In this seventh installment of our Privacy Protectors Spotlight series, we’re excited to feature Debbie Reynolds, known worldwide as “The Data Diva.” As the Founder, CEO, and Chief Data Privacy Officer of Debbie Reynolds Consulting LLC, Debbie has spent over 20 years at the forefront of Data Privacy and Emerging Technology. Her expertise spans industries including AdTech, FinTech, EdTech, Biometrics, IoT, AI, Smart Manufacturing, Smart Cities, Privacy Tech, Smartphones, and Mobile App Development.
Debbie is renowned for being able to transform data privacy challenges into business opportunities for companies navigating the regulatory complexities and risks of emerging tech. Her consultancy helps organizations bridge the gap between legal, compliance, and technical functions, ensuring that they are able to comply with privacy regulations while also building consumer trust.
Debbie’s influence goes beyond her consultancy work. She is also the host of the “The Data Diva Talks Privacy” podcast, a leading resource in the data privacy space, gaining significant recognition and a global following. With over 435,000 downloads and listeners in 120 countries and 2619 cities, the podcast ranks among the top 2% of all podcasts globally. It was recognized as the #1 Data Privacy Podcast Worldwide in 2023 by Privacy Plan and has earned accolades from platforms like Apple Podcasts, bCast, Goodpods, and Player FM. Debbie’s podcast features thought-provoking discussions with global leaders on privacy challenges, emerging technologies, and regulatory trends, making it a go-to resource for data privacy decision-makers and cybersecurity professionals alike.
Debbie is widely recognized as one of the top global experts in privacy, including being named one of the Top 8 Global Data Privacy Experts to follow by Identity Review, Global Top Ten Privacy Experts by MartechVibe, and one of the Top 30 CyberRisk Communicators by the European Risk Policy Institute. In 2022, she was appointed to the U.S. Department of Commerce’s IoT Advisory Board, and she has also served as the IEEE Committee Chair for Cyber Security for Next Generation Connectivity Systems.
Debbie is a highly sought speaker who has presented at prestigious events for organizations like McDonald’s, Coca-Cola, PayPal, Uber, and Johnson & Johnson. Her thought leadership has been featured in The New York Times, Wired, USA Today, and Business Insider, among other major outlets.
With over 200 media interviews, 200+ speaking engagements, and 20+ advisory board roles, Debbie Reynolds is a leading voice in privacy and emerging technologies, continually shaping the future of data protection.
Background
Debbie’s path to becoming a data privacy expert was somewhat indirect. She initially majored in philosophy, intending to go to law school. However, when her mother was diagnosed with cancer during her senior year of college, she chose a more flexible career path that allowed her to spend more time with her family. This led her to work in library science and desktop publishing, which eventually sparked her interest in data management when she was asked to help create a digital catalog of books for a university library. This early exposure to organizing data kindled her fascination with data, and she later transitioned to working on more advanced data projects.
Debbie’s interest in privacy specifically began when she read a book called The Right to Privacy co-authored by Caroline Kennedy, which outlined the gray areas in U.S. privacy laws. She was shocked to learn that privacy is not a constitutional right in the U.S., despite the common perception of the country as the “land of the free.” This realization fueled her desire to pursue a career in privacy protection and legal data issues.
Debbie’s Typical Day
Debbie Reynolds has since become a virtual encyclopedia of all things related to data privacy. Being able to keep up with all the emerging technologies, privacy regulations, and the current and future impacts of these is a colossal feat. To do so, Debbi spends several hours a day conducting research to stay up-to-date on the latest developments in data privacy, cybersecurity, and related regulations. She uses tools like Flipboard to gather articles and topics of interest and compiles them into a “research magazine.” She regularly reviews these materials, often reading for a couple of hours every evening.
To manage large documents like privacy regulations, Debbie uses tools like Speechify, an app that reads texts aloud. This allows her to multitask while staying informed, listening to documents while engaging in other activities such as household chores.
Her typical day involves self-learning, content creation, and staying informed through continuous research—a dedicated practice that has made her the leading data privacy and technology expert she is.
Reducing Privacy Risks for Organizations
Debbie Reynolds’ writings offer a clear roadmap for organizations to reduce data privacy risks. She emphasizes the need for proactive strategies that evolve with regulatory and technological demands. Organizations must stay ahead of the curve by adopting forward-thinking data protection strategies that anticipate regulatory changes and safeguard consumer trust.
In her article titled, “Three “Hard Truths” that will Greatly Reduce Organizations’ Data Privacy Risks, Debbie Reynolds shares pragmatic insights on how businesses can proactively manage their data privacy risks. She outlines three critical “hard truths” that can serve as guiding principles for organizations to improve their data practices.
