Margaret Alston, CIPP/G/C/M
Consulting Program Director
Initially, I came into the privacy profession by accident – it was a happy accident! I came from the consulting world and I was hired by a boutique consulting firm for a privacy project. That was 18 years ago, and I have been hooked since then.
Favorite GDPR Article and why
Article 33 – Notification of a personal data breach to the supervisory authority. Incident response and planning for an incident is near and dear to my heart. Incidents can be incredibly painful; most are “pants on fire” events. However, I’ve seen that careful planning can make a big difference in how quickly your pants burn. Article 33 gives companies a great reason to spend time on careful incident response planning that will make a huge difference. Planning will not only help the organization meet the 72-hour requirement, but it will also help it deal with incidents faster, more efficiently, and less laboriously. In today’s data-driven world it is not a question of whether an incident will happen, but when it will happen. Companies should be prepared.
One thing you’ve noticed that has changed about privacy since you’ve started
I have noticed two big changes since I started:
- When I first started, there weren’t many privacy rules in the US. The main “privacy” issues that people worried about were GLBA and Europe – that was it. Now we have new developments in regulations, expectations, and best practices every year. The amount of regulations out there for privacy has changed enormously.
- Today everyone has heard of privacy, but when I first started most organizations, especially those not in highly regulated industries, had never heard of it. Now almost all companies think about privacy and have people dedicated to privacy. Today privacy has evolved into a real field now, as opposed to something that companies never really thought about.
Advice for new privacy practitioners
Privacy is a fun, fast-changing, challenging field. I highly recommend it because it is one of the few fields that touches upon every part of a company’s activities. A privacy professional has opportunities to talk to marketing, legal, corporate communications, product, security and more. That’s a lot of fun and a lot of responsibility. Having said that, I would give this advice: don’t be afraid to do outreach across the entire organization, because everyone has a stake in the game.
Margaret has more than 15 years of Privacy experience, much of that at the VP level. She started out in the consulting world, managing a privacy boutique firm’s consulting organization, Privacy Council. She scoped, bid, planned, resourced, managed, and in some cases performed hands-on for EU, HIPAA, GLBA, COPPA, and Web site privacy projects. She is IAPP certified for basic, Government, Program Management, and Canadian privacy, and she has covered a broad range of data stewardship issues in the US, India, EU, Australia, and Canada.
Most recently employed as a Senior Privacy Manager for Intuit, as well as Intuit’s Canadian Privacy Officer, Margaret helped create privacy sensitive strategies, business models, and products. She also has set up and managed privacy by design and privacy compliance programs both in the technology realm and for specific sets of rules, such as HIPAA, 7216, Safe Harbor, and GLBA.