Episode 22: Heading up a global privacy team - with Emma Redmond of Stripe

Millions of companies use Stripe to accept payments and grow revenue. An operation that big requires some serious privacy procedures. Luckily for Stripe, they have Emma Redmond to take care of just that. And luckily for us (and you!), Emma is a guest on today's episode of Inspiring Legal, where she shares some of her absolute gems of insights.

Welcome to Inspiring Legal, the podcast for inhouse legal.

Get insights, learn from peers, life lessons from some of the most influential GCs. If it's related to inhouse legal, we cover it. For more inspiration, go to openli.com/community.

Stine: Inspiring Legal is back and we're back today with a special person who knows a thing or two about privacy. When you think about payments and you think about one of the biggest players in the world, well, that is Emma's company.

Or it's not her company, but it's the company she works for. I'll let Emma introduce herself in a second, but Emma Redmond is working at Stripe. 

So Emma, for the listeners out there that don't know you, would you share a little bit about your background and the company you work for?

Emma: Sure, of course. And first off, thanks so much for having me. It was delighted to take part in a podcast for a company that really values the legal in-house community. So it's an absolute pleasure.

A little bit about me. I come from the far west of Ireland called Galway and I have been living and working from Dublin for the past twenty years. In that time, I attended University College Dublin, did my law degree there, did my Masters in Trinity, became a barrister with the Honourable Society of King's Inns. I'm a mom of three, an Irish dancer, adjunct professor at University College Dublin, which I love.

And so there's there's a lot going on. And I currently, as you said, work for an amazing company called Stripe. And just a little bit about Stripe. Our mission is to increase the GDP of the Internet. 

And Stripe is a technology company that builds economic infrastructure for the Internet. Businesses of every size, from new startups to public companies, use our software to accept payments and manage their businesses online. So it's an absolute pleasure to work for Stripe and I'm having a lot of fun.

So that's a little bit about me. So for the listeners, they might feel that energy that you have and you do have a lot of energy, which is amazing. And so for you with that background and having built your career as you've done. Could you maybe just share some good advice for the listeners out there who wants to be you in the next two to five years? 

And what I mean by that is that you're handing up privacy at a company that is really making a difference when it comes to online payments and that whole gateway. And Stripe is a really, really big company. 

Stine: For the people that might not know you, this is a global company that has been growing super fast. And has really, I think, changed the whole way that payments and subscriptions are managed.

And it's not a sales pitch or me just going completely bananas, but that has really made a massive change. So with your background, could you share how you kind of like got to where you are today? And is there any good advice?

Emma: Yeah, of course. Look, like anything that's worthwhile, it takes time and patience is key. And for many who know me, I'm not always the most patient, but I had to be when it comes to a career like this, because it does organically change over time.

Privacy is about principles and applying principles in a very complex space. And this goes for all of the companies I've been at, not just Stripe. And so, you know, as background, I suppose, really, you know, the advice that I have and accumulated as I macheted my way through all of these difficult landscapes is, 

I suppose, look, I practiced as a barrister for a number of years, and that really set me up neatly for what was coming down the tracks in my career. You know, you learn to be concise, you learn to be to the point, you know, you take the opportunities when they arise. You know, you have to, you know, put yourself out there, be uncomfortable and be OK with that. And that's easier said than done, of course.

You know, I did, as I say, started off as a barrister, but I joined the fantastic in-house community. I was assistant general counsel at an ad tech online marketing company. And I thought to myself, you know, I was brave to make that jump, I think at the time, and I maybe didn't realize that. And what it did is expose me to the whole world of third party cookies.

And of course, with that came the whole privacy sphere. And, you know, the company I was with was an online marketing company. And I thought to myself, oh, you know, how hard could online advertising be? Surely it can't be that difficult. 

Of course, you know, unbeknownst to me and completely clueless looking back, that's where I really gained my ground in terms of privacy, because it was ridiculously complex. And that was really about getting comfortable with the uncomfortable. And, you know, the the the enjoyment, I suppose, that I got out of that and the challenge has always that's been one of the common denominators for everywhere I've been. You know, there's always ridiculous challenges there, but I enjoy them.

I think the difference for me and the advice I give is, you know, the ability in an in-house world to be so close to your client, to be there right at the time when they need to be making the right decision and applying the right principles is fantastic. And you don't get that in every sphere. And I would take it further in terms of privacy.

You have even more of an opportunity to do it because it's it's untested in a way. There aren't there aren't a lot of precedents out there in terms of how to apply. So that makes it even even more enjoyable. And joined obviously LinkedIn and the world of of of recruitment, social media, of course, had an amazing time there. Ancestry after that, in terms of of DNA, of course, and and family history and of course, Stripe.

