With all the new privacy regulations, it can feel like we're always playing catch-up. In our new IAPP webinar, we discuss How to future-proof your privacy program. Angelique Carson, TerraTrue’s director of content strategy, sat down with Uber CPO, Ruby Zefo, and TerraTrue’s co-founder and COO, Chris Handman, to learn how to build a sustainable, long-term approach to privacy that insulates you from this constantly changing privacy landscape.
Privacy's main painpoints today
Privacy pros and teams often face three main challenges:
Visibility into product planning
The first challenge is trying to get visibility into the product plan early enough in the development lifecycle to make meaningful changes. Without adequate visibility, privacy professionals are forced to just give a yes or no answer instead of tweaking the product to be more privacy-friendly.
Insights into data flows
As privacy professionals, we often don’t have the necessary information to fully understand how data flows within your organization. Without continuous visibility into what data your organization collects and how it uses the data, privacy can slip through the cracks, leading to unnecessary compliance risks.
Articulating privacy’s benefit to the business
The legacy image of privacy as a simple compliance function is also a major problem. As we all well know, privacy can be a strategic tool that improves UX and profitability along with mitigating risk. But when privacy is treated as a mere compliance checkbox exercise or, worse, an obstacle to development, it limits the team’s ability to make a positive contribution.
To overcome these problems, we have to address the way the business views privacy and highlight our true value to the bottomline.
Takeaway: Privacy pros struggle with product visibility, understanding data flows, and the legacy image of privacy as a compliance check. It’s up to you to highlight your value.
How can privacy pros change our longtime image?
Shifting the business’s legacy perception of privacy starts by getting to know stakeholders in your organization better. Start by getting to know the key players. How do they communicate? What’s the business’s risk tolerance? You should find common ground – shared initiatives and goals – to build trust before you start laying down the rules.
As you get to know your partners, emphasize the role of privacy in improving customer experience and other priorities. Privacy’s not always an easy or concise message to get across, but using metaphors and telling privacy’s story can help get the message across.
For example, you could compare privacy to the safety features on a high performance car. Features like airbags, five-point harnesses and a roll bar don’t slow a car down or ruin the design — they enable the driver to enjoy going fast without stressing about the risk. In the same way, privacy protections let users more fully enjoy all the great features of your products.
Takeaway: Make friends before laying down the law. Use storytelling to highlight how privacy improves UX and other priorities.
How do I sell vitally important privacy changes to product?
To successfully work with product, you need to become part of the team. That means coming in with a sense of humility, learning how the product works, and internalizing the priorities of the product team.
Find a technical stakeholder who can explain it to you, and ask questions. People love when you take an interest in what they’re good at. Asking internal product managers or engineers to explain the process not only helps you learn — it can also build strong relationships and win privacy evangelists.
Once you understand what they’re trying to accomplish, you can propose changes that address your concerns without undermining their priorities. Explain how your changes can make the product safer without undermining functionality. There may be times when you have to say a firm “no,” but whenever possible, you should try to work with the product team to accomplish their goals.
Takeaway: Get to know the product, and the product team’s priorities. Explain how your changes can strengthen privacy without undermining their goals.
How can I stay ahead of regulatory changes & quit playing catch-up?
When you’re just starting out in a small company, it’s okay to be reactive. Chaos is normal in a new privacy job, and you’ll probably struggle just to keep up at first. As you get more comfortable with your job, things will get easier. You’ll develop a sense of the regulatory environment and your company’s risk appetite. Over time, pattern recognition will kick in, allowing you to make judgment calls more quickly and easily.
To get there, you need to put in the time to keep up with the privacy landscape. Read about new legal developments, enforcement actions, proposed changes, and other developments every day.
It also helps to build on a particular regulatory foundation. For example, if your company has invested heavily in GDPR compliance, use that as your foundation. As you strengthen their GDPR controls, you can add tweaks to address other privacy laws like the CCPA. That will prevent you from duplicating work, enabling you to scale up your privacy program efficiently.
Takeaway: In a new privacy job, chaos is normal. It will get better as you gain experience with the client. Stay on top of privacy news, and build on the company’s previous compliance work to avoid duplicating functionality.
How can I prepare for future privacy developments?
Messaging is very important. As you start to anticipate where the law is going, start preparing your company to rethink core issues. What information you need to disclose, which jurisdictional controls you’ll need to implement, or how to improve your overall data storage and collection practices are all issues you can tackle ahead of time once you see where the laws are trending.
Conversely, if you explain privacy as a series of a thousand subdivisions of requirements, your team just won’t get it. They’ll never be able to implement it, and they’ll probably just go around you. Simplify privacy to a few core ideas that get your team 90% of the way there. Then they can come to you for the trickier questions that make up the other 10%.
Takeaway: Focus on communicating a few core priorities as simply as possible.
How do I teach employees good privacy practices?
Privacy starts with onboarding, but it can’t end there. Give employees a privacy primer when they join, along with periodic refreshers, but don’t assume those lessons will stick with them. You need to repeat the message in a way that will be accepted and retained.
One method is to have brown bag lunches where you discuss privacy news. Look for regulatory developments that will impact product, marketing, and other teams. Then sit down with your team to discuss what the change is about, and how it will impact them.
Don’t be afraid to talk about unresolved questions you’re grappling with — instead, have a brainstorming session with your team. A lively discussion is more likely to make a lasting impact than a lecture, and great ideas can come out of those privacy conversations.
Takeaway: Regular discussion boosts retention. Hold brown bag lunches to discuss how new privacy developments will affect product and other teams.
How important are automation tools in scaling privacy?
The larger the organization grows, the more essential automation becomes. Even at well-resourced organizations, privacy is still grossly outnumbered by product and engineering. To keep up, you need tools that can flag risks for privacy review.
Technology improves visibility, giving you a better grip on what’s coming down the pipe, and enabling you to review changes more quickly and reliably. That lets you make tweaks quickly, so your product team can avoid bottlenecks. It also helps you triage efficiently, identifying high risk and low risk activities, so you can prioritize changes.
Finally, it enables you to future-proof your program. You can perform ongoing maintenance more effectively, maintaining data maps and road maps. It also makes it easier to perform retroactive checks, reviewing existing infrastructure for compliance with changing laws and enforcement priorities.
Takeaway: Technology boosts visibility, helps you triage privacy issues, and powers ongoing privacy maintenance.
For more advice on future-proofing your privacy program, check out the full webinar, featuring Ruby Zefo, Uber’s CPO, and Chris Handman, COO at TerraTrue.