In the newest episode of his "Two Byte Conversations" podcast, Data Strategy, Security & Privacy attorney Kevin Angle is joined by privacy officer Aaron Mendelsohn to discuss the ins and outs of building a privacy program and how to work with internal stakeholders and clients to build trust and respect. They also talk about Mr. Mendelsohn's new book Operationalizing Data Protection & Privacy, his experience teaching cybersecurity and privacy law at Cleveland State University, and their views on what makes an effective legal counselor and privacy officer.
Podcast Transcript
Kevin Angle: Today, we're going to discuss privacy management and operationalizing privacy programs. I'm thrilled to be joined by Aaron Mendelsohn. Aaron is currently a privacy officer at the LEGO Group where he oversees data protection compliance within the digital technologies teams, including LEGO.com, LEGO Insiders and LEGO Retail. Before that, he was director and chief data privacy officer at Ingram Micro. And from 2018 to 2022, he was adjunct faculty at the Cleveland-Marshall College of Law, where he taught privacy law and management. And Aaron, you only stopped that because you moved to Denmark, is that right?
Aaron Mendelsohn: That's correct. Yeah. Sadly, I had to give that up.
Kevin Angle: Yeah, pretty fun gig. But picking up on teaching, I suppose, he recently authored the book Operationalizing Data Protection & Privacy, which provides readers with a framework for developing and managing privacy programs from foundational principles to operational components. The bricks, if you will, to use a Lego analogy, used to build your privacy program. So thank you so much, Aaron, for joining the podcast.
Aaron Mendelsohn: Yeah, thanks for having me, Kevin.
Kevin Angle: So yeah, I wanted to kick off. I have my own copy of this book, and I've read it and really enjoyed it. You do a great job of laying out, you know, I used the analogy to the bricks, all the different things you need to do to build a privacy program. And I know you did teach in the past. What inspired you to put this book together?
Aaron Mendelsohn: It really started actually, you talked a little bit about my teaching at Cleveland State University, and it really started with that course. I was brought in as an adjunct professor in 2017, right at the beginning of the GDPR (General Data Protection Regulation) era, and Cleveland State University School of Law was looking at developing a specialized certification program within the J.D. program to provide students with a background in cybersecurity and privacy law. When I went to law school, almost 15 years before that, there wasn't any concentration in this area. I was a night student and I was looking at how can I incorporate privacy law and cyber law into areas like workman's comp or Judaic law or some area where I always try to pull this thread of privacy and cyber into what I was doing. But fast forward to 2017, and they really thought, all right, this is an area that we can build competency in and provide our students a foundation. So they developed a core set of courses around what do students need to learn around cybersecurity and privacy to have that concentration. And I was asked to teach this course about privacy law and management, which wasn't intended to be a course on the fundamentals of data protection and privacy law. We weren't getting into the text of GDPR, we weren't going to read large treatises or the legal regulations. We really wanted to teach the students, what does it mean to be a privacy professional? What do you need to know if you were to work in a healthcare organization, a financial institution or another large type of company? What are those foundational elements to help you hit the ground running? And that I could teach the students to sort of have a leg up on their peers, to be privacy professionals out of university or out of law school. 
And so we built that course, and it was built with a lot of the elements that went into the book, one or two classes on areas like, we did get into the foundational law of like GDPR in the European perspective and the U.S. perspective. But then we talked about things like incident response. We talked about, what do you do with a contract? What do you do with crisis management? How do you deal with relationship management? And really trying to teach those little elements – I called it an inch-deep, mile-long view on data protection and privacy professions. And as you said, I taught that course for about five years, and I had to say goodbye to being a professor when I moved over to the LEGO group and moved to Denmark.
And I miss teaching, I enjoyed sharing my knowledge with college students, with law students, and that teaching environment. And I started a LinkedIn newsletter at the beginning of '24, kind of pulling in my old syllabus. It had been a couple of years since I taught, so I rearranged that syllabus. And I shared a LinkedIn newsletter with my LinkedIn network, basically a topic a week, that I just wrote about and developed that newsletter over the course of six months in 2024. I was really fortunate and pleased to see that it had found an audience in a large distribution beyond really what I intended. And I got really positive feedback on that newsletter. People enjoyed the way that I was sharing that information just in short bullets.