So I suppose what I'm saying is it started with Adtech, social media, DNA, FinTech.

You know, was there a plan? No. And but what was there throughout it all was that openness to opportunity. And I think that is really, really key. I did have an idea early on, especially when I was living in a third party cookie world, that there was so much for the ordinary data subject to understand about their data. I thought to myself, you know, once individuals are educated about cookies, for example, they will have so many questions about how it works. And of course, that all played out, as we can see. Right.

And so, you know, education, transparency was always one of those things that, you know, pulled me along throughout all of those years.

You know, you put the hard graft in for sure. And I think you give yourself that exposure to all those elements of privacy and all the types of privacy that are really important. And, you know, there's a few common denominators and all the companies I've been in, you know, users and data subjects are central to the mission.

Transparency is really, really key.

And I'm not just talking about a notice here and there. It's really about being deliberate about how you give notice to users. Speed is  percent important in the privacy world, you know, could be because of an incident or a type of inquiry or what have you. 

So, you know, all of those all of those elements and all of those variables, you know, kind of came together, I suppose. It's not enough to understand the GDPR or the LGPD in Brazil or the act of the Protection of Personal Information  in Japan. It's about understanding how it applies.

It's context specific to the world that you're in. And, you know, I've attended so many conferences over the years and everyone can identify the issues and the problems. But it's about finding the practical solutions. And that's really, really hard. But it's also great fun. And it's a huge challenge.

I also think what's helped me over the years has been, you know, developing a way to think outside the box. So in that sense, I would say you have to be master of microscope and telescope. And what I mean by that is, you know, microscope, well, at least in my world, is looking at those privacy issues, literally in microscopic fashion and figuring out what the solution is or applying the law in the best possible way. But you also have to be master of telescope. You have to think ahead about what's important for the organization and what is meaningful and impactful.

So, you know, as well as that, I would say it's important to step into the shoes of your organization and, of course, the user at all times. So, you know, overall, I would say attend conferences, network, meet people working in the trenches of the area you are in. You know, I will never forget, actually, when Jean-Pierre came out and it was the most highly searched term, even more so than Beyonce in May . And I think that was the time I realized privacy is very, very cool. I was finally part of the cool gang.

And yeah, I felt I made it in May  when that happened. But look, you know, as you can see, all of those elements organically come together and it can help give you direction, you know, in terms of where you want to go in your privacy career. So I would say network, be open, be comfortable with the uncomfortable. You know, don't be afraid to ask those questions. Get as much varied experience as you possibly can.

Put in the hard work. See what matters for your organization and most importantly, the user. And I think just be brave about it, to be honest, and realize there's such amazing opportunity out there in this sphere. And personally, for me, I'm so, so lucky to be in this area of work. And as you said, also maybe have a little bit of a patience. 

And let it happen, because, you know, with all of these, you know, as I say, like there's no set precedent that's coming up, but this is all going to flow now over the next year. So once that happens, you know, you're going to be able to apply that more easily, but then something else will come along. And of course, we're seeing, you know, the the influence of AI coming through now as well.

So, you know, that's going to bring another layer of complexity or as I like to call it, fun. So, yeah. So you've worked, I'm also really impressed by your resume. You've worked at some of the biggest tech platforms, but also the platforms with the most data.

Stine: So working for a global company, having a privacy team, how would you recommend structuring that team? 

Emma: Yeah, no, it's a great question. And I know from talking to various, you know, colleagues and other companies, you know, we often share, you know, those ideas and there's no one size fits all clearly. And it's, you know, context is one of my favorite words. I mentioned it already in the earlier question, the answer to the earlier question.

I'll say it again. It does depend on, you know, the the type of data you're dealing with, the type of cross-functional teams that you're working with, etc. So as I say, I've had so many different structures over the years. And what I've learned, though, is, as I say, contextual for each one.

But what I would consider is, you know, it's important to spend the time as a team understanding who your stakeholders are. And that seems like a very obvious and basic concept. But it really is key because that is going to inform how your privacy team should be structured and who should partner with whom. And so, again, basic, but quite fundamental.

And I do believe that the team should consist of both lawyers and non-lawyers. The spectrum of skills that each provide are different, but both are wholly necessary. The project management skills that you can have in place within your team is going to be absolutely invaluable to you.

We all, you know, are trained in different ways, depending on our professions. And so you really want to get a mix of all of those different skills together. And I've seen over and over again how that has been a game changer.

