay Area. There is also a lot of passion behind the work here, and people are committed to solving global problems rather than local issues. They go for the world.
