Privacy Operations in Practice: Practical Tips
I’m trying to be as proactive as possible rather than reactive. A cross-functional approach makes it possible for a small team to be proactive. For example, our dedicated customer experience team is a key stakeholder in our privacy operations. They’re the frontline of defense. The ones who are dealing with customers who may be raising privacy issues.
—Kelly Peterson Miranda, Grindr
Whether your company is small or large, and whether it is well into its privacy journey or just setting out, putting privacy into practice presents complex and shifting technical and cultural challenges. Those challenges are made more demanding by the additional state regulations, with significant implications for consent, advertising, and notice, that are rapidly approaching.
To offer practical guidance, Grindr’s director of global business and regulatory affairs, Kelly Peterson Miranda, and Melanie Ensign, CEO & Founder of Discernible sat down with WireWheel’s senior engagement manager, Sheridan Clemens, at this year’s Summer Spokes Conference to discuss Privacy Operations in Practice.
A cross-functional approach to privacy operations
“Grindr has a dedicated privacy team led by our Chief Privacy Officer (CPO),” says Miranda. She sits in legal and advises the privacy team in its interactions with regulators. “But I am also focused on creating a proactive strategy for handling upcoming compliance obligations.” Grindr is a small company of about 160 people, so privacy is decidedly a cross-functional effort.
Using a cross-functional approach to implement privacy in practice makes it possible for a small team to be proactive. “For example, we have a dedicated customer experience team,” she says. “They’re the frontline of defense. The ones who are dealing with customers who may be raising privacy issues.”
We’re seeing even those companies that have dedicated privacy engineers putting a lot more resources into teaching and evangelizing so that everybody becomes a privacy engineer in some regard. Even if it’s not in your title you are working on a privacy project. You’re thinking about privacy.
—Melanie Ensign, Discernible
“What we’ve seen at Discernible – we have traditional big tech clients that have very large privacy engineering teams, and clients doing things similar to what Grindr is doing, such as teaching privacy to software engineers, SRE engineers, infrastructure engineers, and the other technical folks that own and operate all of the systems on which we need to apply and deploy privacy controls.”
That said, “we’re seeing even those companies that have dedicated privacy engineers putting a lot more resources into teaching and evangelizing so that everybody becomes a privacy engineer in some regard,” says Ensign. “Even if it’s not in your title, you are working on a privacy project. You are thinking about privacy.”
Managing the tension between privacy engineering and privacy operations
We need to be realistic. That tension will probably always exist. There’s only so much bandwidth. You have the core products or services that you’re trying to deliver, and then you have the compliance obligations.
Oftentimes it comes down to people who sit outside of a legal, privacy, or compliance function who need to know, ‘What do we have to do? What are the black letter law requirements?’
—Kelly Peterson Miranda, Grindr
“The message we need to get across internally – and this is a long game – is that we are at a point, right now (especially domestically for those in the U.S.), where solely focusing on black letter law compliance obligations is only going to put you in debt for the long term: you’re always going to be playing catch-up and you’re always going to be playing a high-risk game.”
“You have to meet the engineers where they’re at and explain, yes, the law says X and my advice to you is that we need to do X+Y to enhance it because we are essentially future-proofing,” urges Miranda. “It will pay dividends in the long run. And we, as compliance professionals, have to do a better job of storytelling about the why behind the work we’re doing rather than simply stating, ‘it’s the law.’”
Organizational benefits of privacy operations
There is no company in the world that’s going to get credit for just operating at the legal minimum. You do not build a reputation and you do not build benefit of the doubt by constantly hitting bare minimum.
—Melanie Ensign, Discernible
“And privacy is not solely a legal decision,” continues Ensign. “There’s other types of risk that are involved, and sometimes, those other types of risk may be more compelling to the business than the legal risk.”
“In a communications role, I’m spending all day worrying about reputation and public perception. Prior to founding Discernible, I was leading security, privacy, and engineering communications at Uber, where we viewed legal requirements as the floor, not the ceiling.”
