
February 2, 2023

How to future-proof your privacy program, part 2: Here's the foundation you build on

We’ve all been through it. First came the GDPR. Then came the CCPA. Then came the CPRA, and U.S. states started to follow suit. That’s to say nothing of the laws that sprouted up in Brazil, India, South Korea, and elsewhere across the globe. When the dominoes started to fall, there was a palpable panic among companies. And that was before anyone accounted for changing consumer expectations about the tech they use to live their lives.

It’s clear there’s a need to run a privacy program that’s flexible and agile enough to keep up with current and future legislative mandates. So how do you approach doing that?

In part one of this three-part series, we talked with TerraTrue’s COO, Chris Handman, and Ruby Zefo, Uber's first-and-current CPO, who debriefed us on how to approach your business pitch for a privacy-by-design program that will insulate you from the constant changes you face in the privacy landscape. In this post, let’s talk about how to go about building the program itself.

Ruby Zefo, Uber’s CPO, said not to panic if, at first, you’re overwhelmed. That’s just the nature of the gig. It’s scary, and it’s moving fast. There’s an avalanche coming at you, and you’ve got to ski through it to the other side. But you can.

“The first thing is just understand: You're not alone and it's okay. If you're just starting out, or you're in a really small company, it's okay to be whacking moles, duplicating efforts,” she said. “There's a lot of chaos in the beginning. It's normal. But it’s how you learn what's going on.

This is why it's a great practice area for any level of experience because even if you've been at it for years, you've got to keep up. There is no way around that.”

So, there you have it.

Read the tea leaves, then get movin'

If you’re just starting out, of course, you’re looking for threats and trying to take them down like a ninja. But that gets old and exhausting, and it’s not sustainable in the long run.

Chris Handman remembers well the initial chaos of coming into a company and feeling overwhelmed by the staggering array of regulations, and the sense of almost impossible complexity.

“But I think, like a lot of things, with a little bit of time pattern recognition starts to emerge, and that is something that can only happen with a little bit of practice. But ultimately what I think emerges is a bit of a crystalline structure to privacy, and you develop whether it's GDPR or some other fits or some other framework.”

“At some point, you've got strong enough legs that you're able to read the tea leaves for your company,” Zefo said. “And that's where your real value comes in. You're making judgment calls that are not based on anything but your gut: what you're reading, and your experience. You pick a foundation to build on. For many people, and for us, largely, it's GDPR. It's a framework, though it can be toggled and tweaked for U.S. sensibilities and other things.”

And that’s the way you avoid having to duplicate every single process for every single law. In some cases, yes, you’re going further for a certain jurisdiction than you necessarily needed to.

“But, yay for consumers,” Zefo said. “They like that. Then you pick how much scalability you can afford, depending on the maturity of the company and the ROI. What's the benefit if I invest this much in doing something special for a particular country?”

From there, she said, it’s about setting up a tracking system based on that foundation. You need to figure out what’s different from one legal jurisdiction to the next, determine how you’ll address those differences, and report that out.

That can be difficult, though, because there are few categorical rules when it comes to privacy. We all know privacy is wrapped in shades of gray.

Build your program on foundational principles

Because of those gray areas, Handman says to build on core principles, whatever those are in your industry. When problems arise or uncertainty presents itself in decision-making meetings, you’ll be able to come back to the principles you’ve established to guide you.

Once you’ve established those lines in the sand around your foundational principles, the business becomes more self-empowered.

Here’s the alternative:

“If privacy, to you, is a series of subdivisional requirements, your team will never be able to implement it, and they'll always be dependent on you, and then probably go around you because they just don't get it,” he said. “If you can simplify it to a few core ideas, that's going to get them 90% of the way there.”

The remaining 10%? Those are the tricky, nuanced questions that’ll require your direct input. But that’s a more manageable load than the 90% you empowered the business to solve on its own, based on the pillars you’ve taught them. And that will allow your team to scale faster. If you’ve trusted them to absorb and embrace that backbone of the business’ approach to privacy, you’ve got built-in safeguards against the risks that changes present.

And still, there’s room for flexibility.

“There's a lot of room for risk calibration, a lot of room for mediation between you and your product teams or your business teams about how you want to think,” Handman said, adding that in-house privacy teams earn their stripes by their abilities to see around corners, and to “anticipate where the laws are going so you can begin to tweak those frameworks if they need to be tweaked.”

The 007 method

In privacy, the product design plans are just as important as the privacy program. Similar to when you start building out your privacy program, Zefo said, you have to pick a foundation from which to build all of your products. Zefo likes to use a James Bond metaphor to explain this; she calls it the 007 method.

In the Bond movies, “every 007 has differences, but there are also a bunch of similarities,” she said. “They're all debonair gentlemen, although there's now a woman in the last one. But they all have a lot of similarities with some differences, and that's on the product side.”

You have to ask: “How many flavors of this can I afford?” If you can afford three, you build a foundational product, and then you allow tweaks to the other two flavors.

“They all have a similar basis,” Zefo said. “You can't do it all. You can't have 100 different variants around the world, even if you're a super global company like Uber. That's why the foundational thinking, what's my foundation, really carries across various areas of how to run the right program, and then how much can you afford and what the ROI is.”

Bottom line: If you always keep first principles within your eye line — in fact, tether yourself to those principles — you’ll experience far less turbulence. And who likes turbulence?!

In part three of this series, we'll talk about the efficacy of using today's tech to future-proof your privacy program.

For more on this, see Ruby Zefo, Angelique Carson, and Chris Handman's full chat here.