Building an Effective Data Privacy Program
By Axiom Law
“When it comes to privacy, I love being at the table ‘early and often’ when teams are developing their products and services, and serving as the advocate for the consumer,” says Axiom lawyer Sue Gomez. “It means bringing up considerations that the teams may not have yet thought through, and being at the intersection of products, the law, and the technology.”
Sue Gomez, Axiom Lawyer
With extensive experience in industry, first as a businessperson, then as a lawyer in technology, and recently in health care, Sue built her career focusing on commercial and technology transactions. She has helped companies design and release products, services, and business models with data security and privacy in mind.
On a recent Axiom engagement with a F50 global tech company, Sue served as Products Counsel, where she focused a great deal on data privacy. Because of her strong understanding of the nuances of data privacy, she was able to quickly assimilate with the business development and engineering teams to help design a brand-new marketplace that is privacy-friendly. Sue notes, “To be a really good products counsel, having a privacy background is critical.”
Sue makes the case that companies should embrace privacy compliance as a business differentiator, especially as the privacy landscape rapidly evolves and new regulations, such as California’s Consumer Privacy Act (CCPA), go live.
An extensive background in data privacy
Sue’s combined education and experience gives her a powerful perspective on how companies can incorporate data privacy into their operations. She holds an undergraduate degree in nutritional science and with a minor in Chemistry, and earned an MBA and JD, as well as an LL.M in Intellectual Property. She earned her master’s, law degree and LLM at night while continuing to work. She has worked for several heavy hitting Silicon Valley technology and healthcare companies, in a start-up that developed a leadership coaching tool for Silicon Valley executives, and is an experienced speaker.
After working in-house at technology powerhouse Sun Microsystems, and then memory giant SanDisk, Sue pivoted to a stint in healthcare where she built experience in working in a heavily regulated environment. While she loved the healthcare sector, she was interested to get back into technology and after joining Axiom she began working in-house at a F50 global tech company.
Due to her blend of commercial, tech, health care, and intellectual property experience, Sue is uniquely positioned to understand the nuances of legislation and its impact on many different aspects of a company. She knows how to take the nuances of a particular legislation, and match it up with the business model and company objectives to set up a functional compliance program. This is more important than ever as “regulations are getting more specific, enforcement is getting more aggressive, and fines are getting larger.” While certain sectors, such as health care and finance, have been subject to heavy regulation for many years, a broader array of companies must navigate the privacy landscape now as these new regulations go live.
Develop a practical approach to privacy
Sue believes that the key to working successfully in-house is developing an operational approach to all aspects of the legal work, including privacy. While initially focusing on commercial and tech transactions, Sue spent her time at a large Silicon Valley company managing a team, and negotiating contracts, strategic deals, and business operations. However, her career blossomed when she took on new challenges as the company grew and the business and legal environment changed. Sue recognized that her company could benefit from enhanced attention on and structure for privacy. After talking with very receptive management, she took on the privacy function as a “labor of love.” With the help of many dedicated people across Legal, Products, Engineering, IT, and Compliance, she continued her work on commercial transactions while building and running the privacy function for 10 years.
Building a privacy office is a truly cross-functional undertaking. “You need to identify the vision, hone in on why it’s the right thing to do, and find the people to get behind it and carry it forward. To do that, you need to practice all the skills in your toolbox, both business and lawyering, like legal research and interpretation, project management, leadership, bringing people together, and building a structure that works within the culture of the organization,” Sue explains.
“To run an effective privacy program, you must understand privacy principles and how they operate within the organization’s structure, then create a working model with the ‘buy-in’ of the business, legal and executive management. Privacy shouldn’t be perceived as a hindrance to product development. Privacy can be both innovative and reflective of the values of the company, and should be embraced as a business differentiator,” Sue explains. She outlines her approach to privacy as:
- Know the principles
- Understand your business’s needs
- Assess the risk relative to the business’s direction
- Build your strategy
Like many elements of a business, Sue acknowledges that privacy compliance is a moving target. However, she emphasizes that “with the right leadership and commitment of management, and people in the business with a shared vision about protecting personal privacy, we were able to help the company build a program that was right-sized for our particular business model, and one that we thought was one of the best out there.”
Identify the rules of the game
“Building a privacy program can be incredibly rewarding, in-depth, and no doubt stressful,” acknowledges Sue. To be successful, Sue emphasizes, one needs first and foremost “high-level executive support.” You also need to invest in training for executives, legal and business teams; and in finding the right people to build the systems and tools to support your privacy function.
“It's also important to remember that the laws are the floor,” says Sue. “As a company, you may want to be known for something beyond simply complying with the law. Instead you want to be known for enhancing the consumer’s privacy protection.”
As a company privacy leader, Sue explains you have a specific, and awesome, responsibility to “think far in advance about the impact your privacy practices in the current and future regulatory environment may have on the company’s brand, because not everybody in the company will have the time, knowledge, or the mindset to do it.”
Understand your bread and butter
Before creating a privacy plan, Sue recommends taking the time to understand your company, the culture, appetite for risk, and the systems, processes, and values that drive it. “Are you driven by engineering, financial, or data?” she asks. She also recommends understanding the following about your data:
- What data is being collected
- Where that data is being stored and how it is being kept secure
- How that data is being used
- How you get user consent, and/or identify your legal bases for data processing
“I think the key thing for privacy leaders is to undergo a risk assessment, and understand what their company is doing and how they are collecting data. For established companies, you must be confident you know where 90 percent of the data is coming from, and then keep digging down to understand the last 10 percent. For a company that is less established, start with understanding that first 80 percent, and then insert yourself with the teams to keep iterating and going after that last 20 percent until you’re confident that your program is on solid footing when it comes to data,” explains Sue.