- Hard Truth 1: “Organizations that collect too much data collect evidence against themselves.” Debbie warns that companies hoarding data without clear purpose or proper consent are essentially holding evidence that could be used against them. She emphasizes that having a living data management plan that tracks the entire data lifecycle is crucial. As she puts it, “Fancy explanations and high-brow arguments will not help you dance around the fact that ‘yes, you did it’!” This reflects her insistence on purposeful and accountable data handling practices.
- Hard Truth 2: “Privacy is a data problem that has legal implications, not a legal problem that has data implications.” Debbie highlights that data management is the root of most privacy issues, not legal missteps. Many organizations get fined not because of poor legal counsel but because they fail to change their business operations related to data handling. She underscores, “Actions matter more than words with data” advising organizations to focus on operational changes before legal troubles arise.
- Hard Truth 3: “Low business value data has a high Data Privacy and Cybersecurity risk.” In this point, Debbie highlights how data once considered valuable but now perceived as having low business value can become a significant cybersecurity risk. Cybercriminals target this underprotected data, as seen in breaches like the T-Mobile incident. Debbie stresses the importance of properly handling low-value data by moving it through its lifecycle to reduce risks.
In another article, The Three Most Important Privacy Intelligence (PQ) Success Factors for Organizations, Debbie stresses the need for businesses to develop “Privacy Intelligence” (PQ) to navigate the growing complexities of data privacy. She defines PQ as an organization’s ability to anticipate and adapt to external changes in regulation and technology that impact data privacy practices. Debbie outlines three key success factors for mastering PQ:
- PQ and Individual Rights:
Debbie argues that organizations must recognize individuals as key stakeholders in the data they hold. As privacy regulations, such as the CCPA and CPRA, expand individual rights to data correction and deletion, companies must stop operating on “auto-pilot” and evolve their processes to meet these new obligations. Reynolds advises companies to assess whether they can effectively communicate how they protect individual data, meet transparency obligations, and manage processes to fulfill new privacy rights. She cautions: “Saying yes to any of these questions without a rethink of your operational ability to execute in these areas may indicate that your organization has rising risks that are growing daily.” - PQ and Emerging Technologies:
Embracing new technologies brings both opportunities and risks. Debbie emphasizes that organizations must be vigilant about how emerging technologies, such as facial recognition or biometric systems, collect and store data. She warns that misuse of such technologies can lead to significant privacy breaches and reputational damage. She advises companies to ask: “Would the news of data uses of emerging technology damage our organization’s reputation if written about in the press?” - PQ and the Right Expertise:
Debbie emphasizes that organizations must leverage the right expertise—both internal and external—to bridge the gap between legal requirements and the technical realities of data privacy management. She insists that privacy must be addressed at the operational level, not just in legal policies, and underscores the importance of aligning business actions with promises made in privacy policies: “Promises written in legal policies will not help organizations that cannot ensure their paper promises match their true actions.”
“Although there is nothing wrong with leveraging new technologies, it can become a Data Privacy Risk when new capabilities are used that may impact the data collector’s duty and the data stakeholder’s rights. In these situations, companies must evaluate the features of these new products and the risks. Organizations must not use every feature in a new product to reach their goals. Think about ways to limit data collection when possible by either disabling certain features or looking for privacy-preserving products that fit your needs.” – How Can Managing Three Underrated Data Pitfalls Help Organizations Avoid Epic Data Privacy Risks? — Debbie Reynolds Consulting LLC
In her article, What are the Five Fundamentals of Data Privacy and Data Protection Regulations?, Debbie introduces her framework called “PPARR,” which she developed to help organizations better understand data privacy regulations and improve their data management. PPARR stands for Protection, Purpose, Accountability, Rights, and Retention, which Reynolds identifies as the core principles behind most privacy laws worldwide.
- Protection:
Debbie explains that the fundamental aim of privacy regulations is to ensure organizations take concrete steps to protect individuals’ data. She points out that organizations must not only have policies in place but must also demonstrate that they have implemented safeguards, such as access controls and data minimization strategies, to protect data.“Regulations around protection are about not only saying that you protect data but also having evidence of how you protect data.”
- Purpose:
Reynolds stresses that organizations must clearly define the purpose for collecting and retaining data. Regulators are scrutinizing how organizations assess and justify the need for the data they collect. Collecting data for vague or undefined reasons should be a red flag, as it increases the risk of violating data protection laws.“Collecting data for which the purpose is not clear should be a red flag related to Data Privacy and Data Protection Regulations.”
- Accountability:
This principle emphasizes that organizations must have designated roles responsible for overseeing data privacy practices. Debbie highlights how regulations such as GDPR and China’s PIPL require companies to assign someone to own the responsibility for data privacy. Without this accountability, organizations are at greater risk of regulatory breaches.“No longer is it appropriate for organizations to have all these responsibilities disregarded so that no one individual has any idea about how data is handled.”
