How To Implement a Privacy Program That Makes Legal Strategic and Avoids Bottlenecks

Feb 8, 2022 1:30 pm2:30 PM EST

Request The Full Recording

Key Discussion Takeaways

Are you wondering how you can identify, address, and tackle privacy risks before you ship a product or feature? If so, how can you plug into the development lifestyle to make sure your company is always compliant?

To bring privacy into your products without slowing down development or rebuilding your workflows, it’s beneficial to stick to the basics. One of the key strategies for creating a program that works is developing processes that capture critical information, allow for automation, fuse with existing processes, and offer a foundation for repeatable, scalable operations.

In this virtual event, Aaron Conant sits down with Chris Handman, Co-founder and COO of TerraTrue, and Anthony Prestia, the Head of Privacy at TerraTrue, to talk about privacy programs. They talk about how to build a privacy program that actually works, the biggest challenges in privacy programs, and how to provide privacy input within the product roadmap.

Here’s a glimpse of what you’ll learn:

 

  • Chris Handman and Anthony Prestia discuss their backgrounds and roles at TerraTrue
  • The main purpose of TerraTrue
  • How to build a privacy program that actually works
  • What are the biggest challenges in a privacy program?
  • Components of a successful privacy program
  • How to provide privacy input within the product roadmap
  • Steps to incorporate automation in your privacy program
  • Data points that will help you track the success of your privacy program
  • How is the privacy organization as a whole scaling?
  • The best clients for a program like TerraTrue
Request The Full Recording

Event Partners

Guest Speakers

Aaron Conant

Co-Founder & Managing Director at BWG Connect

Aaron Conant is Co-Founder and Chief Digital Strategist at BWG Connect, a networking and knowledge sharing group of thousands of brands who collectively grow their digital knowledge base and collaborate on partner selection. Speaking 1x1 with over 1200 brands a year and hosting over 250 in-person and virtual events, he has a real time pulse on the newest trends, strategies and partners shaping growth in the digital space.

Anthony Prestia

Head of Privacy at TerraTrue

Anthony Prestia is the Head of Privacy at TerraTrue. Anthony has more than a decade of privacy experience as an attorney and developer of software to assess privacy compliance. Before joining TerraTrue, Anthony served as Senior Privacy Counsel at Snap Inc., where he spearheaded the evolution of Snap’s world-class privacy program to comply with the GDPR. Previously, Anthony was an associate at Perkins Coie, where he worked as outside privacy counsel to both startups and Fortune 50 companies.

Chris Handman

COO and Cofounder at TerraTrue

Chris Handman is the Co-founder and COO of TerraTrue, the first privacy platform designed to seamlessly work with product development — made for collaborative, fast teams in the era of GDPR and CCPA/CPRA. Before co-founding TerraTrue, Chris was part of the General Counsel at Snap Inc., where he built the company’s legal, compliance, public policy, and law enforcement teams. During his time there, Chris developed a transformative privacy program that coupled rigorous review with tools and systems that were nimble enough not to restrain the relentless pace of execution.

Event Moderator

Aaron Conant

Co-Founder & Managing Director at BWG Connect

Aaron Conant is Co-Founder and Chief Digital Strategist at BWG Connect, a networking and knowledge sharing group of thousands of brands who collectively grow their digital knowledge base and collaborate on partner selection. Speaking 1x1 with over 1200 brands a year and hosting over 250 in-person and virtual events, he has a real time pulse on the newest trends, strategies and partners shaping growth in the digital space.

Anthony Prestia

Head of Privacy at TerraTrue

Anthony Prestia is the Head of Privacy at TerraTrue. Anthony has more than a decade of privacy experience as an attorney and developer of software to assess privacy compliance. Before joining TerraTrue, Anthony served as Senior Privacy Counsel at Snap Inc., where he spearheaded the evolution of Snap’s world-class privacy program to comply with the GDPR. Previously, Anthony was an associate at Perkins Coie, where he worked as outside privacy counsel to both startups and Fortune 50 companies.

Chris Handman

COO and Cofounder at TerraTrue

Chris Handman is the Co-founder and COO of TerraTrue, the first privacy platform designed to seamlessly work with product development — made for collaborative, fast teams in the era of GDPR and CCPA/CPRA. Before co-founding TerraTrue, Chris was part of the General Counsel at Snap Inc., where he built the company’s legal, compliance, public policy, and law enforcement teams. During his time there, Chris developed a transformative privacy program that coupled rigorous review with tools and systems that were nimble enough not to restrain the relentless pace of execution.

Request the Full Recording

Please enter your information to request a copy of the post-event written summary or recording!

