Operationalizing Privacy: A Blueprint for Success

Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

 

Jodi Daniels  0:22  

Hi Jodi Daniels, here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

 

Justin Daniels  0:36  

Hello. I am Justin Daniels, I am a shareholder and corporate M&A and tech transaction lawyer at the law firm, Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade. 

 

Jodi Daniels  0:59  

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology e commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers to learn more and to check out our best selling book, Data Reimagined: Building Trust One Byte at a Time. Visit redcloveradvisors.com. Today is going to be fun, fun, fun. We’re going to — decided I need a haircut. I’m glad everyone needed to know that I thought we would have fun. We are having fun, but I thought we were gonna have fun more like with toys, because today we could all bring our sets and build with our bricks. 

 

Justin Daniels  1:58  

I’m just surprised you didn’t tell me I needed a haircut about a week ago, as is your wont. 

 

Jodi Daniels  2:03  

Okay, we’re going back to talking about privacy and cool sets, because we have Aaron Mendelsohn, who is currently the director and privacy officer at the Group in Denmark, where he leads data protection and privacy compliance within their digital technologies teams including insiders, marketing and retail. And prior to joining the Group, he had a series of leadership roles related to data protection, privacy and information security, including creating and managing the global data protection and privacy program at two Fortune 500 companies. Aaron, welcome to our silliness, also known as our show. 

 

Aaron Mendelsohn  2:45  

Well, thank you Jodi and thank you Justin, thank you for having me this afternoon. 

 

Jodi Daniels  2:49  

Absolutely. That’s where you go. Well, your turn. 

 

Justin Daniels  2:54  

See what I said audience as is her wont?

 

Jodi Daniels  2:57  

What if you have an intro, then you go with the next question I see. 

 

Justin Daniels  3:02  

So, Aaron, can you talk to us a little bit about your career journey into your current role? 

 

