Welcome to our video interview series: Privacy Leaders! We interview the best and the brightest minds in the privacy space to get their insights on all things privacy and regulation including the infamous EU General Data Protection Regulation, California Consumer Privacy Act (CCPA), the future of privacy, how to automate your privacy program and more.
Today, in honor of International Women’s Day, we have Sheila FitzPatrick, Worldwide Expert in Data Privacy and Sovereignty Laws at FitzPatrick & Associates.
Read on to see Sheila’s insights and advice, or if you prefer video you can watch the highlights video below.
How has the GDPR influenced the Privacy landscape?
Sheila: Well, I think it’s definitely had a very strong influence. It’s moved the conversation from one purely about data security, which in the past, I think when people think about data protection laws, they automatically think security and locking down data and infrastructure. And they don’t think about the foundation of privacy, which, if you’ve heard me speak before, my big pet peeve is people not understanding privacy and what it means. And I think GDPR has finally – not to the level I’d like – but it’s finally getting people to think about the data. You know, what they’re collecting, why they’re collecting it, what they’re doing with it, how long they’re maintaining it, who has access to it, do they even need it? So it’s a more thoughtful dialogue and analysis of what they need as opposed to, how do we lock down this data that we may not even need?
So it’s, that’s, that’s one very positive thing. The other thing that’s good is that it’s influencing laws around the world that have looked at some of the shortcomings of GDPR and have built upon that. So if you look at the Japanese Act on the Protection of Personal Information, they released theirs last year, they, they obtained an adequacy rating from the EU. And the good part is they actually assessed the EU to see whether or not the EU is adequate for Japan. So we’re seeing a tremendous growth in privacy laws as a result, primarily in the Asia Pacific region, including Australia, New Zealand, and certainly in Canada, in Latin America. People talk about the U.S., but U.S. privacy laws are kind of a joke.
Evin: It’s a great insight. I think you summed it up pretty well.
Sheila: I know people get mad ’cause they talk about CCPA and CPRA in the, in the, in California, which are, it’s a great start, but it’s nowhere near as complex as the data protection laws outside of the U.S. I mean, it’s an assumption that you can process the data. You just can’t sell it. So it’s, I think people are trying to make it more of a revenue generator than it is. Yeah.
Evin: Very well said. Do you think the U.S. will ever get an adequacy decision to replace Schrems II?
Sheila: Highly unlikely. I would love to see that happen, but it means a lot of the foundational beliefs on, on the right to privacy will have to change in the US. We obviously are a very technology-driven state or country, and there’s a lot of power in the technology companies. And when we have some of the tech companies who are great, by the way, it’s just privacy is not their model, but when they’re the ones leading the privacy discussions with our Congress, that gives me a very uncomfortable feeling.
Why is privacy the place to be for women and predominantly women in tech?
Sheila: I think it’s interesting because privacy is still a fairly new area. I mean, it wasn’t around 50 years ago. I’ve been in privacy law for 40 years. Well before anyone even cared about it. And I was probably one of the few privacy professionals, privacy attorneys out there, but over the years, because there haven’t been really barriers that have had to be broken in a purely male-dominated environment, privacy has opened up opportunities for women that inherently are, I think are, and I don’t mean this in a demeaning way to men by any means, but I think women inherently care more about that fundamental right to privacy, you know, human rights issues, the protection of individuals, whether it’s protection of your family, protection of your employees, protection of your customers, that privacy is a great space for women to be in. It gives us a chance to raise concerns, to share expertise, to be technical, but also to balance that compassionate need for data with the abuses of privacy that have, you know, come as a result of expanding technology. So it’s a wide open field. There are more female CPOs out there than there are males. The males still tend to, to migrate towards the CSO role. And in some ways that also causes a problem because you see many CISOs that think they’re CPOs and that’s a direct conflict of interest. You can’t be a privacy officer and a security officer because they are two diametrically different ways of looking at data.
What does a typical day in the life of a privacy professional look like?
Sheila: That’s always a great question because I think, if I just use myself as an example, my day-to-day can be completely different. I mean, obviously the foundation of what we do is to ensure that whether it’s me working with multinational companies all over the world, or whether you’re a CPO within an organization first and foremost, you want to know about what personal data is being collected. So what are you collecting? Why are you collecting it? Who are you getting it from? Why do you need it? Understanding the business challenges and understanding why business functions within an organization believe that they need personal data. And so it’s part education where you might think you need that data, but if you can’t articulate it, you probably don’t need that data. So it’s part education, part building policies and procedures and documentation around the protection of personal data and the balance of that life balance between needing data and wanting data.
Sheila: It’s working with regulators to ensure that your organization has the proper data privacy notifications, policies, consents, terms and conditions in place. It’s making sure you can address the rights of individuals. So having the right team in place to address things like right of access, right to erasure, right to object automated processing, and it’s working very closely with every business function and IT, because it’s assessing new technology that’s being implemented in, in an environment, not to say, no, you can’t implement that. But to understand what’s the objective of implementing this new technology or this new process, or this new procedure, defining what data is absolutely necessary and putting sort of the guard rails around what is acceptable and lawful and makes sense versus what’s far too excessive, and maybe just because it’s nice to have doesn’t mean you necessarily have to have that data. So you know, it is a big partner, it’s partnering with the CISO to make sure that once you’re legally allowed to have data, you have the right security infrastructure in place, which is critical. It also involves executive management and educating executive management on the importance of privacy and how privacy compliance can be a competitive advantage within an organization rather than a negative.
Evin: Yeah, definitely. What are some of the typical pushback you’ve heard from management on some harmful mentalities around why they should care about being compliant in privacy?
