How to Operationalize Privacy by Design

I think I’m a closet Project Manager. When you operationalize concepts, you have to have some solid project management skills to ensure you’re identifying everything that you want to accomplish; how you’re going to do it; and the tactical plan behind it.

—Lisa Barksdale, Director of Privacy, Zillow

Privacy by Design is increasingly recognized as the pathway to achieving regulatory compliance, creating business value, and enhancing the consumer experience. Resistance, inasmuch as it existed, has given way to, okay, how do we do this? How do we take privacy by design from C-Suite concept to operational reality?

Elucidating the how, Zillow’s Director of Privacy, Lisa Barksdale, joined WireWheel CEO Justin Antonipillai, Yahoo AGC Katherine Pimentel, and Yahoo Legal Services Senior Manager, Tara Jones, at the breakout session “Rise of the Privacy Operations Leader” at the IAPP Privacy. Security. Risk. 2021 Conference.

Ms. Barksdale kindly spoke with us to offer a small preview of her planned presentation on successfully operationalizing privacy by design.

Gap Analysis and Framework

“It’s really important to first do a risk and gap analysis. You want to understand what already exists and what doesn’t. Once you figure that out, you begin a triage,” says Lisa.

Ms. Barksdale suggests breaking down the various aspects of privacy operations into “buckets” to better enable tactical focus. For example governance routines, intake and assessment processes, and reporting and metrics.

Importantly,

There’s no one size that fits all. It depends on what industry you’re in and what you’re looking to determine. Then, once you identify those buckets, you figure out, okay, what, in your utopia, would they look like versus what the organization is actually doing.

Having completed the gap analysis and risk assessment, the next step is to establish your operational framework.

Framework and Guidance

You then want to determine what your overall operating framework looks like. I’m a firm believer in documentation. Having written policy and procedures provides guidance for everyone and it’s a crystal-clear pathway to where you want to go.

Without documentation, I feel like everyone’s just running around trying to figure out what they’re doing.

Having established the buckets of operation and guidance, “you then also want to identify who your key partners are,” suggests Lisa. And you need to do this early in the process “because as you’re building out your documentation, there could be areas where you need to bring them in to make sure you are aligned across the enterprise.”

Inclusivity is very important, offers Lisa. “And this means training and education around, not only what we’re doing, but how we’re doing it, and what role our key partners play in it.”

And the most effective way to inculcate privacy in the business and routinize privacy-by-design with effect is to identify privacy champions within the business units themselves.

Privacy Champions

Ms. Barksdale suggests that operationalizing privacy by design “is really about behavior change. Understanding what those challenges are and being able to get over those hurdles.”

Identifying privacy champions can be challenging. “It is a huge change,” she says. “I’m asking the business to identify a resource that doesn’t necessarily report into the privacy office but who will be spending a considerable amount of time working through privacy risk and being that liaison for us.”

So, what makes for a good privacy champion?

I think what makes a really good privacy champion is someone that knows their business. They know their business operations and they’re curious about privacy. They want to understand what it is and how it impacts their businesses.

Education and training is key to privacy champion success opines Lisa. Ms. Barksdale does not only ensure education around the various privacy operations, but also has training programs on facilitating engagement and the liaison skills requisite to a successful privacy champion role. “We’re also educating the businesses to make sure that they’re communicating with their champions in their various areas,” says Lisa.

And, of course, part of good communication is being a good listener:

As a privacy leader, you need to be open and not critical of the spaces you operate in. You need to understand your business and how it functions, and what privacy by design means for them: then you can start to plug it in.

Be curious and be open minded about how to implement it. And be a great listener. You learn a lot listening to your businesses that will help ensure your program is best in class.

Key Takeaways

1. First Perform a Gap Analysis

• Identify Risk
• Determine Current State vs Desired State
• Differentiate between “must have” and “nice to have”

2. Define an Operational Framework and Guidance

• Establish Operational Buckets
• Written guidance (policy and procedure) is critical!
• Identify your Partners, and
• Think like a Project Manager

3. Identify your Privacy Champions

• Educate and Train, and
• Appreciate the Time Commitment Required

4. Education and Training

• Privacy Training for the Business
• Liaison Skills for Champions
• Strong Communication Protocols