I got some feedback, too, like, hey, maybe you should make this into a book. And as I was nearing the end of that experiment, I said, all right, maybe I really do have enough to make this into a book, and I took a moment to kind of reflect after I ended that series and said, all right, how could this look as a book? And I didn't know how to transform it myself, but I was fortunate, my wife actually has a first cousin that is a business writer and business book editor. And I reached out to him. His name is Dustin Klein, and he has a side business. He works for some business journals but does the editing and ghost writing on the side and said, you know, I think you have enough here, let me help you transform it. And so really, for about a year, we worked on it together. We collaborated pretty much every weekend. We would have assignments. We took the content that was there already, transformed it into its own chapters, organized the material by sections, and then we started writing new material together, basically going back and forth on information that we thought would be valuable to add to that initial body of knowledge that we shared and that I wrote in the newsletter.
I wasn't quite sure what it would look like at the end, but at the end I think it came together quite well. And I've been surprised to see it find an audience. I'm pleased to see people like yourself that have found it valuable. I think it could be basically read from cover to cover if you're new to the profession and trying to understand what does it mean to be a privacy professional in 2025. And I think it could be valuable in that way just for more seasoned professionals to just have to refer to. And yeah, and so here it is.
Kevin Angle: That's great. You were talking about teaching the foundations of data protection and operationalizing the program. And one of the keys that you highlight there is relationship management and the importance of that, I think, both with product teams, but then also with senior management and even people outside the organization. So, just focusing on the organization first. As a lawyer, one issue you always face is there's always some sort of internal resistance when the lawyers are coming in, because people think you're always going to be saying, no, no no no. How do you overcome that type of internal resistance within the organization?
Aaron Mendelsohn: Yeah, I do think it goes to a lot about being a valued and trusted partner with your internal stakeholders or internal clients. When I join any organization or when I come into a meeting having not known the people in the room, I think it's important to build some sort of relationship or find some commonality that you can have, whether it's through sports, or it could be something else. And I think you have to build that trust. And I never want to be the person that says no. Obviously, I think as legal counselor, as a privacy officer, you have to be willing to put your foot down if it comes to that or escalate to those that have the power to really put the kibosh on a high-risk issue. But generally, you want to find a path to how can we do this? What are your goals? And I think if you can meet the business where they are and understand what is it that they're trying to achieve. If it's a marketing campaign and they want to market to a select group, has that group agreed to be profiled? Has that group agreed to receive marketing messages based upon that profiling? And if not, how can we do that? Or how can we get somewhere close to that without maybe infringing on individuals' rights when it comes to that? So I think you have to be able to communicate very strongly that value that you bring and that you're not just saying no, that you're trying to say, how can we get to your business objectives and meet those goals while still managing risk, minimizing any type of regulatory risk and showing compliance on our part within the organization.
Kevin Angle: Yeah, I had Bethany Singer-Baefsky on a previous podcast, she gave this great analogy too, if you're bowling, you know, if you're bowling down, you'll hit the gutter an awful lot. If you put bumpers up though, you can hit the ball around all the way and have more fun potentially and knock over more pins and those bumpers can actually be freeing in a lot of ways. So yeah, three things you mentioned in the book, "empathy, patience and the ability to listen." I wonder if you could just speak to that a little bit more about, you know, really listening.
Aaron Mendelsohn: Yeah, I mean, ultimately data protection and privacy, we're not driving revenue through the organization. We're there to help support your business in being compliant, managing risk, exhibiting trust, demonstrating compliance. Unless you understand the business, like I was just saying a minute ago, or you've heard the business as to what is it that they're trying to achieve, you can't come in and be like, this is what we're going to do, and I got the plan and you're just going to outline this [plan]. You want to know what is the business trying to achieve? What are their goals? And then you need to build upon that to achieve a compliant position. So I think you have to be able to hear what the business is trying to achieve and you have to be able to be agile and react to what they have as their requirements. And if it's to drive a large campaign throughout the United States that meets a certain segment like we were just using as an example before, then how can we do that? If it's to have a new product that captures certain amounts of data for a specific use case, you have to be able to hear why is that use case important to them, and is that able to happen, and can you do that? So our role shouldn't be as a dictator or the privacy police necessarily, although, as I said, sometimes you do have to come in and say no to things, but you want to use that as infrequently as possible to really, again, be a trusted partner with the business. And I think you have to hear them and you have to understand where they're coming from.
