Interview with Outschool's Global Privacy Officer Dr. K Royal
From implementing up-to-date privacy practices across the organization to handling a high number of data subject requests, a Global Privacy Officer has to overcome many challenges to succeed.
Dr K Royal is a respected authority on privacy issues and the host of the popular podcast "Serious Privacy." In her role as Global Privacy Officer at Outschool, she is responsible for ensuring that the company complies with data privacy regulations. She is also a frequent speaker on the topic of data privacy, and her work has been featured in The New York Times, The Wall Street Journal, and Forbes. Dr. Royal is a trusted voice on the topic of data privacy, and her insights are invaluable for anyone who is concerned about protecting their personal information.
What inspired you to pursue a career in privacy?
I was born for this. Being a registered nurse before getting a law degree lit the pathway ahead of me. People are usually baffled by my transition from nursing to lawyer, but privacy is a helping profession. We're there to protect the people - that's how we protect the company. I've been in privacy long before most recognized it as a career.
I've established privacy programs as well as worked with teams at some of the world's top companies to enhance and expand existing programs. I carry the honor of filling the first dual application for BCRs for both controllers and processors in the EU (binding safe processing rules for processors). I've been the privacy and security officer; I've been DPO; I've been privacy counsel. Every day, I love what I do and look forward to doing more.
So what inspired me to be in privacy? - the people, the challenge, the innovation, the fun (my trainings are always fun), the colleagues, the ever-changing laws - it's everything. Everything about this profession inspires me from infancy to maturity to phenomenal growth.
Can you give us an overview of Outschool's approach to privacy? Can you share any best practices that Outschool has developed when it comes to privacy?
As a lightning-fast-growing company in a burgeoning field, Outschool is built on trust. Our learners are from 3 to 18 years old, plus we have data on and from parents, partner organizations, and teachers (who are independent contractors). We take our mission seriously to protect their data. That's our approach to privacy.
Best practices: I dislike the word "best" in this context, because there is always something to improve. One of our fundamental actions is baking the laws we are subject to into our daily work. From teacher credentials to content moderation, privacy is an active part of the design, requirements, tech specs, and QA. We work hand-in-hand with the business teams and core infrastructure, especially our Trust and Safety department.
Another aspect is content moderation. Given our focus on privacy and safety, we have to be incredibly adept with moderating content in our classes and activities, including AI. We've also had to deal with sensitive situations, but we have well-established protocols in place for a wide range of potential events. So our privacy and trust activities go beyond what most privacy officers / DPOs have to manage and it's an absolutely fascinating niche field.
What do you think is the most important thing for companies to keep in mind when it comes to data privacy?
People come first.
Take care of the people: their data and their honor.
There is an interesting dichotomy between innovation and privacy, that is built on perception rather than reality. Both can co-exist and also be used as leverage for the other. Large, global companies are actively marketing their privacy efforts as a market differentiation from competitors. And we have young, hungry companies innovating privacy tools and software. There is almost always a way for companies to do whatever it is they are trying to do as long as they put people first.
Can you give us an example of when you had to deal with a difficult privacy issue?
Thorny problems (I'm hearing Michelle Dennedy in my ear now). We in privacy deal with thorny issues quite frequently. In general, it's not usually the precise privacy question that is difficult, it's how to solve for the holistic situation. There are trade-offs, risks that must be considered. Resources are finite, including privacy professionals' wisdom and ability to see the future. So much is new in our world that the limited guidance there is has not addressed everything. Literally, it's unprecedented.
However, my experience with difficult issues have less to do with privacy and more to do with the other people involved. We in privacy have the most challenges convincing others that what we are advising (or warning against) is accurate and should be taken seriously. We are rarely alarmists and frequently savvy professionals.
The PrivacyTech (SaaS and tools dedicated to privacy management) industry is booming. Do you think it's essential for businesses to use privacy software? How do you see this industry in the future?
Absolutely! I cannot emphasize this enough. Let the software do whatever you can get software for and save your efforts for the aspects software cannot replace - your strategic plans, how data can be used legally for innovation, problem-solving thorny issues. I do caution, however, that not all software is equal. Make sure the the vendor is someone you'd want to continue doing business with in the future.
I see the PrivacyTech world continuing to grow and perhaps grow even faster than what we have seen to date. We are at the toddler stage, where from here we will see huge spurts in growth as well as growing pains. Naturally, the market will start condensing the number of companies over the next 5 - 8 years, because mergers and acquisitions will also happen faster and more frequently. I hope it's the good ones who are still standing in a few years.
What are your thoughts on the future of privacy in general?
Oh, we have not yet seen the height of the privacy field. I foresee privacy becoming a fundamental right worldwide, with interoperable standards and meaningful enforcement. HIPAA (the Health Insurance Portability and Accountability Act) is proof that it can be done. Basically every medical entity subject to HIPAA in the US complies. Of course there are still violations, but no one likes the ramifications of being caught. Privacy needs to be that way for everyone, everywhere. This all said with the caveat that government will still find ways to access data and conduct surveillance - and bad actors will become even badder.
Privacy professionals will be a main part of the c-suite. Every board will have at least one privacy professional on it, who is a woman as well (to kill two birds with one stone).
And apps do not use any permissions not needed. All ad tracking online is clearly presented to individuals and operates solely on consent, which can be completely withdrawn as easily as it was given.
Let's end with a personal note. Do you regularly delete digital accounts or apps that you are not using anymore?
Ummmmm - No, not completely. I should, I know. I do delete apps, but I also don't install many. I am good at checking permissions on apps.
Read more about our Top DPOs 2022 project here.