Discussion Transcription

Aaron Conant  0:18

Happy Tuesday everybody. My name is Aaron Conant. I'm the co-founder and managing director at BWG Connect. We're a networking and knowledge-sharing group of thousands of organizations who do exactly that. We network and knowledge share to stay on top of the newest trends, strategies, pain points, whatever it might be that shaping the digital landscape as a whole. I connect with 30 to 40 organizations a week to stay on top of those trends. So when the same topics come up over and over again, we host an event like this. So a couple housekeeping items, as we get started, we're kicking this off at three to four minutes after the hour. And just so everybody knows, we're going to wrap it up with three to four minutes to go in the hour as well, we're going to give you plenty of time to get on to your next meeting without being late, maybe even grab a cup of coffee along the way. The other thing is, we want this to be as educational and informational as possible. So at any point in time you have any questions you can drop into the chat, you can drop into the q&a there, or you can always email me aaron@bwgconnect.com, we can feel questions that way as well. And for that portion, like, if it's after the call, an hour from now, tomorrow or next week, you have questions in digital space, don't ever hesitate to reach out. We got thousands organizations in the network, there's probably someone in here, an expert that we can connect you with. So with that, I want to kind of kick this off. A lot of focus, we're just saying and kind of the pre-call chit chat their massive focus away from oh, everything digital has to do with Amazon to, hey, a lot of stuff digital has to do with it internally, what's going on? A lot of brands building automatic consumer sites, there's a whole new preview. And so a lot of questions have been coming up lately is there's this huge focus on privacy as a whole. And that's how we kind of got to this topic today how to build a privacy program that actually works. And so a lot of information flying all over the place out there. But we got some great friends, partners, supporters of the network come highly recommended from a ton of organizations within it, who agree to jump on the line today and kind of help educate us. We're helping a lot of organizations out in this space and kind of just say, "Hey, this is what you should actually thinking about. And this is what works." But also answer as many questions as we can throw at them as possible. And so, Chris, I'll kick it over to you first, if you want to do an intro on yourself, TerraTrue, that would be awesome. And then we can kind of, we'll kick it over to Anthony, and then we'll jump into the next conversation sound good?

Chris Handman  2:34

That's perfect. Thanks, Aaron. So I'm Chris Handman, I'm the co-founder and COO TerraTrue. Kind of TerraTrue story and my own biography kind of merged with my last job, which was I was the first general counsel at Snapchat, it was still called Snapchat back in the dark days when I joined in 2014. And one of the reasons why the company looked for a GC so early in its lifecycle was they'd already gotten hit by the FTC with a 20-year consent decree for some privacy missteps. And this was when the company was about 60 employees. So you can imagine suddenly, they had to contend with this existential threat, they're going to be audited by the government every year for privacy program. And what they had to do is build a privacy program where they were going to demonstrate through audits that before every code change every feature, every innovation, every iteration, that they could demonstrate that they knew that data was collected, how was going to be used, where it was going to go, how it was being shared. And so you can imagine that type of bureaucracy might work well, at 50,000 person company, but a fast-moving modern company, it posed a huge challenge. And so Anthony and I were the ones who basically, came up with a plan wrote the whole playbook on how to basically build a modern privacy program. Before there was a GDPR out there, before there was a CCPA. We were out there in the trenches solving these problems. And we ended up doing some of the gnarly like, resulted in a perfect compliance record. No odd no deficiencies noted, the business came to embrace what we did so what could have been rejected and what often is rejected at companies as a cynical process, we have the business embrace it for transparency. And so TerraTrue after the IPO at Snap, we decided along with my co-founder, Jad Boutros who was the first CISO at Snap, that there was this massive hole in the marketplace for platforms that could really bridge your product development with everything you need to do to be proactive about understanding the types of data you were going to be collecting, how that was going to implicate against the laws so we can take structured data maps around what you're planning to build, map that against the world's laws, which we embed into our platform GDPR CCPA and spit back real-time guidance. Cut down on the inefficiencies, the duplication, the ad hoc manual processes that often define the convoluted nature of privacy programs and create one really simple super-efficient workflow that unifies that product building and product review stages. And we've been really, really blessed to work with some incredible brands from Robin Hood, to Roku to Pinterest. It's been a fantastic journey so far. And we love to share our learnings around kind of what we experienced at Snap and how we're really bringing this kind of broader democratic ability to roll out super effective. And again, to get back to the title here. It's one thing to talk about privacy programs, but to make sure they truly the emphasis has been actually working. And that's really what TerraTrue specializes in, getting away from like the theoretical and really building platforms that help bridge the way modern teams want to work with the modern demands of privacy. And so all that is made possible by Anthony's contributions, both at Snap and where he is a TerraTrue and I'll let him introduce himself.

Anthony Prestia  5:49

Yeah, hi, there. I'm Anthony. I'm the head of privacy here at TerraTrue. Chris has already given you a bit of my background, I will say I am a pretty good attorney, but a truly awful software developer. And I've used that kind of mix to work in the privacy space for a long time in a variety of capacities. Originally, starting in the ad tech space, eventually working for a law firm called Perkins Coie, where I was kind of the lone privacy attorney in the San Francisco office, despite it having a very large privacy practice globally. But that gave me the chance to work with a number of small emerging companies, as well as larger companies in the tech space from Google and Facebook and Uber and Twitter and all those to snap as well, where Chris was a client and eventually asked me to come on and help build out that privacy problem. And I jumped at the chance and then jumped at the chance to do it all over again, for a number of our customers here at TerraTrue. So I'm going to keep it very short. That's all I've got. Chris, back to you.

Aaron Conant  6:45

Awesome. So really quick reminder, want this to be as educational and informational as possible. So drop any questions you have in the chat the q&a or email them to me, aaron@bwgconnect.com. And then I think you guys said it is why I think you guys got connected with us over and over again, was just around people want to feel confident in what they're doing. And they want it to work, and there's so much like, fuzziness that's out there. And you need to actually be able to go to sleep at night knowing that this it's all false. So anyways, I know you guys have a brief deck, I don't know if you want to start off with that we kind of walk through it. And then we'll just feel questions as they come in. So good.

