We’d like to introduce you to San Diego-based attorney Julie Bishop. She provides legal advice to FSFP about our customers’, partners’, employees’ and job candidates’ data. Julie’s expertise in information security and data privacy fits nicely with our Women of Information Management article series, even though Julie isn’t an information management practitioner in the typical way we describe it.
Meet Attorney Julie Bishop
Julie’s law practice, which celebrated its first anniversary last month, includes a team of legal professionals focused on technology contracting, third-party risk, security assessment and compliance engagements.
Before running her legal practice, Julie led the data security and privacy functions at Avanade, a provider of digital and cloud services and business solutions delivered through the Microsoft ecosystem.
Julie’s experience as an attorney dates back 27 years. For the past seven years, her primary focus has been on data privacy and security-related legal matters.
Before graduating from the California Western School of Law with her Juris Doctorate, Julie studied biology at UC San Diego. She didn’t consider being an attorney until her senior year of college. That’s when she realized she ultimately didn’t want to go to medical school or get a PhD in science to work in a lab, even with her pre-med degree in biology.
Soon, Julie’s focus shifted to biotechnology law when she started working for the University of California, licensing their biological technologies to other companies.
Experience with GDPR and CCPA Compliance
Fast forward to 2012, when Julie joined Avanade. She ran the legal team when compliance with the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) became priorities for the company. No surprise, Julie remembers these being huge initiatives for Avanade. “My team and I, along with the information security area, worked many hours to make the necessary compliance assessments and changes,” Julie says. “What compounded the efforts was that the company had 23 worldwide affiliates.”
Today, Julie’s GDPR and CCPA work is with generally smaller clients where she helps them assess their security compliance and data privacy practices to meet those regulatory requirements. “Many companies know these requirements are out there, but they’re not sure about how to get to ‘good,’” she says. “Some want to put their heads in the sand, others want to offload everything to a third party to fix, and others want to take on the work themselves without fully realizing it’ll be a massive undertaking.”
What Comes Next After GDPR and CCPA
Julie says the international privacy landscape will continue to evolve as countries introduce new compliance obligations, coming out with GDPR-like regulations. She describes Brazil’s General Personal Data Protection Law, which took effect last August, as being similar to GDPR
Here in the US, Julie believes the Biden administration will prioritize the need for a federal privacy regulation sometime in the next two years, which could bring the nation into more alignment with other countries’ mandates. “Historically, we’ve created our regulations by sector,” Julie says, “such as HIPPA is for healthcare and PCI compliance is for credit cards. We don’t have an overarching privacy regulation and need one.”
Keeping current with regulatory changes and addressing new ones is a recurring part of Julie’s job. She receives almost daily emails from other law firms and privacy organizations, with messages about new regulations in the works messages — or revised ones, such as when CCPA was revised last November.
Even with privacy breaches and regulatory decisions remaining almost front-page news, getting organizational buy-in can be tough. “I find that it’s the rare CEO or COO who’s truly concerned about privacy and security,” Julie says. “Without buy-in at the highest level, getting the needed changes in place is a much more challenging exercise.”
Data Governance’s Inherent Value
Julie believes that organizations with a strong data governance program in place are better positioned to address privacy and security compliance, saying the two focus areas are complementary. “Once a company has developed its rigor around governance,” she says, “they’re in a much better position to determine what’s needed from operational and policy standpoints to say the organization is GDPR or CCPA compliant.”
Companies without a strong data governance framework will have a harder time answering some of the fundamental privacy-related questions, such as do you have a data inventory and how does data flow as it travels throughout the organization and outside it? “Being able to answer those questions alone can be challenging for most organizations,” Julie says. “The data governance work that FSFP is doing with its clients is critical, and there’s some nice synergy in what both our companies are focused on.”
A Career in Data Privacy and Security
Julie enjoys being self-employed and having the opportunity to get back to some of the legal work she did more than 20 years ago. “Back then, I spent time negotiating contracts,” she says, “and now I’m doing that work again and also helping clients with privacy and security. It’s a nice mix.”
Being away from the corporate environment has its perks (“I’m rarely sitting in meetings for 4-5 hours each day,” Julie says), and there’s a special feeling of satisfaction where she’s making a difference for her clients.
Today, Julie’s data privacy and security work has her interacting with more men than women. “It would be great to see more women involved in information security,” she says. “The work is not just technology-focused. There are programmatic and operational challenges that women would enjoy and excel at.”
Is a Federal Regulation on the Horizon?
When Julie thinks about what the future holds for people who work in data privacy and security and whether they’ll see a federal privacy mandate any time soon, here’s what she had to say: “Time will tell, but many US corporations could find themselves trying to operationalize compliance with a new US Federal Privacy regulation, which may end up being the Safe Data Act, introduced by Sen. Roger Wicker’s, R-Miss., in 2020.”
If you’d like to read more Women in Information Management feature stories, you can find them here.