Engineering Privacy at Scale
The nature of privacy and what it means for businesses, consumers, and regulators, vary across organizations, industries, consumer segments, and jurisdictions. Even within a single organization, the conception of privacy (and its perceived impact) will differ from CISO to CPO, from GC to CMO, who have not yet acquired a common language of privacy with which to communicate.
The technology required to achieve a business’ vision of privacy too is in flux, as demand for comprehensive solutions that can support everything from data mapping, consent management, DSARs and DPIAs, to effective KPI reporting and board-level dashboards evolve. The demand is evinced by the number of data privacy technology firms, the continued emergence of new entrants, and the acquisitions, mergers, and partnerships taking place to meet growing demand.
Much of this flux is driven by the many organizations (large and small) that seek to move beyond basic compliance to privacy as a strategy. Privacy as a business value-add that not only elevates brand but very directly, impacts top-line revenue.
The challenges to the maturation process and associated technology needed to affect privacy-as-strategy were discussed during the June Spokes Privacy Conference session, Engineering Privacy at Scale. Joining WireWheel Chief Solutions Architect Chris Getner and VP of Product Management, Ylang Nguyen, were Jules Polonetsky, CEO of the Future of Privacy Forum, and FordDirect GC & CCO, Beth Hill.
Navigating Privacy from Compliance-Focus to Business Outcomes
I think that there are so many challenges that we face…[but] they can be opportunities too. And I was very excited when I first met WireWheel and talked to other privacy tech providers because it means we are reaching a different phase of the evolution of this topic. One that will help us get to a more strategic place.
—Beth Hill, FordDirect
Putting aside the ongoing interpretative legal questions, Hill calls out three key challenges facing organizations today:
- With the discontinuance of the third-party cookies, how does the organization accomplish what is used to do by means of those cookies?
- Achieving an affordable way to maintain an understanding of all data assets across the data lifecycle: from acquisition to enrichment, intelligence, and insight, to use-sharing, and disposition.
- The evolution of consent management: Making sure the organization has defensible rights to use data in the ways firms need to, want to, and customers want.
These challenges certainly echo what WireWheel hears in the marketplace. And Nguyen asks that product manager’s go-to probing question: “If you could wave a magic wand and define what sort of technology could exist to help you, what would that look like?”
Hill’s wish list is not unexpected: automating and standardizing reporting and metrics in a way that elevates it to a strategic level and supports senior leadership decision making, “instead of just compliance-based reporting (like tasks that have to be done, based on a statute or a regulation.”
The CPO Transition from ‘Cost Burden’ to ‘Value-Add:’
We’re law, policy, and think tank people who spend significant time speaking with CPOs at dozens of companies including just about every leading company providing technology. And what we saw was really the development of a privacy stack moving from ‘I need a tool to do X,’ to ‘I need a platform that helps me with the complexity of risk management.’
—Jules Polonetsky, Future of Privacy Forum
“We were starting to see what I call a “third stack,’” says Jules. “We saw, at an increasing number of companies, the senior privacy executive saying, ‘If I’m going to be relevant, I can’t simply be the person dealing with risk minutiae.’”
In short – very much as has been the recent trajectory of legal departments more broadly – senior privacy executives want to position themselves “not just as a kind of legal burden that you have to pay for,” but rather as “supporting business outcomes…supporting customization, supporting research…supporting analytics.”
And as Jules rightly points out, this will require having “all the tools needed to ensure [data] availability, ensure consent, and ensure risk is handled appropriately.”
This transformation requires moving beyond the task-based accounting that preoccupies compliance-focused programs (e.g., number of DSAR requests received and satisfied, number of DPIAs completed) and developing privacy metrics and KPIs that not only work as indicators of successes (trailing indicators), but also enable strategic evaluations (leading indicators).
What KPIs you choose are critically important.
My magic wand would be more coalescing around the KPIs that drive things. Because as we automate processes, we can increase standardization, and then know that we’re helping to drive business outcomes: that the KPIs in privacy are aligned with KPIs in the business.
Having the industry coalesce on how you measure privacy team success, and how you transfer that to the business would be really powerful stuff.