Chris Handman  7:31

Yeah, no, I think that's great. And we'll keep the deck kind of go through efficiently and then love to hear questions that anyone has. So I think Anthony is going to share this for us. So yeah, again, thanks, everyone for coming to this. As I said at the kind of the outset, like for us, like the real emphasis does fall on that kind of like the pragmatism of building a privacy program, how does it actually work? I think for anyone who has even the kind of most faintest experience with a privacy program, you know that they can often be difficult to roll out, difficult to get buy-in for, and difficult to kind of actually implement. And so what we really want to do today is showcase the ways in which this is actually a lot simpler than you can imagine. It comes down to understanding what you need to do and understand the right tools and processes you can do. And with those kind of key load stars in mind, you can help shape and guide a program that not only gives you the confidence and the rigor that you as a privacy professional or a legal person want to have for your board, and your C suite, but also kind of makes you that product champion, makes you no longer that bottleneck or the place that product, people think good ideas are going to go to die, and now really kind of stand out of the legal or privacy champion, both for your consumers as well as the product. And so that's a little bit what we want to get into. And with any luck, you'll emerge with some of that today. So we can move on to the next slide. And, look, let's just start with the table stakes conversations here. Identifying what are the biggest challenges. So privacy programs, I think everyone understands in the abstract. Having a privacy program is a laudable goal, a lot of people either tried to do it and fail or simply give up because it seems too intimidating. So let's just really break this down and understand what goes into a privacy program. So when we think about a privacy program, what you're really trying to understand is, let's be proactive, before we deploy products in light of GDPR and CCPA. And all the laws coming down from various states and countries. It's no longer if ever was good enough to kind of like ship your products and hope for the best and see what happens. It's really essential these days to get a handle on what your teams are looking to build before you deploy those products. And so that's what a privacy program is designed to do. Understanding what's being built, understanding the risks. enabled me to remediate them and document that. So what are those big challenges that stand in the way of being proactive about it? Well, the first is really just visibility. Your privacy program is only as good as you know you have visibility into what your teams are building. If you don't have a window into what your product teams or businesses are planning to do, the third parties, they want to bring on, the types of data they want to use, the privacy program just fails at the outset. So understanding building bridges, seamless extensions, from the tooling that your product teams are using to get a universal view of what they want to build is incredibly important. And again, one of the biggest kind of culprits that defeat privacy programs. The second and it's a close cousin of that visibility breakdown is coordination. If you can't coordinate as a privacy Pro, or a lawyer in your company, with the teams that are responsible for dreaming up the data they want to use and how they want to use it, and helping to bridge the remediations, the recommendations, the guidance, if that all breaks down, if it gets siloed off in different communications channels, that coordination ends up bottleneck into production. And then the more bottlenecks, the more the business ends up just growing kind of weary of the whole process. And it kind of leads to that self-defeating cynicism that I think can be the depth of any good effective compliance program, whether that's privacy or security or anything else. So but building the right connections is incredibly important. And then finally, scale. It is, of course, easy enough to identify how you want to do this on a single feature-by-feature basis. But when you start thinking about dozens, scores, hundreds of features in a quarter or a year, and having to understand and be consistent, and mapping guidance and rules to what's being built to what those laws are, that's when things can get really hairy and start to break down. And just to give you a kind of an example of like, what that challenge can be and how you can still succeed, at Snap, for example, I think, in the year we went public in 2017, we did something on the order of about 5000 privacy reviews. So that means 5000 independent reviews, understanding the data flows of a particular feature, or change, getting the feedback back, documenting, we did all that without slowing down what was an incredibly fast-paced, highly inventive sense of product. So it is not incompatible to have a highly rigorous and robust privacy program that at the same time of like making sure your product teams build and scale. But it all gets back to really that visibility, coordination and building the right structures in place. And hopefully it will give you a little bit of sense about today.

Aaron Conant  12:58

Yeah, question that comes in is around buy-in. That is there's been so many bad experiences with privacy programs, it does slow it down, you're inhibiting. There's this idea that as soon as it comes into place, here come the corporate fun killers. They're always trying to slow us down and get other way. I think it's a great question like, how do you dress buy-in? Who's the champion internally is another question that I get quite a bit as well.

Chris Handman  13:26

So let's go to the next slide because that that's a perfect segue to addressing that. Because as you think about the components of a successful privacy program, you need to understand that one of the key components is getting that buy-in, but you can't get that buy-in if you go to your executive champions, or your head of product with a kind of legacy, old fashioned view that privacy is a siloed compliance function. Because people who've had experiences with that, know it's terrible. And they want nothing to do with it. And you're not going to get that buy-in. So one of the things we want to build to do with this presentation is arm people with a sense of how you can build a modern, scalable, proactive program that's absolutely responsive to the needs and caters to the kind of wants have a bit of the business, and still satisfies that compliance savant nerd and all of us who wants to make sure we're totally buttoned up about the law. But you're absolutely right, like understanding that buy-in is critical. But you have to understand how to build that successfully before you can go to get buy-in, right? If you go to try to get buy-in and try to sell something that's absolutely broken from the outset, you're going to ruin your own credibility and then ultimately, the success of that program. So the goal really is understanding how you can come in with something that is going to work, how can be pragmatic, be modern, in a sense of like, understand, like the relationship of the way we are as lawyers and product people a privacy today. We can't view ourselves as this kind of like categorical gatekeeper that simple says, "No." It's finding pragmatic, modern ways to do that. And once you build that program in, it's a lot easier to make that sell. And we've seen that with dozens of customers who have taken TerraTrue as a way to really supercharge a privacy program and kind of bring a much modern sensibility integrated with the tools they use with. So when you bring a privacy program that’s already seamlessly integrated with JIRA, or Ironclad or the tools that your product teams are already using, there's already a sense of, hey, you guys get it, you understand the kind of cadence and rhythms of the way we operate as a team. We will get to that. But all of this is of a piece with how you get that buy-in ultimately.