- Rights:
As privacy regulations continue to evolve, individuals are gaining more rights to their data, and organizations must be prepared to handle these rights, including requests for data access, correction, or deletion. Debbie advocates for viewing individuals as “data stakeholders” rather than mere customers.“Organizations must anticipate and act on the fact that they must be transparent with their data stakeholders to remain aligned with the existing and rapidly evolving regulatory landscape.”
- Retention:
The final fundamental focuses on data retention. Reynolds explains that retaining data indefinitely is no longer an acceptable practice. Many regulations now require organizations to delete data after a certain period or once it is no longer necessary for the original purpose. Failure to comply with data retention rules increases privacy risks.“Data held too long by organizations may decrease in terms of business value, increasing their Data Privacy risks.”
Navigating the Broad Spectrum of Data Privacy Challenges
In her interviews, writings, and presentations, Debbie Reynolds explores an extensive array of issues and technologies that impact privacy at both organizational and individual levels. Her insights range from corporate accountability and emerging privacy laws to ethical concerns around AI, biometrics, and data brokerage. Below is a selection of some of the key topics she addresses:
Privacy by Design
Debbie discusses the importance of privacy by design, where systems and technologies incorporate privacy measures from the start rather than retrofitting them later. This approach ensures that data governance frameworks are robust enough to handle the increasing complexity of global data regulations and ethical requirements.
Global Privacy and GDPR’s Influence
Debbie highlights the influence of GDPR as the most comprehensive privacy framework globally, noting how its language and structure have influenced privacy regulations in other countries. She mentions that GDPR has set a global standard, pushing other nations and even U.S. states to adopt similar principles regarding data controllers, processors, and data subjects.
Impact of the California Consumer Privacy Act (CCPA)
When it comes to U.S. privacy laws, Debbie emphasizes the importance of the CCPA, noting that it has set a de facto standard for data privacy in the U.S. Other states and companies outside California have started adopting similar privacy protections, like the “Do Not Sell My Data” buttons on websites. This trend has raised awareness about data privacy issues across the U.S., even in states without strict privacy laws.
Personal Responsibility and Corporate Accountability
Debbie emphasizes the role of both individuals and companies in protecting data. While individuals should be vigilant about sharing their data and how it is collected and used, Debbie believes that companies must communicate clearly and take responsibility for data practices that might affect their customers in unexpected ways.
Data Brokers and Hidden Data Practices
As organizations grapple with privacy accountability, Debbie Reynolds points to the unchecked practices of data brokers, who collect and use personal data without individuals’ knowledge. One example she cites involves car manufacturers gathering driving data, which is then sold to data brokers and used by insurance companies. This practice leads to decisions (like increasing premiums) based on information that individuals aren’t even aware is being collected. She views this as a prime example of over-collection of data and stresses the need for greater transparency.
In an interview with Cyber Work Podcast, Debbie cited an example from a friend and fellow data expert whose insurance premium rose by 30% due to behavioral data collected by his car. Despite having a clean driving record, he discovered that his premium increase was attributed to data points like his frequent travel through certain neighborhoods and occasional hard braking. This data, collected by his car, was shared with insurers through third-party brokers and used to assess his driving “risk” without any consent or awareness on his part. Such a lack of transparency and consent, she explains, is a central issue with data brokers:
“We have problems around privacy because we have companies that are using our information without our knowledge, without our permission. That’s what the data broker industry totally is. And what happens is they are using this data and are selling it and are making decisions about you that you may not be aware of, that may be harmful to you.” – Risk and Reels: A Cybersecurity Podcast | Positivity, Privacy, and Pressure (transistor.fm)
Debbie points out that the data broker industry’s unchecked access and inadequate protections, as seen in high-profile breaches, expose systemic gaps in privacy regulations, leaving individuals vulnerable.
“National Public Data, the data broker company that got breached. Just that breach in itself is indicative of the problem or the huge loophole we have in our privacy regulation. First of all, I don’t know these people, do you? Why do they have my data and why aren’t they protecting this data the way they should be? How on earth did this company get data on almost everyone in America? This type of data you would only assume a government would have or a credit reporting agency. This data broker industry can collect the same types of data but they aren’t held to the same standard and we don’t know who these people are…This is a national problem. This is a societal problem. We need more than just saying ‘best of luck, hopefully you don’t get scammed, I don’t know what you’re going to do.’ That’s the wrong answer!” – (4) Privacy Overheard – Ep #1 | LinkedIn
Corporate Action and Trust Wars
Reynolds points out that companies like Apple are leading the charge in offering transparency and control over personal data, as seen in features like iOS 14, which alerts users to app behaviors like tracking or recording. She believes this trend will lead to a “trust war” where consumers, increasingly educated about their data, will only share information with companies they trust. Smaller companies that can’t gain consumer trust may struggle as a result. Debbie predicts that Apple’s success in profiting from privacy-focused measures will push other companies to follow suit.
