Privacy in Action: Lessons from Data Privacy Heroes
Learn from frontline privacy leaders who are tackling real-world challenges and raising the bar for privacy excellence. This year's Data Privacy Hero award winners, Anna Rogers (nCino), Randy Wood (Cricut), and Jennifer Dickey (Dykema), will share practical lessons from the intersections of privacy, legal, IT, and security, showing how they drive impact and build trust in their organizations.
Alright, I think we're all back from breakout.
Welcome back everyone.
Uh, if you don't know me already, my name's Ian.
You might recognize me from many of our customer
and community efforts here at DataGrail.
I am really excited to introduce you all
to our fantastic panel, Privacy
in Action: Lessons from the Data Privacy Heroes.
So before I do that, I do wanna tell you a little bit more
about the Data Privacy Heroes Program
and why these three individuals were selected.
We started this program back in 2024
because we noticed that as eager
as privacy professionals are to learn from each other,
they rarely notice their own value
and contribution to the field.
I'll often hear, I'm just doing my job right
after somebody tells me something amazing they're doing
that five other people have just told me
that they're really frustrated,
can't quite get across the finish line.
The trouble is, if we don't recognize our own excellence
within the field, we can't expect the world around us
to either, let alone our own leadership teams
that can have a genuine impact on
how privacy work is perceived within
and beyond the organization.
Enter the Data Privacy Hero Awards. Award candidates can be
nominated by a colleague, a manager, a tech partner,
a consultant, or even themselves
and nominees undergo a blinded
and standardized review process.
This year we were fortunate enough
to invite past award winners
and partners to help us select our semi-finalists as well.
So after all of these steps, today's guests stood out
for setting a new standard in data privacy excellence.
First, I'm gonna introduce you to Anna.
Anna was the winner in the innovator category, meaning
that Anna made a profound and direct technical impact
on her organization's privacy posture.
Anna, welcome and tell us a little bit about your
relationship to data privacy work.
Well, thank you Ian and thanks everyone for joining.
I'm happy to be here. My name is Anna Rogers,
Senior Privacy Analyst at nCino.
We're a banking software company based, uh,
headquartered in Wilmington, North Carolina.
Um, and a little bit about how I got into privacy.
So I started at nCino two and a half years ago
and I was a corporate paralegal on the commercial team.
So I worked in sales and contracts
and I slowly started to get interested in the privacy work.
Um, so I would ask for work, I'd get handed work.
Luckily they needed me so they kept, uh, bringing me back
and as we, you know, realized that we needed resources
that could be full-time privacy, I ended up moving
to privacy full-time about a year and a half ago,
and I was able to assist
with creating the team we have today,
implementing new processes, getting new tools,
and it's been really exciting.
I absolutely love this field.
Um, new challenge every day, but it's a good time
and I'm happy to be here.
Thanks for having me.
Thanks. And I agree Caleb, Anna is a legend.
That's an apt word choice. Thank you.
Uh, next we're gonna meet Randy. Randy.
Randy won in the visionary category, recognized
for highly strategic and crossfunctional leadership.
Randy, tell us more about you
and how your role fits within privacy.
Hi.
Hi everyone. Thanks for having me. My name's Randy Wood.
I am at Cricut, the crafting company,
not the cell phone company.
Um, I am a lawyer, VP of legal and privacy here at Cricut.
And my happens to the privacy world kind of came
by accident being at two pre IPO tech companies
after private practice, um, moving in-house
to emerging growth companies.
Um, for those of you that are in-house
or work in the corporate sphere, know that, um, there are
small and nimble teams who do a lot.
And I have been in that type of a position now for,
um, nine years of my practice, uh,
where there hasn't been a dedicated privacy
professional for the organization.
So I serve that function, um, with dotted lines to a lot
of other cross-functional leaders in IT, in, um,
information security, data, um, product, et cetera.
Um, and so I came onto the scene, um, in in-house practice,
um, right after Schrems I.
So I have been along for the ride trying to navigate
businesses through the complex web of European
and now American and now global privacy compliance.
Um, and I currently at Cricut
after being here seven years, um,
and assisting with their IPO run the compliance, um,
operations department.
So my skillset includes kind of building the privacy
function, um, from scratch
and as well as, you know, running lots of other things
that in-house lawyers do
and I'm happy to be here. Thanks Ian.