Anthony Prestia  15:49

Just very quickly, to add to that question, I will hit on some of this a little bit later on. But I do think some of the key components right around educating the business and empowering them to understand these issues to some extent, so they can make good decisions during the design phase, or even come to you with the right questions to speed things along. Part of it's just about pattern recognition as well finding these issues that come up very frequently, and in coming up with scalable solutions to address them quickly. And then really finding those different ways to plug into the existing processes and not be kind of this tacked on bottleneck later on down the road. So we'll talk about those in some more depth in a little bit. But it's a great question. And I think, absolutely one of the hardest things to get right for any business.

Chris Handman  16:33

And so when you think about these components of successful privacy program, so if you think about the just if we get rid of the adjective success, and just focus on components of a privacy program, what we list here, one, two, and three, I think liability can get but what makes them successful, is creating repeatable processes, digitizing this entire process. And again, that's kind of what TerraTrue really has revolutionized the way we think about privacy. Every step here from capturing that information, to triaging that information to understanding what data needs to get reviewed, when it needs to get reviewed, by whom should it be reviewed, and then filtering that all into downstream workflows, that you need to bring a sense of like automation and structured data to that. And so when we think about that stuff on capturing critical information, and triaging and getting back that point about visibility, if you have a tool that integrates already with whatever your product your business teams are using, let's say they're using JIRA to create lists of tickets, whether those are ethics or other issues, you can create, in TerraTrue, for example, ways in which you can seamlessly pull from those JIRA projects, everything you need to do. So you have one single source of truth that's created basically like a privacy ticketing system. So the business doesn't even have to think about should I raise my hand, should I offer something here, you don't have to deal with those ad hoc processes. So capturing the information, making that as automatic and as seamless as possible. And then creating rule-based systems through again, digital workflows that can triage and say, this needs review, this doesn't need review, based on the way we handle risk in the past, you're good to go or hey, this needs to be reviewed by Anthony, whatever it might be, that can all be done in mere seconds using platforms that are designed for that, as opposed to kind of the templates that define products today. From there, you want an initiative that if it does require privacy, hopefully, a lot of them won't, but some will require privacy review, you want to make it absolutely easy to get that data. So again, one of the biggest issues with privacy programs today, is that the way privacy pros get that information from their business is they send them the same templates, right? It's the same static templates, or questionnaires, or spreadsheet. And so the business is it gets that natural cynicism. But I've answered this question 15 different times, why do I have to keep saying the same thing about the same product? You know what products I work on, stop asking me these questions. We want to get rid of that. So we have structured data that can remember what teams work, what individual members of teams worked on, how that data maps to past products that you've done so that the gathering of that data and the mapping that data to the laws to your own company's rules, to your own risk calibrations that you have set and define can occur seamlessly on rails without having to have that kind of personal mediation every single time. And then that gets into like that showing your work right? As you show your work. That too is a repetitive process. It is this specificity and process every single time you have to push that rock up the hill, and there's no reason to do that. There's a much more efficient way to do it. You should be able to like clone past work, leverage what you've done the past. So again, all this comes down to having the right tooling that is designed to revolutionize not What you have to output, but the processes and the ways you get there to cut that down 10x or even more. And then finally, and this is one of the big, big, inhibiting factors of efficiencies and privacy program, keeping all of that, that work up to date, records of processing data maps. Again, the way that's been handled today is pros are sending emails out, slack messages, spreadsheets, fill this out. This is all information that if you did it right, should have already been captured in steps one and two. And so if you can efficiently almost like think about in terms of like a recycling, regenerate the same work that you did in steps one and two, into all those downstream workflows, and created automatically again, this is what we TerraTrue are built, so that you capture all those efficiencies, you're nothing spawns to the cracks. And the teams and the businesses are basically not having to interact with privacy pros as much. And when they do interact, it's always high value, and then repeatable from there on out. And so I think Anthony can go ahead and weigh in on a few of the other more practical aspects here.

Anthony Prestia  21:07

Yeah, absolutely. So the first thing I want to talk about, it's very simple. It's don't overcomplicate things. I think one of the most common issues I saw both in private practice, and now that we've been bringing TerraTrue to market and working with customers that just haven't quite gotten their privacy program off the ground yet, is a tendency to kind of focus on the minutiae of privacy, compliance, and never get around to actually doing anything. This is an understandable problem. The privacy space, especially here in the US has been a patchwork for a very long time, right? Different laws addressing different sectors or specific ways of using data and not these kind of general privacy practices and principles. But globally, we're just seeing more and more requirements and regulations over time. So I get like people do this. But realistically, I think it's worth taking a step back and understanding there's no way you're going to cover everything out of the gate. And realistically, there are just a few things you have to get perfect on the first go. And the first one of those is really about making a good impression on the business stakeholders. So I think this goes back to that question we had from the audience a bit ago, about how do we kind of build that trust and not end up being attacks on the back end? Well, you're unlikely to do that if you start out dumping a bunch of complicated legal jargon on the business and kind of disrupting the way they develop product. It's just not going to work. To give an example of this, as well, I guess I was working with an early stage StartUp that went on to be very successful a long time ago, made the right decision to invest in privacy early, hired a privacy counsel, they were real gung ho to get things up and running, and immediately started implementing what I think was probably an overly complicated privacy program. And tried to motivate the business, not by education, but by talking about the huge potential fines that could result from like tiny missteps and those sorts of things. So when I started working with this company, I started trying to get some feedback from the PMs and other folks in the business about the program and what they liked, and what they didn't like. And one thing that has stuck with me over years and years is there's one PM who looked at me and said, Look, if this business fails, I'm going to write a book about it. And there will be an entire chapter dedicated to the name of this privacy person. And like, that has been my benchmark for who I never want to be. And how can we avoid that? I think it's by keeping things simple. So just understand your goal is to educate the business early on, and help them understand why privacy is important. And I think the easiest way to do that is to pick a baseline to align your program to. There are kind of two ways you can go here, right? The first is picking a law, maybe the CPRA here in the US, maybe the GDPR if you're a business that's kind of global. But the goal is to teach the core concepts to the business. So they can help identify things as they're building product. So that might be understanding what sensitive or special data is, maybe when they should get consent for the types of products they're building, or how to even balance like your business needs against risks, these sorts of just fundamental things. You could scale it back even more, though, and look at the OECD Fair Information Practices, right or the FIPS. So these core ideas around limiting the amount of data you're collecting, making sure you're scoping the purpose for collecting that data, all that sort of thing, simple concepts for anyone to understand that really underline or underscore like all of the privacy laws we see today. I think once you've done that, it's really about being proactive as well, reaching out to the business and helping them understand privacy. So there's this initial learning piece, but it's not over right there. It's about coming up with scalable ways to come in and help people understand privacy as the law develops, as your product develops, and understand that there will be curveballs, always. And those could come internally, because your business is going in directions you didn't expect the product to go. It could be because there's a new state law, or there's new class action lawsuits coming up in a place all the time. Suddenly, biometrics are a big thing you need to worry about and understanding that, yes, get those baseline principles down. But be ready to be proactive and reach out when situations change. But the real key here is just not letting perfect, be the enemy of good. Get in there. Set up a baseline, educate your business, and then evolve over time.

