Launched in 2014, Greenlight Financial is a software company aiming to promote financial literacy. It built a family-focused app, helping parents to teach their children about budgeting, saving, and investing with a debit card for kids and teens. Through the app, parents can grant their kids use of a Greenlight debit card. Obviously, that means Greenlight necessarily collects a significant amount of financial and children's data.
Cristin Morneau is chief privacy officer and senior vice president. She joined Greenlight in 2022, and before that she took Groupon through the GDPR's inception. Morneau walked into a blank canvas at Greenlight, with more priorities to tackle than people to tackle them.
"So it was literally from ground zero. Like, how am I going to build a team? What do I need to focus on? What needs to be done? What have people said has been done but actually hasn't been done? It was a full spectrum of figuring things out and figuring them out on the go. So it was like, what tools can help me get there? Especially with a start-up, because I don't have a big team. I don't have the budget for it."
— Cristin Morneau / Chief Privacy Officer & SVP
THE CHALLENGE
Building a privacy program from scratch
No existing privacy program The privacy program needed to be built from ground zero. There were no systems, no documentation, and no established processes.
No visibility into data flows Morneau had to figure out what systems Greenlight used, the data stored within them, who had access to them, and what controls were in place.
Product teams lacked clear parameters Product teams didn't yet have clear parameters on data uses. Privacy by design wasn't widely understood across the organization.
Sensitive data at the core of the business As a financial app geared towards families and kids, Greenlight collects children's data and financial data, making privacy compliance especially critical.
THE SOLUTION
TerraTrue as the foundation for the entire privacy program
Though Morneau went through the requisite RFP process, she decided to use TerraTrue to build her privacy by design platform. She'd used the software during her tenure at Groupon, building its GDPR program, so she was already familiar with what it unlocked for her.
Key priorities
Map and document sensitive data
Children's data collection, storage, and third-party contracts. Financial data policies, collection, and storage.
Build core policies
Retention and deletion policies. Gain visibility on marketing's initiatives.
Scale through technology
Find technology that could help scale privacy's functionality. Integrate privacy reviews with product, engineering, security, and vendor management in Jira. Automate where possible. Educate teams on privacy requirements and what constitutes personal data.
"One person just can't handle this. A lot needs to be automated, and I need records for everything as well."
— Cristin Morneau / Chief Privacy Officer & SVP
Everything starts in TerraTrue
Now, with five of her teams working in TerraTrue, everything starts there.
"If you're going to onboard a new vendor, if you want to do a new project, if you are changing a significant project, if you're doing anything with personal data, and you're making changes, then TerraTrue is where we want it to start."
— Cristin Morneau / Chief Privacy Officer & SVP
"It's helped a lot, especially with our Jira integration because we can just go back to that ticket and see where things are, and then also see the other tickets that it links to as well. You also have the data mapping functionality, so you can be like, 'Hey, this is the data we're pulling. This is where it's going. This vendor we need to identify. This is where the service sits.' So it's really helpful, especially when you want to go back and do audits."
— Cristin Morneau / Chief Privacy Officer & SVP
THE RESULTS
2,000+ launches in just over a year, powered by integrations and automations
Jira integration made adoption easy
Greenlight built a Jira integration within TerraTrue to ease rollout and expedite adoption. Using custom workflows, Morneau added a screener question to eliminate unnecessary reviews: Is personal information going to be used?
"Engineering lives in Jira. Anything they do, they're going to create an epic. So how we set it up was anytime an epic is created, it'll automatically ask our question around whether or not PII is being used. And if they say yes or no, it's going to create a launch on our end."
— Cristin Morneau / Chief Privacy Officer & SVP
"They love anything that means they don't have to have a meeting with you. They can just click a few things. On their side, if the intake form says 'Yes, we're using PII,' it'll automatically create a link to TerraTrue in the Jira ticket. Then it goes to a launch. So it's really easy for them."
— Cristin Morneau / Chief Privacy Officer & SVP
Custom workflows to trigger risks
Morneau and her team built in custom workflows based on Greenlight's specific business model and data flows. For certain data uses, TerraTrue triggers a "high risk" warning, which allows privacy to take a closer look and decide whether to push forward or push back.
Holistic visibility on data
A single source of truth for data uses, storage, and sharing across the organization.
Metrics to demonstrate strategic impact
The team now has metrics to report up to the C-suite, demonstrating privacy's business impact.
"It's 100 times better than it was when I started. I think the biggest thing is don't let people forget that privacy is here, that it matters. I think we have, in just over a year, over 2,000 launch assessments. Keep records of your metrics. And that's easy to do as well. All that is there within TerraTrue. So report that up to your C team: This is what's going on. This is what we've looked at, this is what we're doing. These are the changes we've seen."
— Cristin Morneau / Chief Privacy Officer & SVP
KEY TAKEAWAYS
Lessons for privacy leaders starting from scratch
→ You can build a program from ground zero with the right tooling. Automation replaces the headcount and budget you don't have.
→ Integrate with Jira to make adoption effortless. If engineering already lives in Jira, make privacy reviews a natural extension of their existing workflow.
→ Use screener questions to eliminate unnecessary reviews. Not every epic needs a full privacy assessment. Let automation triage for you.
→ Build custom workflows around your specific business model. What constitutes high risk for a children's fintech app is different from other industries. Tailor accordingly.
→ Track and report your metrics to leadership. 2,000+ launch assessments in a year tells a powerful story about privacy's strategic value. Make that visible.