You know, as I say, the different spectrum of skills in place, both from lawyers and non-lawyers. If you have the luxury, and I'll say luxury again, to have a technical program manager or an engineer on your privacy team or have access to them, I think that really sets you apart. The reason being that, you know, many questions are technical.

They are complex and much time can be wasted wading through concepts that may or may not make sense from a technical perspective. Or else you may not pick it up yourself correctly if there isn't technical expertise. And you can go down a rabbit hole of issues where it could have been short circuited, you know, quite quickly if you had that technical advice.

And so, you know, I would say that that's that's a particularly important one. You know, if your company is global, I would say ideally you will have a representative from your team in each jurisdiction. You know, the aim, of course, there is with all of the different time zones, it is crucial to be close to your stakeholders. And so in that sense, time zone does matter and close proximity to your stakeholders matter. And so in that sense, if you can do that, I think I think that's that's hugely helpful. So, yeah, hopefully that just gives you a little bit of a sense.

And I'm taking that from various experiences I've had across different companies. But that's something that I, you know, after many years, I see has worked has worked really well. So hopefully that's helpful.

Stine: Yeah. So you talk a little bit about resources and skills.And you also said like have a at least some kind of developer, if possible, nearby. 

You talked about project management skills. So what resources or skills are you looking for when you're hiring people for your team?

Emma: Sure. Yeah. I mean, I think this goes across the board, no matter if it's if it's developer, lawyer, non-lawyer, whatever it is. Privacy ism. We are at the tip of the iceberg when it comes to privacy. And it is in its infancy.

The precedents, as I mentioned, aren't fully set down yet, but yet it applies to so much in our day to day lives, in our day to day world. And as I mentioned already, even think of how it extends to now, too. There are many unknowns. And so to have someone who's excited for that challenge, what you can think outside the box is really crucial.

As I say, being comfortable with the uncomfortable. I will mention the microscope telescope analogy again, because there is a dual role for anyone on a privacy team so that they can really navigate the true assets of that team. And so the ability to be able to look closely at an issue, but then be able to take that step back.

Really important to know when to take that step back. I'll often remember a manager of mine a number of years ago said, you know what, sometimes it's important to take the back seat and not always being the front seat all the time. And sometimes you have to, you know, it's a little bit of a push and pull skill to realize when you have to do that.

That takes time and patience, but you do learn it. You know, and that's what I say. Microscope telescope. I like I like, you know, privacy practitioners who think that way. Humor and personality is a must in my books. And look, these issues are deep.

The issues are really hard and they're complex. And so having a team who can take the time to laugh, you know, take some time out to reset, it's beneficial for them. It's beneficial for the company  percent because you get to the right place.

And finally, of course, you know, having someone who has that technical knowledge is clearly a core component. But what I would say, it's not just about the law. It's about how it's applied. And that sets one practitioner apart from another. And, you know, someone who isn't afraid to be, you know, in the deep end.

And I think it's important as well to be able to summarize and be concise about issues. And where I come from there is I remember, you know, during my my time training as a barrister, I was told about I was informed about the one third rule, which I thought was very interesting. So one third of what is said is heard.

One third of what is heard is understood. And one third of what is understood is actually acted upon. So you have a very, very small window in a way to make a difference, I would say. Now, obviously, organizations are vested in this, you know, in terms of your in terms of privacy, obviously. So I'm sure they will give more than one third. Right.

But the point here is, you know, you you really have, you know, a chance to make a difference. And it is important to, you know, be be prescriptive about what that is. Now, hopefully in this podcast, they will you know, everyone will take more than one third away, I would hope. But look, it's something that stayed with me over the years.

And I think, you know, it's a pretty useful one. So in summary, I would say enthusiasm, humor, technical knowledge, thinking outside the box, you know, being comfortable with the uncomfortable will be some of the resources and skills I'd be looking for. So you talked already a little bit about upon AI and and also that adaptability skill.

Stine: So how do you see the privacy teams and their responsibilities evolve over the next five years? Yeah. It's a super interesting question. 

Emma: I actually attended a conference recently where this was discussed and the words data governance came up.

And it's it's it's super fascinating because. It's morphing from this this concept of privacy and applying GDPR or whatever legal analysis you want to apply to to what's in front of you. And then it's kind of taking it that bit further and it's saying, well, hold on a second.

We actually need to take those principles now and apply it to an absolute machine like this thing that we don't even understand. The concept and how big it actually is or is going to be. And it's a constant.

So applying principles and privacy over and over and over again, every day. How is that going to run? And so where where do I see it? I think I think and I'm open to correction, but I think I see it going down more data governance route. But I also see it going down the route of, you know, just general data usage, positive data usage and how privacy teams can actually help make that happen.