Aaron Mendelsohn  3:10  

Yeah, sure. So how much time do you have? No, I’m just kidding. So yeah, I’d be happy to. So I’ve been working in data protection and privacy for close to 15 years now, which sounds like a really long time. And when you start, stop and reflect on it, it’s, yeah, it’s a pretty long time. But I started my career actually in IT and in information security almost 20 years ago, working at a company called Eaton Corporation, EA, till E, A, T, O N. They’re a large industrial manufacturing company that was headquartered in Cleveland. They actually had a lot of operations in the Pittsburgh area as well. And I started as an intern while I was in university, and then went into their IT Leadership Development Program and very close very, very soon after starting the leadership development program, I kind of found my calling and information security and data protection and sort of the idea around controlling information. How do you protect information? How do you validate controls? And so I gravitated into there, and moved after I was out of that program, into their information security team, and I was the fourth member of the information security team back in the mid ops, and then did a little bit of everything. It was kind of like the IT security specialist for our CISO and the other managers within the team, and did email security, did pen testing, did some policy development, but they also asked me to take a look at data protection and privacy, particularly things around HIPAA and safe harbor, and to see, how do you sort of manage these, these compliance obligations. I was fortunate. I worked very, very good head of security, information security, who kind of saw the writing on the wall in the early 2000 Reasons that there was going to be this convergence of law and technology. And so at the same time, I started thinking, Maybe I should go to law school. I came from a legal family, and my father was an attorney and a prosecutor. I had an aunt that was a judge in Cuyahoga County, and I thought, all right, maybe there’s a way that I can take this, this sort of love of technology, and this IT background, and combine it into this legal area. I wasn’t quite sure it was always going to be privacy or was going to be sort of as a cyber security lawyer, but I thought there was, there was something there. So I developed a business case, I presented it to our CISO and took it to our CIO and all the way up the chain within Eaton, and said, Maybe we should send AR into law school. And I was very fortunate that that business case was approved, and I went to law school for four and a half years, while I was working full time and doing a little bit of everything related to information security, still and kind of started to gravitate more to the privacy side. I remember writing papers about every which way I could try to apply privacy to a course that I was taking, whether it was like workman’s comp or Jewish legal, Jewish Studies. And I always education law, and I just try to find a way to write papers that hide that topic or that class to privacy. So I graduated in 2009 passed the bar in 2010 and right around that same time, I started to develop a business case within Eaton that we should have a global data protection privacy program. Again, I had a new CISO that my previous one moved on to a new role within the organization, as the head of audit, and the new CISO that had come in said, Yeah, this, this. We need to do this. We should start moving on it. We knew we had to comply with things like Safe Harbor and the EU Data Data Protection Directive, and still had the HIPAA issues. But there was other other issues that were coming up throughout the organization, and so someone needed to manage it. And I found a lawyer that was working overseas in Europe that also sort of saw this risk, and together, we kind of tag teamed and made the business case and presented it to the General Counsel, the head HR, some of the business unit presidents, and said, we need to do this. And over about the course of 18 months, we kind of socialized that business case and got it approved, and I moved into kind of the first head of privacy at Eaton and did that for two and a half years, hired a team member that worked for me in Germany, and we kind of developed the all the policies, have some control framework, some training, and really set the stage for for the initial aspect of the data mapping as well for for building that privacy program. But around that time, I started to feel like I was needing to develop as a lawyer. I had never worked at a law firm. I never really got any true legal skills. I think I was learning a lot about navigating an organization and the politics within an organization, and how do you build something from the ground up. But I felt like there was a gap in my skills, and I needed to learn to be a lawyer. And Ethan itself wasn’t necessarily their legal department didn’t train lawyers. They usually hired lawyers 5-6-7 years out of law school, like a lot of companies do. And so I said, alright, well, go find a role within a law firm. Minimal fortunate, I had a colleague that I knew at a law firm in Cleveland called Bennett Friedlander, three, like 200 lawyer am law 200 size law firm. They were starting to build their privacy and cyber team, and he brought me over and really taught me how to be a lawyer in a lot of ways. And so I learned a lot around it, transactional work instead of response, helping around building compliance programs for really mid, mid cap businesses, some bigger businesses as well. And ended that for a couple of years, but never was really certain. I wanted to be a full time lawyer in a law firm. And no offense Justin, I think there’s a lot of value in doing that. And there’s, I mean, it’s a really interesting role, but I kind of wanted to go back in house and try to move after a while, to see if there was a good role that I could take. And I found a role with a company called Ingram micro, which is a big it distributor and helped create and manage their global data protection privacy again, from the ground up. This was around 2016 so they knew GDPR was coming. They knew they had some risks. They had a little bit of compliance here and there, but they never had anybody bring it all together. And so I did that for a little over six years. I led them through GDPR, hired a couple of people, went back and forth all throughout the world, pre-pandemic. It was a lot about diplomacy and building the knowledge within the organization, sort of maturing the organization, teaching around, what is it around data protection and privacy you have to know. And then, after working in global settings, off and on for most of my career, I always had the dream to work abroad, and I had a couple of opportunities that never really materialized. Just for whatever reason. And my wife, to her credit, was like, if the opportunity presented itself, like, Yeah, let’s let’s move abroad. And I’ve always been a huge fan of the brand. Remember playing with bricks as a kid and having the castle sets in, like the 80s and and then, like a lot of people, I came back to the brand when I had kids and started playing more with different sets and building, like you can see behind me my beautiful Daily Bugle. And we have sets all throughout our house. And during the pandemic, I bought way too many sets and places for them to go. But as a fan of the brand, and I saw a role that was posted, and I thought, huh, this is really interesting. It kind of seems very much written to what my background can help do. And so I applied. I went through several rounds of interviews. It was all virtual. It was at the end of 21 and 22 and I was offered the job almost two years ago. Was around April of 2022 and my family and I — we had a conversation. We said, let’s do this. Let’s move to Denmark. Let’s go work at the world’s greatest toy company. Let me go work at the world’s greatest toy company. And my wife and children have come along, and her big, fluffy white Golden Retriever is here too. And so here we are. I’ve been here almost two years now, living and working in Denmark.

 

Jodi Daniels  11:26  

Well, congratulations on the two year mark. And I have lots of questions about Denmark, but I think we’re going to have to keep them privacy focused now, before we do in our pre show, we had a big conversation, because many of us call them, and we’ve actually learned that I’m gonna try very, very hard in our conversation to call them bricks, or sets. We have a lot of sets that are all mixed together, which is why we keep calling them. But I’m gonna work very, very hard to say we just have a lot of combined sets in our house. So for everyone listening, that is your big non privacy tip for the day. Now, Aaron, you talk a lot about privacy operations, and you’ve started a really awesome LinkedIn newsletter. So everyone listening, you should go check out Aaron’s newsletter. Can you share what does operationalizing privacy mean to you

 

