As part of the Top DPOs 2022 project, we’ve interviewed top privacy experts in the tech industry to unveil and share their practices with the community. Read how Udemy’s DPO tackles common privacy challenges while achieving team alignment.
From implementing up-to-date privacy practices across the organization to handling a high number of data subject requests, a DPO has to overcome many challenges to succeed.
Edward Hu, Data Protection Officer and Senior Corporate Counsel (Product & Privacy) at Udemy, was recently named one of the top DPOs to follow in 2022 by the tech and privacy community. Edward regularly speaks at events about privacy regulatory developments and operational best practices.
We are pleased to share the interview we conducted with him, and hope you'll find his actionable advice valuable as well.
Tell us a bit about your journey: What roles have you fulfilled before becoming a Data Protection Officer?
I’ve had the opportunity to explore several areas in my somewhat circuitous career path. Initially, I started in information technology, working as a network administrator and network engineer in a software development environment where I got my first exposure to some of the technologies we rely on today for privacy and security.
Then, I decided on a career change, went to law school, and for years after I became a licensed attorney, my practice was almost exclusively in the area of criminal law, both as a private practitioner and a public defender. Eventually, I decided to move away from litigation, so I started thinking about other practice areas that might be a good fit. <hl>That’s when one of my good friends introduced me to privacy law, which was a perfect match<hl>.
I sought to learn everything I could about privacy law, earned several IAPP certifications, and started working at a privacy compliance company that offered SaaS solutions and certification services. My first job there consisted of certifying and validating companies against various privacy laws and frameworks, including GDPR, Privacy Shield, APEC CBPR and PRP, and COPPA. It was the perfect job for someone starting in the field because not only did I get to learn about the laws and frameworks, I got to see how companies in all manner of industries approached compliance. Eventually, I took on the role of privacy counsel and DPO, where I oversaw the company’s personal data processing operations, and in 2020, I joined Udemy in a similar capacity.
It's exciting to see how your career has led you to your current position at Udemy. In terms of privacy, what is Udemy's greatest strength?
Our greatest strength and the thing I’m proudest of is our people. Privacy is a company-wide responsibility, and whether we’re talking about our product engineers designing privacy features or support staff fielding data subject access requests, my teammates at Udemy make me proud every day.
As any privacy professional knows, while policy may originate from the privacy team or DPO, privacy happens on the frontlines. I was fortunate to join a company with a culture built around the mission of improving lives through learning. <hl>The people at Udemy understand that respecting privacy as a right is an indispensable part of achieving that mission<hl>.
Udemy is an interesting company when it comes to privacy, as it protects the personal data of both instructors and students. Can you share how you manage privacy with this duality? Do you have different privacy procedures for each type of user?
The advantage of using a principles-based framework to design a privacy program is that the core requirements will be the same for any individual, whether they’re an instructor or a student. There are some obvious differences between instructors and students in terms of what data we need to collect to provide our services, as well as the processing purposes, but all these differences still fit neatly into the broader framework.
What are Udemy's methods for dealing with incoming data privacy requests (DSRs, DSARs, etc.)? Can you share some advice about that?
Udemy operates as both a data controller and data processor. We’re a data controller with respect to our direct-to-consumer business, and we’re a data processor with respect to our Udemy Business corporate customers.
For our direct-to-consumer business, we receive data subject requests either through a webform or via email, both of which get routed into a ticketing system. Some of the more common request types are handled directly by our support team, who follow a documented process and utilize some in-house tools to effectuate the request. The more complicated requests get routed to the Udemy Privacy Team, and we handle these on an individual basis. For requests we receive in our capacity as a data processor, we notify the data controller and follow their instructions.
<hl>In terms of advice, for companies with a medium or high volume of requests, I’d recommend using a third-party solution. I’ve managed data subject requests manually, using only email and spreadsheets, and the difference is huge. Having a third-party solution also centralizes all of that information into a single place so that you can demonstrate your compliance should the need arise<hl>. I’d also recommend developing customer self-service tools. In addition to achieving a scalable solution and reducing operational burden, customers like having the ability to directly access, correct, or delete their own data or opt-out from marketing communications.
Can you share the top concern (or challenge) you're facing as a DPO in a company with more than 50 million users?
The size of the user base is less challenging than the fact that those users come from diverse places. <hl>I’d say the most challenging part of being a DPO of a global company is keeping up to date with the privacy laws and regulations from around the world and making sure our policies and processes stay compliant<hl>.
Speaking of regulation, when it comes to regulating data privacy laws — what don't regulators understand about the business side?
While I don’t think it’s wrong to say that there is tension between businesses and regulators, I think that tension tends to originate in the laws themselves. It’s not unusual to have drafters with little experience in the tech world writing or amending privacy laws. I think regulators are doing the best they can with the resources they have, and for the most part, they interact with businesses enough to understand the realities on the ground.
What do you look forward to most about going to work every day? What gets you excited?
Personally, I look forward to working with the Udemy legal team every day. Our team has a spirit of camaraderie like I’ve never experienced, and the intense work ethic is balanced by good-natured humor and a love for fun times. Professionally, I look forward to seeing what new ideas Udemy’s product and engineering teams have come up with and being a part of the process to turn those ideas into a reality.
Let's end with a personal note. Do you regularly delete digital accounts or apps that you are not using anymore (to keep a lean digital footprint)?
Yes, I do try to keep a lean digital footprint, and I try to only use services that use my personal data in a way that I’m comfortable with. We live in an exciting time in terms of how technology and information are transforming nearly every aspect of our lives, and <hl>we, as consumers, have an opportunity to shape that by choosing whether to participate in aspects of it<hl>.
Read more about our Top DPOs 2022 project here.