Product and engineering working together

June 30, 2023

How to build a privacy program privacy & eng can love
The success of any privacy program depends on the degree to which you’ve aligned with the business on priorities and risk, your organization’s willingness to adopt that program, and how seamlessly you roll out the program to stakeholders. In a recent TerraTrue webinar, "Building a privacy program product and engineering can love," OpenAp General Counsel and CPO Andy Dale chatted with TerraTrue Head of Privacy Anthony Prestia about how to do just that.

In this post, we’ll cover how to get C-suite buy-in, how to get the visibility you need into data flows at your company, and how to successfully roll out your program to hesitant teams.

Convincing the business privacy is a priority

Before you can get the stakeholders at your organization to buy into what you need them to do for privacy’s sake, there has to be some endorsement from the top. Depending on your business and your risks, the business may already prioritize privacy. But for many, that’s not the case, so it’s on you, the privacy person, to convince the business that privacy’s not just a compliance function; it’s critical to your bottom-line success.

So how do you frame privacy in that way when you talk to your leadership?

Andy Dale, general counsel and CPO at OpenAp, said it depends on whether you’re in the B2B or the B2C space.

B2B vs. B2C

“When you're at a large public business-to-consumer company, like when I was at Ameritrade, our approach is very different than it is when you're in a business-to-business SaaS company, for example, and you're really focused on sales and growth in a different way,” Dale said. “From the business-to-customer business lens, we were focused on being obsessed with the customer, and what does the customer expect when they transact with TD Ameritrade?

What kind of things do they care about? What do people think about? What is the regulatory environment going to be? What are our competitors going to do?”

In the B2B context, however, Dale would focus elsewhere in talking to leadership. Velocity, for example.

“How quickly can a good privacy program cruise us through an enterprise sales cycle?” he said.

“Those things that really move the needle with a leadership team: speed to revenue, speed to closing deals, speed through due diligence in a funding round. I think you're really kind of working to shape the tool for the job specifically.”

Anthony Prestia, head of privacy at TerraTrue, agreed it differs depending on whether you’re a B2B or a B2C company.

“In the B2B context, having a good privacy and security program is just table stakes to getting deals done these days,” he said. “You're out of the conversation and can lose deals or have them move very slowly if you don't have something in place.”

Working with product and eng to get the visibility you need

Historically, privacy has had trouble getting the visibility it needs to do its job well. That’s partly because stakeholders have been hesitant to share plans, given privacy’s legacy reputation as the place where GTM plans slow down or, in some cases, come to a screeching halt. That’s changing now as companies recognize that privacy has to be involved from the very ideation stage of product development. But at most organizations, there’s still work to be done before privacy gets invited to the table that early, so it takes a bit of strategy to get the visibility you need.

Prestia advises privacy leads to build privacy champions throughout the business to ensure you have allies who can act as eyes and ears when you’re not in the room, and who feel empowered to issue-spot because they understand what privacy’s about.

Dale said at larger companies, he’s recruited champions by scheduling quarterly meetings at the leadership level.

“I pitched it as sort of a requirement of the law, when maybe it was or wasn't,” he said. “But you just kind of say it's required that we have these meetings once a quarter to go over our key privacy initiatives. I think probably you can read into multiple laws that some sort of strategic management like that is required. I would look at it as part and parcel of your risk assessment. It can be loose. Allow different teams to talk about the top things that they're working on. It's a little messy. We all know meetings like that can swirl and people can go off on tangents. But the truth is that's how forming privacy champions is messy. It's not like a very easy project with multiple goalposts and then the project is done. It's just not like that.”

Prestia said, first, focus on education. And that doesn’t mean you should summarize the GDPR for them. Rather than trying to make allies experts on every privacy law, talk to your stakeholders about what you’re doing: What does our process look like? What do our customers expect from us? What are our risks? How do our baseline rules and policies map to those risks?

“But also I like to think of the education piece as a two-way street. So you're not just teaching about privacy, but you are also setting up time to meet with key stakeholders in sales, in product, whatever it may be, to learn about what motivates them day to day,” Prestia said. “And a lot of them, oftentimes, are excited to talk about what they're working on – especially engineering teams, who maybe are working on cool problems all the time and want to share that work with you. And I think getting that understanding helps you do your job better, but also builds some relationship and credibility back with the business that you can leverage later.”

Build your relationship with product & eng by showing up and being curious

A major reason folks don’t disclose every product dream to privacy is the fear of getting hit with a bunch of compliance concerns before anything has a chance to get built. But the privacy function doesn’t have to be the place where teams can expect a simple “yes/no” answer. When privacy is involved early on in product planning and development, you become a strategic partner. You’re able to troubleshoot issues early and come up with solutions before it’s too late.

