How to prove your privacy program's a strategic differentiator, not the 'House of No'

Chris Handman is co-founder and COO at TerraTrue. Before that, he worked as Snapchat’s GC, and spent 14 years as a partner at Hogan Lovell’s. Ron DeJesus is founder of DeJesus Consulting, the former CPO at Grindr, and he previously served as head of privacy at both Tinder and, before that, Match Group. The two have extensive experience in developing privacy programs that complied with applicable laws and regulations, but also allowed the business to maintain speed to market. Here are their insights on how to implement a program that scales and acts not as a blocker, but as a strategic differentiator.

As privacy professionals, all of us know the privacy function isn’t a bottleneck or a “house of no.” In fact, strategic privacy programs have a positive impact on their organizations. But that requires embedding privacy into product and engineering teams to get the visibility you need, having a single source of truth on data flows, and gathering metrics to prove your program’s having a strategic impact on business initiatives.

Here are some strategies for how to do it.

Strategies for getting visibility into product & eng

Before you can really have an impact, you need to have your eyes on what’s happening with data at your company. The best way to do that is to work with the teams building products that will collect and use that data.

Here’s the reality: You can't do your job in privacy if you can’t see what the business is planning to do. A lack of visibility results in two scenarios that may sound familiar: Either things are going out the door that you're not aware of, or the coming-in-hot request. It sounds like this, “By the way, we’re shipping this tomorrow. Have any issues? And then you’re reduced to a yes/no answer, where either you must swallow the concerns you have about certain privacy risks, or you’re designated as the bottleneck or the blocker. And no one wants to feel like that, especially in a fast-moving company.

But visibility can be tough because historically, privacy has operated in a silo. It’s suffered from a reputation that it’s a mere compliance function, the place where good ideas go to die, or at least slow down.

To change that legacy image and to get the information you need about how your technology uses data, you’ve got to develop and nurture relationships with key stakeholders across the organization – especially with profit centers like sales, and supporting departments like product and engineering.

A tactic De Jesus has found helpful is to align your goals with theirs (to the extent you can). If you’re aligned with the profit centers, that helps you gain visibility as something other than a cost center. Rather, you’re aligned with the business goals and working to be a strategic enabler. In addition, you should try and leverage what historical artifacts those groups already have in place. For example, if you’re developing ROPAs or data maps, work with the teams that have existing data inventories to figure out what you can use. But to do that, you’ll need to have strong relationships with them.

“It’s going to be a lot more efficient to leverage what these folks already have in place,” De Jesus said. “When working with these teams who already have existing PRDS or that might have existing inventories of data, finding out what they have and what you can leverage is going to be critical. But also you're only going to be able to perhaps get those artifacts if you have really strong relationships with those folks. And by building those relationships with those profit centers, you can align your own KPIs with their KPIs.”

To gain those relationships, start at the top. For example, aim to get 15 minutes on the CEO’s calendar. Aim to leave the office with their buy-in as to why you exist at the organization. And if you can’t get the CEO’s ear, go for the most senior executive you can book.

When you get in the room, give them your elevator pitch and ask for them to communicate to the rest of the business that privacy is a priority. Support from the top, especially from senior VPs and the like, will be a game-changer for your ability to affect strategic change.

In De Jesus’ case, he arrived at Tindr just in time to implement the GDPR in 2018. He asked his CEO at Tindr to send a message to the company introducing him as CPO and explaining why privacy was important to the company.

“I said, ‘Hey, in order to get this moving, a communication from the top would really help. And he actually sent out the communication. I thought it was going to come from his SVP, but apparently I made an impact on him and he, through his own volition, sent out an email. Every VP was super gung-ho to meet me to talk about what they were working on,” he said. You never know until you ask!

Once you have some endorsement from the top, Handman suggests you start meeting with senior leadership in key groups to unlock the visibility you need. Explain to them that all of you can do your jobs better the more proactive you can be as a partner to the business.

Handman suggests approaching it like, “Look, I love what you’re doing. I totally support this initial monetization effort. But there are a few wonky things here that the law might shine on. We can actually achieve 99.9% of what you want to do if we take this slightly different path.” And that makes you more than just a legal doorstop. You’re now a strategic collaborator.

CISO is key

The chief information security officer at your organization is a key partner for privacy operations. The CISO’s department is the first line of defense in protecting the personal data you’re collecting. In addition, security teams practice security by design, which pre-dates privacy by design by about a decade. Security by design came out of the same needs you have as a privacy professional: Info-sec teams need visibility on what happening with data, and they struggle with scaling to keep pace with the business.

Handman said the security team typically have an advantage over privacy’s struggles in that they they’re more technical.

“They're engineers, they're working in JIRA,” he said. “So some of the technical blocks that divide lawyers and privacy folks from the engineering side of the house maybe don't exist, but they still struggle with that, that same visibility. They struggle with scale. They have to do reviews as well. And what's often forgotten is the line that divides privacy and security is a blurry line. What is privacy if not security? And vice versa at times.”

If there’s an existing info-sec meeting you can jump in on quarterly, you should. You need face time with that group at a regular cadence to build those critical relationships. If there isn’t a natural place you can insert yourself, think about creating a privacy and security committee that meets regularly.

“I think is really helpful to demonstrate that, hey, this is actually a top of mind thing for our organization,” De Jesus said.

The next step is developing a single source of truth among you, creating once space where both info-sec and privacy can do the necessary reviews. That creates a powerful economy of scale for the business, because you’re not tasking it with constantly completing questionnaires on behalf of either team.

“Even though they're like probably two sides of the same coin, there’s lots of overlap, and you can now consolidate that,” Handman said. You can leverage the overlaps, which demonstrates to your leadership that you’re thinking strategically on this and returning value to the business.

