Professionals in data privacy and data governance have navigated unprecedented challenges since compliance regulations like GDPR and CCPA have changed the way companies do business. This has compelled CDOs and CPOs to reassess objectives, reconfigure processes, and increasingly align to adapt to new demands and design new business outcomes.
BigID’s On-Demand Digital Summit, “Examining the Intersection of Privacy and Governance,” addresses these challenges with a panel of experts from top companies’ data offices and privacy offices. The panelists explore lessons they’ve learned, steps they’ve taken toward successful collaboration, and the way their roles intersect to create opportunities for business growth.
A Wake Up Call for Privacy, An Opportunity for Data
In the past few years, the GDPR (General Data Protection Regulation) and the CCPA (the California Consumer Privacy Act) have transformed the way corporations look at data — its collection, security, and management.
These regulations not only marked a “major wake up call” for businesses to achieve compliance and avoid financial penalties, says JoAnn Stonier, CDO at Mastercard — but they also created an opportunity for companies to use data as a business advantage.
It’s one thing for privacy teams to work in a support function to keep a company out of trouble — their historical role — but it’s another for them to partner with data teams to transform privacy into a business driver.
Regulatory concerns are “making privacy a bit more standardized — and something that all industries are going deeper on, and frankly you even see that with hiring trends,” says Farah Zaman, VP and CPO at Meredith.
“Privacy is coming up more and more as part of the dialogue that the entire business needs to speak about. If done well, I think the privacy office has this really unique opportunity to help educate and bring the entire corporation together under one narrative and one visibility.”
Data Privacy + Data Governance = Data Trust
Working side-by-side, data offices and privacy offices can create a strong framework of data trust. “I don’t think you’re going to have a successful privacy or data governance program if they’re not talking together,” says Zaman.
To start “doing privacy right,” as Stonier puts it, CPOs and their teams must work closely with CDOs, data stewards, and other governance professionals. A successful collaboration ensures that companies have appropriate protections in place for their data while gaining valuable insights from it.
Many organizations focus on data trust by positioning privacy as a driver. “Looking back, we made [GDPR and CCPA] absolutely the top priority for our governance and privacy teams as they work together,” says Chris Stephens, VP of Data at American Eagle Outfitters.
From his perspective, if customers are “generous enough to share data about themselves — and keen to do so, as long as they see value coming back in personalized offers — we want to make sure they understand that we are protecting that.”
Of course, any collaboration comes with an expected set of challenges. Taking steps to align data privacy and governance within SAP, for example, “was not a one-size-fits-all approach,” says Tina Rosario, SAP’s CDO.
“It required a balance of expertise and skills. When GDPR went into effect, we brought in experts who had the legal and regulatory background and worked closely with our colleagues in global risk and compliance — and we had data governance leaders in each of our line of business areas. I really see it as a team effort, and what’s come out of it all is that we’ve stayed really well aligned and connected.”
An “Offensive” Privacy by Design Model As a Selling Point
The most successful data governance programs “already have privacy and security by design built into their programs,” says Peggy Tsai, VP of Data Solutions at BigID.
Simply put, privacy by design incorporates privacy regulations into product design and process from the word go — from the first stages of ideation all the way through rollout.
Stonier credits part of the collaborative success she’s seen at MasterCard to privacy by design. “For any product or solution that’s going to use personal or sensitive data, it’s just easier if you include a member of the privacy team in those early sessions so privacy issues can be spotted right from the beginning, and so the solution can be built with privacy in mind.”
This enables the teams at Mastercard to design solutions “with the individual in mind — even if there’s no personal or sensitive data in the product.”
From the privacy side of the aisle, Pedro Pavon, Director and Sr. Corporate Counsel at Salesforce, agrees: “Differentiating yourself as a trusted partner because of strong, robust, and transparent controls is a market differentiator. When you build that kind of thinking into your product design and your go-to-market strategy, I think that is a healthy way to have privacy DNA and privacy consciousness integrate into all parts of your organization.
“Every time I talk about privacy to my business stakeholder,” Pavon adds, “I talk about it in terms of value add — how does this add, increase, improve, speed up, or differentiate whatever your activity is, or product is, to make it better?”
Aligning Data and Privacy — Companies are Paying Attention
Together, CCPA and GDPR “have helped bring into focus what used to be fuzzy,” offers Pavon. “If you ask 10 people, 9 out of 10 are gonna say, privacy is important. We have to think about it. We have to incorporate it as part of our corporate culture or the way we do business.”
But, before the adoption of formal regulations, “there wasn’t really a formula for how to make that happen.” CCPA and GDPR “illuminate how complicated things might be if each state passed its own privacy law. I think it’s gotten the attention of our legislators in DC to think about a comprehensive national privacy framework and law to hopefully create a US standard.
“And I know that’s something lots of our employers are interested in — and the tech industry is really interested in — because it’s obviously much simpler to comply with a couple global standards than 50 different rule frameworks, and then 20 or 30 other ones across the world.”
Articulating the importance of bringing privacy into the world of data management “can be tricky,” says Pavon. Concrete costs around regulatory violations help focus that conversation on business outcomes. Requirements set forth by CCPA, GDPR, LGPD, and so forth, “really help people understand: Hey, there are real penalties here if you do the wrong thing. So we gotta get this right. That always captures people’s attention — fines, penalties, etc.
Once you’ve made it past this, then it’s on to: How do we implement this, and what are the benefits of being robust versus doing the bare minimum?”
A Promising Future for CDOs, CPOs … CDPOs?
When it comes to what’s in store for CDOs, “there’s a huge demand for expertise around the data topic, and I don’t see that demand going away, especially given the complexities we’re facing,” with the COVID-19 pandemic, says Rosario.
“We’ve got to keep focusing on data that’s most critical, most valuable, most important, what’s fit for the business purpose, and what’s driving data quality — while at the same time being innovative.”
As more and more businesses move to the cloud, “new scenarios are going to bring new challenges around the data side — and so we need the [data office’s] leadership,” she says.
Speaking of leadership, Pavon believes that, as privacy and data teams continue to band together, they could both fall under a completely new office in the future: “instead of just this idea of Chief Privacy Officer or Chief Security Information Officer, somewhere above that layer I think that ‘Chief Data Protection Officer’ or Offices will start to pop up, and they will bridge data governance, security, and privacy — and make sure all those efforts are harmonizing and working together.”
Michael McCullough, CPO at Macy’s, ties this potential “data protection” or “data trust” role to evolving business needs. “I think part of the issue isn’t, what is the role going to look like, but what are the needs of business going to look like — and what are companies going to have to do differently or better than what they’re doing now? I like this concept of a ‘Chief Trust Officer’ because it takes all the things you do and hopefully brings them under one house.”
Through all these possible evolutions and next steps, one thing is certain, says McCullough: “People are going to need to become more tech conversant than they are.”
Zaman agrees, predicting a future characterized by more “public education” and fluency. “We need to make sure we’re not only talking to our data governance teams, but other teams internally — and also people in our own personal lives and helping with that public education.”
Whether the privacy office and the data office start to blend together entirely or continue to reach across the aisle to one another, helping businesses achieve compliance and drive value from their data, “I hope for all of us that it stays fun, because it’s really a great place to be,” says Stonier. “There’s a lot of opportunity for us, and each month, each year brings a new set of challenges. That’s what really makes it exciting.”
Learn more about best practices for privacy-aware data governance — and how a successful collaboration can help your business achieve full compliance and create real insights from your data.