—Chris Getner, WireWheel
Jules notes that in his many conversations with privacy leaders “folks just wanted to talk about privacy metrics. Everybody isn’t clear on how to measure themselves…No one feels like they are truly measuring how well the department is doing, or importantly [being able to] report to senior management how well the company is positioned.”
That’s the challenge for the privacy tech industry. How can technology help quantify those things that we have to do…and also elevate [critical metrics] so that you’re really good at privacy. So that it shows up in your ESG score, shows up in your ethics program, and your brand promise….Using the same metrics, the same language, and the same taxonomy…How do you do that?”
—Beth Hill, FordDirect
Settling on a common language is a challenge that becomes increasingly complex when multiple stakeholders are involved. The CISO, CPO, CTO, GC, CMO, and other stakeholders, all speak different languages replete with their own terms of art and arcana. That different vendors will use the same terms to describe offerings that are not synonymous in scope or capability – not atypical of new and evolving technologies and services – adds to the polysemic confusion.
As Nguyen has experienced firsthand: “When we speak to different groups there’s this idea that there’s just a mismatch in terminology. The understanding of what a privacy professional might say, compared to what is actually being asked for from the technical or an engineering side.”
Getner sees this communication gap as particularly acute between privacy experts and data experts:
There’s an abstraction layer in how we talk about data that’s somewhere between broad categories of data and records in a table.
In general, privacy doesn’t edict rules based upon fields and databases. Privacy says this type of data needs to be treated this way. You need consent for this type of data, and that normally has some kind of relationship to detailed data, but there’s a lot of noise in that, and that’s a challenge that everybody has right now.
Another magic wand? if you could quickly go into a company and help them understand the right level of abstraction to think about data for their use cases, you could speed decisions, but still have the right level of focus.
—Chris Getner, WireWheel
This burden falls on privacy professionals. Not only to educate non-privacy stakeholders but to become comfortable with the stakeholders’ vocabulary as well. Particularly, if privacy leadership wants to be, as Polonetsky put it, “relevant.”
Bridging the Gaps
To bridge these competency silos, Polonetsky encourages his staff to go to fewer privacy conferences in favor of attending more business, technology, and data-related events. Ditto expanding reading and research to include these contingent areas, increase relevant knowledge, and ultimately efficacy.
He notes that the “senior executive suite deeply understands the business and the data flows,” and importantly, senior privacy people have a unique awareness of what can or can’t be done, and where the trends are…from a legal point of view [and] a technical point of view.”
In short, privacy experts not only bring unique expertise to the table but knowledge that is becoming increasingly salient to the core competencies of other key stakeholders. So, while privacy does indeed deserve pride of place, achieving “relevance” will require privacy professionals to deftly communicate across what are still siloed concerns. Technology alone will not suffice. “My argument is,” says Jules, “you have to really know, enjoy, and care about the way your sector uses the information so that you can actually give strategic advice.
It’s the right advice. Get out into the business stop talking to other lawyers. Even just for legal. Our job is to support and enable the business to achieve its goals. We are a strategic business unit that helps the business be successful.
A lot of companies have privacy champions [including FordDirect] and we are formalizing it to people from every different area of the business (both operational roles and support roles). We are giving them extra training and having them act as designee for different initiatives…To give that ownership to the whole business because it’s not just a legal thing, it’s not just an IT thing, it’s a business thing.
—Beth Hill, FordDirect
Privacy really is a “business thing.” And, as the recently issued Future of Privacy Forum report, Privacy Tech’s Third Generation, details, “privacy tech offerings are expanding well beyond products and services that assist in regulatory compliance into products and services that assist businesses in making the personal data they encounter both maximally available and maximally valuable for business services” (FPF et al., 2021, emphasis added).
As the FPF report highlights, and the expert discussion Engineering Privacy at Scale at the Spokes Privacy Conference confirms, central challenges to fully exploiting this “third wave” of privacy tech center on establishing a common understanding of privacy (at the “abstraction layer”) and developing agreed taxonomies and topographies for privacy tech.
Again, this is not unique to privacy management and technology. While as an industry, it is still by all measures nascent, it is a practice that leverages some well-tested principles, concepts, and technologies. And the fundamentals still apply. As Hill rightly puts it, essentially, this is “nothing new. Companies have been doing it for a long time. And you just can’t give up, you have to continue to have those strategic conversations.”