Ep. 07

Alexandra Ross,

Director, Global Privacy and Data Security Counsel at Autodesk, Inc.

Dec 1, 2020

Alexandra Ross shares how global companies are leading with privacy and what the CPRA means for executive teams.

Text Transcription

Daniel Barber  0:16  

Welcome to the GrailCast. Today, we’re thrilled to welcome another industry leader in privacy. Alexandra Ross, Director of Global privacy and data security at Autodesk. Welcome, Alexander. Hi,


Alexandra Ross  0:27  

Daniel. Thanks so much for having me.


Daniel Barber  0:29  

Yeah, no, thanks for joining us. So you’ve been in this, this industry for quite some time, maybe you want to give us just a brief intro, and then we can get right into it.


Alexandra Ross  0:38  

So as you said in your introduction, I’m Director of Global privacy and data security at Autodesk which is a software company for the architecture, engineering, construction, manufacturing, media and entertainment industries. And at Autodesk, I lead the data protection legal team, where I provide strategic policy governance and legal support for our global privacy and security programs. In that role, I sit on our Incident Command team managing security incidents. I’m also part of various privacy governance groups. And recently, I became an advisor to breach Rx, which is an incident readiness and response platform company. 


Daniel Barber  1:18  

Awesome. Yeah. I mean, I was really excited for our conversation today. If I’m, if I’m being honest, you know, I’ve followed your blog and your writing for quite some time. And I feel like you’re really in privacy long before it was cool. What led you down this path?


Alexandra Ross  1:33  

That’s funny. I tell people, I was practicing privacy before privacy was a thing, you know, in quotes. So I was an early adopter, I think I was, you know, in the right place at the right time, I started working on privacy issues when I was a junior associate at a law firm in San Francisco. And I was an intellectual property group. There wasn’t even, you know, a privacy or data protection group at law firms at the time. 


But as an associate in the IP group, I supported many technology and startup clients who had data issues. So I worked on a variety of data protection issues at the time, drafting privacy statements working on can spam and marketing issues capa security and incident response. And I saw an opportunity and the work would come across my desk from the partners and I sort of was one of the go to people at the firm at the time to work on privacy issues, just because I had an interest in and I thought it was it was different. And it was creative. And it was something that was adjacent to intellectual property, but it was this emerging issues. And I liked working with the technology and startup clients. So it was an opportunity to create a career in that emerging space. And it was really taking the opportunity and following sort of my intuition, that there was something there. 


And you know, originally, there wasn’t a privacy bar, there were no privacy professionals, there was a small group of us that we sort of grown up with the emergence of privacy law and privacy being an industry or being a career. But at the time, there wasn’t a large body of regulation. So part of my interest was really this intellectual challenge of applying existing law to new areas of technology to the internet, to cloud computing, and trying to sort of fit these various, sometimes very ancient regulations into this modern data driven society, which was, you know, very, very challenging and very interesting. 


And it’s also just a way for me to be creative. And it satisfies this emotional need to connect with people, because there’s a lot of collaboration with a wide variety of stakeholders. Being a privacy professional, you’re working with engineers, you’re working with architects, you’re working with security professionals, you’re working with marketing, you’re working with sales, you’re working with all your other legal colleagues. So there’s that diversity of opinion. There’s a diversity of projects and initiatives that I get to work on. And I just, I’m helping solve these business and technology and legal problems.


Daniel Barber  4:10  

Yeah, that’s awesome. So you’ve seen a lot right from your time at Walmart all the way to to Autodesk, what has been a surprise for you in what we’ve seen in the last couple years.


Alexandra Ross  4:20  

It’s been interesting to track the progression of privacy as a kind of social phenomenon, as well as the privacy industry itself. So I think on the positive side, I’m pleasantly surprised that consumers and society at large are more aware of privacy issues and understand how it’s important to protect your data and where there’s opportunities for bad actors to compromise your data, you know, some of the social media things that we’ve seen in the past. 


