Legal GRC catchup with CenturyLink's chief privacy officer, Hugo Teufel III and Exterro
1. Tell us a little bit about CenturyLink and your role at the organisation?
Well, actually, we’re now Lumen Technologies, Inc. You may have heard that this week (September 14), the company announced that it has transformed and rebranded with a new name and a bold new purpose: to further human progress through technology. Lumen will help lead enterprises through the challenges and opportunities of the 4th Industrial Revolution – a time when smart, connective devices are everywhere. The 4th Industrial Revolution has dramatically changed the business landscape and what our customers demand from us. Lumen encompasses three brands: Lumen, Quantum and CenturyLink and is a company rooted in a rich historical legacy that stretches back nearly 100 years, unifying approximately 30 different companies and extensive global infrastructure. This vast collection of talent, experience, assets, and capabilities has been brought together to create a new kind of company designed specifically to address the dynamic data and application needs of the 4th Industrial Revolution.
My role is Chief Privacy Officer, but my responsibilities include more than privacy. My team and I focus on cyber and data security; privacy/data protection; records management; and legal reviews of security service requests for data.
2. How did you get into your current role?
Most immediately, I applied to CenturyLink, now Lumen, after seeing a job posting on LinkedIn. The position, as advertised, called for a number of skills and experiences I’ve picked up over the years working in the public and private sectors. From a longer-term perspective, I have Michael Chertoff, former Secretary of the U.S. Dept. of Homeland Security, to thank. I had been the senior legal advisor to the Chief Privacy Officer (CPO) at the Department of Homeland Security. When the prior CPO left for the private sector, I was asked if I had an interest in applying to be the Department’s second CPO. I said yes and then interviewed with the Deputy Secretary, Michael P. Jackson—who stood up the Transportation Security Administration at the Department of Transportation before DHS was created—and Secretary Chertoff. Both interviews were brief, and both wanted to be sure that I understood what I would be getting into if I took the job. The position required inner strength and determination, as well as an appreciation of others’ points of view. As with the DHS CPO position, my job at Lumen requires an understanding of the global privacy environment, an appreciation of the interests of internal and external stakeholders, and a love of learning about and mastering new and emerging subjects that impact the privacy of our employees, business partners, and customers.
3. Thank you for participating in Exterro's recent "Legal Leaders" webinar series and speaking on our panel "Data Inventory and Mapping to Operationalize Global Compliance and Risk Management". What are your key takeaways from this session?
Thank you for inviting me! I really enjoyed being part of the panel and talking about the issues. What are my key takeaways? Really, just one main takeaway: It’s always all about the fundamentals. There’s no magic, just hard work in properly executing the fundamentals of inventorying and mapping data. The data inventory and data mapping is the heart or the core of any privacy program. Everything flows from the data inventory and if you get it wrong, everything that flows from a flawed inventory will likely be off. You can’t take shortcuts and you can’t outsource, but you can enable technology to help you to better execute the fundamentals.
4. Which areas of Legal GRC (Governance, Risk and Compliance) do you find particularly rewarding in your role?
All of them. Seriously. Breaking down each of the core disciplines and focusing on the components of each—strategy, processes, technology, and people—for each discipline to align with the company’s risk appetite, is immensely satisfying. We help the company be more efficient, effective, legally compliant, and ethical.
5. Which areas do you find most challenging?
Right now, understanding the written and unwritten lines of communication, the products and services, and the key people within the company are a high priority for me.
6. How has the recent COVID-19 situation impacted the Legal GRC activities at CenturyLink?
We’re a technology company with a global fibre network, so we’ve adapted to and overcome the challenges of working remotely, rather than at company offices. We’ve proven that we and the technology upon which we rely are resilient and scalable.
7. What advice would you give to yourself if you had to start again in your career?
There are two things I would say to myself, or anyone else thinking about going into the privacy field. The first is to master at least one other language: French, German, Spanish, Italian, Korean, Japanese, or Mandarin or Cantonese. The 4th Industrial Revolution means living in a global information society and working in a global information economy. Speaking another language gives one insight into other cultures and lands and gives one a competitive advantage over those who only speak English. Second is to spend more time learning about information technology. Privacy engineering is the future, and that requires a deeper understanding of technology than most privacy professionals have.
8. How do you see the Legal GRC landscape changing in the next few years?
I wouldn’t be surprised to see big companies moving to across-the-board controls to minimize the time spent responding to different functions’ data calls and internal assessments for their individual compliance programs.