Interview with Cloudflare's DPO Emily Hancock
As part of the Top DPOs 2022 project, we’ve interviewed top privacy experts in the tech industry to unveil and share their practices with the community. Read how Cloudflare’s DPO tackles common privacy challenges while achieving team alignment.
From implementing up-to-date privacy practices across the organization to handling a high number of data subject requests, a DPO has to overcome many challenges to succeed.
What do you look forward to most about going to work every day? What gets you excited?
I like that my days are never routine. There are always new challenges in the privacy space — whether it’s a new regulation (there is no shortage of those!), an issue a customer has raised, or an internal compliance task we’re working on.
I am excited to be surrounded by an entire company of smart people who understand that privacy and compliance are core to Cloudflare’s mission to help build a better Internet. It’s so rewarding to be at a company where we make products that actually have a measurable impact on people’s privacy, like our 1.1.1.1 public DNS resolver, investing in Oblivious DoH (DNS over HTTPS), and investing in privacy-first analytics that don’t rely on tracking end users.
Let’s step back for a moment. What roles have you fulfilled before becoming a DPO?
Before joining Cloudflare as its first DPO in 2018, I was VP of Legal at Evernote. In that role, I focused on data disclosures and privacy matters and headed the legal team. Prior to Evernote, I was a Senior Legal Director at Yahoo! overseeing law enforcement data disclosures, cross-border data transfer, and child protection matters. And before joining Yahoo!, I was an associate at Steptoe & Johnson and Covington & Burling. The common thread through all my roles has been a core interest in protecting the privacy of people’s data online–and that is also what inspired me to join Cloudflare.
What is the single thing about Cloudflare that you are proudest of (privacy-wise)?
The businesses that rely on Cloudflare have had to navigate an ever-evolving privacy landscape in the past several years. I am especially proud of working cross-functionally with our legal, policy, security, sales, marketing, product, and engineering teams.
This included addressing many of the EU GDPR-related questions our customers were raising regarding the explanation of data flows, our supplemental measures in light of the Schrems II decision, and how Cloudflare’s services help our customers comply with data protection laws. A new Data Localisation Suite, GDPR FAQs, and a new Cloudflare Trust Hub were just a few of the deliverables that came from this team’s work.
Can you share the top concern or challenge you're facing as a DPO in the tech industry?
While the increasing number of privacy regulations is a huge challenge, it’s not what concerns me the most. I’m more concerned about the trend toward data localization as a proxy for privacy protections. Keeping data in a certain location is not what keeps it private and secure. While we understand that our customers have to comply with localization requirements–and we are building compliance solutions for these requirements–we should make sure that consumers understand that real privacy protections come from technological tools like encryption, ODoH, and the use of privacy-protective VPNs.
When it comes to regulating data privacy laws, what don't regulators understand about the business side of things?
Regulators are in a tough position. They are being asked to come up with rules and regulations for today’s technology, but by the time they are able to actually develop those rules, the technology has already started to move on.
I don’t think it's necessarily a lack of understanding from regulators, but regulators have to be open to hearing from a variety of stakeholders–not just a handful of big companies–about how a variety of technologies work and about how regulations can impact those technologies.
Let's end with a personal note. Do you regularly delete digital accounts or apps that you are not using anymore (to keep a lean digital footprint)?
Yes–I definitely delete apps that I know I’m not going to use again. And I’ve disabled location sharing on most of the ones I still use. I’m also that person who will actually go through the process to opt-out of cookies when a cookie banner pops up.