So there’s a more informed public and a more general awareness of privacy and security issues, do wider news coverage and just you know, things that have happened Good and bad, that companies are making mistakes or consumers are just more generally aware of privacy. So that has been surprising, I think just to see the evolution of privacy and data and the way our society has evolved over the last 10 or 15 years, you know, it’s also just surprising that there has been such an evolution in the privacy sort of industrial complex, you know, that what was once a very niche area, a lot of, you know, former intellectual privacy attorneys or former engineers who went to law school, you know, we are now privacy professionals in a group that is expanding. And you know, I don’t know the numbers, but there’s so many more people now that are practicing in the privacy space than when I started. 


And that’s, that’s actually very heartening that there’s this enterprising space for attorneys and program managers and privacy engineers, and advocacy groups and all the service providers, you know, in the privacy space, that are that are supporting the protection of personal information. So I think that’s been surprising, but also a very good sort of societal progression.


Daniel Barber  6:15  

Yeah, no, I definitely agree. There’s been a trend that’s been emerging for quite some time and sort of aligning towards transparency and control for the consumer, which is great to see. So sort of along those lines, you know, how do you see global companies leading with privacy?


Alexandra Ross  6:32  

That’s a great question. I think it’s such a wonderful opportunity for companies to really connect with their customers and their users. Your customers now expect a certain level of privacy and security standards, both in the b2b and b2c relationships. It’s really table stakes. It’s just you got to do it. 


You know, there’s not a question in terms of basic levels of compliance to meet that customer expectation. And a global technology companies, if they’re developing global privacy programs to manage compliance. There’s also the companies that are leading with privacy, that are stressing that Privacy Practices establish trust, they ensure transparency, like you said, and they provide customer choice and preferences. And I think it’s really turning that thinking that regulation and innovation cannot coexist. But I really believe that strong Privacy Practices enable innovation and the creation of data driven solutions, and that it’s not a position that’s contrary to the ability to innovate. Right.


Daniel Barber  7:35  

Yeah, that’s a consistent theme. We’ve heard from some of the speakers, which is, which is great to see. So we were talking about it right before we got on today. So November has definitely arrived. And, you know, for folks, in California, there was a proposition proposition 24, which is the cpra. What does this mean for the executive team, perhaps for folks that maybe are in privacy or maybe in engineering or other areas? To your your point earlier? What What should they be aware of in terms of cpra?


Alexandra Ross  8:06  

So I think we’re all taking a deep breath, I think it’s not surprising that the initiative passed, and we can all sort of have our opinions on whether we agree or disagree or agree, or, you know, with the content or the process, but it’s a reality. 


Now we have ccpa, 2.0, that we all need to address. So you know, I think first off for the legal and privacy ops team, it means another round of review of the final text of the legislation and updated gap assessment to see sort of where your current privacy program is, and what’s new and different about the cpra. And then in terms of the executive teams and data governance stakeholders, it’s a continuing conversation. I mean, hopefully you establish your your communication upwards to your executive teams about risk and about your privacy and security programs. 


So it’s, it’s updating them on what are the necessary improvements and adjustments to your privacy program that needs to be put in place to take into account these new obligations under the cpra. But, you know, for those companies that have already addressed GDPR, ccpa, other global laws and regulations, they should have a foundation in place. But I think what’s important to notice these cpra really raises the stakes, there’s a removal of the cure period, that was part of ccpa, there’s going to be enhanced scrutiny by this new privacy regulator that will be established in California. 


So I think it’s important to note that the stakes are higher the risk is potentially greater in terms of enforcement and liability.


Daniel Barber  9:42  

Right? these updates are fairly consistent at this point. I mean, we saw Brazil’s regulation move forward earlier this year. How do you you know, keep up to date and keep on top of things and we think about your sort of top three sources as a privacy Pro. Where do you go To keep up to date.


