Alexandra Ross, Director, Global Privacy & Data Security Counsel at Autodesk
December 20, 2019
The OneTrust DataGuidance ‘Thought Leaders in Privacy’ interview series is filmed across the world with leading privacy professionals discussing their advice for staying ahead of the curve and how privacy connects on a wider level with businesses and society. The series captures ideas from a range of subjects including GDPR and CCPA requirements, data security and breach notification, risk & compliance, and emerging technologies.
We spoke to Alexandra Ross, Director, Global Privacy and Data Protection Counsel at Autodesk in October 2019. Autodesk, Inc. is a multinational software company that develops software services for industries including architecture, construction, education, and entertainment. Alexandra spoke to us about the trends she has noted between data protection and third-party management, as well as the role of ethical principles in the development of a privacy program.
CCPA requirements for third-party risk management
With the introduction of new laws such as the GDPR and the CCPA, Alexandra explains, there is now an increased need to scrutinize vendors and therefore an increased need to have the correct processes in place for managing third parties. Alexandra also notes that there are some key things to take into account:
“There are two things I think are important in terms of third-party management. One is knowing who your vendors are and making sure you have the right contracts in place with the vendors so you can potentially take advantage of the exception to the sale definition under CCPA for sharing data with your service providers. The second is, how do you manage the risk, in terms of security reviews and security assessments of your vendors to make sure that you are dealing with vendors who have the appropriate security controls in place when you are sharing data with them.”
Ethical principles in data protection
Whilst Privacy by Design continues to be a talking point for privacy professionals, Alexandra comments that there is an increase in conversation regarding Ethics by Design.
“There might be something that potentially you could do with data, that is legally compliant but wouldn’t be the right thing to do or wouldn’t be in line, ethically, with your company values. Some companies actually have stated public ethics principles that they have posted.”
Alexandra concludes that she believes ethics will be the next big step for companies beyond privacy compliance and risk management functions.
Watch the full interview where Alexandra explains how data protection forms part of the wider risk and compliance function within the company, as well as the methodologies that have been implemented with respect to data protection risk management.