Aaron Mendelsohn 12:23  

Sure? Well, thank you for the plug on my newsletter. It’s to me, it’s really about, how do you implement data protection and privacy through an organization? How do you make it live and breathe within, within the company or nonprofit, or whatever your organization may be. I think a lot of times I’ve seen some lawyers. I’ve seen privacy professionals get so caught up in legal nuances and interpretations of the law. And I think you know, at least from what I can understand from your organization, your company, and how you approach this. It’s really about, how do you, how do you, how do you find a way to make it part of the day to day within the company, whether that’s through policies, different privacy, by design, program, training and awareness, it’s really about bringing that together and making it part of the organization. Because I think, to me, that’s where the rubber meets the road. We can look at the law. We can open GDPR and say article, whatever says this, yeah, but when it comes down to what does that mean to the day to day, what does that mean to the business? What does that mean to the corporate functions? How is their work going to change, and how do we support that change? We shouldn’t be necessarily dictating all of this. We need to find a way to make it work within the organization, so that, to me, that’s critically important. How do you operationalize it within the constraints of the organization you work in?

 

Jodi Daniels  13:52  

It reminds me of a conversation I had yesterday with the company who said, we have all these policies, and I hope all the policies are right. And how do I make sure that what is said in the policy is actually what the people in the business are doing? It’s a really, really important, important piece that you do. You have to get it down to what the people are actually doing in the business. Absolutely.

 

Justin Daniels  14:16  

What do you think makes a successful privacy pro inside an organization, given that you were in security, you went to law school, and then you got more involved in privacy, which is a very unique way of coming to privacy.

 

Aaron Mendelsohn  14:32  

Yeah, I think it’s about, how do you adapt? And as I reflect on this, it’s really, you know, organizations have been here before privacy was a topic, was a function or part of the organization, and they’re probably going to be here when privacy is just as they should. If they’re a well-run organization or company, we’ll be here far beyond us, whether we’re, you know, we leave the company, retire from the company, whatever it is, but we. Need, I think, as privacy leaders, as privacy professionals, to adapt what we want to accomplish and mold our vision to what fits within the company. And no two companies are really alike. No, no two organizations are going to be the same, but you have to be able to understand what the priorities are, what are the lines of business, what are their risks, what’s the culture like, and find a way to fit your program, to fit your goals, and develop your strategy towards that organization. If you can’t, you’re going to fall flat. I think you’re going to fail like, I mean, it’s, I think it’s almost as simple as that. Now you can try, and it might be like Sisyphean, and you’re going to push a rock uphill and feel like it keeps falling back on you, and sometimes even when you do well, you feel that way. But I think at the end of the day, you as a privacy professional, have to be willing to adapt to be successful within an organization.

 

Jodi Daniels  15:53  

I find privacy pros have a favorite part of privacy. My favorite part of how I got to privacy was through marketing, and as a result, I mean, I like all the parts, but I really love marketing and privacy. What might you say is one of your leading favorite areas of privacy? And why?

 

Aaron Mendelsohn  16:13  

Sure, so I think it’s really about making it, seeing it take life within an organization, or seeing it go from where it is today to where you can bring it in the future and helping it mature. And whether that’s through operationalizing a particular element, like privacy by design, or improving the training and awareness curriculum that’s there, it’s really about seeing it, I think, sort of take life. Maybe that’s a little bit more too generic. It’s not, you know, one specific component, but it’s really about, I think, breathing life into the program. And it could be from starting from scratch, where there’s no real infrastructure. It could be that there’s a company that you enter where they’ve done a lot over the last decade, but they sort of hit a stagnant point, and then maybe injecting it with new life and kind of maturing it and upscaling it as an organization.

 

Jodi Daniels  17:06  

I’m curious Aaron, from a training perspective, is there something that you feel like has resonated with people, just overall, all the different kinds of training, like, sometimes there’s the computer based training, sometimes there’s videos, sometimes there’s newsletters, there’s tips, there’s in person. You’ve probably been doing a lot of different privacy training and talk to different people. Is there a particular one that you find to be more successful than others?

