6 Keys to Unlocking Privacy at Scale
Privacy and Data Governance
Privacy is complex by virtue of its comprehensive nature. From the regulatory perspective, privacy legislation encompasses data security, consumer rights, and business obligations. A complexity, and risk, that is further compounded by the fact that privacy legislation itself is a moving target. Operationally, this means privacy concerns information security, data management, and data governance, which must now take input from legal. Here, complexity is intensified by the differing data uses across lines of business (e.g., product development, sales, marketing, HR, etc.) and jurisdictional requirements.
From a data management perspective, an organization will need to write privacy into the acquisition, creation, storage, use, and control of data. From a program management perspective, a successful and scalable privacy program will need to systematize the processes, methodologies, and measurements that will enable an effective and compliant privacy program. And it must do so in a way that satisfies the diverse needs of the various business lines while meeting the security, consumer rights, and business obligations. A tall order.
To meet this challenge, applying a data governance framework to privacy program management just may be the key to cutting through the complexities and unlocking effective privacy management. At any scale.
To discuss the application of data governance principles to privacy program management, Lynne Bird, Privacy Program Owner, Microsoft, and Sameer Ansari, Managing Director Cyber Risk at Deloitte, met online for the IAPP Global Privacy Summit, Privacy and Data Governance: The Key to Unlocking Privacy at Scale. WireWheel CEO Justin Antonipillai moderated.
Establishing a Privacy Governance Framework is Key
We took a step back and said traditional compliance doesn’t make sense given where privacy is going. Traditional compliance models tend not to be all that scalable or flexible. They are controls based and there’s often a lot of resistance to changing those controls and shifting them over time. And if you look at how the privacy landscape is changing, it’s still evolving.
— Lynne Bird, Microsoft
While a small team of only six professionals (a challenge shared by many privacy teams), the privacy group led by Lynne handles more than a thousand applications [applications here means services and components] and spans multiple different organizations within the division. The group does not “just handle one single scenario. It’s not simple in terms of just being able to stand up a very defined process. It needs to be flexible,” says Lynne.
“Secondly, [the typical compliance space] is very reactive. It’s usually more than nine months before you have a good sense of where your issues are. And given privacy by design, it doesn’t make a whole lot of sense, particularly given the ROB [slow annual rhythm of business].”
To manage scale and complexity, and introduce the needed flexibility, Lynne’s team created a privacy as a service (“PraaS”) approach, and with it, a set of 4 key principles to steer its evolution:
- Customer Experience Obsession
- Leverage Existing Tools and Processes
- Abstract Away Policy, and
- Decide with Data
The anticipated benefits of this “PraaS” approach are a privacy management program that is scalable, flexible, and sustainable.
A Customer Experience Obsession
Obsessing over your customer’s experience requires first identifying your customers. For the Microsoft Digital privacy team, their “customers” are not the regulators or the auditors. Rather, they are the folks who are responsible for implementing privacy requirements.
It is those that are charged with functionally delivering privacy compliance (software engineers in the case of Microsoft Digital) that should be your privacy program’s customers. Not regulators, not auditors, not in-house counsel. But rather those who must translate the requirements of privacy regulation into operational competency. Importantly, this creates a much more positive (and welcome) feedback loop than if you chose the regulator or auditor as your “customer.”
This seemingly simple shift in focus leads to a number of privacy program innovations that truly unlock privacy at scale. Just the simple change in nomenclature – program managers typically speak in terms of stakeholders, influencers, roles, and responsibilities, not customers – creates an entirely new dynamic. One that helps address a core challenge that plagues all programmatic endeavors and seems particularly intractable with privacy programs: communication.
Abstract Away Policy: The Art of Communicating Privacy
The communication between privacy teams and engineers is often one of the most painful things we hear about in privacy program management. When a privacy team is actually talking to an engineering team, you get caught in literally a repeated loop of “what do you mean by that?”
—Justin Antonipillai, WireWheel
Addressing what is ostensibly a language barrier is the central point of the principle “abstract away policy,” says Lynne, and the Microsoft Digital privacy program framework is designed specifically to take policy out of the operational interactions.
“The engineers don’t need to understand the policy. They need to understand the requirement. That really is key. When we give them work items to meet…let’s say data retention controls, we actually spell out that they need to have a data retention plan.” The regulatory and compliance issues that drive that retention schedule are not germane to the engineer. Rather, “they need to be clear on how they’re meeting that data retention,” says Bird.
Leverage Existing Tools and Processes
We already had tools in place to inventory our assets. That is not something we wanted to reinvent. There was enormous value for us in terms of leveraging that existing infrastructure. And so, by plugging into that, we trigger our privacy process based on steps that those teams already had to take: When they complete their inventory, immediately privacy is integrated into that process. There’s no bypassing the privacy process.