Sheila: Oh absolutely. Absolutely. You know, certainly it’s more when you’re in the CIO realm, there’s sort of a pushback of, “Oh, privacy is an obstacle for us getting work done”, but the closer you work together, the more solid the relationship becomes. And the more you can work as a team, because, you know, the chief privacy officer is not in a position to say, no, you can’t roll out that technology, the chief privacy officer’s in a position to understand why you need it and figure out how you can lawfully roll out a new system and not infringe on the rights and freedoms of individuals. So I would say two-three years ago, it was butting heads continually with senior management because privacy is not a revenue generator, you know, it’s overhead. They viewed it as an obstacle, but in the last, probably two to three years, I’ve been able with a lot of my clients to position it as this is a competitive advantage. You’re actually going to win opportunity with clients when you talk about your privacy program, because every company talks about security, but very few companies can talk about privacy. So if the mindset is changing and I’m seeing more board of directors interested in privacy programs.
Evin: That’s good to hear. We hear a lot of, especially from people that we talk to, around well, why should we care about privacy? If we’re never going to be hit by a fine, or we haven’t been hit by a fine thus far, why should we care?
Sheila: Yeah, there’s a lot of that. And that’s when, you know, you bring out all the examples of, you know, they, they sit there and think it’s the big companies, the big giants that we’ve heard about that had been hit with the, you know, hundreds of millions of fines, you know, or, you know, the $6 billion in the US you hear about those. But when you start to point out the fact that no, wait a minute, it’s not just a bad breach. If you have fraudulent terms and conditions, that’s a privacy violation. There’s been companies the size of 20 people that have been fined $25,000 for fraudulent terms and conditions. That might not seem like a lot, but when you’re a 20-person organization, that’s a lot. And it hits reputation.
Evin: Exactly. I think the reputational side of things is very important, especially as a consumer, you want to know that the companies you are working with and buying from value their reputation and will actually take the necessary measures to protect your data.
Sheila: Exactly. And I think as people get more educated too, they’re starting to read the terms and conditions like I’m the only one who reads terms and conditions on every site. I’m not agreeing to that at all. And I think a lot of people just say, well, they forced me. I had to give consent in order to use their service. And then I go back to, well, that’s a privacy violation right there. The minute you’re forced to give consent, that’s a violation of privacy laws. So yeah, it’s, it’s changing a little bit, it’s still an obstacle.
Evin: Definitely. Fully agree with that. As a woman in Privacy can you shed some light for women interested in a career in Privacy?
What advice would you give to women that are interested in a career in privacy? What is the best way to build a career in privacy?
Sheila: So as a woman, I think that, I always like to tell people, you know, never turn down any opportunities. So if there’s an opportunity that sounds like it could be challenging. And maybe it’s something that you think, I don’t know anything about this, but be willing to put yourself out there and to try. I mean, I started out in international employment law and privacy was not even at the top of my mind, but you can’t work on HR in Europe 40 years ago and not deal with privacy. And I fell in love with the privacy side. And that was a stretch for me, there wasn’t any information out there. There weren’t any websites you could go to find out about privacy. You had to read the constitution of different countries and find out what was going on. So it’s a matter of asking a lot of the right questions, networking, find a mentor in the privacy space who is willing to answer questions, you know, join certain privacy groups, but, you know, be careful, not all of them are great out there. A lot of them are more, you know, into generating revenue than actually to privacy, but it’s to, you know, ask questions within your organization. You know, I would like to say, start with HR because HR is dealing with some of the most sensitive data of the employee data. So if there’s an opportunity to get into HR, you know, do that. If there’s an opportunity to get into sales, to look at customer data, do that, get out of your box and push yourself to experience new things, ask a lot of questions. You know, you probably feel like you’re gonna drive people crazy, but ask a question. If somebody doesn’t want to answer it, they’re not going to, but it’s the only way you’re going to really learn.
What are some of your top tips for success?
- Be passionate, absolutely be passionate about what you do. So don’t, if you think you want to get into privacy and you get into it, and it’s just a job, you’re not in the right space. You have to actually live and breathe privacy. I am so passionate about privacy. I love speaking about it. I do keynote speeches all over the world. I’ve worked with all different types of clients. I am fully committed to privacy and will do anything in my power to make sure that we as individuals own our personal data and that we understand what organizations are doing. So find your passion and then it won’t be a job or a career it’ll actually be part of your life. And it’s something you love.
- Fully commit. Once you decide if you’re half in and half out, it’s probably not the right place for you. And also to, you know, look at all aspects of privacy, don’t just focus on technology. Don’t just focus on security, but really focus on that full life cycle of personal data.
- Ask yourself, start by asking yourself what data am I comfortable with sharing and what would be the impact on me if someone were to get information about me that I don’t want them to have? So you start to get the wheels turning and then you find out whether or not it’s something you really love.
Evin: Very well said, I love that!
Sheila: I just think this is great. I mean it’s, I love that people are getting into privacy now. I think it’s, you know, such a great field. There is a part of me that’s still a little bit skeptical when I hear people that, you know, come from a purely technical environment that identify themselves as data protection officers. And I go, yeah, not quite the right place to be, although I know there’s a lot out there. I just think there needs to be more guidance. There needs to be a lot more experienced CPOs out there which is definitely necessary. And it’s going to come. I mean, obviously it hasn’t been around as long. I caution people to, you know, don’t say you’re an expert if you’ve only been doing it for six months. Because you have legal liability with it and you don’t want to accept that legal liability if you truly don’t understand it.
Evin: Yeah. There’s a lot of pressure on their shoulders, isn’t there? They’re representing the company.
Sheila: Exactly. And if there’s going to be any kind of sanction, it’s going to hit the CPO first.