April 14, 2023
From the IAPP's GPS '23: Metrics will validate you, PbD will future-proof you
Share
Privacy by design has been around for more than a decade, but it’s always felt like an academic phrase. Today’s tech tools enable you to turn privacy by design into a real-world application, and those same tools can give you the metrics you need to prove your worth to the business.
In a recent session at the IAPP Global Privacy Summit 2023, TerraTrue COO Chris Handman, Greenlight Financial’s Cristin Morneau, and Lyft’s Brittany Rhyne came together to talk about the practicalities of automating and scaling processes, embedding privacy with product teams at the pre-deployment phase, and gathering the right metrics to talk about your program’s value.
Here’s a transcript of their conversation, edited for clarity and length, so you can reap the benefits even if you missed the live chat!
Using tech to elevate privacy by design at your company
Handman: Technology can elevate privacy by design, which has historically failed because it's just so hopelessly manual and repetitive, and it just feels like people are doing the same thing over and over again with very little payoff. How have you used technology to overcome the inefficiencies and the duplications that bedevil that intake?
Morneau: I was at Groupon right before GDPR went into effect. So our first time building a design program was there – and on a global scale – it was entirely manual. It was so stressful trying to figure out where this process would fit within the business. Learning engineering ...then also realizing our company isn't just engineering, it's sales, it's marketing, it's business development. You have to look at each and every part of your company and do create it in a way that makes sense for them.
Also, I think the biggest thing I've learned is developing relationships with people; your chief product officer, your product manager. Those are the people you really need to build strong relationships with.
Using tech to build internal trust
Handman: We hear a lot about that. You need to build these relationships. You need to make sure that privacy isn't thought of as the place that good ideas go to die, that the business comes to appreciate what you can do. If you can marry your work with where they are working and meet the business where they are, it’s right for both of you. It’s like, “Look, I'm not coming to you with my grandfather's view of what a lawyer is. I'm going to integrate with your systems. I'm going to create some rules that will pull from you into my source of truth." Does that end up being a way to sell them on the vision of privacy?
Morneau: I always try to take the approach: I'm not trying to be an internal regulator. My job is not to get you in trouble or to tell you where you're wrong. It's just to help you. Because it's harder for you if you get ten steps down the road … and now you just lost friends, and you lost three month's worth of work, and you’re not going to make your next iOS launch. All that affects you in a way that has real economic value. Let's go get ahead of this.
Handman: That’s a great example. In the past, that sort of argument might have just been the realm of the anecdote. Now, with technology, you actually have a way of being able to identify, “Where has this been sitting? How long is it taking to do this for review?”
Rhyne: This is an interesting one for me, coming from an IT-audit background. Being internal audit specifically, reputation is everything. You want to make sure that your privacy program has a really good reputation. And specifically in tech, knowing core values around velocity, moving fast, breaking things, and failing quickly and often. But we can use our SLAs to look at how quickly we're going through these reviews to show them that, nope, we're not a bottleneck. We have the stats right here. We can prove it.
Morneau: We have hard-coded SLAs around our launches as well. So we try to get them out the door within seven days, but really realistically, even sooner.
Handman: It would be great to hear some concrete examples of SLAs in practice.
Rhyne: We really do try to mirror how [product and eng] work. And one of the ways we do that is we have a team on call. So if you're an on-call analyst that week, it's up to you. You’re the first point of contact for triage and acknowledging the ticket, and letting people know upfront how long it’s going to take, and whether there’s an impact. And that needs to be done in eight business hours.
The next one is around the actual review itself. We leverage the freeze tag, so it'll pause the timer on the SLA. A lot of times, the product teams are really the ones holding things up. So if you're just looking at that blanket metric of "It took three weeks," [it’s like] "Well, no, it took us a day, but your team is driving this."
Handman: With technology, you can at least measure how often that is happening, because that alone might indicate a malfunction within the product-planning organization. Not that you want to call people out, but you will be able to automatically identify date stamps. When did the ticket come into your system, right? When did they complete the spec that identifies the types of data and what is the delta between those two? And then you can measure that.
Using tech to avoid last-minute sandbagging
Handman: When you talk about that last-minute sandbagging from your business, [the right tool] can you improve this, right? It’s about creating a predictable framework that can pull in from Jira, or pull in from Ironclad, or wherever, to create that central ticket for you. Because you get those dinner-time requests where you don't have the ability to do your job, provide counseling, or craft solutions.
Morneau: Yeah, I think it's really important. I know the business always kind of wants a "yes" or "no" answer on the spot. They want to write you a novel and be like, this is fine, right? That's why it's always important for me to be like, "Oh, that's great, really interesting launch." And then we can chat about it some more … so you have the time to process what they're actually trying to do and what the different data points are.
Using tech to gather metrics
Handman: Do you look at how many review teams it takes or how many times it takes to review launches? How do you think about measuring?
Rhyne: We look at completeness, specifically for third-party risk. So, are we capturing all the third parties that we share data with? Because that is crucial. But the great part about vendor risk is that we won't pay any vendors unless they go through procurement. We have a gate. We don't have a gate for the launches of the engineering team, which is just shooting out products and features left and right. But we do have a gate because they're pretty high-risk.
Using tech to report metrics
Handman: Is there a shared sense of the importance of those metrics? How do metrics shape your kind of advocacy?
Morneau: Yeah, it's pretty persuasive, especially for the executives' team, because especially in my current role, they didn't have anyone that was handling privacy and doing privacy by design. So this was all new for them. So to be able to come in and start a program, be like, "Hey, within three months, we have over 500 launches. A lot of them are auto-generated through Jira." But that's a lot happening at a company in a really short time, and it's really important to show that we have visibility into that.
Handman: We should just take note of that. That's a huge number. Five-hundred assessments, captured in short order. The challenge of trying to do that in a non-technical way in years past would have been, I think, overwhelming. It required maximum consultants. Were you able to go to the business and say, "Look at this?" I’m curious how you’ve been able to use that to marshal support for the privacy program.
Morneau: I think it was pretty easy for us just because we deal with children's data, and everyone wants to do the right thing, and they want privacy to be taken very seriously. So it's like a sense of security for them as well that nothing's just going to get through.
To learn more about how TerraTrue can help you reach your PbD goals at scale, meet up with us for a brief demo here.