Building an effective privacy team can be challenging, especially with the visibility required in order for the team to have a measurable impact within the organization. In the past, privacy teams often focused solely on compliance and in the best of times, this made them the final stop before product deployment and in the worst of times, the places where good ideas and lots of work went to die. Times have changed, and with the proliferation of data protection laws in the US and globally, as well as the need to gain customer trust, companies are recognizing the importance of embedding privacy at the beginning of product development. Privacy teams must now be strategic partners to product and design teams – walking with them every step of the way, from concept phase to product delivery.
Privacy professionals globally participate in the International Association of Privacy Professionals (IAPP) to define, support and improve their privacy profession. The IAPP is the largest and most comprehensive global information privacy community. At the 2022 IAPP Global Privacy Summit, Foursquare’s Associate General Counsel of Privacy, Product & Compliance Elizabeth Hein joined TerraTrue’s COO Chris Handman on stage to discuss how to shift privacy from being the last step before product deployment to strategically taking privacy to the product and engineering teams responsible for innovation and product development. Here are some of the key takeaways from their conversation.
Prioritize Projects Based on Risks
Privacy teams face many challenges, balancing the need to operationalize a program while also receiving requests to resolve time-sensitive issues. Furthermore, since privacy laws and regulations can rapidly change, the privacy team must be on constant alert to respond and adjust accordingly. So how do leading privacy professionals advance their programs and stay nimble, all while helping to drive company success? By focusing on the key risks and shifting privacy to the very beginning of the product development cycle.
Foursquare’s Elizabeth Hein has learned that she can’t undertake all of these tasks simultaneously. Instead she takes a step back to identify three key areas where focused attention will have the most impact. For her, one of those areas is implementation and execution of Foursquare’s data subject rights program because she believes that, “your customer facing policies and practices are one of the highest priorities.” Hein also prioritized further solidifying Foursquare’s privacy-by-design program and enhancing third-party risk management efforts. Despite the extra time and effort it takes to pinpoint the focus areas, Hein recommends to her colleagues: “determine three risks, and build around that.”
Build a Community Within the Privacy, Product and Engineering Teams
The dynamic between the product and privacy teams in a company is akin to a push and pull relationship. Product teams are in charge of managing a product deployment schedule, yet the privacy team in many organizations tends to slow down the progress before shipment begins due to compliance concerns, which in turn alters the product team’s plan.
In order to overcome this obstacle, Hein orchestrated a long term strategic initiative, cultivating a stakeholder community that could embed the privacy team at the start of the product development cycle at Foursquare. It centers around the idea of fostering relationships between privacy and product teams, which can be as simple as attending each respective team’s meetings. Hein addressed the misconception that privacy and product teams are enemies, when in fact, they should be allies. For example, she suggests attending team meetings and demo days, where the engineers and product teams actually want privacy professionals to participate and speak up. “They don’t know how to interpret these laws. They need black and white answers. When you’re there meeting with them, it works out well,” Hein says. By attending meetings and conducting outreach, the privacy team is informally training colleagues on the importance of privacy and how to spot issues. Indeed, Hein has seen a cultural shift at Foursquare where product teams and engineers are identifying privacy-related issues in early designs and seeking active engagement with her team. Hein also noticed that product teams have started to put privacy initiatives into their objectives and key results – a win-win situation for all of the teams and for Foursquare.
Align Privacy Initiatives with How Teams Work
In order for everyone in the company to understand the significance of privacy and what it brings to the overall company’s success, it is important to highlight and align the privacy initiatives with how the teams throughout the organization actually work and communicate. At Foursquare, privacy is a shared responsibility. Hein has learned that the key to facilitating this “shared-ownership perspective across the organization” is for the privacy team to work and communicate like their partners do. Hein has found that learning how to work and communicate like the product teams and engineers do, leveraging their existing processes and styles, makes it much easier for the teams to take ownership of their privacy responsibilities. That sense of ownership also translates into empowerment and accountability, which ensures successful adoption of a company’s privacy program.
To learn more about Elizabeth Hein, check out this Q&A.