Ethical Use of AI
Debbie raises concerns about AI’s growing role in decision-making, especially in hiring algorithms or insurance adjustments. She argues that AI should assist rather than replace human judgment, warning of the dangers of making biased or incorrect decisions based solely on algorithms. Her stance calls for more responsible AI deployment, particularly in contexts directly impacting people’s lives.
Biometric Security Concerns
Reynolds is cautious about the growing use of biometric data (e.g., fingerprints, facial recognition), pointing out that once such data is compromised, it can’t be changed like a password. She stresses that while biometrics can enhance security, they also carry significant risks if stolen. Reynolds calls for stronger methods of ensuring that identities are verified in ways that cannot be replicated or stolen, as this would help curb identity theft.
Debbie Reynolds’ Foresight
Debbie Reynolds demonstrates an acute prescience regarding privacy risks tied to technological advances. Reflecting on when microchips were first implanted in pets, she noted, “I thought, oh, this is bad, because people are going to put chips in people at some point.” This foresight reveals her anticipation of privacy concerns and her awareness of the broader future ethical landscape—specifically, the potential for invasive monitoring, loss of personal agency, and the widespread misuse of data and technology by malicious actors or organizations or governments. Her prescient outlook on technology trends and their impacts on privacy has been a hallmark of her work, guiding her in advising organizations on the future risks of unchecked data collection and emerging technologies.
The Future of Privacy Regulation, Privacy Risks, and the Role of Consumers
When it comes to where Debbie sees the future of privacy going, she sees both positive and negative trends on the horizon:
“From a regulation standpoint, for privacy, I think there will be more regulation for privacy. We definitely see the states in the U.S. being very active on privacy because they feel like they don’t want to wait for what’s happening on a federal level. That may never happen. And what that is doing that people didn’t expect is it’s creating a de facto standard in the U.S. So California has their law and you may not be in California but we have companies like PayPal saying whether you’re in California or not you can exercise your rights just like you were in California because it’s easier for them to do that.” – Risk and Reels: A Cybersecurity Podcast | Positivity, Privacy, and Pressure (transistor.fm)
“Because technology is advancing so rapidly and people are really adopting it really rapidly and not really caring about the risk, the risks are going to rise exponentially and it will be a problem. We’re generating data and we’re creating data that was never collected before so the risks are gonna go through the roof.” – Risk and Reels: A Cybersecurity Podcast | Positivity, Privacy, and Pressure (transistor.fm)
“Consumers are getting wiser so maybe some of this awareness is actually helping where people are like ‘wait a minute, what are you doing with my data?’ So consumers can vote with their feet and they can vote with their wallet. And if companies feel enough bottom-line pain or people are like ‘hey we don’t want to use your service because we think you’re shady or creepy’, they’re gonna have to change their business practices.” – Risk and Reels: A Cybersecurity Podcast | Positivity, Privacy, and Pressure (transistor.fm)
Conclusion
Debbie Reynolds, “The Data Diva,” is a remarkable figure in the field of data privacy. Not only is she able to keep up with, process, and analyze enormous amounts of complex information with ease, she breaks it all down in accessible, down-to-earth ways that anyone can understand. Through her consultancy, she and her team are able to take the organizational challenges posed by the intersection of data privacy, regulations, and technology, and turn those into business advantages. Debbie’s foresight enables her to anticipate future risks and trends related to data privacy and emerging technologies, empowering individuals to become more vigilant and organizations to act appropriately. Debbie’s work exemplifies her deep commitment to helping others understand, prepare for, and navigate the evolving data privacy landscape.
At Optery, we are greatly inspired by Debbie’s work and are happy to spotlight her for her outstanding contributions to data privacy.
Join us in recognizing Debbie Reynolds’ important work. You can follow Debbie on LinkedIn here, read her articles here, listen to her interviews here, and follow her YouTube channel here, where she posts short (5 minutes or less) videos on a variety of issues related to data privacy such as “Data Privacy and Smart Glasses,” “Data Privacy and Shadow AI,” and much more.
Debbie also publishes “The Data Privacy Advantage Newsletter,” a monthly resource hub of practical information, advice, and content that helps organizations make Data Privacy a business advantage.
Stay tuned for more features in our Privacy Protectors Spotlight series and follow Optery’s blog for further insights on safeguarding your personal information.