We recently had the opportunity to interview Christine Huang who is a Senior Expert in Data Privacy at SAP. Christine started her career in the telecommunication sector. She worked for various mobile technology companies globally. She was responsible for aligning with local regulatory bodies, such as the Ministry of Industry and Information Technology (MIIT) of China. Also, she has recently worked for one of the leading semiconductor companies, leading enterprise data protection and compliance which encompasses Export Control, Trade Secrets, HIPAA, Data Privacy etc. We are sure you will find this interview insightful.

1. Firstly, thank you for taking part in this campaign. Can you give us an introduction about yourself, Christine? How did you venture into data protection and privacy world?

The pleasure is mine. I started in the telecommunication sector, specifically in mobile technology. At the start of my career, the mobile value-added service market was very lucrative, many new technologies tried to be part of this emerging market. And for many countries, there were three main players, regulators, network carriers, service or content providers (SP/CP). I worked for the service provider but inevitably dealt with the regulators and carriers.

As we have seen, with any new monetization models, there are always regulations being put in place to protect consumers; ensure the new technology is regulated, and market competition is fair. Due to hardware and network capabilities in the pre-Wi-Fi era, the most popular monetization model was via user subscription, advertising, and data volume, and digital traffic sharing. My responsibilities then are actually very similar to some of the responsibilities that I have now.

Because of technological advancement, many business models are now built on more types of data. Ultimately, it is always to protect the data that companies are profiting from, foster transparency in the way that data is used for,  whether is today SaaS, Confidential Computing, Artificial Intelligence, etc. or tomorrow’s Quantum technology, Supe Computing, Artificial Super Intelligence. My per se privacy-centric career started right before the enforcement of the GDPR that brought global privacy awareness to a defined level.

We are now in the data economy, data plays a critical role in every aspect of our lives. The speed and volume of data processing that is enabled by 4G and 5G have turn personal data both into assets and liabilities.  Privacy is now being measured on the same level as the traditional highly regulated domains such as financial and healthcare.

2. Can you discuss the evolution of people’s concerns about privacy and what do you think has changed in terms of these concerns over the last 5 years?

I think, because of the geo difference in the perception of privacy, what 5 years ago in privacy heavy EU may be different from the rest of the world, especially in non-democratic countries. But generally, 5 years ago, or before the GDPR, most concerns were “after the fact”, after a data breach, what happened to my data? These days with various big-tech making headlines, either negatively in mishandling our data, profiting from our data in what is marketed as “free service”, or positively by putting privacy as a competitive advantage.

We start to realize the value of our data; the imbalance of data privacy standards; and the scary fact that we could be living under various surveillance tools, our social profiles can be built from ways that are beyond our abilities to understand and control. Lastly the ultimate question on how much we are willing to trade convenience with our data.

3. What can we integrate into our daily tech habits in order to better protect our privacy?

These days the line between reality and virtuality is blurring. We realize how we are tracked across different products and services with iPhone IOS updates. The majority of us are not technology savvy enough to understand what is being done behind various services. Thanks to the GDPR and other regulations alike, there are laws in place to regulate technology and the virtual world. However, humans are creatures of habit, for example, we weren’t used to all the COVID hygiene and masking wearing at first or when seat belts were first mandated, but now they become ritual.

So I would encourage everyone to take a moment and understand the choices or legal notices such as consent that the website provides and remember there are no free services, when something is free you are the product. 

4. What are the biggest issues that small businesses should tackle from a privacy perspective when they suffer a data security incident?

Privacy should not be an afterthought, I hope you have already had some sort of frameworks or programs in place before such an incident. Depending on the industry vertical you are in, you may have different incident plans. Very broadly speaking, first, you need to understand the scope of the incident, size of the contamination;  secondly, determine if your incident protocol is followed, what system and data are impacted or infected, and what the root cause is. And work with legal to determine which breach obligation such as notifying your business partners, regulatory authorities, or data subjects are required.

Lastly, a collaborative incident review, how can you prevent such incidents? Where are the weakest links? Does your security program or employee training program need to be updated? We all learn and improve from our falls and crisis.

5. How do you stay up to date with industry news and updates regarding data protection and privacy?

Companies that I work for, usually provide first-hand resources of the latest requirements or security standards which can come from legal guidance or security requirements; IAPP, One Trust, and some other privacy and security expert network groups also provide very timely info, industry discussions, webinars. Lastly, as I work closely with customers who communicate with us about their latest compliance concerns that often require them to revise their data protection postures in their existing business processes. So I gain different compliance insight from our customers too.

6. What work-related hack do you follow to enjoy maximum productivity?

My current employer offers a flex working policy, which requires robust infrastructure to support such a model.  I am very fortunate that the systems and processes are there long before the pandemic to make collaboration with my teammates very efficiently anywhere with good Wi-Fi.

Ironically there is something non-tech that I cannot be productive without, that is my notebook. I take physical notes, it has to be pen and paper, but thank goodness they can be transferred and shared easily and digitally when I am on the go!

7. What do you think organisations should be doing more to encourage more women to consider a career in data protection?

Interestingly, I actually have a lot of female friends and colleagues in data protection – but I think data protection is traditionally seen as a security job, which is used to be a male-dominated domain, any security job is. Personally, I think organizations should not associate any job with gender or race. One’s capabilities shouldn’t be restricted by his/her origin, gender, or accent. Thus HR privacy technology, such as using unbiased AI to combat the hiring Blackbox. I also encourage women to step up to the jobs that they want.

8. Lastly, if you could give your 25-year-old self just one piece of career advice, what would it be?

I am a very realistic person, there is so much advice I would give to my younger self. But my then self would probably not listen. So, if I have to pick one, I would say, don’t define your ultimate goal, be open to alternatives, learn to be flexible, but have a direction.

---

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.