Apr 4, 2019
In this episode, I interview
Dennis, Director of Privacy and Counsel at Pharmaceutical
Product Development in North Carolina. Corey talks about his transition from
an associate focused on litigation to in-house corporate counsel
and how he leveraged his expertise in privacy to make this
I speak to a lot of lawyers about their careers and over the years, I have seen a number of themes. One recurring theme is that many lawyers express interest in transitioning into in-house roles. In-house is seen as a place where a lawyer can become more part of the “team”. It is also perceived as an opportunity for better work/life balance. Whether this is actually true is a good subject for debate but it remains a goal of many lawyers in private practice.
For corporate transactional lawyers, there is a path to in-house that seems clear and we have spoken about this in other episodes of Counsel to Counsel. But for litigators, the path is less obvious. Litigation is a service that many corporations outsource. While some companies regularly handle litigation in-house, there are fewer direct opportunities to apply these skills in a corporate environment.
Corey Dennis is someone who has successfully made this transition and he did it by establishing himself as an expert in privacy.
Since 2013, he has worked for
PPD, a global contract research organization provides clinical
research, laboratory, and related services to leading
biopharma and medical device companies. But prior to that, Corey
was an associate at midsized and boutique law firms in
Massachusetts focusing on corporate litigation, compliance, and
employment law. He is a graduate of Suffolk University School
Sure. I’ll start by giving a bit further background on my company.
PPD manages clinical research for pharma and medical device companies seeking to bring therapeutics to market, from small start-ups and biotechs to the largest pharma companies in the world. This includes clinical trial monitoring, conducting clinical trials, patient recruitment, laboratory testing, and post-approval/real-world evidence consulting services. We are a large organization of 21,000 employees in 48 countries. As you can imagine, this is a highly regulated industry, which is complex and evolving; to succeed in it, you must be analytical, collaborative, adaptable, and business savvy.
At PPD, I’m responsible for managing global data protection compliance, specifically focusing on the U.S./North America, Latin America, and Europe. After being promoted to the Director level in 2017, I took on additional responsibility, and am now managing a team of three attorneys reporting to me, who are based in the U.S. and Spain.
My role involves monitoring legislative developments and building/maturing our global privacy program in response to those developments. I work closely with our Chief Privacy Officer, based in the UK, who has been working in the field for over 20 years. I develop policies/procedures, training programs, and guidance to ensure compliance with the challenging regulatory framework in this space, manage privacy-related M&A diligence, and manage other privacy-related issues, such as security incidents.
PPD also offers an EU Data Protection Representative Services to our clients, which is akin to a compliance-oriented consulting service to ensure compliance with EU privacy laws. My group spends quite a bit of time focused on this, and EU General Data Protection Regulation (GDPR) related issues generally.
GDPR and global privacy law compliance has been a challenge for companies in our industry as well as industry wide. Suffice it to say, we’ve been very busy and there’s never a dull moment in this space.
I enjoy working in a challenging field, collaborating with bright and dedicated colleagues throughout the world in a growing and highly successful company, and being focused on the mission of improving health and helping our clients to deliver life-changing therapies.
I also enjoy being a subject matter expert in a niche area, and the challenge of staying on top of an evolving regulatory environment.
I’m fortunate that I’m able to use my subject matter expertise to help solve complex legal, compliance, and business issues, and ultimately facilitate our mission of improving health while helping the company to operate in a compliant, successful, and ethical manner.
The concepts of privacy and healthcare privacy in particular are not new, dating back as far as ancient times to the Hippocratic oath. What has changed over time, especially in the past 10 years, is that the regulatory framework in this space has rapidly evolving, in part in an attempt to keep up with the new technologies and greater uses of personal information.
There are many reasons why privacy is so important for companies, the most obvious being the need to remain compliant with law and avoid significant fines and liability. Data breaches have been a major area of risk/liability for companies for many years, and the risk of resulting litigation and regulatory enforcement continues to increase. The EU GDPR brought this prominently to the attention of c-suites and boards of directors, given the potential for fines of up to 4% of global revenue.
For many companies, it’s important to focus efforts on privacy to ensure customer trust and maintain a strong reputation from a PR perspective. Privacy-related issues, such as security breaches, tend to diminish consumer trust, company reputation and good will, so it is critical to invest in compliance and ensure a mature program is in place.
We face a number of challenging issues in our day to day work. Prior to the EU GDPR becoming effective on May 25, 2018, we spent many months preparing.
After May 25 came and went, there was a brief moment of respite, but we soon saw a new set of challenges in relation to other new laws enacted globally, including the recently enacted General Data Protection Law in Brazil and California Consumer Privacy Act of 2018 (effective January 2020). These laws have brought significant challenges, not only in matters of legal interpretation, but also simply due to the volume of work and resourcing (e.g., vendor diligence, contract review).
