Privacy Operations in Practice

Of particular interest to me right now – in a program with an early level of maturity – is the challenge socializing privacy substantively among business counterparts who are engaging with the data more directly, as well as socialization of privacy at the leadership level where you need buy-in for expanding the budget or collaborating with other business units.

– Nada Bseikri,
Apple Bank Vice President and Senior Counsel (Privacy)

Irrespective of company size or a privacy program maturity level, operational challenges present themselves on a near-daily basis. This is hardly surprising given the organizational and process complexities of meeting even baseline compliance objectives in a constantly changing regulatory environment.

Not all the challenges are privacy-specific. Business fundamentals apply. Like project management; developing core principals and supporting frameworks; and of course, the need for buy-in from the C-Suite and across the organization. That said, as privacy operations expert at WireWheel, Virginia Bartlett notes “organizational cultures of companies are very different in the way they achieve projects and run programs.” Solving privacy operations challenges will not be a one-size-fits-all affair.

Importantly, says Rebecca Shore, VP and Chief Privacy Officer at Albertsons^® “How do we find a way to have a strategic position operationally so that you’re less reactive to every little change that pops up and you’re really thinking more proactively about the principles of privacy and how you operationalize them more uniformly.“

Shopify’s Associate Legal Counsel Regulatory Affairs and Enforcement, Rachelle Bastarache joined Bseikri and Shore at the Fall Spokes Privacy Technology Conference, to discuss these challenges and how their respective organizations address them. The session, Privacy Operations in Practice, was moderated by WireWheel’s Bartlett.

Partnership is more important than reporting structure

It’s interesting to see the strategy that organizations take. There’s rationales for all of these models and why they sit under certain umbrellas.

Part of the process and building out this program has been creating a bit of an identity; a bit of a presence.

– Nada Bseikri, Apple Bank

Reporting structures for privacy teams are varied. At Shopify, the regulatory affairs team, government affairs team and the litigation team all fall under the privacy umbrella. At Apple Bank, the privacy function reports up to the GC. At Albertsons, privacy sits within digital technology and innovation which is part of legal.

All note that throughout their privacy careers their reporting structures have varied: within risk management, legal, cybersecurity, and also as an independent function.

Bseikri notes that reporting structure notwithstanding, “We now have a standalone privacy policy, whereas previously, commitments and obligations we’re spread across different policies and areas.” And crucially, “governance, policymaking, and committee involvement across the bank have privacy subject matter expertise representation.”

What I have found really successful, is when I was in risk management, I had my legal partner that was hand-in-hand, side-by-side with everything that I did. When I was within legal, my cybersecurity team was hand-in-hand with everything I did.

It was really about the partnership. How I reported in didn’t necessarily impact the value that I provided to the organization. It was the partnerships that I was able to create throughout my tenure.

– Rebecca Shore, Albertsons

“I absolutely agree,” says Bseikri. “Partnership is more important than the organizational structure. And privacy advocates in your organization can come from unexpected places.”

What’s the glue? How do people stay engaged?

The joke in tech is compliance is this dirty word. You don’t want to be the one to bring up compliance because it’s seen as the nemesis of innovation. So how can we ensure that [privacy] principles are being taken into account in a way that feels inviting rather than closing off innovation.

– Rachelle Bastarache, Shopify

“What keeps people together?” asks Bartlett. What’s the glue? How do people stay engaged? How do you find the right people to be on teams?”

“There are two factors,” opines Shore. One is speaking to people as individuals and not necessarily within their role in the company. For example, ‘You have children. Have you put a security freeze on their social security number?’ Getting them excited about what it is to be in the privacy space.”

She goes on to note that it also helps identify champions. “There are people out there who love privacy and just haven’t been made aware of the fact that what they love is privacy….That you’re not just putting out technology but also advocating for their experience and how they feel about something.”

One of the things that is interesting about the privacy nerd rhetoric is even when I was in law school [in 2017], we weren’t really talking about privacy the way that we [are now]. And I do think that the narrative and telling the story get people excited about privacy. You’re on this new rocket ship that didn’t exist before and it’s this invitation to become a bit of a pioneer in this area.

At Shopify, that narrative happens every day. And it works.

– Rachelle Bastarache, Shopify

“Beginning from a place where each individual has their own privacy considerations – that humanization or that individualization – makes it much more approachable when you’re thinking about a customer base,” suggests Bseikri. Tying in the personal keeps people engaged. It’s not just a compliance activity.

She goes on to note that the personal connection is a great way to find those “unknown privacy advocates” in the business who will want to align with the privacy team on particular initiatives.

Operationalizing the privacy glue

I had just integrated an international operation through an acquisition into a large company that was very U.S.-centric until that point. I did a series of monthly video clips in multiple languages where folks from other countries talked about what privacy meant in their country and why the culture around it was different. That personalization really helped integrate the practice. Before that, it was “we’ll never make this work!”

– Virginia Bartlett, WireWheel

Shore offers that “meeting people where they are (such as slack channels)” is important. One of the biggest moments for me was when there was a major breach, and I wasn’t the first one to write about it [on the channel]. People were asking ‘what do I do?’ I was so excited by the fact that the conversation wasn’t just driven by the attorneys in the room.

Bseikri says to engage with folks throughout the bank, she launched a monthly newsletter. She is quick to add she knows it “sounds like something that shows up in your inbox and you click delete. But folks were really engaging with the content. We had recurring sections, such as the privacy concept of the month, and it resulted in a lot of communication. It helped to create a privacy framework as more than just a compliance exercise.”

“We have a Security and Privacy Awareness Week,” offers Bastarache, “where we have… it’s funny to say…but prizes for different things. People love prizes, it doesn’t matter what the prize is, if there is a chance to win something, we engage.

For example, submit a DSAR request to see what information we have about you and delete it, access it, whatever it is you want to do, but interact with the tools we’ve built. Interacting with nice, sleek tools always gets developers interested. It has been a good way for us to have people engage with privacy in a way they otherwise wouldn’t have.

– Rachelle Bastarache, Shopify.

When key people, and their knowledge, leave

Privacy is a booming industry and privacy professionals are in high demand. This results in high turnover. While this is not a unique phenomenon to privacy, it is particularly vexing and disruptive to a nascent program when knowledge walks out the door.

The solution? “It’s really making sure that you’re building out a program, being strategic, and documenting that program so there’s a clear understanding of what was done,” says Shore. “It’s maintaining the mindset that I may not be here in a year.”

I’ve been on the other side of it, picking up the pieces when someone does leave. The number one thing the last few years has taught me is that continuation from the company perspective is crucial.”

Last week my boss, the CEO, left for a new role. What made it manageable was that the strategy was clear. We had been really involved hand-in-hand. So when I inherited the balance of the program portfolio, it wasn’t foreign to me.

Avoiding silos so that people remain informed will set you up for more success when somebody does leave.

– Nada Bseikri, Apple Bank

Key Takeaways

“Be strategic,” says Shore. “That’s going to provide the biggest benefit to how you move forward, identify relationships, and focus on trust. Build out your strategy, your playbook, and define who you want to be as a program and what message you’re sending out.

For Bseikri, it’s the value of socializing privacy. “It’s very easy to underestimate the value of socializing privacy to shift culture,” she says. Both at the business unit level and at the leadership-level.

“Don’t take for granted that everyone has the same investment in privacy outcomes.”

“Build your narrative,” says Bastarache. “Having people engage with the narrative of trust rather than compliance has worked wonders for us at Shopify.”

Watch the entire SPOKES session here.