But that requires some relationship-building with product & eng. And you don’t want to scare them off. Instead, show up to their meetings and be curious about how they work, how they think, and how you can help them get where they want to go.

Ask them to help you understand the product

“I like to understand early on: How does my business go from ideation to implementation?” Prestia said. “What does that entire process look like?” From there, Prestia said he aims to identify two important answers. First: What is the earliest point in the process where something goes from a mere idea in a JIRA backlog to something you’re actually going to develop?

“And what that helps you do is flag issues very early on before they become intractable and you can't change them because you've already dumped a bunch of man-hours into building something,” he said.

When you understand when and where that happens, you open up your toolkit to go far beyond a simple yes/no at the end of a product lifecycle. You’re able to help the business be more strategic.

“You can really help people come to interesting solutions early on,” Prestia said. “But it also ensures you’re not wasting your time or the business’s time asking a lot of questions about something that’s really a pie-in-the-sky idea that no one’s ever actually going to build – or it’s going to come out three years from now.”

Identify the choke-points

Second, identify where the choke points exist. Are there spots where you can easily embed yourself? Where are teams already doing routine checks, such as a design review, where you can go to see the early designs or testing of a product?

“And you can be another voice to join the chorus and say, ‘Hey, this looks fully baked,’ or, ‘I think there’s more we need to do here.’ And you can provide real value back to them, but also see this product in action before it goes out to market.”

Meet them where they work

To build relationships within the organization, whether it be privacy champions or leadership or the like, you’ve got to show up. And while many of us work remotely these days, that doesn’t mean you can’t ask for an invite to engineering’s sprint planning meetings, for example.

“And I think your goal is not to be the star of the show,” Prestia said. “You may just sit in the background and kind of be a sponge and gather a bunch of information, but it's a really great opportunity to say, ‘Hey, look, privacy is here.’”

To do that, you’ve got to understand what tools folks are using. Is the organization tracking work in JIRA? Asana? Are they doing product specs in Confluence? Google docs?

“You want to have an account in all of those tools your business is using so you can hop in, even if it’s just an observer account,” Prestia said. “You want to be in those tools so you can take a first-hand look and provide feedback in the tools they work in, rather than force them to come out of their day-to-day process.”

Dale agreed it’s essential for privacy leads to get out of their proverbial seats and into the conversations where they’re happening.

“Don't take it over, but add value into that conversation. And you say it gently and say it nicely,” Dale said. “Once you have a conversation with product, and you actually make a product better, they will call you every single time.”

Use tech to help you scale

There’s no one-size-fits-all answer for choosing the right tool, and it’s likely that many of your teams are doing this work in spreadsheets, if at all. But if you’re raising funds and looking to get acquired, or you’re a larger company that processes a significant amount of consumer data, it’s a no-brainer to engage with some kind of tech stack.

To figure out what that stack looks like, there is a core group of people who will want to do that vetting together.

“I guarantee in the company there's a few people that want to vet any technology that's going to come into the company,” Dale said. “Every engineering team is going to have somebody that's going to want to know how something works, and why it does what it does, and how it's going to link up with your existing systems.”

And that’s an opportunity to gain a new privacy champion or two.

“Go to somebody on the engineering team who's going to be a good person to help work with you on the tech side of this,” Dale advised. “I've onboarded many technologies, and you don't get anywhere unless you have engineering in the conversation with you. And I think their voice should matter heavily in the selection of that tech because they ultimately know what it should do, but you can't do it alone.”

Prestia agreed that what kind of tech stack you need and when will vary based on your growth, and some companies choose to build their own tooling before they hit critical mass. But that can become problematic over time.

“I know when I was at Snap, that was something we did because there just wasn't much tooling out there at the time,” he said. “There are issues that come along with that, like ongoing maintenance of that tool. No one necessarily joins a company like Snap because they want to build internal privacy tools. They want to build a cool camera app, right? So you have to keep that in mind.”

But when your company grows to the point that it’s clear you need to scale up on tooling to keep pace with the business, Prestia agreed with Dale that you’ll want to bring in the stakeholders to evaluate what that tool will be.

“With a solution like TerraTrue’s, which is a SaaS product, we do pilots with companies all the time, and it's never just, ‘Hey, let the legal team poke around.’ Because doing privacy by design or security by design, all of these things really require deep collaboration,” he said. “You need to make sure whatever you're going to adopt is going to work for the PMs, and it’s going to work for the engineers that need to be involved. They have to be part of the evaluation process. There's no question on that.”

If you don't want the rep of a "blocker," don't be a blocker

Privacy’s long been thought of as the place where plans or product deployments slow down or even come to a screeching halt. But that’s because privacy hasn’t been prioritized enough or integrated with product & eng teams before the deployment phase. It’s not a foregone conclusion that privacy is a blocker; you just have to do it right.

