April 17, 2024
Originally published at LegalTech News by Cassandre Coyer.
On March 14, data privacy and compliance solutions firm Transcend hired Ron De Jesus as the company’s—and industry’s—first “field chief privacy officer.”
Most recently, De Jesus was the chief privacy officer at Grindr. Previously, he held several head of privacy roles, including at Tinder and Match Group, and oversaw privacy programs at organizations like Tapestry, Coach and PwC, among others.
Below, Legaltech News caught up with De Jesus to discuss how his approach to privacy governance and compliance changed throughout his different roles, the evolving data privacy regulatory patchwork, and the balance between companies’ privacy policies and practices.
The interview below was edited for length and clarity.
De Jesus: I am actually surprised that a role like this hasn’t come out sooner because I think what’s missing in the market is definitely that bridge between operational experience of the CPO, and then bridging that gap between what vendors think the CPOs want and what CPOs actually want in a privacy platform.
I’m just incredibly humbled and honored to hold that title. And then to me, the FCPO is an individual that possesses that end-to-end privacy program development and operationalization experience. I’ve been in the privacy industry now for more than 15 years, assisting clients with developing and implementing privacy programs. Now what I get to do is focus more on interacting with chief privacy officers out in the field—hence, field CPO—learn from them, learn what their pain points are, what keeps them up at night when it comes to emerging privacy legislation, and how the privacy tech community, specifically privacy platforms, can improve.
I definitely think we’ll see more roles pop up like this. It definitely takes a certain skill set. Traditionally in CPO roles we’re behind the scenes, we don’t typically engage with the broader community, if you will, or even with the press. So I’ve actually spent the last year of my career building up my social media presence, sitting on panels, developing a privacy series that evangelizes privacy rights for consumers.
I’ve actually been a huge proponent of folks getting into this industry who don’t have a legal background, given my own non-legal background. Growing up consulting for the Big Four, I was always kind of knee-deep in reading and interpreting privacy laws and regulations—obviously under the guidance of actual lawyers—so I’ve always been very close to the legal function, even when I went in-house. I think that we as nonlawyers bring a definitely unique perspective to privacy program implementation and developments.
I think, and again, I’m generalizing here… I feel that lawyers definitely have a certain perspective when it comes to what businesses can do based on privacy requirements. And I think being a non-lawyer, I’ve been exposed to just working with folks outside of the legal function: with product, with marketing, with engineers, and the exec team as well. And so I think I have a really good balanced perspective.
I think just given the amount that I’ve learned over the past decade, for me, I love focusing, being in the weeds and being more operational. So yes, I’ve thought about it, but I feel like I’m at a point in my career now where it just comes second nature, and if I need legal guidance or support, there’s always outside counsel.
At the board level and the executive level, privacy has become top of mind for any company. … It’s really amazing to see our profession emerge out of the backwoods, if you will, and become top of mind for every company when it comes to wanting to enhance their public image and their reputation. … Having me come into this role as a FCPO I think is such a watershed moment because now I’m at the forefront of these issues, helping CPOs with the EU AI Act and its compliance requirements, the FTC just released their privacy and security update. So there’s lots of stuff coming down the pipe that I think CPOs need to be aware of and engaged with.
We already have a solid framework with which to work when it comes to how data is used from a generative AI perspective or other machine learning uses. We already have the GDPR. We already have state laws that speak to how personal data should be used. Of course, AI is the buzzword of the moment. Remember a decade ago it was big data, right? There will always be new technologies, but I think it’s really important to focus on the fact that we have a solid foundation with which to work.
We have requirements to do data protection impact assessments, for example, and that doesn’t change with an AI system. We have requirements to delete data, to provide rights of access, and that doesn’t change with the data that you’re using for machine learning. So I think it’s really critical for us to just take a step back with this technology of the time and realize that we still have requirements we have to abide by. We should be enhancing our current programs to actually solve those problems.
What would be top of mind for me is the fact that there’s increased enforcement that is going to steadily increase. Again, you’ve seen the FTC focusing on health information and then also AI. We see a lot of regulatory activity coming out of the EU itself. The CNIL is very active, the [U.K.] Information Commissioner’s Office is very active. They’re doing sweeps of websites when it comes to cookie technologies.
I wonder, when are we going to get national privacy legislation? I wouldn’t be able to bet on when we’re getting a national law. We’re waiting for it. But I think when it does come it’s going to be such a great kind of thing for U.S.-based CPOs. And then as you had mentioned, data brokers, I think the Delete Act is a really groundbreaking piece of legislation for consumers. And then something that also popped into my head recently was the Washington My Health My Data Act, which is kind of a misnomer when it comes to the name because you would think it only applies to a certain set of businesses, but the scoping of it is still very, very wishy-washy.
You still have transparency requirements around privacy notices, you still have to conduct data privacy impact assessments [DPIAs]. Those core first principles components don’t change. It’s just maybe the amount of DPIAs I’m doing for these “riskier” companies might increase. I also might have to be a little bit more cognizant of what the product team is doing, for example, and make sure that they’re well-tuned into our privacy expectations. So making sure they have, for example, role-based training. … The groundwork is the same across industries. You just have to adjust your policies and procedures slightly based on the types of data that you’re collecting.
It’s such a balancing act between what legal is telling you as an operational professional, and then what regulators might be recommending. There’s definitely sometimes a conflict between legal functions who say, “hey, we need to abide by the letter of the law when it comes to, for example, our CCPA privacy notice” and it might be very legalese, and they’re fine with that. When you have regulators and the general consumer advocacy community saying, these things should be easy to read … which I’m a huge proponent of. But sometimes doing that balancing act, it could result in conflict. You have folks like me, who want to be very transparent and very user friendly, and then it goes to the legal team, and they’re striking through or saying things differently. I think that’s where sometimes there’s a bit of conflict between what we really want to say, and then what we’re allowed to say.