Kevin Angle: And hopefully you can say, no, but here's what we can do.
Aaron Mendelsohn: And I think in those rare circumstances where you do, you have to be like, guys, this is off the table, this is entirely inappropriate, I think they'll value you and respect you a lot more in that situation when that's the last card that you play at the table.
Kevin Angle: So there's much more to the foundations of data protection than we just got into there, but the next part of your book is about program development. And one piece of that that I found very interesting was about, basically, all that you need to do to get buy-in from senior management and demonstrating the value of an effective privacy compliance program. What are some ways that you do that?
Aaron Mendelsohn: I think the best way to do that is to show how do you embed into the organization and the operations. And that's why I wrote the book to begin with, I think a lot of privacy professionals – and there's others that write on this, I'm not unique to this – try to articulate that you have to be able to demonstrate your level of compliance. You don't want to just say, we're going to do X, Y and Z and that's it. I think you want to be able to show how you get to a compliant position, sometimes I call it a defensible position, like we're never going to be perfect. I think no organization can say they're 100 percent compliant 100 percent of the time to 100 percent of all the requirements. So what do you do to demonstrate that to the organization? And I think you show, all right, well, here are the different elements we have in our program. You can kind of use it like a Swiss cheese model too, like if you layer enough pieces of Swiss cheese on top of each other, you don't have any holes left in the cheese, right? And if you can do that with your data protection and privacy program, you can show your leadership, all right, well, we have strong training, we have some policies, we have embedded operations into our development process and we have a complaint line and we can deal with these DSARs and all this.
I think you have to be able to be a strong narrator to the teams to show how you're putting that all together. But then you have to be able to also show them what you're doing. And some metrics are helpful, like, you know, maybe how you respond to DSARs, how many you get, how you are embedding into the operations around maybe impact assessments or risk assessments, how you deal with third parties. But I think you have to be able to show like, we aren't just sucking life out of the teams, we're trying to deliver some value to and make them quicker, more agile. We give them the decisions earlier in their development process by embedding earlier into the development process, so that we can design and go to market faster and quicker.
Kevin Angle: You mentioned one metric being just the number of DSAR requests you're getting and the number of responses. Are there things like that that you can use that help to show the value of privacy itself? Like people really care about this.
Aaron Mendelsohn: I mean, it's hard to measure like near misses, right, or anything like that. And that doesn't necessarily materialize in a scorecard. I think what you can also show, though, is as your organization matures, the more things that you get reported to you as maybe minor incidents – the errant emails or the spreadsheet that had bad access rights or things like that – 10 years ago, no organization, probably very few, had visibility to what those were within their organization. But I think maturing organizations start to see those surface to them, you know, if they maintain some sort of breach notification line. So I don't always look at the number of incidents reported as a bad thing. I think mega or major incidents obviously are, but most of those don't require any type of reporting. They're just levels of non-compliance or bad access rights that can show that an organization is maturing in terms of its employees understanding the risks.
I think the proactive outreach by product teams also shows that level of maturity. You can count how many risk assessments you do, and that doesn't necessarily always demonstrate compliance, but when you have proactive [teams], the questions originate with the product owners, or the business shows that you're seen as a value to them and they want to engage earlier in their process as well. It's hard to always show leadership, but I think you can explain it as look, you know, this month we had four proactive inquiries into our privacy office, or three came from this product and two came from this one or, you know, whatever it may be. Or maybe your legal counsels that you also support as second line sometimes, they're more likely to get engaged because you're helping them return the answers to their teams quicker as well and that helps everybody.
Kevin Angle: So I want to get into some of the operational components that make up a privacy program. Obviously, we don't have time in this podcast to get into all of it. And I do encourage folks to take a look at your book to learn more, but just to pick one out, PIAs. Can you explain what a PIA is and how you use them?
