This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


How Legal Should Talk to Security About Privacy

Alicia diVittorio, December 12, 2023

Data risk mitigation is driven by two teams in most organizations: legal (usually general councils) and security (typically headed by CISOs). While the former work to increase compliance and reduce violations, the latter look for potential threats and vulnerabilities within organizational systems. But because of the constantly evolving nature of today’s regulatory and technological landscapes, these teams often find themselves at pains to collaborate on solutions. 

Thankfully, at DataGrail’s 2023 Summit, industry leaders shed light on paths for doing just that. During “Let’s Get Technical: Talking Privacy With Your CISO,” Brandon Greenwood and Jonathan Agha (two CISOs from Overstock and FanDuel, respectively) explained that in order to avoid analysis paralysis, it’s critical to acknowledge that privacy solutions are often a bit messy; solving challenges while simultaneously taking first steps, they pointed out, is a lot like “flying the plane while rebuilding the engine.” 

In this piece, we’ll build on these and other insights from the DataGrail Summit in order to detail how legal can broach critical privacy conversations and jumpstart collaboration with their CISOs to best protect organizations. 

Bringing GCs and CISOs into alignment

Security teams see things through the lens of technology. It’s no wonder, then, that they regularly lean on IT systems to reduce privacy risks. Their legal counterparts, on the other hand, tend to think more big-picture about governance and oversight by issuing company-wide mandates. 

These approaches often come into conflict with one another. When general council arrives on the scene with a blunt object (such as a broad data privacy policy), CISOs might be left scratching their heads about how to quickly implement it and get buy-in from other organizational actors. 

To avoid bottlenecks over privacy and align on solutions, GCs and CISOs need to create dialogue around best practices, learn to speak the same language, and make smart use of technology—all in order to better collaborate on a winning privacy program

Create dialogue around best practices

First and foremost, legal can’t be afraid to reach out to security for local examples of data use and current best practices in the industry. When they do, they need to dig deep to understand not only their company, but also how other organizations from across the sector are dealing with their own privacy risks.  

From there, GCs should clearly define their privacy priorities before acting on them. This will give CISOs the opportunity to respond with expertise and insights that legal might have overlooked—thus giving both the chance to align and work together towards the same, shared goal.   

Learn to speak the same language 

While dialogue like this can solve issues related to diverging goals, sometimes conflicts over privacy strategy are simply a matter of vocabulary. If legal and security aren’t using the same words, frustrating misunderstandings are bound to arise. 

Privacy risk reduction is a team sport that requires a shared language. “In sports,” Brandon Greenwood and Jonathan Agha explained to the Summit audience, “the action of ‘blocking’ a shot in basketball and ‘blocking’ in football are so different.” To make sure that teams avoid using privacy-related vocabulary in opposing ways, the two continued, GCs and CISOs need to establish how they’ll employ key terms, namely “event,” “incident,” “threat,” and “vulnerability.” Doing so will make collaborations between legal and security more efficient and ultimately more effective.    

Make smart use of technology

While GCs hold the keys for understanding the legal stakes of privacy, they need to remember that risk reduction always comes down to the efficient use of technology. Data privacy challenges can’t be solved with Terms and Conditions alone; instead, companies need to empower their associates and end users with the right IT tools.  

Brandon Greenwood and Jonathan Agha drove this point home at the Summit by reminding attendees that while tools like utensils help us to eat, they can also be used as weapons. In the same way, tools aimed at data transparency are often double-edged, so it’s up to legal to provide constant feedback to security about the possible risks created by their technical solutions.  

Collaborate on a winning privacy program

Once legal and security have a shared goal, language, and understanding of IT, they can collaboratively work toward a privacy program. 

The first steps of this journey consist of clarifying which business units will be part of the program and then working together to achieve buy-in from across the organization. Even if the program won’t cover the entire business, privacy is always a company-wide question, so education is key. As we’ve already said, this requires that GCs and CISOs are aligned on best practices and which tools will be deployed to protect data privacy. But it also requires that legal and security lay out the context for privacy risks and explanations about the proposed solutions. 

As long as GCs and CISOs collaborate to lower organizational risk, their solutions stand poised to minimize data breaches, ensure compliance with evolving privacy laws, demonstrate their company’s commitment to transparency and consumer privacy, and build trust with current and future customers. 

Interested in hearing more about how legal and security can learn to speak the same language? Check out the DataGrail Summit on-demand sessions for insights into cross-departmental privacy solutions in the age of AI.

subscribe to GrailMail

Like what you see?

Get data privacy updates sent straight to your inbox.