And I think that's going to be a really interesting challenge for the future and a very exciting one. And the. We see that, you know, for many companies, they do see privacy as a business partner, but I think that's also going to change quite rapidly. I do see that privacy and data protection is going to become more of a core component within the business and be more lined up with the business and closer to the business than it ever was before.

And I think that's going to be a very, very positive thing. It's going to bring about, in my view, maybe stronger privacy by design practices. Right. Again, we know what privacy by design means.

You you you apply privacy, raw privacy to a concept that's created from the very beginning and you follow that from cradle to grave. So the idea that, you know, privacy will become a closer business partner in the future, I hope, will organically mean privacy by design will become even more crucial and more important and more aligned to the business. And I think that can only be a positive thing.

So that's that's in summary how I see it.

A kind of data governance sphere, even closer business partnership and support that privacy teams give give to business. I think what we're also seeing right now, of course, is with, for example, AI and understanding the realm of how data can be used, but also how it can be misused and understanding the core systems. Is going to be crucial.

I also think what we're seeing with security and threats and cybersecurity becoming such a core part of every business. Well, most likely that is also going to happen with privacy. So with all this new legislation coming out and here I'm thinking about NIST  and DORA and so forth, privacy and security will go more in hand.

Stine:  And they're going to be more close knit more than today with GDPR.

So what are your thoughts on that cooperation between the privacy teams and the security teams and the CISO, so the information security officer? How do you see that value being maximized?

Because today we often hear that they're super interlinked, but I think we need to maybe build even stronger connections between that. So any tips and tricks on how we can do that? 

Emma: Really make friends with your CISO and the CISO team. No, no, really. Like as in spend time with your partners. And we all say that and we're all familiar with that. But they really are your partners.

You cannot have one without the other. It's simply not possible. It's not going to work and you're not going to get the output that you're looking for. And, you know, it's it's it's building those relationships.

Spend the time, you know, even if it's possible to attend, you know, some of their meetings so you can actually hear and understand. I'm a big proponent of stepping into someone else's shoes and hearing and seeing things from their point of view. Right. And, you know, if it does and maybe you're not you may not understand everything they're talking about, but that's OK. The point is, you're submerging yourself into their world and you're appreciating it and you're acknowledging it and you're respecting their world. And I would say the same goes for them. Right.

That they do the same to spend their time, immerse themselves, you know, in you know, with privacy legal teams and spend that time.

So it's a two way you know, it's a two way system, obviously. Look, in all the companies I've been in, there's been a very, very strong partnership with security. And, you know, not only not only does that actually happen, you know, happen organically, and I've been very lucky in the companies I've been in. But, you know, it has to happen.

So let's just call a spade a spade. This should be happening anyway. Right. And but I think that mutual acknowledgement and respect for each other's subject matter expertise is something that's really, really important. And you look in terms of tips and tricks, as I say, spending the time developing and ideally one on one in person time, if you can, developing that relationship, dig into their world, attend some of their sessions, understand their challenges. If it's possible as well to have presentation gigs together, you know, I think that always, you know, that always bodes very well.

It really harnesses that partnership even more. And I think it also shows as well to the organization how important the two faculties are together. So I think it has a very strong and impactful, you know, it's it's cosmetically it's very strong as well to see that the two the two are close together. The obvious one is is the constant communication, you know, and every organization has their has their different methods upon which to do that. But, you know, again, you know, not just at the high level, but also all the way throughout the organization.

So it's not enough, for example, for the head of privacy or CPO and the CISO just to have one conversation. No, it's not enough. It should trickle down across the CISO organization. So it's all matched. And I would say that there's a body on each side that matches up so that everyone's everyone's kind of lined up. The other thing I will say is, you know, for organizations that follow, you know, soccer's objectives, key results, whatever way you want to call it. 

It's important that each organization share share those so that you understand the mission and that you're all going down the same track, because that's one kind of housekeeping rule that I think works very, very well. But it's amazing how that can, you know, take take a different line if you don't really keep on top of that. So, yeah, I think between all of those things, keep keep them keep them very, very close. They're your besties in this landscape.

So, yeah. So talking about besties and talking about other people that are sitting around those decision making tables. What is your best advice that you can give when it comes to getting a seat at the decision making table as a privacy officer? I think what we're often hearing sometimes from the community is that some of the DPOs and the privacy officers feel that they're not always listening. And that's not true.

Stine: So how do you get that that seat?

Emma:  Yeah, I think you have to do things differently.