Aaron Mendelsohn: Yeah, so at its core, you need to do some sort of risk assessment around when you collect and process personal data. And I think the goal is to engage in some sort of development cycle, early in it, to do some basic risk assessment. That's how I view PIA as –
Kevin Angle: Privacy Impact Assessment.
Aaron Mendelsohn: Yeah. But in my view, it's just, you know, an acronym we use for some sort of risk assessment so that we can understand what is it that that team or that product development organization is doing when it comes to personal data. And it could be as simple as just embedding into their requirements stage or when they go to secure funding, does it impact the processing of personal data in any way? And have a broad definition and just have it be a yes or no. If you don't have the resources, at least start to ask that question. And then if they answer no, OK, they can move on, and if they answered yes, maybe you move them into a separate workflow where they engage with your team at a very basic level so that you can do some sort of understanding of what is that risk? Is it going to impact children? Is it going to impact any protected class? Is it going to collect any personal data that's sensitive in nature? Whether that's health information or financial account information, ethnicity, religion, anything that's defined sensitive under GDPR, so that you can say, OK, if it is going to impact that way, then what do we need to add on to their development process? What do we want to see? Maybe it's a couple of checks along the way to ensure that they're only collecting what's necessary, and we want to understand that there's a legitimate business purpose, but if there isn't, how can you push back and say, all right, maybe you need to think through this in a different way.
I've been in organizations most of my career where individuals want to do the right thing and I'm fortunate for that, but I can imagine in more startup organizations or early-stage companies or ones that want to just go fast and break things, that sometimes that doesn't always happen. So I think you need to engage as early as possible and start to understand what that risk can look like so that you can provide the support back to them. I think one of the benefits, too, is, if there is no risk, or there is a very low risk, that you don't need to put the same level of scrutiny on everything. So you can start to categorize, and if you just keep it low, medium and high for lack of trying to get super fancy. Low risk is maybe internally facing and only keeps certain low-risk data elements like name and email address for authentication purposes and that's it. You know, let that move on without a whole lot of scrutiny. But if it is, as I said, children's personal data or sensitive personal data, then that maybe gets escalated into high and you have to go through a higher touch assessment or support workflow. And the harder part is everything in between. How do you group everything in that medium? But I think, you know, organizationally, you have to develop that sort of framework for what you'd categorize as high, medium and low and sort of create your own calibration as to where you want things to fall out.
Kevin Angle: And if you have that process in place, your teams can move forward with more confidence that you are acting within those guardrails. So children's privacy, here in the United States there are a number of newer laws that are expanding the scope of data protection requirements applicable to children, often expanding them to include minors. So the LEGO Group, and I'm not asking you to speak to your particular privacy program, but you have experience dealing with children. Obviously, it's a product that is directed to children in many cases. Do you have any recommendations for people who are really new to children's privacy and data protection issues about how to deal with that unique set of data subjects?
Aaron Mendelsohn: The first thing I always tell people is to look at the principle of data minimization. If you don't need children's data, don't collect it. So you can offer a lot of products and services to children without needing their personal data. And so really question yourself, what do we need and why do we need it? Do we need it for a specific purpose? What is that purpose? Can we achieve it in some other way with anonymized data or deidentified data, whatever it may be. Pseudo-anonymized data. That's the first thing I would say. Do not collect children's data unless you absolutely need it. And when you need it, and there are circumstances, you have to look at things like VPC or verifiable parental consent processes and make sure that you get the right level of consent from the parent. And it's sometimes a bit of a Catch-22 because you need some actual data then from the parent. And you generally need something that proves their identity. But once you do that, you can always get rid of that data, you don't need to store it long-term. But I think you have to look at, you know, what do you need and why do you need it. If you actually need children's data and you need to know who they are, then you have to look at those mechanisms around VPC. I think explaining privacy concepts to children is extremely difficult. There are examples out there on how to do that. But I don't claim necessarily to be the subject matter expert in children's development and how you communicate, but I think it's important, where children's personal data is necessary, to not just speak to the parent, but also to communicate in a way that the child understands what it means. There are good actors out there and there are bad actors out there, and I think you have to look at yourself and your own organization and say, we value children just as we do adults and we don't want to misuse their data. And if we don't need that data, don't collect it.