Aaron Conant  25:45

I love it from the standpoint, I listened to your talk, couple things that I pull out is like, educate, don't sell, right? Because in that scenario, if you're selling something, you're selling risk mitigation, a potential thing that might happen, which is something really tough to sell. But on the education side, you're educated, hey, this is a real possibility that could impact the business down the road. Do you want to swim towards that? Or do you want to swim away from it? And let them make that decision? The other one is just yeah, I think better not best. And the only wrong thing to do is to do nothing. It's just to let it sit out there and get analysis paralysis and not at least take a step forward in the right direction. So no love and just reminder to love to commentary on that. But yeah, other people have questions drop into the q&a, the chat or keep emailing them to me, aaron@bwgconnect.com.

Anthony Prestia  26:38

In the point you brought up there is absolutely right, do something. The only wrong thing is to do nothing. And one of the reasons I discourage folks in the privacy space from doing what this privacy council I talked about did, which is say look at these horrific fines and all the terrible things that can happen. Realistically, small missteps are not going to hit you with your 4% of your global revenue fine. And those things unless you're truly disregarding privacy, doing nothing and just being absolutely careless about it. If you can show you have a program, you've aligned it to some of these principles, and you're trying, you may get some amount of time to remediate what you were working on, or a lesser fine, but just doing nothing's when you get in trouble, make best efforts get started, you can improve over time, it's really important. So once you've started this education piece, you really then need to come up with a good way to figure out how to plug into the product roadmap. You can only provide advice and help the business out if you understand what's being built. And I think in our experience, there kind of three key things you need to address. The first is helping teams understand when they may need to reach out for privacy help, right? So when do I need to raise my hand. And this will vary from team to team. So part of it will be that initial education process, we talked about, helping folks understand the requirements of the law, or even what folks expect from your product. You get into privacy trouble and take that kind of PR hit when you're doing something with information that people don't expect, right? So helping people identify those. But then really providing tailored advice to individual to try it. So for example, if you have an advertising or marketing team within your business, you may want to provide some tailored education around sensitive categories of data and like requirements for automatically making decisions about folks, not targeting certain groups of people, the ads and those sorts of things. You can talk to your HR folks about the risks of collecting government IDs or information about trade unions and doing background checks, or even sending that data off to vendors or using new tools, these sorts of things that may require privacy reviews. As you can imagine a lot of different ways you can tailor that advice over time, it is one of the trickier things, I think when you're first starting out building a privacy program and giving that individual attention to different teams. I think what we tried to do with TerraTrue was address that in a more scalable way by using integrations and configurable rules that have automatically flagged these processes. As folks or buildings, you don't just have to rely on education, which can be a slow process. And then next thing you want to do is make sure you're not the bottleneck, which again, I think goes back to that question we talked about before. And some of the experiences I've seen in other companies where privacy ends up being a tax that is feared by business. But realistically you have to build trust and make sure you're never a bottleneck by giving timely and consistent support always. The stakes here are high. If you're not timely if you're not consistent, you will just be ignored. Your privacy program doesn't work if people don't interact with you. There's trust in both directions here. businesses rely on you and you need to rely on the business. So the keys I think, are really to just be responsive, always pick your battles, and then find ways to create scalable advice. So what I mean by that, I mean responsiveness, I don't think I have to dig into much. Any privacy job is a service job, you need to treat everyone that comes to you as a customer and do the best you can to respond promptly. But then you also need to pick your battles. So there are things that are worth fighting for, that are worth slowing down the product roadmap because it presents a huge risk to your business or reputation. But you don't need to make every single privacy decision, one of these. Help the business, identify risk yourself, develop your own rubrics and understanding of what kind of risk your business can tolerate, and pick your battles. And then kind of that last bit there about providing scalable advice, look at patterns, figure out where you're getting common questions from different teams or across the business and come up with baseline rules that you can share. I'll talk about this a little bit more in the next slide. But within TerraTrue, our product, we've come up with ways to kind of do this in an automated fashion. But if you're not using a tool like ours, just be ready to look for patterns and take notes. And that could be for you. Or if you have a team of several people on your privacy work, talking together regularly to identify those patterns across the business and make sure you're all aligned and giving consistent advice.