Build strategic partnerships
In Sue’s experience, building an effective privacy program needs a systematic approach. It's necessary “to have people with boots on the ground who can review these programs with engineers and business development, who can talk about data use within the structure of products, people, places and things; a leader to pull it all together; and executive leaders who will actually review what you come up with.”
At SanDisk, Sue partnered with key business players to create a privacy committee. At a weekly meeting, each function would talk about the actions they were taking around privacy. They would then work together to craft a privacy program solution that would work for them and their business function.
Sue used the example of engineers building an app to illustrate how data is collected and utilized, and how regulation can impact that process. If developers need to pull data from a device like a smartphone, how do they get consent? GDPR demands that companies need a prescriptive methodology to follow in the event consent is withdrawn. “You could be left high and dry if you had consent from a user to collect data six months ago and now you don’t,” Sue explains. This example illustrates why it’s important to partner and communicate regularly with many different stakeholders throughout your business.
Learn the privacy landscape
It’s crucial that privacy professionals not only spend time building a privacy structure, but also implementing it. As a result, it’s important for companies and privacy professionals to understand the broader privacy landscape in which data privacy operates.
“Privacy” has many components, and overlaps with cyber security and data security. Sue describes creating working groups with the Chief Security Officer, the IT team, and engineers to really dive into how data privacy works on a day-to-day level. She has even gone so far as to examine the code the engineers were writing. In 2011, she earned her Privacy Certification through the International Association of Privacy Professionals (IAPP). In addition to the privacy and security landscape, as a way to dive deeper into patents, trademarks, copyrights, and trade secrets, Sue earned her LLM in IP, which included privacy courses, in 2014.
“It’s really valuable to not only be exposed to privacy laws and regulations, but also to the technological underpinnings and the vernacular, especially with engineers,” Sue explains.
One place where privacy and security professionals can work together is on creating incident response plans, especially around protecting personal data. “That’s where a lot of regulator action has been,” Sue points out.
Think beyond your walls
Data privacy compliance doesn’t just apply to what happens at your company. As you implement a privacy plan, you also need to consider any outside stakeholders, such as vendors and regulators.
Contracts with vendors, affiliates or partners, and “third-party providers” is a focus both of GDPR, the landmark 2018 European privacy regulation, and CCPA, and must be a focus for any privacy function. “Another big factor for privacy is vendor and partner management – it’s not just what’s going in your own four walls, but also in your third party’s — who they are, how are you sharing your data with them, what they are doing with it, and how deep in the chain you have to go to be satisfied the data is adequately managed and protected,” explains Sue.
Sue warns that some vendors and partners may not be able to fulfill privacy requirements and will push back as you renegotiate your contracts. When renegotiating contracts in order to meet new privacy regulations, Sue notes, “It helps a lot to have a really strong commercial negotiation and technology background.”
Serving the business as regulations evolve
“As lawyers, we want to be advocates for our clients, as well as help mold and shape where legislation goes,” says Sue. At least 15 more US states have passed or are considering privacy legislation as of October 2019, which makes the work of privacy professionals even more challenging. Sue remarks, “The level of detail in the current and emerging laws is overwhelming, but as lawyers what we can do best is pull the requirements together and find the common high bar, and build out programs around that.”
Because there is no national, or international, standard for privacy, lawyers must tease out the differences between GDPR, CCPA, and other privacy legislation. “There are so many nuances as to whether CCPA applies, for example,” says Sue. “That’s why you need strong legal professionals and close connection into industry groups, such as IAPP, to understand the collective interpretation and implementation.”
Overall, if you as a legal professional are connected to the larger privacy community, and stay keenly aware of the recent developments of laws, their interpretation, and their enforcement, and ensure your privacy program reflects this, Sue observes, “You’ll be in a better place when it comes to standing behind your company’s decisions and actions in meeting these regulations.”
The role of the privacy lead is also to ensure that all the privacy work that is being done will be understandable to future employees, as well as to regulators. When you have a privacy plan in place, including privacy workstreams, buy-in from leadership, and budget, you also need to decide on a plan for auditing. “Making privacy work and understandable to the next person, especially the regulator, is a constant challenge that requires transparency,” says Sue. Lawyers, she notes, can play an important role in translating regulators’ structure and demands into a company’s privacy practices.
She urges companies to “know the common denominator, identify the high bar, come up with solutions and systems that manage these risks within your organization, and be ready to justify and identify what you've been doing. Otherwise, you may get lost in the minutiae, and that’s not helping your client. Your clients want solutions.”
Axiom lawyers like Sue are part of a powerful network of legal professionals who bring the benefit of extensive commercial expertise and industry insight to our clients. For expert guidance in setting up, structuring, and scaling your privacy program, and to work with accomplished privacy professionals like Sue, get in touch with us at Axiom.
Lawyer Angelo Basu examines the business impact of privacy regulations like GDPR and CCPA.
Lawyer Andrew Lupu balances practicing privacy and antitrust law with teaching.