Thanks Randy. There's a lot I'm really
excited to dig into there.
But last, but not certainly,
certainly not least let me introduce you to Jennifer Dickey.
Jennifer was recognized as this,
as this year's champion celebrating her impact on the
field writ large.
In Jennifer's case. This especially meant her mentorship
and advocacy for the next generation of privacy leaders.
I see we've got some hearts in the chat,
maybe some of you know Jennifer already.
But Jennifer, tell us a little bit about your day job
and beyond.
Yes, thank you everyone for all of the hearts.
My name is Jennifer Dickey.
I'm a privacy associate attorney at Dykema,
where I help advise clients on data privacy, compliance, AI
and um, emerging laws.
Um, outside of Dykema, I serve on local, um, privacy,
um, organizations such as the IAPP
and Women in Security and Privacy.
Um, I'm happy to be joining you all
and glad to see some familiar faces.
Um, usually my work tends
to start when something big is happening
within an organization.
Um, whether, you know, a new law goes into effect.
Um, if a client is building out a product
that uses new types of data
or there's, you know,
been a potential incident within the organization.
And I really love the work
because that means I get to kind of see
how different organizations are building privacy programs at
very, uh, different stages of maturity.
Um, and just really love helping, um,
organizations turn privacy from a reactive function, um,
like after, you know, an incident happens into something
that actually, you know, supports the business.
Um, so yeah, glad to be here.
Perfect, thanks Jennifer.
Uh, with the introductions outta the way, we'll go ahead
and dig in on the panel.
So we heard today quite a bit about new challenges related
to AI, related to new regulation, related
to increased litigation.
I think something that I really love about this cohort
of winners is that between the three of you,
you're really representative of
what typical privacy teams are resourced with
and are facing today, which can really vary.
So we'll start off
by talking about some practical implications
of the privacy litigation news piece.
Obviously we've heard a lot this year,
many different settlement names have been dropped.
Uh, when these types of events happen in, in the news
beyond your organization,
what is your response as practitioners?
How are you reframing those events
or utilizing that news to advocate for privacy internally?
And maybe we can start with Jennifer.
Yeah, I think, you know, when talking
to clients about privacy, especially, you know,
in litigation, it's important to make it
as real as possible.
I think it's one thing to read about cases in the news,
but I think it lands a little bit differently
when a company kind of walks through that scenario, um,
and see how it actually play out for them.
I think, you know, one instance is doing a tabletop
exercise, which is just kind of a short focus session, um,
where you would, you know, simulate what would happen
if they got into, you know, um, a data breach
or you know, something of that nature.
Um, you know, we talk about who would be involved,
what data they'd have to produce
and how long it would take to pull resources, you know,
off other projects
and really kind of the cost of that incident.
I think, you know, once leadership sees how disruptive,
you know, a single privacy claim can be, they kind of start
to understand why, uh, you know,
proactive processes really matter.
And then I think it stops being feeling theoretical
and starts feeling, you know, um, operational.
And I think also right now, one thing that's driven a lot
of awareness this year is the surge in ad tech
and, you know, website tracking litigation.
I think those cases have really surprised companies
because they're not, you know,
generally about traditional breaches
or about pixels, cookies
and analytics that, you know,
even smaller companies are using on a day-to-day basis
and, you know, have been quietly running for years.
Um, so I think those have been an eyeopener
for leadership teams who never really thought that
that could be an issue.
Um, so yeah.
Yeah, absolutely.
I think we're seeing more and more that there is no
real perfect size threshold for how big
or small you are to face an enforcement action.
Uh, Randy, do you wanna speak to,
or maybe Anna, do you wanna speak to
what this looks like for you both?
Yeah, I mean, when we had talked about how
to best answer this question, um, I immediately thought
of all the times I've tried to get executive stakeholders
to listen over the years or appropriate budget headcount
or even just support, um,
various initiatives already in flight and how tricky that is
and wanted to give a shout out to everyone here who's trying
to advance the ball because privacy always seems to be, um,
something that the ROI is very difficult to explain.
Um, it's kind of like my 72-year-old father
that I'm always trying to convince that it's time
to get life insurance, right?
But it's uh, it's one of those things
that sometimes is generational.
It's sometimes, um, up to the business
to take a liability only car insurance approach too.