Chris Handman  31:27

And Anthony, can I just jump in on because it's such an important point that you raised there around preventing bottlenecks, and being responsive to ensure that trust and being scalable. And I think this just goes to show one of the pitfalls of the way programs are run today. Because so much of the communication and collaboration from your business into the privacy is coming from a dozen different channels and different communication mediums, whether it's email or slack, or an in-person meeting. And so the more you can consolidate those workflows into one simple workflow, one platform, one source of truth that has houses all of your privacy conversations, but there might be two-way sinks with tools that are already being used, right? So you can communicate people from maybe a TerraTrue, and that goes out to JIRA, they can respond to you in JIRA, but the conversation stays consistent and coherent in one channel, that allows you to do your job much better at scale, and promote that consistency. And then all those rules again, as Anthony said, being pragmatic, making those right judgments, building those rubrics in, that is in some sense, an inherently ad hoc process. But there's no reason why once you make those determinations, you can't create rules that help define future situations and make sure like situations are governed alike. And today, there's no every single situation is being reviewed a new, again, using technology to create rules that address that across the board, as you go forward, just makes your privacy program become a flywheel effect. And the more you use it, the more you use technology to create those rules, the faster you and your business and proceeding.

Anthony Prestia  33:09

Yeah, look, bottom line, I think, is this last note on the slide here making private See, review, scalable, consistent is all about process. So making sure it's easy for folks to loop you in early, making it easy to gather information about how products and features are using personal data, quickly identifying privacy concerns and patterns, and then sharing your kind of feedback and guidance. As early as you can in the process. Understanding that product development, it shifts right, no one sets up the perfect spec and then builds it. It's going to change over time and just being flexible and providing that advice. And really, I think the best way to do that is by looking at this process and trying to incorporate automation into whichever steps you can. So that first step intake I talked about is a tricky one for a lot of businesses. You need to be available where your team's work. And I think for a lot of privacy folks internally at companies, that means you're getting things via email via slack. A few years ago, people would show up at your desk, it's certainly less common now. But you get requests from any number of different venues and you need to be responsive in all of them. At TerraTrue, what we've tried to do is build integration. So this all pulls into a single platform where you can see everything and track all your work and guidance and all that good stuff. But the real key is just making it simple for folks to raise their hand and being open to all these venues. Once you've done that, you really need to have a scalable way to gather data about what products and features folks are building and how they'll use data. I think for a lot of companies early on this starts out with plugging into a product specking process, something like that, adding in some questions about how you're going to collect data and share data. Are you working with any vendors? How long are you going to keep this data, those sorts of things? Where that ends up being problematic over time is that when you give folks just blank questions like that, or a spreadsheet, or whatever it is to fill out, you may get inconsistent responses over time and across teams, the same teams collecting the same sorts of data, but calling it different things or retaining it for different periods of time. And it becomes difficult to pattern match there and provide consistent advice, or even have different teams kind of work together and say, hey, look, we're already collecting this data and using it this way, why don't you just plug in and help out here? This is one of those spots where actually privacy program can be a cost saver, in some cases, if you're doing it well. I think TerraTrue what we tried to do is create structured tools to do this. So you can ask consistent questions. And we can provide automated feedback and say, "Hey, look, here's the data you're already collecting, here are retention periods that are already approved, it make it much, much faster to gather that data, and then make good suggestions about how they should be doing it." The next is identifying those privacy issues and patterns, right? So saying, hey, look, we're collecting facial scans here, we should probably get consent, things like that. These will come up frequently. Education is a great starting point, as we talked about for businesses first starting out. But again, like the reason we built TerraTrue was to try to do this in a more scalable way, which is to say, hey, look, if someone says they're collecting facial scans, you can provide this automated feedback that says, "Look, we collected and sent in that case, and here's how you might do it." If you're not using tooling, another strategy might be things like internal wikis and things like that you can point folks to, but the real goal, right is to get that information out there and the fastest way you can.

Aaron Conant  36:51

Really quick like comes to mind there, it has to be simple enough, that there's no reason for anybody not to use it. If I'm on the data privacy team on general counsel, I was saying, I want this so simple. There's no way anybody could say I couldn't figure it out. It has to be that simple. And yet it has to be robust enough to allow free text and or actually capture the information you need and not slow anything down.

Chris Handman  37:17

I think one of the things, Aaron you're absolutely right, and I think it's why the DNA of like TerraTrue, like there's a bit of like that, that Snap product mindedness around. This is a b2b SaaS tool, maybe you want to think about broaden the compliance space. We know that this is a tool that has to work well with product teams, people who are used to colorful, modern, responsive UIs, like Asana or whatnot, that's what TerraTrue is. And so making sure that this is both accessible, colloquial, not larded with like, legal jargon, and really super-fast and responsive. And also agile in the way teams have to build is, again, goes to like the way in which I think we've been able to tap into a lot of those companies that are very tech-forward, and even just kind of progressive in the way they want to think about this. So you're absolutely right.

