When Maureen Dry-Wasson founded Allegis Group’s global privacy office, she didn’t initially expect to run it. The idea for the office started as a pitch to Allegis Group’s executives in May 2017 to formally separate the global talent-solutions firm’s privacy and information security departments—two areas that were previously combined under the Information Security Office. “They really are two separate but related disciplines,” Dry-Wasson says.
She’d already been with the company for a decade as group general counsel, where she was responsible for all employee benefits law issues at Allegis Group; as the general counsel for Major, Lindsey & Africa, an Allegis Group company; and as the attorney lending support as needed on privacy issues when they arose. Today she pulls extra duty with the additional title of global privacy officer, and her and her team’s work is keeping Allegis Group ahead of rapid change in privacy law worldwide.
Dry-Wasson’s passion for learning various areas of law started after she graduated from law school and joined marketing communications firm Vertis. Over the course of her eleven years at the company, she became an all-purpose in-house attorney, taking on “almost anything and everything”—including contracts, employment, employee benefits, real estate, intellectual property, SEC work, and corporate and M&A work.
She continued to hone her skills when she had the opportunity in 2009 to assist Allegis Group with its first Safe Harbor certification, which allowed her to dive into the world of privacy law. After tackling what was to be an isolated project related to Safe Harbor, she continued to help with privacy issues over the years, including helping Allegis Group form an information security office. Key regulatory changes, like the passage of the General Data Protection Regulation (GDPR), led her to pitch the company on adding a global privacy office that would operate separately but in close partnership with the information security office. “The impact of the GDPR on global companies was profound,” Dry-Wasson says. “We knew we needed to increase our investment in data-privacy efforts, and the GDPR was the impetus to deepen our investment and formalize a privacy office.” Dry-Wasson also invested in her privacy education, seeking certifications through the International Association of Privacy Professionals (IAPP) to obtain her CIPP/US, CIPP/C, CIPP/E, and CIPM. She also helped establish the Baltimore KnowledgeNet chapter for IAPP and served as the first cochair from 2015 to 2017.
To ensure compliance with GDPR regulations and commit better resources to data privacy for all privacy regulations worldwide, the global privacy office sets strategic direction and partners with dedicated privacy personnel at each of Allegis Group’s specialized companies to help implement and oversee strategy. The privacy office focuses on privacy-related policies, privacy notices, handling data-subject requests, data-inventory and mapping efforts, conducting DPIAs, negotiating data-protection language in contracts, providing training and awareness across the company, and more. Much of the privacy office’s personnel is based at Allegis Group’s headquarters in the US, but key staff lead certain efforts from an office in London, and there are plans to add dedicated privacy resources in the Asia-Pacific region.
For a global company such as Allegis Group, ensuring compliance with different regulations in different jurisdictions is one of the global privacy office’s greatest challenges. “Anyone who tries to comply with the minutiae of every country’s privacy laws all the time would go mad,” Dry-Wasson says. The key, then, is to find commonalities between the laws of the regions in which Allegis Group works and to focus on areas where there is regulatory and privacy-principle overlap. “It will almost never be perfect, so you focus on achieving the best you can,” Dry-Wasson says.
The history of a company’s data-collection practices and the continued use of older technology can also be a hurdle for privacy compliance—and Allegis Group is no exception. Its data-management systems have evolved over time, and data collected in the past isn’t always aligned with the demands of current regulations. To this end, the privacy office forged an invaluable partnership with the information services team, which committed to adding dedicated resources such as privacy architects for privacy by design, enterprise architecture, business-analyst and business-process design support, and project management. Most recently, it added a records manager for data-retention issues and a change-management resource to help employees adapt to changes in process and technology specifically related to the initiatives of the privacy office.
Nearly two years in, Dry-Wasson is looking to continue to add personnel to the privacy office while exploring tools and resources to help address security, consent and preference management, data mapping and data inventory, data-subject request tracking and fulfillment, privacy-notice management, and security and privacy incident tracking. However, the work the office has done to date has already been an enormous aid to Allegis Group’s ability to maintain privacy standards and compliance. “The amount of information we’ve learned about how to address specific privacy issues has been staggering,” Dry-Wasson says, adding that her office facilitates a better company-wide understanding of what privacy is and why it’s important.
The overall success of the office is due in large part to a global commitment to strong partnerships with the information security and information services teams and the support of Allegis Group leadership and the operating companies in dedicating resources. By working in close collaboration as a unified cross-disciplinary team to align efforts, it’s achieving faster, more-efficient success with its privacy initiatives.
While the GDPR presented a significant challenge for Allegis Group, the company feels more prepared than ever to establish and build upon privacy best practices. Such practices will help it, its customers, and other business partners in the future, especially as the California Consumer Protection Act and other new US-based privacy laws add to the ever-growing global regulatory complexity of the privacy arena.
Alston & Bird LLP:
“Maureen is exceptional among in-house counsel for several reasons. She is certainly expert in employee benefits, where we work with her, as well as both careful and practical. However, one of her outstanding qualities is her thoughtfulness in mentoring young lawyers, both within her organization and in the law firms she works with. She gives a lot of thought to assignments and staffing not just to finish the project right in front of her, but to set up her organization, and her people, for success in the future. It has truly been a pleasure for us to work with her.”
-David Godofsky, Partner