 

Aaron Mendelsohn 17:33  

Yeah, I think we all have to do the online training. I mean, it’s almost a check the box exercise, but it helps to set the baseline in the organization, I think what really helps companies mature is targeted in person trading. And I know over the last four years, we’ve gotten so used to Zoom and Teams meetings. But if you have the culture that supports it, and you have the ability and or budget to support it as well, I think there’s no real replacement to getting in front of a room, whether it’s 25, 30, 50 people, and communicating sort of and targeting your training to their risk. That could be engineers. It could be HR professionals, it could be marketing professionals. But when you can speak to what their risks are and translate the training into, oh, yeah, that is something we need to think about. If it’s marketing, it could be around making sure you have the right consent or not misusing data that you don’t have a proper purpose for. I think that just allows, allows the topic to resonate and connect much stronger than it would through a screen, through a generic online training and whatnot. And I know getting in front of a crowd is then everybody’s thing, but if you can do that, if you feel comfortable, I think it pays tremendous dividends.

 

Jodi Daniels  18:48  

I want to echo the idea of that role-based training. I see that to be incredibly successful, because what happens is you get that group to share all their questions, exactly what they’re doing that you might not have gotten otherwise, and you’re able to hear more of the details and then work with that person and also get them to understand why privacy matters to them in their role, what they do all day long. Absolutely.

 

Justin Daniels  19:18  

So a lot of people think I’ll just get some privacy software and that’ll take care of it. No problem. What are your thoughts about people who rely on this software? Intensive shift in privacy programs?

 

Aaron Mendelsohn  19:37  

I think it can be a piece of it. You know, software can be very powerful, but, yeah, I think you have to be aware of what’s the problem or what’s the challenge that software is trying to solve. And I go back to sort of my IT background and working in an enterprise, IT organization was always people process technology you need, I think, all three to be successful. Just throwing technology. Technology at, you know, against the wall. I’m saying, Well, now that I have a privacy program management platform and it’s going to help me keep track of my data maps and my assessments and maybe my dsars or whatnot. Well, no, it’s not. You still need people to manage it. You still need people to configure it and implement it. Don’t underestimate any type of change management exercise and changing the shift in culture that’s using it. If teams, you know, used to doing a Microsoft forms or an Excel document for the PIA now you want them to work in an assessment tool, will they even know where to start? They even know how to access it? So I think, you know, technology can help solve some of those challenges. I think where they really help is in maintaining records and having demonstrable proof of what you do. Now, that could cut both ways, because if you’re not using it properly, and then you have no assessments, nothing’s there, then you know what, what good is it? But if you’re using it well, and you’re using it throughout the organization, having, you know, 50 100 the PIAs, or assessments you know, easily accessible very quickly in a tool. It’s also if you ever have to be prove your compliance. But technology itself is not going to solve anything unless you have the other pieces in place to

 

Jodi Daniels  21:14  

What advice would you give those people, those privacy pros, a practical tip that they could take to help improve the privacy ops in their organization?

 

Aaron Mendelsohn 21:29  

So spend time meeting people, I think, listen to the business, understand the risks, but get out from behind your desk or just doing emails and whatnot, and connect and learn the pain points, learn the process. Nothing good, I think, comes from sort of do what I say, top down approach. I think, particularly with data protection and privacy. We oftentimes we’re smaller teams. We have to affect a lot of change in a little bit of manpower, but if you can learn the organization, if you could find what’s going to bring them value, what’s going to help enable their success, and you can kind of, again, you know, adapt and support what they’re doing, I think you’ll be a lot more successful than if you just say, Well, my colleague over there told me to use This. He said it worked in his organization. Now, I’m gonna try it here, and I think it’s, you know, it’s, it’s what we need. No, that’s, that’s, that’s not gonna necessarily fly. 

 

Jodi Daniels  22:29  

I love that right sizing for you, what actually works in your company, because the culture is really different. What works in one company is not necessarily going to work here. And actually talking to the humans, talking to the people who are doing things very, very, Sometimes simple is important. All right, we have to ask, well, you know, I’m gonna flip this around. I’m gonna say, Justin, we are talking about sets today. Justin, what is your favorite set?

 

Justin Daniels  22:57  

My favorite set? It’s a tough question.

 

Jodi Daniels  23:05  

Not many pick for 

 

Justin Daniels  23:07  

I don’t know, growing up over the years, you know, you have the ones that are Star Wars, but then you have the ones where you can build a house or a boat, I don’t know, you just start playing with, and it’s just fun as to which one is my favorite man. I’ve had them since I was a kid. It’s like a rite of passage. I love going to the store and seeing all the cool stuff. I can’t pick.

 

Jodi Daniels  23:25  

You can pick, okay, Aaron, you said you built a lot of different sets.