“By unlocking visibility and having that single source of truth where you can see what’s happening and weigh in gives you and your team the ability to basically do your jobs,” he said. “You’re actually someone who’s collaborating and working on product as well. And I think those who are attracted to the tech world and privacy find that to be a really exhilarating mix.”

Leverage tooling to create a ‘single source of truth’

The problem with privacy reviews is the manual work of understanding what’s coming in, what the implications are, and which laws relate to that particular data. How can you get a beat on what your business is doing before things go out the door? And how can you do it in a way that doesn't feel like you're paralyzing the development or feel like you need to hire 50 people to keep up? The importance of using tooling to maintain a single source of truth for your teams can’t be overstated. There’s a lot of duplication that happens when teams work in siloes; teams start developing their own data inventories or maps without understanding that other teams are doing the same thing.

“What is the point of creating an Excel-based data inventory that you can't keep evergreen because it might have changed in 24 hours based on another vendor system that might be onboarded and contributing to that data inventory,” DeJesus said. “So I think it is essential to identify where the source of truth is for the data that's going to support all these artifacts that you need as a result of ROPAs, as a result of things that you are going to support your operational program.”

Think about PIAs, for example. They leverage much of the information that product might use for product requirements documents. The info-sec team might be using data maps that focus on the technical eccentricities of data flows, but you can leverage that information to determine what data’s flowing from the EU to the U.S. for your ROPA, for example.

Technology allows you to create structured data sets around location, SSNs, or user IDs, for example. It allows you to create rule-based triggers to route the review to the appropriate team, whether it be security or trust and safety. It allows you to create audit trails at scale, which in effect allows your team of two or three to do the work of 10.

In addition, while privacy teams have often existed as a forkloric knowledge of privacy getting by on spreadsheets, tooling helps you formalize your process: These are our rules, this is the data, this is how we think. It allows you to create repeatable structured formats for your compliance needs. From those repeatable processes come the metrics that will allow you to demonstrate to your leadership that privacy is a strategic differentiator.

“You can use technology to leverage your own rules and scale your own counseling as if you were hovering right over them,” Handman said. The number of PIAs, DPIAs, DSARs, and vendor reviews can now be measured without the tens of hours it would take to gather those metrics manually.

“When we think about where we sit today in this regulatory environment and the pressures that boards are increasingly putting on security and privacy teams, this is where technology really can carry a huge promise,” Handman said.

The metrics they care about

In a recent Cisco study, 93% of respondents said they reported at least one privacy related metric to the board. But gathering metrics isn’t always easy in privacy.

“For the most part, the challenge with privacy in terms of proving affirmative metrics is that so much of what privacy doe is to catch things before they become measurable impacts on the business, right? So, making sure that a feature that goes out the door isn't inappropriately, collecting data that you shouldn't be, or isn't going out without the proper consents, or isn't unduly collecting more data than necessary. The sorts of things that maybe a regulator gets concerned with.” But that can be hard to capture.

The numbers that matter to your board will indicate not only how many risks the privacy team caught or how quickly you’re able to get through reviews, but also how you’ve strategically enabled the business to operate with speed.

At a baseline level, privacy’s role is to make sure the business is creating great products that are consistent with the law and user’s expectations. But it also has to do that in a way that ultimately doesn’t inhibit the things the business cares about.

“You’ll want to report metrics beyond the number of reviews you’ve done or risks you’ve found, but how we’ve been able to speed up reviews, and how we’ve managed to bring down the amount of time that the business has had to spend dealing with privacy reviews,” Handman said. “Those are the metrics that technology can unlock so you can start to bend those cost curves down.”

But context matters when you report all that, De Jesus said. Imagine you’re aiming to report out on your DSARs. Instead of just sharing the number you processed, think about how you can tie that to a business initiative. Here’s a tactical example of translating a metric that could be as bland as ‘number of DSARs’ into something that might be a little bit more consumable at the board level.”

“Let's just imagine that as a result of the CPRA, an influx came in. And you're proud of the fact that you responded to thousands of DSARs,” De Jesus said. “Translating that into board level speak would be something to the effect of ‘We implemented a tool that allowed us to automatically respond to a million DSAR requests, thus saving X number of customer experience hours, which translates into X cost savings.’

Or we can turn to PIAs an an example.

“A bland metric might be something like, ‘This quarter, we conducted 10 PIAs and give DPIAs. Boring, right? However, translating that to something that’s a little bit more board-level speak: We fully automated our PIAs, and through the use of this tool, we were able to conduct five PIAs in the last sprint, which allowed us to review X number of product reasons, this meeting product timelines.”

Think about: How did privacy support your profit center’s KPIs? How did privacy proactively help support product rollout?

Lastly, let’s use vendor reviews as an example. They’re a pain point for executive teams, and historically the business thinks of them as a bottleneck. Privacy’s reputation has been that it naturally introduces friction to product lifecycles. But it’s not always privacy’s fault! Tooling can help you identify where the bottlenecks are, and it might be a cross-fucntional team or the vendor itself.

“You should be able to identify which teams are the deficiency,” De Jesus said. “Because I could be responding to someone’s privacy vendor review on time, but I might not be getting the documentation I need from the vendor point of contact quickly.”

Armed with that information, you can take metrics to the board that are more impactful than “We’ve conducted 20 vendor reviews.” Instead, attach the number of reviews to the profit center’s KPIs with a metric that sounds more like, “We’ve conducted vendor reviews on three cticical vendors that will support our growth in the North American market by 50%,” for example.

For more on this topic, watch the full conversation between Handman and De Jesus here.