“You need to bring your cross-functional partners together to talk about the different types of risks that exist and what future proofing looks like for the organization,” suggests Ensign. “Then you can go to the business and say, ‘Here is the legal risk. Here’s the reputation risk. The financial, market, and competitive risks.'”
“But nobody wants to be at a disadvantage, and it seems everybody’s waiting around not advancing privacy because they worry if they’re not exploiting people on the marketing side, their competitors still are,” observes Ensign.
Approaching risk cross-functionally, you can go to leadership “with a 360-degree view of the risk and present recommendations to protect the business for the long term. And Kelly’s a hundred percent right. It’s about the long game and not giving the business whiplash every six months when a new privacy law comes into effect.” And as Miranda points out, “reputational risk can speak loudest to the business and especially to the C-Suite.”
“Everyone in the world sends a message to their customers saying, ‘we take privacy seriously,’” continues Miranda, “so you need to double check with your comms and marketing team about what statements were made in the past and whether the move we’re getting ready to make is antithetical to that. If it is, your competitors will call you out on it.”
“The question is not just are we breaking any laws, but also, are we breaking customer trust?”
“The other function that I recommend that folks check in with is your sales teams,” suggests Ensign, “which also provides an opportunity to communicate how privacy investments are directly impacting the bottom line.”
Getting budget and scaling up
With CPRA going into effect in mere months, and Colorado and Virginia following, privacy teams will need both budget and scale to cope. Doing this, particularly in resource-constrained environments, can be difficult. So what is the approach?
Teach existing functions how to improve their own workflows rather than trying to build a separate privacy silo that’s not part of anybody else’s existing performance reviews or performance ladder.
—Melanie Ensign, Discernible
“If you’re on a small team, don’t try to create everything from scratch,” continues Ensign. “In my experience, investment in time and energy is better spent building relationships.” Get support from engineering, marketing, operations, et al. “You’ll get more bang for your buck. When you’re small, you can’t do it by yourself. And when you’re big, you’re just wasting resources.”
Technology is a critical factor as well. “Less reliance on manual processes, and more reliance on automation, that’s either built in house or through a third party is key,” stresses Miranda. “If you’re manually fulfilling your compliance obligations, that’s good intentions, not best practice. Process and tools are the way to scale your privacy operations. Understand the tipping point of when a centralized privacy function may not work anymore.”
Measuring privacy compliance success
We’re seeing a push towards transparency overall: how compliance obligations help support the bottom line, and the view of privacy as an asset to, rather than a deficit in, doing business.
—Kelly Peterson Miranda, Grindr
There are numerous metrics related to meeting legal requirements: the number of data subject access requests (DSARs) or deletion requests being processed, and the timeliness of the response. How many high-risk processing activities are undertaken, and for which of them you’ve put sufficient controls in place. The number of DPAs. How many privacy incidents there are, and their time to resolution.
Beyond that, Miranda notes, there are myriad additional and equally important metrics, such as training: how much, when, and what kind of training are you offering? The number and value of deals privacy helps to close, and DSO rates? Is there a positive impact on reputation?
Metrics are going to mean different things to different companies, depending on the context. DSAR spikes are a negative thing if you are going through a crisis [like a cyber breach]. But being able to respond quickly [and effectively] is a win you may want to communicate publicly.
—Kelly Peterson Miranda, Grindr
Importantly, “when you’re dealing with consent, you need to look at it as a measure of the trustworthiness of your company,” says Miranda. “I think you also need to look at, for example, the consent rates for different things, or perhaps help articles related to privacy: how many views are you getting?”
“Tell a total story: the wide breadth of things that a privacy function can actually do.” Some of it will be shared with the C-suite, some company wide. “But also look for stories to tell publicly with metrics that help engender trust.”
“We’re seeing a shift to where customers are demanding more information about privacy and security as they evaluate whether they’re going to do business with an entity,” says Miranda. “This means marketing and sales need to know more so they have the privacy fluency needed to close the deal.”
In short, privacy needs to be a compelling story internally (told in the context of what is important to your partners in sales, marketing, engineering, government affairs, the C-suite) and externally to customers and regulators.
Compelling stories need good storytellers.