Anthony Prestia  38:09

Yeah, look, so once you plugged in, what's being built, you've got the infrared measure how it's being built, the next big piece is doing these privacy reviews, right. And this is where teams can become a bottleneck. You've got your pre DPI a checklist to figure out when there's sensitive data about to be used. And then you have to go through and do your analysis of like, what are our benefits here? Do we really need to process data in this way? Whose data we gathering? What are the potential harms? What safeguards do we have in place to mitigate those harms? All of that good stuff that requires careful consideration and can take time if you're not doing it promptly, will be the bottleneck in this business process. Because if you go through this work and say, hey, look, we need to implement these five safeguards. That's not something say an engineering or product team can do right away, especially if it fundamentally changes how that product may have to work because you're now needing to encrypt data, during transmission or something. Or you have to build out an entirely new UX to explain how this product or feature works. You can't provide that guidance at the last second. So you need to get quick about these and find scalable ways to do it. Again, pattern recognition is a great one here, I noticed at any number of these companies, you’re often iterating on products are not starting from scratch. So if you have easy access to the thought that you've done in the past, you can build on that instead of starting over every single time. Certainly if you're not using a tool like TerraTrue or something like that, you may do an in-depth privacy review for a product a year ago, and then somebody wants to update how it works now, unless you can go back and find that old privacy review you're probably starting from scratch. So TerraTrue tries to capture this unstructured information, provide real-time feedback and make this something crudely scalable over time. But you got to find the process that works for you so you can do these quickly. And in some cases that may just be identifying those highest risk products or features and focusing on those until you can scale your program with the business. And then the last step is that providing feedback I just talked about, you need to get it out there early to share it with the business in a way that they can track. That might be creating a ticket in JIRA. So engineering can focus on what they're doing or plugging directly into product roadmaps. For a lot of companies starting out this happens just by doing regular meetings with these business teams to provide the feedback and check in on status. But I think with tools like TerraTrue, what we try to do is make that a part of integrations. So if you provide some feedback in our tool, you can say, hey, now create a ticket in JIRA. So engineering can track this safeguard we want them to implement before it goes to market, things like that. That's a very, very high level, I think. I know, I think we've only got 15 minutes or so left here. So we'd love to kind of open this up for question.

Aaron Conant  41:07

Yeah. So if anybody has questions, you can drop in the chat the q&a or you can email them into me, aaron@bwgconnect.com. We'll get them answered. So a couple that come in here. What data points should we be thinking about to track the success of our privacy program?

Anthony Prestia  41:23

Yeah, this is actually a great question because this is something that I don't think existed until pretty recently, the legal field has not been one of metrics and performance outside of billable hours for a very, very long time. And I think, with privacy, we're definitely seeing a shift there because, look, traditionally, these legal teams internally are thought as cost centers, and you don't want to be that anymore. So I think trying to track metrics that show the value you're providing. And so that can be number one, just looking at the number of privacy issues, you've addressed, the amount of time you've maybe saved the business, I mentioned before identifying, actually here, let me step back at Snap, a good example would be we were identifying through our privacy reviews where there were teams doing very similar work, or where maybe we were maintaining a database that we didn't need anymore, and helping identify these things met actual real cost savings, when it came down to implementing engineering changes. We weren't just paying to store data we didn't need anymore, and things like that. So I think looking for those sorts of metrics that show how quickly you're able to help the business, identify issues and resolve them and things like that can be helpful. We've actually act TerraTrue of and working with customers who are trying to address these problems, for the very first time by using our tools to say, hey, look, you're getting this many privacy reviews from this team, and they're taking this long to resolve versus others, you can really get an idea of where different business units are finding the privacy program valuable and where you may need extra headcount to support them and things like that. But this is very, very early days here. And we've been had the good fortune to help some companies work through this. Chris, I don't know if you have any other examples?

Chris Handman  43:04

Yeah, no, I think the key examples, first, I'll just say that we are seeing increasingly, this becoming like an audit committee issue at public companies, boards are very interested in understanding the metrics around privacy programs. So all the more reason to, again, repurpose all that work you're doing inside the privacy program into dashboards and analytics that flow naturally from the work you're already doing, as opposed to have to like recreate it each quarter, again, something that we've been trying to prioritize a TerraTrue. So as Anthony mentioned, some of the headlines, statistics that really help benchmark the progress that you're making are how many features are actually even going through a privacy review? How long are you taking to review this? How many different new types of data are you processing? New uses of data are you creating? New vendors you're bringing on to kind of just measure both the efficacy of your reviews, but also like the scale and scope of risks that you guys might be bringing on? Those are all really easy to do if you have an automated tool, and really helpful, and again, getting budget and getting that buy-in

Aaron Conant  44:07

Another question that comes in around the privacy organization as a whole, how do you see it scaling? And how do people plan for it to scale? It should be growing in all reality. But anyway, so we'd love to hear your thoughts there.

Chris Handman  44:22

Yeah, I mean, I'll take this because I know Anthony has some good thoughts on it as well. But I mean, one of the interesting things we see in the market, talking to a lot of companies is how large privacy teams are growing. Whether they're in regulated industries or not, we're seeing this explosive growth in privacy lawyers, privacy program managers. I think as you think about scaling, it's inseparable from technology and platforms. There are really two trends that I think again, that we think are kind of immutable and unchanging. One, companies are motivated to collect more and more types of data of increasingly sensitive types. And regulations are getting more and more prescriptive, balkanized across geographical boundaries and complicated in the way you have to implement them. And so as you think about how to hand help your business as it wants to collect more data, and how you harmonize that, against the risk of this regulatory backdrop, understanding and bringing technology and platforms to help scale that is absolutely essential. The days of everything that Anthony just walked through and what we want to talk about the outset, you just cannot do that with Google Docs, and spreadsheets and email. So thinking first and foremost about those platforms, and how to build from there is absolutely critical. And then once you have that in place, understanding how different organizations will vary. A b2c company might have a different need in terms of its personnel than a b2b company, but in thoughtful about how you can best interface with the government, how you can leverage the technology, you have to work with your businesses, so that all of the repetitions and the cadences from your business into the reviews and back out, again, are as efficient as possible. So that might start with, one privacy lawyer, or then ultimately, some product counsel who have a privacy expertise. Again, one of the things about technology, whether it's TerraTrue or something else, is that you can bake into those platforms, a lot of automated guidance, so you can get away with a little bit less, and begin to amplify your voices in ways that again, you couldn't do unless someone was going to manually go read a wiki every single time. And so I think those are some just good guidance, thoughts as you think about building org. Anthony, anything else that you have on that?