Prestia said when he did privacy at Snap, his team of three would look at several thousand reviews per year for products or product changes. To keep pace with that, he said, they had to set up a strategic intake process and then triage everything right as it came in. From there, the team identified – early on – what could be the highest risk or the most visible, and made smart decisions on the front end about where they’d spend their time.

“If you’re waiting until the last minute, that’s when you become the blocker, and you don’t want to end up in that position if you don’t need to be, if you can have those conversations earlier on because you’ve done the triage.”

And that’s where today’s automation becomes valuable: It saves everyone time and money.

Block wisely

Dale said to win hearts and minds as a privacy function, you should use any blocking chips wisely.

“Make sure when you cash that chip in, that it’s worth it,” he said of calling for a full stop. “I think there really needs to be an articulated business reason. And I think all of us who’ve been in bigger companies have seen that go a different way; when people cash in chips for things to block that weren’t critical, and that just bites you later.”

Save those blocking chips for when you have a solid reason, such as a change that could cost the business millions of dollars or that is illegal. In addition, be sure to provide context around the “yes” or the “no.”

How to roll out your program with minimal groans

As mentioned earlier, you may not need to start from scratch when it’s time to roll out your program. You may be able to identify other areas where there’s already a rollout process in place that you can piggyback off of at first.

Nor do you need to roll out the program to the entire company in one fell swoop.

“There's a lot to be said for starting small and then expanding over time. Not doing the boil of the ocean and hitting people with every single potential concern that could come their way, but saying, ‘Hey, look, here are the big ones, right? Here's the stuff we're most concerned about. Here's the baseline information I want to get about every new product or feature coming down, so I can provide plain-English pragmatic feedback out of the gate.’ Versus hitting them with too much all at once.”

Dale said he’s in the process of doing this now. He said the challenge of how to effectively and seamlessly roll out your program will be on you “because the company just hasn't thought about it yet. Or they've thought about it, and they've thought about it from an engineering-centric point of view or an IT-centric point of view because that’s what the company needed at the time. But that’s before you, the privacy person, arrived.

“Every outside counsel will tell you, ‘Start with the data map.’ And I think that's mostly correct, but I think you have to amend that. Instead, start with a product map,” Dale said. “What does your thing do? It sounds silly, but spend time in the product figuring out exactly what it does and looking at the data flows. It's going to be really critical.”

From there, once you understand the product, its features, and the key privacy issues that overlay that mapping, start having key meetings about that data map with inside teams and outside counsel who study the product roadmap. Together, answer the question: What are we building in the future?

“That to me is the foundation,” Dale said, adding that you can forget about CCPA and GDPR for a moment and instead focus on where the business is trying to go with the product. “Then I take that data map and I start applying the law against it, and I get myself a really good outside privacy counsel, make sure I can afford the amount of time I want to spend with them. Doesn't need to be a lot, but you definitely need checks and balances in your thinking; you can't do it alone. We're in a very dynamic place with privacy law. We all know this. This isn't Sarbanes-Oxley, right? This is new. So I think you got to pick your partners.”

Befriend your CTO, big time

Speaking of partners, the CTO or the head of technology will be a critical connection for you. The person melding the tech and the strategy should be one of your closest relationships within the company.

Acknowledging you’ll also need to work with sales and marketing, among others, Dale said he’s learned that as CPO, it’s not the CEO or the co-founder that’s operating key business pillars.

“I really think it starts with the technology teams, and that's where I would dig in first,” Dale said.

From there, Dale said, he builds a checklist and identifies what needs to be done by which group for the end-state of a privacy program that meets the company’s goals.

You need not boil the ocean, mate

“It doesn't have to meet the goal of the GDPR. It needs to meet the goal of the company and follow along with the GDPR, and have those things woven into it,” he said.

Prestia agreed. He said the best route will be to align around business goals rather than starting with a piece of legislation and working backward.

“You want to start with what the business is trying to achieve, and then layer your expertise on top of that,” he said. “We see a huge difference in actual adoption of programs and efficient rollout when you have the buy-in from those leaders versus when you don't. And you're either trying to do a grassroots approach or you've got buy-in from an executive who's not actually doing day-to-day work managing the teams that are building product and tech.”

In addition, you can ease the pain points of program rollout by looking at what structures the business already has in place.

“There may be spots where you can insert yourself because there's already a security team doing application security reviews,” he said, for example. “Maybe your commercial counsel has a vendor review process in there. So you may want to look at peers and other functions that you can insert yourself into their process, or at least get a baseline understanding of what's happening there. Because one of the things you want to keep in mind is that while privacy is important, it is not the main goal of your PMs and your engineers. So you want to be as low friction as possible.”

For more on this topic, watch the webinar in full.