I also spend a lot of time on privacy/security diligence for M&A deals. I’m fortunate that PPD has grown through several strategic acquisitions over the past few years. These have been challenging from a resourcing and time-management perspective, but have been very interesting and rewarding experiences.
I’m actively involved in groups and associations in both the privacy and pharma/clinical research fields, including the Association of Clinical Research Organizations (ACRO) and the International Association of Privacy Professionals (IAPP). I regularly publish articles and speak at events on privacy and data security developments.
I obtained a certification in information privacy for the US in 2012 (CIPP/US), and for Europe in 2018. These have helped in terms of demonstrating the required subject matter expertise in this field.
I’ll be speaking on a panel on the extraterritorial applicability of the GDPR—i.e., in what circumstances the law applies to U.S. companies and what they should do about that—at the IAPP Global Summit conference in early May, along with a good group of co-panelists: Ruby Zefo (CPO of Uber), Ed McNicholas (Sidley Austin), and Felicity Fisher (FieldFisher). This is a very important and challenging topic, which is relevant to many companies, so it should be interesting.
I started my legal career as a law clerk in the Connecticut Superior Court, working on behalf of a panel of judges. This was a great learning experience and transition from the academic environment of law school to the law firm world.
I was first exposed to data privacy/security law when practicing employment law at Skoler Abbott Presser, which is a boutique management-side employment law firm based in western Massachusetts, with a national practice. When the Massachusetts data security regulations (which were the strictest state regs imposing data security measures generally) were coming into effect back in 2009-2010, our clients had many questions on privacy/security compliance, and I quickly learned how to provide solid advice in this area, at a time when there was little guidance on interpretation for them.
I later practiced litigation defense with firms in Boston, but continued to hone my expertise in data privacy compliance, regularly publishing and speaking on the topic, until I ultimately made the transition to in-house privacy at PPD nearly 6 years ago in October 2013.
No billable hours—that about sums it up. But in all seriousness, in-house roles can be demanding and challenging just as law firm roles are. In private practice, you have the pressures brought on by billable hours as a young associate, and later, for business development.
The day to day challenges when in-house in a global company include meeting time-sensitive business/legal objectives (e.g., urgent contract review and M&A deals), navigating the complexity of a highly matrixed corporate environment, and working with global colleagues (of different time zones and cultures), at times with limited resources. Work life balance and job security tend do to be better in-house.
Which environment is preferred will depend on the person, but I think most, including myself, tend to prefer in-house.
Yes—I would say so. I was very interested in transitioning into the privacy field, and I knew that much of the challenging and interesting work in the privacy was being done inhouse (and this has turned out to be true), so this transition was ideal for me.
I practiced primarily litigation while in private practice, and I’ve found that the skills I learned have been very helpful inhouse as well. I do handle some litigation matters now, so these skills have been useful there, and are also helpful in evaluating legal risk/liability and making risk-based judgment calls on important issues.
While in private practice, I was also involved in business development activities, including publishing articles on legal developments and speaking at seminars; these skills have also served me well in my career.
Primarily online. Networking is certainly important in any job search for a number of reasons; you will gain valuable advice, meet professionals/contacts in your field, and it will help you to better understand your career goals and objectives. But, at least in my case, I found the position itself online and applied through that channel.
Corey, we are just about out of time, are there any parting pearls of wisdom you’d like to share with our audience?
Well, in terms of career advice, I would reiterate the common advice that hard work, dedication, and developing a focused area of interest in a marketable area are important. Research your areas of interest, network with professionals in those areas, and try to find a position where you’ll get some experience in your chosen field, over time building your resume, credentials, and reputation.
The legal field has become more competitive in the last couple decades, so it’s important to find a marketable niche or focus on a growing industry. For me, developing a niche expertise in the growing areas of privacy and healthcare/pharma/clinical research has been useful in my career development. So, look for growing niche areas.
Aside from that, a lawyer’s role as a business partner and consultant has become more important than in the past, so be prepared to demonstrate that you have not only analytical legal skills, but also can succeed in a business capacity.
Corey, I want to thank you for taking the time to speak with me today. If anyone in our audience has follow up questions, how can they reach you?
Thank you Steve. I enjoyed the discussion with you today and hope it will be helpful to others. I’d be happy to address questions and can be reached at email@example.com.
This has been the CounseltoCounsel Podcast with Stephen Seckler. We’ll be back soon with additional episodes to help you sort out your own career and marketing questions.
Until then, thank for listening and please feel free to reach out with any comments to firstname.lastname@example.org . If you like this show, please review us on iTunes.