—Lynne Bird, Microsoft
This shift to a common language and leverage of existing processes is not only quintessential privacy by design from an operational perspective, but it also enables scale, risk mitigation, and cost reduction. Not only through leverage of existing infrastructure, but by integrating processes.
As Deloitte’s Sameer Ansari notes, one typically sees a siloed approach in the data operating model in terms of three distinct functions: data protection (risk and regulatory), data privacy (focusing on privacy by design and use of personal data), and data management (which encompasses data governance and focuses on mining value from data).
And as he rightly points out, a challenge to achieving privacy at scale is that “each of these functions tend to operate in silos leading to inefficiency.” This also creates process confusion, notes Sameer: with multiple systems and data owners, it is unclear to whom you should go.
Others have discovered the value of this. Speaking at the Wall Street Journal Risk and Compliance Forum (5 May 2020), Uber CPO Ruby Zefo enthused, “I can’t tell you how important it is to leverage existing processes so that your engineers and your product people have to go to one place” (Rundel, 2021).
I think a lot of these concepts really start to come together and start to get implemented from a privacy by design perspective [working] with their data governance and their data strategy and management folks to implement and get those requirements baked in and get that strength and that scale you’re really going to need to start to deliver.
—Sameer Ansari, Deloitte
Another substantial benefit to this integrated and programmatic governance approach, notes Justin, is that “while the privacy team often will need to live in a privacy tool, if the engineering team, your developers or other teams can stay in their existing tools for as long as possible, the more likely you are to collect the data in a scalable way.” “If you can keep collecting as much as possible in a natural environment,” he observes, “you tend to get the scale.”
Decide with Data
We try really hard to use data to determine where there’s actual risk as opposed to “my gut says.” If you don’t have discrete data points, you’re actually robbing your program of an opportunity to mine that data and determine where you’ve got risk….That’s where you have an opportunity. If you’ve got security programs and data management programs in your business, they likely have data that is of value to a privacy program that you can leverage to start determining where to spend time and proactively minimize risk.
—Lynne Bird, Microsoft
As Lynne notes, with nascent programs, metrics are often manually generated, which is time-consuming; they are often incomplete and, as a result, have limited value. The next step in privacy program maturity would be to have centralized metrics automated and delivered in an actionable manner. “The ultimate goal is…to be able to reflect privacy health and risk data.”
But you must start somewhere, notes Antonipillai. “There is nothing wrong with starting with a manual collection of the data and manual production of the reporting because it gives you some baseline understanding of what it is you need to report on and the insights that matter to you as an organization.”
And indeed, as sophisticated as Lynne’s PraaS approach is, she readily acknowledges that “like most privacy programs we’re constantly evolving and every piece of work or project that we undertake, we ask the question: is it going to move us closer to a PraaS model?”
And this speaks to another very important aspect of deciding with data: developing metrics that help you measure the success of your company’s privacy program.
Privacy is a journey. A journey that often begins as basic compliance, but increasingly strives to become an enhancement to brand and improved customer relationships. Even more profitable ones. The journey is governed by both external influences (e.g., regulatory compliance, market, and customer preference) and internal factors (e.g., resources, expertise, and operational capacity). Knowing where to target your efforts, stay the course, and mitigate the risk of program failure also cannot be a function of “my gut says.”
Applying a governance framework to your privacy management program to keep it focused and successfully moving toward your ultimate goals is incredibly useful in this regard.
As the Data Governance Institute notes, “Frameworks help us organize how we think and communicate about complicated or ambiguous concepts,” and the “DGI Data Governance Framework” was designed among other things to help achieve clarity, ensure value from efforts, maintain scope and focus, and define measurable success. Useful in any undertaking.
The ultimate goal as noted by Uber’s Zefo is to “make it simple, elegant, efficient, and not overly invasive.”
The Keys to Unlocking Privacy at Scale?
- Identify your real customer. Who is it that is responsible for delivering compliance to the organization?
- Speak that customer’s language. And listen to them. Understand the challenges they are facing delivering compliance and create a positive and iterative feedback loop.
- Leverage existing tools, processes, and programs. Especially your customer’s tools and processes.
- Consider the makeup of your privacy team. Are there those who can arbitrate between those that live daily in privacy and those that must deliver against the requirements? (See key #2)
- Use data to determine where you have real risk (both programmatically and in terms of data privacy). Focus on the real problem.
- Allow that your privacy program will evolve. Establish basic competencies and map growth from there.