Terratrue's Chris Handman with colleagues

April 15, 2022

How to shift left at your company and elevate privacy's role


It can feel like an enormous task to build a privacy team, and even more daunting to get that team the visibility it needs to impact the organization in a real way. Traditionally, privacy teams have been invited to sit at the table just before a product deploys. Their function has been seen as a compliance exercise, one in which you check the appropriate boxes and hope for the best. But the privacy industry is undergoing a quiet shift, one that the security industry undertook a decade ago.

Thanks to an influx of laws like the GDPR and the CCPA, among others, privacy’s role is understood as increasingly strategic and important. Companies are realizing they have to involve privacy during the earliest stages of product development. If you think of a product deployment spectrum, privacy traditionally sits at the end of that timeline, on the far right.

Now, companies realize that to gain consumer trust, a competitive advantage and stay out of regulators’ crosshairs, they have to shift privacy to the far left.

At the IAPP Global Privacy Summit this week, TerraTrue CEO Chris Handman sat down with Elizabeth Hein of Foursquare and Harneet Kaur of Robinhood to talk about how to shift left strategically.

After all, all three of them have had to do it.

Learn how to elevate your privacy program.

Identify, prioritize, automate

A privacy professional’s mandate is massive. Many describe their day-to-day as “drinking from a firehose,” because not only do you have a program to operationalize, but you’re getting flagged constantly with urgent requests to troubleshoot issues. Worse still, the rules themselves are changing all the time. States and countries are passing privacy laws at a rapid pace. It’s overwhelming and relentless.

Foursquare’s Hein recalls the cold water that that fire hose was pumping, and she realized quickly that she couldn’t do it all. So she identified her big risks, and focused on those.

“I came out with DSARs, because I truly believe your customer facing policies and practices are one of the highest priorities. That’s who can go to regulators and complain to the media, and that can be very important.” She also decided she’d prioritize embedding privacy by design and third-party risk management. “I staffed my team with those risks in mind. It does take some extra time. But determine three risks, and build around that.”

Harneet Kaur, a senior privacy program manager at Robinhood, said she had to look for opportunities to free up her time. How could she duplicate systems already in place at Robinhood to make her life easier? The answer was automation.

“Your organization may have internal tooling you can use, but you can look at a ticketing system, where your email inbox auto-creates a ticket and you automate the triaging process and looping in teams,” she said. “It seems like a very small thing to do, but in aggregate is gonna save your organization a lot of time. And you can do that without going to leadership, because the chances are there are teams that already use ticketing systems, like your engineering teams. And that can be re-purposed in this situation.”

Build community while you build your products

Many privacy professionals will bemoan the roadblocks we all face in running a privacy program that has the buy-in you need to do it well. Part of that is that privacy professionals have typically been seen as the place where otherwise-good-ideas go to die. On the flip side, product teams will tell you how frustrating it is to keep up with a product deployment schedule while privacy teams slow or halt progress just before it ships over some concerns about compliance.

Foursquare and Robinhood and Snap, where Handman worked as its first general counsel, all had to overcome those hurdles. But they course corrected by undertaking a long term strategic initiative: They built a community of stakeholders who could help privacy shift left at their respective organizations.

“You have to build a relationship with your teams before you come to them with a problem,” Robinhood’s Kaur said. “Go to their meetings, meet them where they are.”

Hein agreed. She said it’s a misconception that product and privacy are mortal enemies, and it’s important not to underestimate the importance of just showing up.

“I show up to demo day.”The engineers and product teams want (privacy pros) there,” she said. “They don’t know how to interpret these laws. They need black and white answers. When you’re there meeting with them, it works out well. I haven’t met any resistance.”

It’s there that the culture shift takes place. Suddenly, with privacy shifted to the left of the product deployment timeline, product teams started problem spotting privacy issues during their very early product designs. In fact, Hein said, she now sees product teams putting privacy initiatives into their own OKRs. That’s quite a shift.

How to evangelize privacy at your organization

For those of us still trying to overcome being seen as the “no” department, it can be helpful to evangelize privacy throughout the organization so the masses can understand why privacy is essential to the company’s success itself.

Kaur said she facilitated a “shared-ownership perspective across the organization.” She created a slack channel, which serves as a safe space for product teams and others to ask questions freely and in real time. And she aligned privacy to the broader company goals and values.

“Bring in key stakeholders for privacy’s own design meetings,” Kaur said. “Tell them, ‘We want this to work for you, because what works for you works for all of us.’ Help them feel like they have skin in the game. You develop some buy-in from that.”

Finally, she said, “Brand privacy around how it benefits the customer. Everyone cares about the customer.”

For more on this, watch our webinar here. And for more on our Shift Left initiative, read our manifesto here.

TL;DR takeaways:

  • Prioritize projects based on risk. Go for substantial changes on high-risk problems first, later get to low hanging fruit.
  • Show up to product team meetings, even demo days. Show them you’re interested and care.
  • Align privacy initiatives along broader company goals, brand privacy around how it benefits the customer.