I think you have to. It's like anything. Know your audience and surprise them a little. Right now, what I mean by that is, you know, in terms of getting a seat at the table, the usual, I suppose, or the expectation of privacy legal at a table will be it's it's, you know, constant. You have to know all the time. And that is simply not the case.

You know, you're there to enable, you're there to protect the business, obviously, but ultimately help the business and accelerate the business. And, you know, you have to decide what seat you want to be at. First off, you can't be at everything. Right. And so you need to be very careful, you know, strategically about about what you want to be out, because not everything is worthwhile and everyone's time is precious and you really want to make that impact. 

So be careful about, you know, what what you know, just more thoughtful, I suppose, about what seats you want to be at and what is going to have the most impact and where you will make a difference. I would say the advice I would give is, you know, talk to your colleagues who who do have seats at those various tables and really understand and do your homework. And there are certain seats you clearly should be at and must be asked.

So, again, look at your at the applicable legislation that applies to you in your respective jurisdictions. But, you know, clearly there are some that are very obvious in that respect. I would also say, you know, talk to your GC as well and who always has, I suppose, a truly valuable perspective to give and can really support. I've been very lucky with my GCs and managers over the years where they really, really value the concept of privacy and what it means. 

And so I would say, you know, do your homework, go to the areas where there's already seats there and see if that makes sense. You know, go to your GC, go to your manager, ensure you have that consistent line of communication, try and do, you know, some partnership presentations with others, for example, as a way as a way to get in there. Try and, you know, business call, try and join calls if you can or meetings where they're discussing bigger strategy and bigger ideas, because it means you're going to be on top of that.

And I think that's something that's that's worked very well. You know, the the notion of, you know, making making waves or making, you know, having impact. It's hard, right, because for a privacy perspective, it's not as if, you know, you can actually put an incredible amount of metrics together. It's hard. 

How do you put a number on trust? How do you do that? And it's a bit of a pet project of mine, which I'm looking into right now. But, you know, there's various papers and articles written about how to do that.

You know, talk to others about it. Talk. It's amazing to hear what others have done to create those metrics. And sometimes it's important when you know you want to have that seat and you want to help make those decisions again. Do your homework, see who's on the underside, understand how what matters to them. 

So, for example, if it's you know, you're at a table and you know, you're you're speaking to someone in sales or finance, see if you can actually, you know, apply numbers here. See if you can actually show the opportunities that apply. So, you know, again, contextual context, a very important word of mine. It applies here as well in terms of how to get that seat, because you have to frame, you know, your impact and your output based on who's at that table and what matters for them. 

So they're just a few tips and tricks over the years. 

Stine: So you talked a little bit about you getting your inspiration and where you are right now, kind of getting your ideas for next steps. So Emma, now that you've kind of inspired our listeners, you've definitely inspired me. And I do remember more than one third of what you've said. 

I'm curious, where do you get your inspiration from? Who inspires you? 

Emma: Look, again, I have been I have won the lottery when it comes to incredible managers and partners over the years. There is one who will remain nameless, but I've had the pleasure of working with them. They are a mentor, an incredibly hard worker, phenomenally practical.

And most importantly, they have a real love for what they do. And, you know, not only that, they think outside the box and they always, always think data subjects first. There is a huge amount that I've learned from that person and all my managers over the years, and I'll probably never be able to thank them enough for what they've done. But I suppose in my own small way, hopefully I'll be able to pass that along to others.

I will say, look, not to sound soppy, but, you know, my own family and my own children are a massive inspiration. The fact that they can look at issues even from a data protection perspective, you know, you see it from from a child's world or their curiosity, and always kind of inspires me to think, wow, we need to get even better, even stronger, even more transparent, educate more in terms of what's happening. 

So all, you know, between it's almost a nod to all the managers I've had in the past and a nod to my my family to kind of keep me going and keep on that mission to, you know, fight the good fight when it comes to privacy and do the right thing by users and, you know, make a difference, which is which is what you want to achieve after all. 

Stine: Like how can you not inspire people when you have an ending like this?

Emma: Well, I'm expecting my own podcast series after this as a result. I won't lie. There's another reason why I did this. So, yeah, I'll have my own radio station soon.

Stine: Amazing. I will be listening. And I want to thank you so much for joining us today. It has been a true pleasure. 

Emma: Yeah, it's been so much fun. Thank you so much. 

Stine: And on that note, well, another episode of Inspiring Legal is coming to an end. I hope you got inspired. And once again, thank you so much.

Thank you so much for listening to Inspiring Legal. Remember to subscribe and if you want more information, you can always go to openli.com/community.