As part of the Top DPOs 2022 project, we’ve interviewed top privacy experts in the tech industry to unveil and share their practices with the community. Read how iRobot’s DPO leads the privacy operations of a successful organization by building a culture of privacy-by-design.
From implementing up-to-date privacy practices across the organization to handling a high number of data subject requests, a DPO has to overcome many challenges to succeed.
Bethany Singer-Baefsky, Data Protection Officer at iRobot, was recently named one of the top DPOs to follow in 2022 by the tech and privacy community. Bethany frequently speaks at events and tries to simplify complicated GDPR concepts whenever possible. Before joining iRobot, she served as the DPO of Unbounce and provided GDPR consulting services to clients across the country.
Do you regularly clean your digital footprint? (pun intended)
Ha! I may be a privacy professional, but I’m still human. If I happen to see an app I’m not using anymore, I’ll delete it, but it’s not with any regularity. To be fair, I’m not particularly active on social media and don’t have that many apps to begin with.
Glad we got the ice broken. In addition to your extensive legal background, you're also an expert at storytelling and simplifying complex concepts — Do you think these skills are essential for a DPO?
First of all, thank you for that kind characterization! My legal background is actually a bit unusual – I have an LL.M. in Public International Law but not a JD. So, while I have worked in human rights, asylum, immigration, criminal defense, intellectual property, contracts, and of course, privacy law, I haven’t done that as a counsel.
As for privacy specifically, I don’t believe it’s essential to be an attorney per se. Rather, it’s necessary to understand how to interpret laws and regulations, as well as the political, social, and economic factors that influence the legal and regulatory landscape, and to build and maintain strong relationships with your legal, product, and business teams.
<hl>Data Protection is, by necessity, a company-wide effort, so relationship-building across the board is critical.<hl> That’s where the storytelling part comes in. Narratives answer the “why” behind the “what” and are essential in cultivating a culture of privacy-by-design and by default.
In terms of privacy, what is iRobot's greatest strength?
iRobot is consumer-choice driven. Product features that require data processing (for example, smart home integrations) are fully opt-in. And as our connected capabilities advance, I am so proud of the work that our Product, R&D, and Product Security Teams are doing as it relates to designing products and features with data protection and consumer trust at the forefront.
iRobot is an interesting company when it comes to privacy, as it involves a unique set of personal data (maps and locations included). What are iRobot's legal and other methods for keeping its users' data safe?
Our mapping robots generate a floor plan of the robot’s path in the home, which, once set, allows the user to decide where they would like their robot to clean. The primary use of the maps is to allow the robots to more effectively and efficiently clean. iRobot is committed to the absolute privacy of customer-related data. <hl>We have implemented a wide variety of technical and organizational controls, including opt-ins to map- and location-based features, deidentifying our databases, encrypting personal data in transit and at rest, and collecting only strictly necessary data to help them do so their job and improve the product experience.<hl>
What are iRobot's methods for dealing with incoming data privacy requests (DSR, DSAR, etc)? Can you share some advice about that? We assume you get many of them as you have a large user base.
iRobot fully respects the data access and deletion rights of our customers. <hl>For example, any customer, regardless of where they are in the world, can log into the app or website and request account deletion.<hl> When this happens, the user will receive an email to the address affiliated with their account letting them know that we received their request and allowing them three days to hit the “cancel” button. If they do not cancel, their personal data will be permanently and irrevocably purged from iRobot systems within 30 days of the initial deletion request.
Can you share one challenge (or concern) you're facing when setting the priorities for the Privacy Program of iRobot?
At iRobot, we have adopted a principle-forward, framework-based approach to information privacy. This means we base our privacy policies and processes on the principles that undergird the privacy regulations to which we are bound (e.g., consent and choice, notice, transparency, data minimization, etc.). <hl>This has helped us address a major challenge facing many global companies: complying with rapidly changing privacy laws worldwide.<hl>
What do you look forward to most about going to work every day? What gets you excited?
I work with the best people. Privacy is, by its very nature, cross-functional, so I have the opportunity to work with and learn from tons of individuals with a wide range of expertise. I mentioned relationship-building earlier – it’s exciting to be able to connect with different teams working on innovative new projects and programs, learn about what they’re doing, and strategize together on privacy-by-design and compliance challenges.
What's the craziest thing that has happened to you as a DPO?
I really don’t want to jinx it, but thus far, I actually don’t have any wild DPO stories to share! Perhaps the most unexpected thing looking back at where I started was becoming a DPO in the first place!
Read more about our Top DPOs 2022 project here.