Today we share an interview with Chris Babel, the CEO of TrustArc, a leading technology compliance and security company. Chris shares his background in the industry, offers insight into key risks facing the GRC profession today and explains how TrustArc meets a growing need.
CCI: How did you get started on a career in privacy?
CB: I’ve spent more than two decades building online trust for customers like Apple, Alibaba and IBM, most recently in the security industry working on VeriSign’s worldwide Authentication Services business, where I was responsible for strategy, sales, marketing, product and support. In these roles, I helped grow the businesses through the launch of new products to enterprise and small/medium businesses, international expansion in EMEA and Asia and through acquisition and integration of a number of companies.
My experience working in the security industry paved the way for work in privacy – an industry evolving along the same trajectory as security. The market is powered by increasing demands to use personal data, mounting user privacy concerns about the use and handling of their information, an increase in regulatory requirements and the need to operationalize privacy controls to ensure business continuity.
CCI: Who helped shape your views on data privacy?
CB: I think one of the great things about the privacy profession is that there are so many people to learn from. The breadth and depth of knowledge you can hear at an IAPP event is tremendous, whether that be from CPOs at companies, law firm partners, privacy consultants or regulators.
One person I’d point to in particular is Hilary Wandall; as she was the CPO at Merck, Chair of the IAPP Board and a customer, we had many debates on the trajectory of the privacy profession and company needs. We shared a similar vision for the market and were fortunate to have her join TrustArc in 2016.
CCI: How do you stay current on ethics and compliance issues?
CB: Regular conversations with customers, consultants and law firm privacy professionals are a great way to get an “on the ground” sense for what issues are top of mind. There is a growing list of sources to follow in order to stay current – whether it be from one-on-one conversations, attending an IAPP or other privacy conference or, increasingly, security conferences like RSA.
CCI: How do you see the CCO role evolving within the next three years?
CB: An increase in the number of international and domestic privacy regulations is impacting the way businesses make decisions and will continue to do so. Successful organizations must now weave consideration of personal data usage into the fabric of their company and services due to increasing regulatory requirements and concerns regarding the use of consumer information. The role of the CCO will become a much more strategic one, with CCOs working to ensure the organizations they work for take these privacy concerns into account from day one. Privacy is not a project with a beginning and an end; it is an ongoing task the CCO will be responsible for and a key factor in the strategy and execution plan necessary to drive success.
CCI: What do you see as the greatest regulatory risks facing companies, and how might they impact business as a whole?
CB: Companies are facing unprecedented expectations for data privacy compliance with both international regulations, such as GDPR, and domestic laws, including the California Consumer Privacy Act (CCPA). We are starting to see the ramifications of GDPR violations, and they are not just monetary fines. In some cases, companies have even been asked to cease operations in a specific geography. These types of consequences can severely impact a company’s ability to operate. Businesses must be aware of changing regulations to ensure they are compliant moving forward, in part by thinking more holistically about security and privacy. Operationalizing privacy at scale will be the best path forward for any organization as it contends with the changing regulatory risk landscape.
The more innovative companies will look to differentiate themselves from their competition by setting up ethical review committees, ethics teams and data ethics officers to formally consider the implications of algorithms and machine learning on customer trust and business outcomes.
CCI: How might CCOs, CROs and CISOs prepare to face these risks?
CB: CCOs, CROs and CISOs should consider leveraging technology to enable compliance solutions that 1) can effectively scale across the organization and 2) are in accordance with multiple privacy regulations. Connecting the dots on one centralized back end will allow continued scalability and flexibility, particularly since data protection regimes increasingly require documentation and recordkeeping for each distinct business process. Centralized solutions are emerging that can not only help businesses map and monitor the flow of sensitive information through networks, data centers and web-based software, but also provide platforms that help respond to data breaches.
Technology alone is not enough, however. Privacy officers should put existing resources toward individual rights management, operationalized data governance (mapping data flows, recordkeeping, data retention/deletion policies), and “privacy by design” to enable companies to make the leap from reactive to proactive, conserving budget in the process.
CCI: How does your company help its clients mitigate risk?
CB: TrustArc offers an unmatched combination of innovative technology, expert consulting and TRUSTe certification solutions. Together this combination addresses all phases of privacy program management. The TrustArc Platform, fortified over eight years of operating experience across a wide range of industries and client use cases, along with our extensive services, leverages deep privacy expertise and proven methodologies, which have been continuously enhanced through thousands of customer engagements. With a wide range of modules, the TrustArc Platform supports several privacy management initiatives, including CCPA, GDPR, EU-U.S. Privacy Shield, Swiss-U.S. Privacy Shield, APEC CBPR and COPPA. The platform can also be integrated with GRC platforms, such as the Archer GRC Suite and ServiceNow.
CCI: Compliance departments are often asked to accomplish their work with limited resources… do you see this situation changing any time soon?
CB: I’m not certain I know many situations inside any company where budget and resources aren’t a problem. According to a joint report that the IAPP and TrustArc released in December, budget is the largest reported barrier to adopting privacy management solutions. Irrespective of whether you are a Fortune 100 company or have fewer than 100 employees, both are still turning to third parties for their compliance needs. Limited resources and the complexity around privacy management are causing firms to look outside their walls for scalable compliance support.
For instance, with the increased sophistication of privacy technologies, a small company located anywhere in the country will now have access to third-party solutions at a price point that fits them and makes it worth their while to comply with a law such as the California Consumer Privacy Act to reach even more customers.
So, while compliance departments may not necessarily see the increase in resources they request, it is becoming easier for these departments to do more with the resources they do have through the help of third-party technology offerings.
Chris Babel is CEO of TrustArc, where he has led significant growth, transforming TrustArc into a leading global privacy compliance and risk management company. Before joining the company, Chris spent over a decade building online trust, most recently in the security industry as senior vice president and general manager of VeriSign’s worldwide authentication services business. He holds a B.A. in Mathematical Methods in the Social Sciences and Economics with Highest Distinction from Northwestern University.