Let’s Get Technical: Talking Privacy with your CISO

Mackenzie Edwards, May 12, 2025

DataGrail Summit brought in industry leaders Brandon Greenwood, CISO at Bed Bath and Beyond, and JJ Agha, CISO at FanDuel, for an eye-opening conversation about the real-world complexity of data privacy—and why solving it requires more than just compliance checklists or contracts.

With 75% of the population now having privacy rights, many organizations are still navigating uncharted territory. Regardless of where privacy resides in an organization, it’s a technical challenge that needs security team support.

Who owns privacy? Depends on who’s asking.

One of the biggest questions raised during the panel wasn’t technical—it was organizational. Who’s actually responsible for data privacy?

The reality is that data privacy doesn’t live neatly in one department—it sits at the intersection of legal, security, and technical systems. But that ambiguity isn’t necessarily a bad thing; it just means we’re still developing the foundation.

“Over the last four years we saw the ‘we care about privacy’ explosion go from 10% to 75% on the screen. We’re still in the early stages of this. I use the analogy we’re flying the plane while rebuilding the engines,” Agha remarked.

From Visibility to Alignment: Solving Privacy Through Partnership

You can’t protect what you can’t see—and that’s the core challenge in data privacy today. CISOs are no longer just breach responders; they’re becoming stewards of sensitive data—the “CFOs of privacy,” as Sounil Yu, CISO at JupiterOne, put it. That shift from reactive to strategic requires a new focus: What data do we have? Who has access? How is it being used?

But building this new focus requires more than tools. It demands cross-functional alignment—particularly between security and legal teams. “We need your legal help… there’s no way we could do this without you, and I hope you feel the same way,” the speakers explained. Legal brings the regulatory lens, security brings implementation—and both are working toward the same goal: reducing risk.

At its core, data privacy remains an access problem—knowing what data you have, who can see it, and how it’s being used or shared. As Agha put it, “We are still struggling with the access management problem,” and without visibility and collaboration, that problem persists.

When legal and security teams operate as partners with a shared language and a common objective, privacy transforms from a compliance burden into a scalable and strategic advantage.

Building guardrails for smart innovation

At the heart of the discussion was a shared belief: the point of privacy isn’t to slow innovation, it’s to support it responsibly.

That means building privacy into systems from the start—not slapping it on at the end. It means security and legal functions must collaborate—not just coexist. And it means giving business leaders the tools to make smart, informed decisions—not just telling them what they can’t do.

In this way, CISOs and privacy leaders aren’t just gatekeepers—they’re enablers. “We have to enable the business… and through that, we provide guardrails and hopefully make it easy and engaging for people to do the right thing,” Greenwood added. 

By leveraging technology with intention, leaders can help organizations move forward efficiently while ensuring that data is managed with care, clarity, and accountability. Because in a world where the rules are evolving, the best thing we can do is evolve with them—together.

To watch this session with JJ Agha and Brandon Greenwood, and other DataGrail Summit sessions, click here.
