Episode 7: Getting started with privacy

Privacy. What's the deal, and how do you deal with it? How do you get buy-in from the top? What's the best approach when implementing it? We'll discuss that in this episode of Inspiring Legal.

Welcome to Inspiring Legal, the podcast for inhouse legal. 

Get insights, learn from peers, life lessons from some of the most influential GCs. If it's related to inhouse legal, we cover it. For more inspiration, go to openli.com/community

So this is a new episode of Inspiring Legal. My name is Stine and today we're going to talk a little bit about privacy. Often when you're sitting in-house, a part of your responsibilities are related to privacy, GDPR, CCPA, and the various privacy legislations that are out there today. You might also have a privacy team. But regardless of whether or not you're sitting in privacy, if you're sitting in legal, you need to figure out how you want to work with privacy. What is your privacy vision, mission, goals, and how do you get that ingrained across the organization? Well, I think the first thing we should talk about is getting management to stand by the support, the insights, and the power that is needed for you to succeed with working with privacy. Because if you don't have management, it's going to be very difficult to get this implemented.

So what I would do first is I would start by figuring out just at my own desk, where are we in my understanding of our compliance level related to privacy? Once I've gotten that, what I would do is I would at the next management meeting go and introduce them to just generally privacy, where we are as a company, and also what is needed for us to be at an acceptable level. I'm not talking about going into details about whether or not you have your Article 30, if your DPA is up to date, your privacy policies. I'm talking just in general. And then I would go to management and say, I think this is important for reasons A, B, and C, not focusing on the fines per se, but focusing on how we can leverage privacy as a revenue generator, just one example, or as a way to build trust with our users, or if we can see that we're getting a lot of requests in the sales process, or from users. 

Let's say that we're a B2C company. If we can see that a lot of users are starting to ask questions about how we're doing things related to privacy, well, that is always good to have on file. Because as soon as you make it tangible, as soon as you make it visible to management, how this is impacting the company, not only because of high fines, but how you're operating as a global company, as an example, well, then it makes a difference. So this is where I would start. Then I would ask for a mandate to go and take a further look into how we're working with privacy. And what I would do then is simply start classifying GDPR and privacy into different buckets. There is how we're doing in terms of sales, how many requests are we getting, how we're doing in terms of end users asking us questions, how we're doing in terms of internal, it might be your employees that have questions, and then how we're doing on the overall compliance level. 

In my own personal view, I've not done any digging at this point in time. And I then have a good understanding of the impact that I'm able to maybe have with running and implementing a privacy program. What I would do then is simply start mapping out how we're doing, what data are we getting, are we a data processor? Well, some of the things that I would start looking at first is how, let's call it, risky are the data processors that we're using to deliver the service to our company. 

Let's imagine that my company, it's not, by the way, just emphasizing, it is not, but built on Google Analytics. If it's built on Google Analytics, I know, not good, right? Because if you've seen all the many different types of decisions coming from the regulators, well, then you would know. Google Analytics aren't doing super well. So we do that mapping and seeing, okay, just on a general level, how we're progressing in that regard. And once I had that, well, I would start doing more mapping. Then I would figure out overall what impact do I anticipate that working with privacy will have on my company? Because it might have an impact. 

In some scenarios, it probably will. Marketing might not be able to do the same type of lookups in Facebook that they were doing before, you know, lookalikes. It might be that some of the processes for buying tools will drag out a little. I'm not talking necessarily about a lot, but before you start buying a tool, figure out whether or not your data processor is GDPR compliant and working with privacy and have the appropriate security measures. Well, that's important. 

Because as soon as you open up, you start to share data, and then you're relying and hoping on their compliance level. So you might want to introduce your process when it comes to buying tools, which might have an impact on the product teams. Because also the product teams, they like to buy tools, just like marketing. And if all of a sudden they just can't go out and buy the tools as they were normally doing, well, then you would need buy-in. So getting that overview before you start implementing it. And then what I would do is I would go to each of the business owners, and I would have a conversation about it, telling them why it's important, showing them how many requests we're getting from customers, how many tools we're using in the organization, how much data we're sharing across, or maybe also how many of our prospects have questions about the subprocesses we're using. And how it's impacting sales. 

I would go to, for example, my CPO, which is the chief product officer, and I would say to him, well, this is how the world is. Many product officers are really dedicated to privacy. That's my experience. So when you're talking about, we need to keep data safe, you need to make sure that we're working with the right companies, well, they typically buy in. Especially if you're asking them also about how can we improve the process.

It's all about stakeholder management. But it's also about figuring out a balance. And then creating your vision and mission together with these decision makers. Because if you can get the CPO's buy-in, well, a part of your maybe goals would be that we contract with tools, platforms, and services out there that have a certain standard when it comes to private security. And if you get that buy-in, that's an easy goal. It's also easy to get incorporated into the business. And then you go to management and say, well, me and the CPO, we are here to talk a little bit about our vision and mission when it comes to privacy and working with vendors. So we've agreed that we've set the bar to be, we want to work with contractors, platforms, services that meet these basic criteria. So we will be implementing this and that would really help increase our compliance, make sure that our product is safe, maybe minimizing the amount of potential data breaches because we're working with these more maybe secure companies.

And at the same time, by the way, my CCO, Chief Sales Officer, I can tell you that we can see that a lot of the customers have had questions about subprocessors. So implementing this process will make the sales process go faster because we will have our subprocessors more under control. And the legal team will be able to much faster go in and tell how we're vetting vendors, how we're working in with them, and how we're then keeping your customers' data safe. So this is how I would start. I hope that this is useful and that it might have inspired you to work with privacy and how to get buy-in. 

And I look forward to having you join our podcast again. Take care. Bye.

Thank you so much for listening to Inspiring Legal. Remember to subscribe and if you want more information, you can always go to openli.com/community.