Um, and I I like to bring it down to something
that they can understand, like car insurance
where I often will say like, I understand that, you know,
uh, the privacy police are pulling over cars
with tinted windows and that, you know,
quote unquote everyone's driving 20 miles
over the speed limit.
But I think some of the events as of recent are showing
that the privacy police are no longer
only looking at FANG companies.
It's no longer just the big guys.
I think in years past when, you know, GDPR came out
and we all were touting that it's 2% of global revenue, 4%
of global revenue, right?
Um, that only went so far until the reality of some
of us in house, it's like, oh, well we're a small fish
or we're a medium fish,
they're only going after the big fish.
But some of the more recent news, like even as of September
of this year where it was announced that, you know,
various state AGs are joining together to do joint
investigative sweeps on things as small
as GPC signals from browsers, um, that has been able
to get the ears
and eyes of some of my executives, um, in ways
that in years past, by saying, look at this fine on Apple,
or look at this fine on Google, have not,
or, um, finding that, you know, regulators after going
after some of these big fish for a year are now starting
to go after dental SaaS companies, right?
Um, and so I have found that, um,
utilizing those sort of, it's not just the cars
with tinted windows approach, um,
and we can't just have liability insurance bringing it
to a level of understanding
that non privacy professionals would understand, um, really,
uh, has moved the needle more than it has in years past.
I'm still hoping for my dad
to get Penn life insurance, right?
Um, and all jokes aside,
but I do think that those types
of analogies really have helped.
I really like that analogy because it is so relatable.
I think, you know, when my city started
to do more automated speeding ticket enforcements
and I would hear about my friends getting more tickets in
the mail, things like that, you know,
that did make me slow down in a school zone more,
which I should have been doing already.
So I, I think that's a really perfect and apt example.
We heard a sort of similar flip side of
that metaphor earlier today of, you know,
traffic laws make people feel safer driving.
Um, we can't innovate if we don't feel like there's some
kind of security in place.
I think your flip side to that of, well, yes,
everybody does take risks,
but we can also talk about how the,
how enforcement is happening will happen more
and make more informed decisions.
That's super apt.
Uh, Anna, do you have anything you
wanna add on this subject?
Yeah, so I think obviously keeping leadership
and the executive level aware of, uh, these fines coming out
and, you know, seeing those scary headlines kinda kind
of help our work become more and more relevant.
But I also think it's helpful to take these things
or at least talk about them, um, beyond just the legal team.
I get to work with our, with our marketing team and,
and sometimes it's really hard to be like, we're doing this
for a reason, I promise.
And then we see that headline and it's like, this is why.
Um, and then they, they become aware and they understand it
and they become, you know, that kind
of first line of defense.
I've worked with a team for a while now
and she's brought things up
before they've even hit our legal team.
So to have
that awareness across the company I also think is awesome
because it can begin with them
and it's not always like bringing in scary legal
to say something, which I think is really beneficial.
That's great. And maybe you can help me as sort
of my first tribute on my next question here, uh,
which is one of the trends I noticed in this year's award
nominations, I do read through them all,
even if I'm not the one selecting the winners, um,
is pretty much everybody described being in a position
where they needed to produce more with fewer resources.
I imagine you all have felt that pressure as well.
And when you're under those constraints,
where are you actually finding success?
What are the tools that you're using to
meet these pressures?
Maybe I'll start with this one Ian.
Um, you know, I think a lot of us, especially for the,
the attorneys on the call, I know we have a wide variety
of audience that's not just attorneys,
but, um, whether you need
to get CLE training as an attorney
or you need, um, you know, IAPP credit
for your certifications
or you're just a privacy practitioner
or someone interested in privacy, um, at the end of the day,
you know, there's not always budget
to buy all the amazing bells
and whistles, um, that people have.
I have been, for example, looking at DataGrail since
2020, um, and it took two
and a half years for my company to finally like, give me
back to my cars, give me enough money to, to buy a vehicle.
Um, and I know that a lot of us in these CLEs,
et cetera have always said, you know, hear a lot
of things like start out with data mapping, start out
with something easy, use Excel, use Google Sheets,
whatever your company is using.
Um, I think that's very helpful.
But I also definitely think that there are a lot
of free services that don't provide a ton of value
or that you can get, uh, entrenched
with a process that's not scalable.