Kevin Angle: What is next for the privacy profession? I hear some people telling me that we're all going to become AI lawyers, or just data lawyers generally...
Aaron Mendelsohn: Yeah, I do think there is a convergence of all these digital risks that would require us to become what I call digital compliance experts. I do think the privacy profession is evolving. I think we've reached a level of maturity within the data protection and privacy profession where this field didn't exist 20 years ago, and I think if you look at the late aughts, early 2010s, it sort of started to hit its stride and really came to, I think, maturity during GDPR and sort of the pandemic period. But now with AI, with online safety, with content moderation, with emphasis on children's data protection, I do think we have to become almost digital generalists, digital compliance generalists, where these issues are not mutually exclusive anymore. I think you will still have privacy specialists. I think we will still have heads of privacy and chief privacy officers. You may see some siloing and cross-functional collaboration. But if you look at the evolution of roles that are being posted and people's career development across bigger businesses, I think you see that the privacy professional leading on this, which I think is awesome, if you look at what the IAPP is doing, they are transforming from the trade group representing privacy professionals to really leaning into digital compliance. And I think those of us that are leaning into that, and I think we'll have a leg up on those that just want to stay in the privacy lane. And cyber is part of that as well, but I think you really have to understand all these issues around data. Data security and digital compliance and not just focus on personal data. I've always felt like the data is the data. It really doesn't matter if it's personal data, if it's trade data, if it's, you know, commercially sensitive information. The controls that we've learned in the program elements that we have learned as privacy professionals are directly applicable to developing programs that are broader in scope.
Kevin Angle: Yeah, no, I think that's great. You moved from information security to privacy, and I feel like a lot of us who've been doing this for a long time, we were privacy and cybersecurity lawyers, and then people became more specialized, and in a way, now the reverse process where we're learning more and more in different fields as well. OK, I ask all my guests this, how can privacy professionals help to foster innovation?
Aaron Mendelsohn: I think it goes back to the earlier questions: to try to participate in the development process as early as possible and not be that person that's seen as the one that's going to say no to everything. I think you want to be trusted, you want to be valued and you want to be available when the innovators within the organization have an idea that they come to you and say, is this a good idea? Would this be OK? In Denmark, they call it "sparring." Maybe in the U.S. it's kind of like "pick your brain." But you want to be able to have someone come to you to say, you know, is what I'm thinking crazy? Does it create too much risk? Is it going to create value for the organization if we start collecting all this on individuals? Maybe you could help them find a way to do it where it's not identifiable or it's only kept for a short period of time and then aggregated with other data sets. I don't know, but you want to be available and open to new ideas so that you can provide your feedback and [be] seen as that trusted partner.
Kevin Angle: So my last question for you, and I'll begin this by telling you that last night I was building the LEGO horse castle with my 5-year-old son. And then I told him that I was going to be interviewing somebody from the LEGO Group and that was like the coolest thing ever. So what is the greatest LEGO set of all time? And the correct answer is the LEGO Trevi Fountain, but you can give me your answer.
Aaron Mendelsohn: I don't know. The one that I probably built in the last few years since I moved here – I'm a big superhero fan, so I'll give you two that I really love that I built. One of them is retired and that's the Batcave. It retired last year. So I'm a big Batman fan. It's a shadow box that they design that opens up and it's based on, I think, Batman Returns or sort of the original Tim Burton type of Batman style. And it's very cool because the shadow box, I don't know if you've seen it, has like the bat symbol in there. And then the other one I would say is the Daily Bugle. It's like the Spider-Man universe and it's a skyscraper and it's pretty tall and that's still available actually. But it's very cool. I've given that as different gifts to family in the past, and I think everybody that gets that is like, whoa, it's really cool. It's got a lot of minifigures. It combines like the original Spider-Man universe with like the Miles Morales Spider-Man universe. It's pretty cool. And there's cool Star Wars ones as well. I mean it's hard to pick just one but those two really, I think, have nailed it in the last few years since I've been here.
Kevin Angle: Well, it certainly brings a lot of people joy. So thank you so much, Aaron, for joining the podcast. This was really interesting. I really appreciate it.
Aaron Mendelsohn: Yeah, thanks, Kevin. Thanks for having me.