 

Aaron Mendelsohn  23:29  

Yeah, so I can’t pick just one either. So I have four that I will tell you about, all right, so you know, and they’re all different. I love the partnership that the Group has with different IP partners, whether it’s Harry Potter or, you know, Star Wars. Just this past weekend, it was May the fourth so we celebrated the 25th anniversary of the partnership between Star Wars and Group. So my favorite Star Wars one is the most Isley cantina that came out a few years ago. So if you ever seen that, it’s a pretty cool reproduction. I love this Daily Bugle set behind me, which is a marvel Spider Man collab. I’m a big Batman fan, so they came out with a few years ago, the 1989 like the Michael Keaton Batmobile, which is really cool. And then, more recently, as well. My entire family, we built, they came out with a Nintendo Entertainment System, like an actual replica, I think, a true to size NES with a little TV, like a old style kind of, you know, console TV, it has animation in it, so you can make Mario actually move through, like, part of the first level of Super Mario Bros.

 

Jodi Daniels  24:45  

That is really neat. I’m actually excited. I’m sorry. Wait, did we hear all of them? Or do you have one more? 

 

Aaron Mendelsohn  24:52  

No, no, that’s all my for but I was just gonna say, I think we’re in like, peak creative period for the Group right now. So just personally, that’s my. Yeah, like, we have so many cool things.

 

Jodi Daniels  25:01  

You do have a lot of really cool things. And what I think is also really fun and fascinating is there’s a lot of toys that come and go in kids’ lives. And we have two, we’ve had a variety of different sets that have been purchased, and then they kind of sat there for a while, but we were not going to part with them. And they’re easily locatable. They’ve just sort of been there. And I’m so excited that our youngest daughter has found them again. And now every day after school, she’s going and she sorted them all. We have all different colors. She’s sorting by set. And I was sharing with Erin in the pre show. There’s a list of all the pieces that have to be ordered to be able to put them all back together for anyone listening. If you have kids and your sets are just sitting and you’re thinking, are they ever going to be used again? Just put them in a strategic place, and they will, they will be found again. And that is very fun. All right, back to privacy. Aaron, you know lots about privacy and security, and when you’re hanging out with your friends, maybe they turn to you and say, What should I do? So what is your best personal privacy tip?

 

Aaron Mendelsohn  26:12  

It’s probably to use a strong password manager. I think that’s probably my number one tip to simplify your life when it comes to, I think it’s security and privacy, but don’t reuse passwords. Don’t, don’t, you know, use your kids names and things like that. You use a strong password with a password manager. It doesn’t matter which one, whatever you know your preference is Google or others or whatnot, Apple. But use one.

 

Justin Daniels  26:39  

There we go. Okay, so Aaron, when you’re not operationalizing privacy or building a set, what do you like to do for fun?

 

Aaron Mendelsohn  26:51  

So pretty much spend time with my family. I’ve got two children, and we’d like to travel. Part of the reason we wanted to move to Europe was to explore Europe, and so we spent a lot of time visiting other countries. And luckily, they have those low-cost European airlines where you can look up and say, what’s on sale this week, and where are you going. So we’re actually headed to Poland this weekend. It’s a long holiday weekend in Denmark, and we’re going to go visit — that’s a new country for all of us. And then I love to watch which is a little harder because I live abroad, and you may have comment about my Cavs hat Justin, but I love to watch Cleveland and Ohio sports. So I’m a big guardians Cavs and browns fan, although that gives most of those give me a lot of heartache, and also an Ohio State fan too, which, believe it or not, I found some fellow Buckeyes here in Denmark. Not too many Clevelanders, but definitely some fellow Buckeyes and but I’ll watch football when I can and basketball when I can, maybe an occasional baseball game. So

 

Jodi Daniels  27:55  

lots of sports. Well, Aaron, thank you so much for sharing all that you have today to help people operationalize privacy. It really is more than just, more than just the law, more than just the software, and we appreciate the tips that you shared. If people would like to learn more and to connect and find your newsletter. Where should they go? 

 

Aaron Mendelsohn 28:15  

You can find me on LinkedIn. Just search my name, Aaron Mendelsohn, and feel free to connect, follow or subscribe to the newsletter. So yeah, easy as that wonderful.

 

Jodi Daniels  28:27  

Well, thank you again. We really appreciate it. Thank you.

 

Outro  28:35  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.