Alexandra Ross  10:01  

So I love this question because I’m a news junkie. And I do follow a lot of privacy news because it’s part of my job, but also just because I’m interested in the societal impact of all these privacy regulations. 


So my top three are the International Association of privacy professionals, there’s, you know, great newsletters and podcasts and blogs that they’re generating general information and analysis. And also, you know, at some point in time, when we can all be face to face, they have, you know, wonderful conferences, and some of their conferences they’ve been doing virtually. So I would say, definitely, for privacy professionals of all stripes. 


The IAPP has some some really wonderful content and is a great information source. The second one is the future of privacy forum. They’re a nonprofit advocacy group. There’s there’s membership. Autodesk is on the advisory board. But there’s also a lot of free information on their website. They offer a lot of really practical solutions and benchmarking and policy. And you know, what, sort of looking at legislation or upcoming legislation and really digging into some of the policy impacts. 


And then the final one that I’ll say is the business software Alliance. And that, you know, for Autodesk and other software companies, it’s a really good group that that pulls together a lot of information that’s of interest to companies in that space, particular layer, particularly around policy and government affairs. And then, you know, I know you asked for three, but also sort of throw in there. There’s a lot of law for newsletters, about privacy. There’s a lot of journalists who write about tech and privacy. Now I follow Kashmir Hill, who I think is wonderful, and does a lot of good investigative journalism, around privacy. 


And then also I write a blog, the privacy guru, I’ve been a little busy lately. So I haven’t published in a few months, but I will get another blog post out there before the end of the year. So if people are interested they can they can take a look at my blog on the privacy


Daniel Barber  12:11  

Fantastic. Yeah, I do have a bookmark. And I’d advise folks to also check out Alexander’s blog. It’s insightful, and you’ve been in the industry for a long time. So unclosing,


Alexandra Ross  12:23  

as we sort of think about folks that are perhaps starting their career, where they journey and privacy, a lot has changed. And I feel like you have a wealth of information that you could share. But if you were to think about like your one piece of advice you could provide for listeners, what would that be? It’s a really good question. 


And I’m very invested in mentoring sort of younger group of privacy professionals who are just starting out, especially women in the field, and I’ve done a lot of speaking engagements and roads, written some blog posts about, you know, just how to how to get into privacy and diversity in the privacy field. So I would say, first of all, the good news is there’s so many opportunities right now, for privacy professionals, there’s so many jobs in various areas related to privacy, you know, being a program manager working on policy, working in house or outside counsel in a privacy group, working on advocacy issues.


 So the good news is, there’s a lot of opportunity out there in terms of a piece of advice, I would say, take a really wide view and try something in the area of privacy in one of those, you know, organizational areas that I just listed off, get acclimated, try something, see what’s a good fit, you know, there’s so much flexibility and actually mobility in the privacy sphere right now, because there’s so many different aspects of privacy. 


You know, if you’re an attorney, you can work in a law firm providing outside counsel, legal advice, but you can also be in house, you can also work in the government, you could also work in an advocacy organization, there’s just so many opportunities, but I think my my piece of advice to someone starting out would be don’t sort of get stuck in a narrow view of what your potential career path can look like, if you’re interested in privacy, do something that has a privacy component, or is adjacent to privacy and find a way to sort of figure out the right way to get into privacy, but also the right aspect of privacy, just because there’s so many different permutations of professional advancements, and ways to really contribute to the privacy ecosystem.


Daniel Barber  14:31  

That’s good advice, keeping a wide perspective on things so that eventually, you know, you end up on the right path. I would hate that in most professional path for people early in their career. Yeah, that’s great. And really enjoyed our conversation. Alexandra today and I hope listeners did too. And, you know, keep an eye out for the next session of Grail class, which will come out in about two weeks. But thanks again, Alexandra, and look forward to chatting again soon.


Alexandra Ross  14:57  

Thanks so much.