
February 9, 2023

How to future-proof your privacy program, part 3: Leverage technology to maintain your sanity


In this series, we’re talking about how to future-proof your privacy program. ‘Cuz let’s be honest: Isn’t that the hardest part? On a recent IAPP webinar, TerraTrue COO Chris Handman, TerraTrue Director of Content Strategy Angelique Carson, and Uber CPO Ruby Zefo discussed how to do just that. Prefer consuming your how-to news on video? No problem. Catch the full conversation here.

For context, here are parts one and two.


When TerraTrue COO Chris Handman went to work as Snap’s GC, and with it, inherited an FTC consent decree, he didn’t have today’s tech tools at his disposal. Had he, things would have been different. Still difficult, but not in the ways organizations struggled to document themselves back then. But it was only 2014, and all that happened in Google Sheets. To be clear: Many, many, sheets.

Uber CPO Ruby Zefo had a similar experience. Or two.

“I think every program starts out manually,” she said. “Back in the day, everybody did their PIAs manually. There weren't even a lot of vendors around. You're trying to put some document together in whatever word processing or other suite of tools that you have.”

Aye, those are yesterday’s realities. Today’s tech tools will help you amplify what you’ve got, and provide a stop-gap to fill a hiring freeze or budget shortfall. There’s no avoiding the quintessential truth that the larger an organization grows, the more essential technology becomes. Plus, let’s be honest: It’s 2023! If you’re still trying to do compliance without tooling, you’re playing a losing game. And unless you’re at well-resourced organizations like Uber or Snapchat, you're still grossly outnumbered by product teams and engineering teams.

But you know that.

Thank God, that’s no longer the case. Zefo said, “In this current environment, scaling and automation is important as the program grows and matures. And you hope that happens at your company. But it’s also important as it shrinks.”

She said, “If your company is having a tough time, you also have to figure out how to logically – with an educated crystal ball – shrink it and prioritize. Scalable doesn't mean just growing, it means shrinking as well.”

“The only way to ensure that you can keep up with the pace of product development, and to keep up with the pace of regulatory changes that force you to make little tweaks to your framework, is to be able to create more scalable ways to accommodate what's coming in right from the business,” Handman added. “Then you map that to what needs to be identified, and flagged for risk, and mitigated, and send that back to the business.”

Zefo recalled asking for budget to handle DSARs under the GDPR, for example.

“That was one of the first things we needed to automate, but you need the funding for it,” she said. “That's where the math came in. I went to the CFO. We went with an entire analysis of the cost-benefit, and based on case history, based on what the potential fines would be. Then we showed them the difference in the investment versus the risk of getting it wrong. That's what won the day.”

Listen, don’t overthink this. Just know that the realities are present and practical, and your approach should explain that.

It’s really about 3 things: Intake, assessments, and future-proofing

The only way to truly future-proof your privacy program, and therefore your business, is to tackle three essential pillars.

The first: visibility. Handman said your success hinges on getting better visibility into who’s collecting and using the data – and for what.

One: Privacy fails if it's totally blindsided about what your team is building. If your team wants the product to go out the door yesterday, you find yourself playing catch-up. You’re in reactive mode.

“The whole point of these programs is to be out front of that,” Handman said. “Use technology to gain a better grip on what's coming down the pike in a way that doesn't feel like a block on the way the business operates.”

Two: Now that you have better visibility into what the business is doing, you face a new problem: how to keep up with all the business’s initiatives, how to know which new privacy laws apply (and which don’t), and how to do all this in a way that doesn’t invite needless repetition and fatigue. That’s where technology again makes the difference. You need a single source of truth that can apply rule-based automation to flag which initiatives require a review, help triage the risk, route workflows to the right people, and map the business’s new use of data or new types of data to the world’s laws.

Handman said it’s essential to invest in technology that can quickly identify what’s changed in the legal landscape, and how it maps to your policy’s promises.

“Without it, and the bigger you get, and the more privacy debt you accumulate, you do need something to help round out that challenge,” Handman said.

Three: Future-proofing means insulating your privacy program from the lurching shocks that new laws and regulations can impose.

“The one constant over the past few years in privacy has been the complete dynamism of privacy regulation. That makes privacy an exciting discipline, sure, but it can wreak havoc on a privacy pro’s best-laid plans,” Handman said. “A new privacy rule on, say, precise location might send you and your product teams scrambling to identify every feature that could be affected by this one discrete change. Now multiply that goose chase by the dozens of nips and tucks from regulators and the scores of features your product team releases, and you can see the problem.”

But you can avoid that agony with a technical solution that understands every last data type, data use, and data subject, among others, that your teams have used. That platform can then map the latest regulatory changes to your entire catalog of features and instantly perform a gap analysis identifying what needs your attention and what can be ignored. That’s where we are in the tech space these days, and that’s how you future-proof your privacy program. And ensure your sanity.

In part four, the final post of this series, we'll talk about the importance of privacy by design to any future-proof plan.

For more on this, see Ruby Zefo, Angelique Carson, and Chris Handman's full chat here.