And so I do think it's important that when you want
to do more with less, that you can work with either an
outside resource, whether it's, you know, outside counsel,
um, whether that's a temp agency
who specializes in this field
or a vendor like DataGrail, that they understand
and meet you where you are rather than trying
to sell you an SUV right out of the gate.
And that would be probably my advice is find one
of those people or places, um, that has the scalability,
um, but is willing to meet you at the ground floor.
I think another thing is, um, making sure
to design any systems to be more
of the future default rather than an afterthought.
And what I mean by that is start
with the kind of cradle to grave approach.
And that's not, oh, I'm gonna catch all the data mapping
after all the services were purchased.
It's understanding, oh,
maybe I should learn more about something
before it's purchased
and then that will inform me
to even just put it in Excel, et cetera.
And so I think, um,
it's looking at a garage big enough that to fit all of your,
uh, car eventual cars
and start small, um, with scale in mind,
but then, you know, trying to do more
with less means, you know, not always budget and headcount.
It can mean finding a large garage with a tiny car.
I'm learning a lot about cars
today. Thank you. Randy, I know
Nothing about cars or sports by the way, so
We're gonna learn together.
I feel like when you mentioned outside counsel there,
it was almost like you called Jennifer in.
So Jennifer, what are, what are your thoughts here?
How are you encouraging teams to make,
make do when they're getting this pressure?
Yeah, I think, you know, the biggest success
that I've seen probably organizationally is really breaking
privacy outside of its silo.
You know, whether it sits within legal
or you know, a dedicated privacy team.
I think that's when you see again, everything kind
of becoming reactive If other, um, parts
of the organization are involved.
I think, you know, when you bring in procurement product,
you know, security and you know, give them the tools
that they need, whether it be, you know, escalation,
checklist, um, you know, impact assessments
and things of that nature, they can start catching issues,
you know, before they, they reach legal.
So, you know, it doesn't, um, blow up
and I think it saves a lot of time
and reduces, um, the need, you know, to come to legal.
Um, but also, you know, I've seen clients
use automation carefully, um, kind of like Randy said,
you know, using compliance software to do more with less.
But um, also echoing, I saw a comment that, you know,
some people feel like there's just kind of a lot going on,
but I think also working with, um, the vendor to make sure
that everyone is trained
and you know, to keep following up if there's something you
don't understand, if there's tools, um,
that you don't understand, you know, just following up
with your vendor, making sure
that you understand the processes.
Um, and I think also, um, you know, it frees up the team
to focus on judgment calls that matter
and then, you know, um, just making sure
that the resources are available.
Um, and I think that's what the privacy
internal privacy teams or outside counsel can help with.
I really like what you brought up Anna,
around just empowering other teams outside of privacy
to help flag the risks as well.
I think Anna, you mentioned earlier that is essentially
how you got into privacy from another team, right?
Yes, I came from our commercial team
and when I started, um, there we had processes,
but they were very manual, a little bit siloed if we,
you know, we had to work with multiple teams through,
through email and we just had
to figure out a way to streamline the process.
So to kind of echo what some of, some of the things that my,
um, panelists have said, um,
we've definitely relied on automations
and I've worked with teams to set this up
so they're familiar with it as well, um, which been,
which has been really helpful.
And it's nice, um, when you can lean on other people
to help you not only on your,
the teams that have helped you set it up,
it just makes it easier to make sure you can process quickly
and efficiently and takes
that all the manual parts out of it.
Still some, but
Yes, that absolutely makes sense.
I see too, we have a question here.
We might answer this async, Virginia, uh,
but I will definitely be getting back to you
before we jump in on Virginia's question about budgeting.
I wanted to ask you all, we've obviously spent a lot
of time today talking about AI, talking about AI governance.
I know the three of you have strong opinions as well,
but outside of simply writing your governance policy,
from your perspectives,
what is the single most important thing a privacy
professional can do to get ahead on AI privacy risk?
No pressure.
I mean, I think one thing, um, is
if you don't have a technical background, which I do not, is
learning how to speak technical speak.
And what I mean by that is if you don't know
what a tech stack is, go ask your your CTO,
go ask your understand the systems
and architecture that your company has.
Again, back to data mapping
and why a tool like DataGrail's data mapping is so powerful
because I think that if you don't have a working
understanding of the main places for data,
it will be very difficult for you
to even wrap your head around it.
Um, the other thing that I think is important is
find ways to throw a big
net out and capture just the fish that you want.
