DataGrail recently interviewed Jeanne Sheahan, Head of Privacy Compliance at First Republic Bank, to bring you insights from a leading professional in the field of data privacy.
DG: What’s the most common mistake or misperception you’ve seen when it comes to data privacy and security?
JS: One of the most prevalent misconceptions is the continued over-emphasis on user choice in privacy best practices. Definitely, user choice and empowering users are unequivocally key features of any privacy program, but both have their limitations in a world with so many new products and technologies: information asymmetry is always a concern.
This is where privacy by design and default are genuinely exciting strategies. I’m fascinated to watch the evolution of businesses building products and services with privacy in mind as well as collaborating on best practices, codes of conduct, and interoperability in a manner that protects the users — even without the need for prescriptive regulations.
DG: GDPR received a ton of publicity last year; however, many companies are not as aware of upcoming regulations in California, Nevada, and New York. How can privacy professionals mobilize their teams to best prepare for upcoming regulations?
JS: Creating and operationalizing a principles-based approach rooted in the values and mission of the business proves to be one of the best ways to address domestic and international privacy regulations. Although it’s important that teams are cognizant of the rapidly-evolving regulatory landscape, it’s more critical for a mature privacy program to deploy a strategy that incorporates the key features of all of the relevant regulations.
While at times, there may be business, cultural, or legal considerations that require regional approaches, deploying enterprise-wide solutions to privacy regulations tends to be the most practical.
Orienting an entire program to one or two laws puts the organization at risk of losing steam when those laws become operative, such as when people thought “we’ve implemented GDPR — we’re done!” May 25th was just the beginning. A great way to proceed is to identify the organizational approach to privacy, obtain buy-in from key stakeholders, and bake in key attributes of the various privacy regulations that incorporate the vision for the business.
DG: How have you seen the data privacy landscape change from a legal perspective over the past 3 years?
JS: Privacy law and business practices no longer feel mutually exclusive, and three key changes occurred that forever altered the course of data privacy:
- The GDPR taking effect raised the stakes and awareness of why privacy matters, all of the way to the board level;
- Prominent privacy incidents being featured in the news increased consumer awareness as to why privacy in addition to security matters;
- The pace of change in the evolution of technology has accelerated, from detailed individual profiling to AI.
This trio has fueled an unprecedented surge of legislative activity across the globe and prompted companies worldwide to pivot their business strategies to feature privacy protections. Now, privacy is squarely both a legal concern and a business reality that is essential to protecting and enhancing user relationships.
DG: With rising consumer privacy awareness, how can businesses best inform users that their data is secure and private?
JS: The key to informing users that their data is protected is to acknowledge that a one-size-fits-all approach does not exist because user populations are incredibly diverse. When I was a teacher, I quickly learned, if you want to teach and have others learn, you need to be flexible in your tactics. In the business world, that means identifying multiple methods tailored to various channels.
On the web, perhaps that means non-legalese FAQs to talk to people as individuals, adding pictures for clarity. On mobile, where geography is a premium, bullet points or just-in-time notices at the point of data collection can be a nice workaround. In person, educate client-facing employees so that they are empowered to address user privacy concerns.
DG: How can companies with a strong foundation in security improve privacy for their users?
JS: A strong foundation in security is a necessary first step toward protecting users. With that foundation, my focus turns to raising internal awareness about privacy: what it is, how it relates to security, how it differs from security, and how both are essential to maintaining and enhancing user trust.
When explaining security and privacy to internal stakeholders to mobilize the internal privacy team (the village that makes privacy come alive), I make it personal, such as asking them to reflect on a time that they were surprised about how their data was used. Turning compliance efforts into more than just “check the box” exercises transforms a privacy program and creates meaningful goals tied to the company’s values, additive to the business, fun to operationalize, and protective of users!