Rachel is Chief Privacy Officer at part creative agency, part consultancy and part technology company, Wunderman Thompson. As an attorney and certified international privacy professional, Rachel has an extensive background in digital marketing, advertising technology and compliance. She is responsible for leading Wunderman Thompson through a period of change and transformation in order to better serve clients, educate staff, and align with various data protection laws, including the GDPR.
1. Tell us a little bit about Wunderman Thompson and your role at the organisation?
Wunderman Thompson is a full-service advertising agency—we provide a wide range of services including consulting, commerce, CRM management, creative, technology, production, and of course, data. My role within Wunderman Thompson is to ensure that we are working within privacy best practices, policies, and laws and regulations, particularly when it comes to the collection, use, and overall processing of consumer personal information.
2. How did you get into your current role?
I started my career working in media. I managed accounts and serviced clients for paid search and social media. It was about a decade after I graduated undergrad and was working in media that I decided to go to law school part time at night. Whilst at law school I managed to land numerous internships that were all around data privacy. At the time they were the closest thing I can find that was related somehow to media. And given I was working full time and in law school at night, I did not have many options to be choosey about what types of internships I could have. I needed experiences that allowed for flexible working since my only free time was the weekends. I sort of fell into privacy by accident, as that was what was available at the time. I am very lucky it worked out that way. And happy.
3. Thank you for participating in Exterro's recent "Legal Leaders" webinar series and speaking on our panel "Data Inventory and Mapping to Operationalize Global Compliance and Risk Management." What are your key takeaways from this session?
I think the biggest think I learned is that compliance and risk management cannot happen unless you have support throughout the organization and from senior leaders. I also took away the key point that compliance is not a single person’s role. It is the role and responsibility of everyone in an organization. A group effort.
You can watch the on-demand version of this webinar panel featuring Rachel here.
4. Which areas of Legal GRC (Governance, Risk and Compliance) do you find particularly rewarding in your role?
I love having to find creative solutions. Often governance and compliance requirements can limit engagements. Being able to think of alternative solutions and work hands on with different teams and departments in most interesting to me, as it allows you to think creatively and work within different disciplines of your organization.
5. Which areas do you find most challenging?
I often find it challenging to change certain mindsets. This idea of data privacy in some jurisdictions is a newer concept, and helping individuals understand these changes and why they are important can sometimes be challenging, particularly if there are changes to processes and policies that have been in place for a long time.
6. How has the recent COVID-19 situation impacted your Legal GRC activities at Wunderman Thompson?
If anything it has made us realize how important it is to ensure your employees understand what modes of communication are approved and sanctioned by your organizations. For example, perhaps you are not permitted under company policy to communicate using chat services like WhatsApp. It is also a good reminder that we have to be careful in what types of data we ask for from our employees and why. While we may have good intentions in wanting to know if an individual is infected by COVID—perhaps we should not be asking so directly. And consideration should then be given to what happens to that data once it is collected? How long is it retained? Where is it stored? With whom is it shared? It is a great reminder of our basic privacy best practices and fundamentals of data minimization and retention.
7. What advice would you give to yourself if you had to start again in your career?
Trust your instinct and your gut—but make sure you can back up that instinct when you need to. And, something my grandmother always used to say—right foot first!
8. How do you see the Legal GRC landscape changing in the next few years?
I see this becoming more important in industries where there has typically not been much regulation—like in advertising or marketing for example. I anticipate we will see more proposed data protection laws in the United States, more enforcement of the regulations abroad, like GDPR, and that will only help organizations realize and understand the importance of these functions. While Legal GRC functions are overhead—they can save you a lot in the long run, in terms of dollars, and reputation.