And what I mean by that is, um, you know,
the great thing about that I love about DataGrail is it's
constantly sniffing my SSO, right?
I don't know what I'm like, what is this random CAD software
that the industrial design team bought?
Or what is this? And being able to just kind
of cast a wide net
but then pick the fish out that have high risk.
So, you know, it's stuff like what's the finance
team buying, right?
And other things that are, um, important
to get ahead of are not just the ones that the company buys,
but the free services
that everyone's using, myself included.
And so I would partner with other cross-functional leaders
to if, if you have a VPN as a company, hey,
can I get a monthly output of, you know, top
VPN traffic to, you know, all of the AI models?
I wanna know who's using ChatGPT versus Gemini versus
Claude versus Grok versus whatever, right?
And then potentially using that data to say, Hey,
it looks like, you know, which we just did.
60% of this team is using ChatGPT, maybe it makes sense
to go buy an enterprise license
so we get the contractual protections that we need.
So my, my, my two pieces
of advice are cast a wide net on your tech stack
and know how to speak in that
language even though you might not understand it.
And then the second one is not to be big brother,
but to have a clear understanding of what everyone is using
and where available push people away from.
I mean, it's still pretty crazy out there,
but push people away from free services
that have extreme levels of leakage to enterprise level
purchases that may have already been made,
or ones that could be streamlined into an enterprise
contract with the right types of indemnities.
Great. Call out. Anything you wanna add, Anna or Jennifer?
Okay. Um, oh God, please.
Yeah. Uh, just to build off of Randy said, I think again,
visibility is really important.
I think a lot of organizations don't actually know
where AI is being used across their business.
Um, you know, I think people like to experiment,
whether it's like market marketing,
plugging in customer data into a model
or like vendor, um, adding an AI feature to a product
where you've kind of already contracted with them.
You know, I've seen where vendors will say they're not
using, you know, AI in a product
and then six months later, you know,
they start experimenting.
So I think just keeping up with vendors, um,
and, you know, these aren't, you know,
malicious decisions that they're making.
I think they just kind of happen faster than, you know,
the governance can catch up with.
Um, and also, you know, just building a culture where,
you know, employees can use, you know, AI instead of,
you know, locking everything down.
Um, I think, you know, once you know it's out there,
you can start practically layering on the safeguards,
whether it's like vetting the vendors,
adjusting the contracts at renewal once, you know, um,
you know what is happening, you know, with your vendors
and then you can set the internal guardrails around,
you know, how data is being used, you know,
within these products.
I love that. I know we did a, we did talk
to Randy quite a bit
as we were telling our award stories about just sort of
how personal you can get to in those interviews, right?
Instead of asking people, yes or no, are you using AI?
You can get a lot more nuanced.
You can learn more intimately what their approach is
and better understand the risk.
I see. Randy, you were in the chat about this even now.
Uh, in our last couple minutes here,
does anyone wanna share any final advice
that you would give towards others hoping
to grow their career in privacy?
And then I will move to wrap.
I'm happy to jump in here first.
As I think I'm on the, the newer side of entering the world
of privacy, um, I would suggest getting some kind
of certification.
I got the CIPP/US through the IAPP
and I just think it was really helpful to get
that foundation to, to learn from, um,
super comprehensive on US regulation
and kind of the story of US privacy.
Uh, I would, I would recommend starting there
and just getting a good foundation
and you'll learn plenty more, but that's a good place to.
Thanks Anna. Great.
Well, as we wrap today, let me thank again, Anna, Randy,
and Jennifer for joining us and sharing your expertise.
And again, huge congratulations on being this year's Data
Privacy Hero award winners.
It's a massive accomplishment.
I'm so excited we get to recognize the three of you.
Uh, for those in the audience,
if you are interested in nominating yourself
or someone you know, awards will be back in 2026.
You can join our Slack community, Privacy Basecamp,
to be the first to know when a, when nominations are live.
This session will conclude the general sessions for today,
but we do have one more session starting in just a minute.
Exclusive for DataGrail customers.
That is a fireside chat with DataGrail CEO, Daniel Barber,
and our Chief Product Officer Eric Brinkman
for all DataGrail customers.
You can head to that Zoom session using a separate link on
your calendar invite unique to that session,
and once again, thank you all for joining us today.
All of the recordings will be available by the end
of the week and we'll send a follow up email with the link.
Have a great day every.