Rise of the Privacy Operations Leader
In the early years of privacy legislation, the focus was on legal interpretation and high-level understanding. What do the principles mean? How do you reconcile the European-style data protection regime, the US, and others? Naturally, the general counsel’s office and executive leadership – the C Suite – was the locus of corporate response.
Today, privacy has moved out from legal and into the broader organization. As data privacy and protection concern all facets of the business – marketing, sales, product development, data governance, et al. – they require programmatic design, implementation, and control. That takes more than legal expertise. It also requires operational expertise.
We look to a framework to understand how we can take all of these obligations and boil them down to something we can pragmatically implement within our organization. A framework not only distills these obligations into more usable concepts; it also scales with your organization.
WireWheel CEO Justin Antonipillai moderated a panel to discuss the challenges of operational privacy, and the resultant rise of the privacy operations leaders. The panelists are Lisa Barksdale, Zillow Group Director of Privacy, Katie Pimentel, Yahoo Assistant General Counsel, Global Privacy, and Tara Jones, Yahoo Legal Services Manager, Global Privacy.
Privacy Operations Fundamentals
Of course, you need to understand what privacy laws mean, “but the business really wants to know how it’s going to impact them. And there are fundamental things you absolutely need to do right,” says Zillow’s Barksdale. First, you need to perform a gap analysis in each area of the business to understand what you are dealing with, know the key players, and then develop a framework to help identify those things that require focus.
- Privacy Notice Management: make sure your notices are comprehensive and make sense. If you have “50 different notices, that’s really hard to operationalize and make sense of, so you want to drill down on that,” suggests Lisa.
- Regulatory Initiatives: As more regulations come into effect domestically and globally, this needs to be managed.
- Reporting: “I love reporting,” enthuses Barksdale. “It shows what we’re doing, how we’re doing it, and how we’re performing against requirements.” It also provides insight to senior leadership.
- Risks and Controls: A comprehensive monitoring and testing program is paramount to ensure your businesses are adhering to your policies and procedures.
- Meetings and Forums are vital to excavating and understanding any issues you may have.
- Devise an overall governance routine to guide action.
- Purpose Limitation
As Antonipillai notes, for those just starting out, the Fair Information Practice Principles (the core of the Privacy Act of 1974) provide a framework that is widely accepted and that is emulated in many states’ laws as well as internationally.
Okay, so how do you really operationalize that?
“I do get questions like, ‘okay, it all makes sense, but how do we really operationalize this? Who are the people? How do we organize?’” says Lisa. At Zillow, the core privacy operations leadership comprises:
- The Program Manager
- The Business Line Relationship Manager
- Privacy Legal
- The Data Manager
- The Monitoring and Testing Manager
- Privacy Champions
The Privacy Manager aligns with the CPO and acts as the lead program manager (PM) covering all elements across the program. “They may have some subject matter expertise in certain things, but they are responsible for getting things over the line.”
The Business Relationship Manager is responsible for developing and creating the privacy impact assessments (PIAs) and working with various committees.
Privacy Legal, of course, creates the standards within the organization, tracking the evolving regulatory landscape, interpreting the regulations, and translating how that impacts the businesses.
The Data Manager, working closely with data governance, covers the creation and implementation of records of processing activities (ROPA) and tools, and manages data mapping and inventory obligations.
The Monitoring and Testing Manager identifies and documents the controls and processes to ensure adherence to the privacy policies applicable to the individual businesses.
One of the things that is a challenge for a lot of privacy programs is headcount… We created privacy champions, who sit in the business and operate as liaisons between the business and the privacy office.
They are the subject matter experts of their business. And we have invested in educating them and training them on privacy and how it impacts their areas.
How do you know it’s all working?
The answer to this question speaks to the importance of developing a comprehensive framework including testing and controls. As WireWheel works with both small businesses and large multinationals, Antonipillai is seeing more and more companies starting to audit (internally or with external help) much like audits and certifications have been used in finance (e.g., SOC with SOC Type 1 and Type 2 audits) and data security (using the NIST framework as Katie, Tara, and Lisa discussed with us here).
Getting a pulse on your program after you stood it up is probably as critical as standing up the program.
You put all these processes in place, set up all these resources, and you think all right, I’ve got everything covered. But nobody’s adopted the PIA – you have them trickling in. Groups are failing their monitoring and testing. The controls aren’t working.
“You can either get an external company to come in and do a health diagnostic on your program or you work closely with internal audit,” offers Barksdale. “In either case, it’s important to get that health diagnostic.”
“When you start to dig into ROPAs and developing controls,” cautions Katie, “I would highly recommend doing these under privilege. When you start lifting up rocks within your organization you don’t always know what’s going to be underneath. [You may] uncover some things that you probably won’t want to be discoverable.”
It’s why reporting is so critical. “You want to look at your metrics and ensure that they make sense. And if they don’t, dive in there and figure out why. You would hate for the regulators to come in and let you know it’s not working before you identify that yourself.”
For privacy governance programs, the big-picture benefit is scalability, repeatability, and testability. Well, how do you make that work? Developing controls.
Drafting and implementing controls is critical to ensuring that you can understand what the program is doing and where the gaps are. That’s the only way your program is truly going to be testable, and without testability you can’t (with a straight face) go to a regulator and say, “Sure, my program’s working… all the processes are being followed.”
In addition to controls, says Katie, critical to a privacy governance program is understanding your data. And “records of processing assessments (ROPAs) to really understand the who, what, why, where, and how, of your information processing is going to help you understand if there are areas of non-compliance or high risk.”
Launching the Program
This may seem overwhelming to smaller organizations without the infrastructure and resources of Yahoo or Zillow, but the same fundamental principles apply at any scale. As Yahoo’s Tara Jones notes, “even in a multibillion-dollar company, we still started at the grassroots with spreadsheets.”
Over the course of a year, Tara and her team were able to present a business case to the executive committee to justify acquiring privacy technology to support their efforts and chose WireWheel. “When we began working with WireWheel to tackle this project we ended up needing more than 1200 assessments for our business,” says Tara.
When that data begins to filter in, we then have to figure out… for what purpose are we analyzing it, how are we going to analyze it, what tools are we going to use for that analysis. You need a plan in place to determine what is going to happen with this data. How are you going to analyze it? What are you going to report on?
That is very easily overwhelming because there is so much data.
Of course, not everything fits in a neat box. As Tara points out, there will be exceptions, and it is critical to develop an exception-handling process as well: “Is there going to be an exception process? Who’s going to be in charge of the exceptions? Who’s going to have to approve or deny? If it’s denied, who’s going to work with the business to make sure that we’re able to still do business?”
As Katie opines, “this is another area where, again, the framework just really became critical for us.”
Ultimately, it is not a one-size-fits-all affair. The implementations, workflows, and how privacy operations are organized will be unique to each organization and its data profile. However, the underlying principles, such as those outlined in the Fair Information Practice Principles, are a common feature.
This is why employing a framework is so valuable. A framework provides the overall structure that ensures you are adhering to privacy best practices, while leaving the flexibility to build the specific policies and procedures that best suit your business. The alternative is an ad hoc approach, which is difficult (more likely impossible) to manage, control, or scale effectively.
- Complete a Risk and Gap analysis
- Prioritize the privacy issues and risks of the business
- Document your privacy principles
- Establish an operational framework
- Develop metrics and reporting
- Know your business controls environment
- Identify & leverage key stakeholders in the business
- Be prepared to quickly manage risks identified through ROPA data