For those who missed Transcend’s end-of-year breakfast with Francella Ochillo and Michelle Denndey last year, the goal of these conversations is to end the year on an optimistic note and to get our minds firing on 2022 initiatives. The discussions typically include perspectives from different teams or disciplines that can help us all do our best work on privacy.
This year, multi-disciplinary privacy experts Whitney Merrill from Asana and Nishant Bhajaria from Uber joined Transcend CEO Ben Brook and myself for a discussion on the partnership between privacy engineering and privacy legal/compliance. I was eager to ask all three of them about where they observed progress in cross-functional privacy collaboration over the past year and where we need to focus similar efforts in the future.
When planning this event with Ben and Transcend, I purposefully asked Whitney and Nishant to join because of their experience leading cross-functional privacy initiatives. As the Data Protection Officer and Privacy Counsel at Asana, Whitney Merrill leads the company’s privacy program whose remit extends beyond legal requirements. She also earned a master’s degree in Computer Science and her JD from the University of Illinois in Urbana-Champaign where she explored issues associated with the intersection of technology, information security, privacy, and the law.
Nishant Bhajaria is the global lead for privacy engineering and governance at Uber. I had the pleasure of working closely with Nishant during my tenure at Uber and saw firsthand how he successfully led technical privacy projects from start through launch to sustainable operations. At Uber, the privacy engineering, product, and privacy legal teams all report into different organizations and executives. Yet, individuals from each team come together to work on shared outcomes in service of privacy. Working with Nishant on these projects was a master class in herding cats and gaining influence.
It’s definitely worth watching the entire discussion for detailed examples and advice from the panelists, but I’ve summarized some of my favorite moments below.
Privacy is cross-functional
If you’ve been working on privacy issues for more than a few years, you might remember when this work was almost exclusively the realm of lawyers and compliance departments. However, a lot has changed since then and I asked the panelists to help us understand why.
What is driving engineers, product developers, lawyers, and other disciplines to find each other on the journey of privacy?
Nishant - The same processes that were adopted for fast development and innovation, e.g. agile and scrums, can also lead to serious security and privacy concerns. So, we need to find a balance where there isn’t so much process that we smother the engineers, but still have enough process to avoid crazy security and privacy issues. We’re all trying to figure out how to get everyone in the same room, the same page, or at least the same book to make sure we don’t damage trust with customers.
Ben - Personal data is now regulated in a way that requires that a lot of new operations be performed on all data across an organization. Historically, a lot of privacy work was focused on privacy policies and disclosures, making sure they aligned with what the organization was actually doing. Modern data privacy laws require that all personal data — which organizations have been collecting for decades and storing in thousands of different data stores — must be deletable and comply with consent rules. There is a lot more complexity.
Whitney - Ben alluded to this, but the expansion of the legal definition of “personal data” is key. Previously, we thought about it as “PII” and specific pieces of data, and now we’re looking at potentially everything you have that can be connected back to somebody. That means that as a privacy professional, you’re working with every team across the company. We’re working cross-functionally across the legal organization and engineering, but also IT, the people team (HR), etc. It has to be cross-functional because, as a lawyer, if you don’t understand the “how” and the “why” about the use of data at your company, you’re giving legal advice in a vacuum.
What I heard each of these individuals express during our discussion was that not only are regulations forcing a cross-functional approach by mandating new operations, which are inherently multidisciplinary, but there is also an appetite among privacy professionals to improve the maturity and sophistication of their own profession.
2021 privacy wins
I then asked the panelists to share some specific examples of what a cross-functional win looks like, specifically areas where they personally saw progress during the past year. Privacy reviews were top of mind for all three of these experts.
Whitney - Traditionally, privacy reviews only happened at companies under FTC consent orders as a checkbox item for compliance when building new features or products. Now, as privacy work becomes more cross-functional across organizations, we’re seeing privacy reviews become more embedded and earlier in the product design process. Doing privacy reviews early on makes things easier and faster for engineers because you can give them high level requirements, expectations, and potential paths upfront. This also removes the resentment of privacy or legal coming in at the last minute of the development process saying, “You can’t do that.”
Nishant - When privacy reviews happen at the tail end of the development process, privacy advisors are often trapped between two hard choices. Do we let something go through that carries risk or do we stop it from shipping and earn the enmity of the engineers and company? Nobody wants to be in that position. At Uber, we created a privacy consulting model so engineers across the company can work with privacy engineers on their designs early on so we can catch privacy issues while ideas are still nascent. Concurrently, we let the privacy lawyers know what’s coming down the pike. We’ve noticed a couple of things since implementing this cross-functional approach. First, our PIA and PDIA processes are faster because lawyers aren’t caught off guard with gnarly problems at the last minute. Second, we’ve been able to identify engineering decision-making patterns that can lead to privacy issues and build tooling that can address them in very early stages of the process.
Ben - When your organization doesn’t have the level of specialization that we see at companies like Uber, it’s much harder to approach privacy with a cross-functional lens. So, we’re often giving power to the legal team to set up guardrails that engineers can work with. This brings the privacy review and control requirements to the very beginning of the software development lifecycle while giving engineers the infrastructure and greenfield they need to build.
I wasn’t surprised to hear that so much cross-functional attention has gone into the privacy review process, given that it is a big regulatory focus, but it was enlightening to hear the excitement and pride with which each expert recounted their experience working and building with different teams.
How to generate privacy wins in 2022
Finally, I asked Nishant, Whitney, and Ben how we can apply the lessons from herding cats in 2021 to other areas of privacy next year.
Nishant - Don’t assume engineers don’t have an interest in privacy. Give them a seat at the table because they’ll be making decisions every single day about how they code and how it’s deployed that will impact your privacy program. You’re better off educating and engaging with engineers early in the process. Don’t dismiss privacy as only a policy or legal matter.
Whitney - You can’t do it alone. We’d love to think that you can hire one privacy person to come solve GDPR, but you can’t do it alone. It is a company-wide, board-level problem, so ask for help. That may be, “I can’t do GDPR without engineering resources or a dedicated person from the marketing team.” Product managers are also key and we should be thinking about the features and tools within our own products and services that can help achieve privacy goals.
Ben - Start early and invest in your privacy processes. This is not going away and the fever pitch will only continue to increase. So, your processes need to be sustainable and shouldn’t be sitting on one person’s shoulders to be the wheelhouse for everything. Look for ways to put privacy deeper into your stack so you can build a scalable process that can support you for a long time as new privacy laws add more volume and complexity to your work.
Phew! OK, so find allies in engineering, ask for help, and start ASAP. I’ve seen each of these individuals achieve big privacy wins by following this advice and I’m adding my stamp of approval. 2022 has the potential to be another big year for privacy and I know that the more we embrace the collaborative nature of privacy work, the better off we’ll be in terms of workload and mental health, and meaningful privacy outcomes for customers and society.
Watch the full roundtable discussion here to learn even more about the cross-functional future of privacy from these amazing experts.