Anthony Prestia  46:43

Yeah, look, I think one of the important things to understand as well is that like, privacy as a responsibility for an org may fall on someone like a team in legal or something like that. But realistically, it's a shared responsibility. So when we talk about scaling privacy part of it's also realizing that like, you will have folks in the engineering org and folks in the product org, they're also responsible for understanding this. And it's your job to help them understand the requirements of the law and kind of get some of that initial issue spotting and burden and that stuff off of your plate. So you can focus on the tougher issues. And so tooling can help with that, education can I help that. That's all just a big part of it, I think for sure.

Aaron Conant  47:29

Yeah. So I mean, you kind of addressed it a little bit last question that came in, it was like, who's the internal champion for a program like TerraTrue?

Chris Handman  47:39

Yeah, again, that will vary from company to company. But typically what we see, I'd say about 70% of the time, we're seeing someone on the privacy team. If a company has a dedicated privacy operation, it's someone on that privacy team maybe rolls up into the GC suite. I'd say that increasingly, we also see it with it from the security angle as well. A lot of companies security and privacy really are two sides of the same coin, the same concerns around what are we building? And what are the risks in deploying this, that are equally compelling from a security team's perspective, as well as the privacy teams perspective? And in many ways, we see those security teams leveraging TerraTrue to create one workflow that can be rather than nickel and diming your business with two different questionnaires or two different workflows, one from security and one from privacy, you can now kind of achieve an economy of scale to make sure that one workflow can power and automate and get it to the right folks. And in those cases, you'll see security kind of lead the way. So a lot of will depend on the maturity of the organization and the kind of prioritization that they've had in terms of security and privacy. But the main thing, of course, is really getting that executive buy-in because a privacy program that is untethered from some sort of executive sponsorship really has a hard sell and kind of rolling it out and deploying it and gaining that buy-in. And again, as we said at the outset, the more you can then go to those executive sponsors with a sense of, hey, I understand why you might be skeptical about privacy and privacy program. And you might have encountered some kind of headwinds in the past. But look, there is a way to do this at scale. Like I know, it's been done. We've heard about some folks who've done it, you absolutely can do this. And I think that just gives those sponsors like, and it's funny because who doesn't want to have like good privacy practices, who doesn't want to like stay on the right side of law and regulatory trends? The only reason is you think it's going to kill my product, but if you can demonstrate no can't, you can actually make it better. That's always like a winning sell.

Aaron Conant  49:48

Is there a type of rollout time for tear trough?

Chris Handman  49:53

Again, that will depend. We've seen rollouts in a matter of like a few weeks, the more that accompany has in terms of a past practice, data maps collections of DPIA's, large taxonomies that they've already structured, we have seamless ways of importing that in. But we also want to take the time to kind of like create bespoke processes. I think, again, privacy programs in many ways, like the elements in what you want to accomplish are all relatively universal. But the ways in which you do it are as individual and bespoke to the way each company operates. And so, Aaron has even a point you mentioned, like making sure you can have that structure without sacrificing the individuality of a company's culture and its workflows is really critical. So we take that time as part of an onboarding process to understand that tailor workflows, create those customizations, all through like a no-code, like we're not taxing engineers to do any of this. And, in a handful of weeks, people can be up and running and deploy in a scalable privacy program.

Aaron Conant  51:03

Awesome. And I see we're pretty much like right at time here. I do want to kick it over to you for key takeaways. I also want to say a quick thank you to everybody who sent in the questions today. Thank you to both of you for jumping on the line today and answering as many questions we could throw at you, as well as kind of giving us an overview of how you see the space as a whole. Again, encourage anybody on the line today. Have a follow-up conversation with the team over a TerraTrue. They're great friends, partners, supporters of the network come recommended from a ton of organizations within it. So worth a follow-up conversation. They're really doing some amazing things in this space as a whole. So Chris, knowing we've got about a minute left here, any kind of like key takeaways as we wrap up and give people plenty of time to get on their next meeting without being late?

Chris Handman  51:46

Yeah, look, I think it's the old saying, like, the best time to start a privacy program is when you first launch product, and the next best time is like tomorrow. It's like, do it as soon as you can, and take those steps. It doesn't have to be a perfect program out of the gates. But the longer you defer these sorts of programs, given the nature of regulation and the complexity of operations and continuous deployments at most companies, you're just assuming more debt. And so again, we really encourage you to kind of we want to demystify this. It is a process that can be done effectively and can really help unleash creativity and productivity as well as that regulatory Renner. So that's what I would want to have people come away from this with.

Aaron Conant  52:33

Awesome, well, Anthony Chris again, thanks so much for your time today. Thanks for being great friends, partners, supporters, the network. With that, we're going to wrap it up. Hope everybody has a fantastic Tuesday. Everybody take care, stay safe, look forward to having you to future event. Don't hesitate to reach out if you have any questions in a digital space encourage anybody. If you have more questions on TerraTrue, what's going on and on the space as a whole don't hesitate to reach out to them. We can put you in touch for sure after the call. Take care, everybody we'll be in touch.

Read More
Read Less

What is BWG Connect?

BWG Connect provides executive strategy & networking sessions that help brands from any industry with their overall business planning and execution. BWG has built an exclusive network of 125,000+ senior professionals and hosts over 2,000 virtual and in-person networking events on an annual basis.
envelopeusercartphone-handsetcrossmenu linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram