“Today, data is like oil in the early twentieth century, when entire economies were built around discovering and monetizing a newly discovered resource,” says Pedro Pavón, director and senior corporate counsel at Salesforce. “Computer systems have always generated data, but due to the wide availability of the internet and the proliferation of the internet of things, data is now being generated 24/7 at an incredible scale. When you combine that with the increased computing power provided by the cloud, we can now unlock insights we couldn’t even have dreamed of just a few years ago.”
Following close on the heels of this deluge of data being collected and processed is a rapidly expanding crop of new data privacy and data protection laws and regulations, which present compliance hurdles for organizations that collect and process all this “new” data. Pavón, however, finds the challenge invigorating. “This is an amazing time to be a privacy lawyer,” he says, citing recently enacted laws in Europe, China, and Russia, and soon-to-be-enacted laws in India and Brazil. “Adding to the complexity is the fact that the US does not have a national privacy law, and some US states have decided not to wait and enacted their own data privacy laws. There’s also been a proliferation of state-level bills, and I expect more are on the way.”
While these data protection and privacy laws tend to have common themes and principles, there are also significant differences between them. Additionally, courts have been slow to interpret and expound upon many new laws.
“In some instances, there’s a widespread lack of clarity on how different laws interact and that makes it challenging to build a global data protection and privacy compliance program,” Pavón says. “In areas where we have a rule without a lot of guidance, privacy lawyers build a hypothesis of how we think a law will be interpreted and enforced, and we work with our stakeholders to implement a compliance strategy. Then we monitor the legislators and authorities and when there’s a new development, we have to act quickly to calibrate our approach. In the meantime, we’re planning contingencies in case there’s an unexpected or sudden regulatory development.”
“In areas where we have a rule without a lot of guidance, privacy lawyers build a hypothesis of how we think a law will be enforced or interpreted, and we work with our stakeholders to implement a compliance strategy.”
For instance, Pavón helps manage Salesforce’s efforts to comply with the California Consumer Privacy Act, which went into effect at the start of 2020. “We’ve worked really hard to prepare and implement our CCPA compliance strategy,” he says. “Regarding CCPA, the end of 2019 was a fun but grueling process to get through all of the work necessary to prepare. Adding to that is the fact that there’s no ‘mission complete moment’—you plan, you build a compliance strategy, and then you react to changes as they come once a law goes into effect.”
Pavón has been interested in the intersection of technology and law since he was a student at the University of Florida’s Levin College of Law. When he graduated in 2008, he was determined to go into tech-related law but took a brief detour as the recession made jobs scarce. He first worked as an attorney doing immigration work for the Department of Justice. In 2012, he joined Carlton Fields, a Miami law firm, to help with their immigration work. He quickly reoriented, offering to help build the firm’s privacy and cybersecurity practice. Within a year, the practice was growing rapidly.
He took a deep dive into data when he joined tech company Oracle in 2014. “I got to be on the ground level as Oracle developed its data monetization strategy,” Pavón says. By the time he left Oracle in 2019, Oracle’s Data Initiatives legal team (which he led) had grown to eleven lawyers who provided counsel on data licensing, data protection, and data governance.
Ready for a fresh challenge, Pavón joined the cloud-based software company Salesforce in mid-2019. His responsibilities at Salesforce are broad: in addition to being a leader on data governance matters and CCPA compliance, he leads Salesforce’s privacy compliance efforts for Latin America and the Caribbean and serves as the privacy liaison to the company’s executive data governance boards.
“We want diverse voices included in the design and decision-making process as new laws and rules come into effect to make sure all this rapid innovation does not harm or exclude disadvantaged groups.”
“Salesforce has some of the most interesting and complex data use cases in the world, and each one is scrutinized through Salesforce’s trust and transparency values to ensure we deliver the best possible customer solutions,” he says. “Part of my job is making sure that as we innovate, we remain consistent with our legal obligations, our values, and our promises to our customers.”
Pavón expresses a passion for ensuring that tech remains a force for good. He says data protection and privacy laws are an important step toward protecting individuals, but the legal field—particularly his area of practice—needs to work on including more people of color and people with unique backgrounds and experiences.
“We want diverse voices included in the design and decision-making process as new laws and rules come into effect to make sure all this rapid innovation does not harm or exclude disadvantaged groups,” he says. “To that end, I try to spark interest in young diverse attorneys and diverse attorneys looking for career changes to explore a career in data privacy law.”