Brandi M. Bennett, CIPP-US’ Post

Does the modern Chief Privacy Officer (CPO) need to be technical? In my opinion, yes. I’m not suggesting they need to write code. But it would help immensely if they could (pro)actively work with people who write code. Historically, CPOs have assessed risk through the lens of the law. Today, with decentralized engineering teams, CPOs need to also assess risk through the lens of the code. Rather than waiting for the privacy review stage, modern CPOs should consider shifting left by using tools that identify risk: 1) As code is being written, 2) Before code is deployed,  3) Before code creates large volumes of data. 4) Before code is reused across multiple teams This mental model repositions the modern CPO as an end-to-end technologist who can help right-size risk, compliance, trust and efficiency proactively rather than an after-the-fact adversarial blocker who slows the company down. It will help CPOs become more influential within the company and preempt pushback from data governance/platform teams. This approach will position CPOs as technologists and innovators rather than reviewers and blockers. Most importantly, rather than “one size fits all” solutions that are unwieldy to implement and impossible to scale, this approach will enable CPOs to align their solutions to the company’s innovation culture rather than the other way around.

Should privacy engineers report into the legal department? Some topics that generate a lot of debate include Boston Red Sox vs. Yankees, Soda vs. Pop and Return to Office vs. Fully Remote (or hybrid). But here is another topic that is worthy of debate: Should privacy engineering report into a legal function? Many Privacy Engineers and Chief Privacy Officers (CPO) reach out to me seeking to get an answer before they build their teams. In reality though, there are many trade-offs involved and dependencies so there is no single answer that applies across the board. I do have some considerations for you, based on my experiences reporting into the CPO, CISO, engineering and product management. Advantages of Privacy Engineers reporting into legal: 1) As privacy becomes more about tooling and less about pure policy, it makes sense for the CPO to own a technical function rather than depending on borrowing resources and bandwidth from the business 2) The CPO can build an engineering function that can span the business and take a holistic view around risk rather than focusing on specific silo(s) 3) Aspirational CPOs understand that a wall between engineering and legal and engineering never made sense, and even less so now. The most effective CPOs will understand technical considerations so as to make solid recommendations rather than operating at high-level “first principles.” This will become easier if they have skin in the game from a technical standpoint. 4) Privacy can become a business differentiator, and can help with business efficiency, data quality and overlap with security. The CPO owning an engineering function can help deliver tooling that can build customer trust, thereby boosting rather than merely protecting the business. There will always be the more traditional thinking suggesting that the CPO function should only include legal/policy experts but in this agile high-stakes economy, it makes sense not just for privacy to “shift left” but for its practitioners to “step forward” as well. cc Jim Singh, MBA Kalinda Raina Claire Coleman Rebecca Shore Richard Cohen, CIPP/E

Nandita, Gagan, and Neville graced our class at Texas McCombs School of Business with wonderful presentations and inside look into the life of privacy engineers. We really appreciate their insights, summarized below. Data catalogs, maps, and inventories serve as crucial metadata repositories, capturing the location, flow, and types of data. Data discovery involves the meticulous process of locating, scanning, and classifying personal or sensitive data elements. Executing data discovery at scale necessitates an impeccable grasp of the people, processes, and technologies employed by a business. This understanding is quintessential for crafting an optimal framework that prioritizes various layers of discovery techniques. Tools like NVISIONx INC orchestrates this methodology into its features. In today's landscape, Infrastructure as Code (IaC) enables developers to craft code that delineates one's data architecture. One might say, code has morphed into a new form of metadata. Annotations is key to inform what data it is processing, and why (purpose of use). Without clear documentation of the code, data discovery cannot be effective. In this milieu, developers require tools like Ethyca that can expedite and simplify code documentation, adhering to a standardized taxonomy for data classification and processing pupose. Standard taxonomy such as Fideslang helps developers declare data types and data behaviors in the tech stack. Given the multifaceted nature of data privacy, a staggering 80% of a typical privacy engineer's tasks involve harmonizing perspectives across diverse stakeholders—ranging from business and product teams to data science, infosec, and legal departments. Since comprehensive privacy laws were conspicuously absent during the tech revolution's inception, most organizations lack architectures designed to tackle privacy issues like data subject rights, data minimization, or de-identification by default. The lack of unified privacy law across states means privacy engineers need to anticipate the most likely common denominator as the requirements constantly change. For example, when one state law considers consumption of herbal products as personal health information (similar to prescription medication), it suddenly creates new compliance requirements for food delivery app such as DoorDash. In summary, instigating a significant shift towards robust privacy demands a triad of regulatory, cultural, technological, and financial incentives. Laws increasingly hold executives accountable for data breach prevention. Developer tools must modernize to empower them to "move purposefully and fix issues." When consumers opt for digital services and products that respect privacy, we can anticipate a future where trust and safety are seamlessly woven into our digital ecosystem's fabric.

Nandita, Gagan, and Neville graced our class at Texas McCombs School of Business with wonderful presentations and inside look into the life of privacy engineers. We really appreciate their insights, summarized below. Data catalogs, maps, and inventories serve as crucial metadata repositories, capturing the location, flow, and types of data. Data discovery involves the meticulous process of locating, scanning, and classifying personal or sensitive data elements. Executing data discovery at scale necessitates an impeccable grasp of the people, processes, and technologies employed by a business. This understanding is quintessential for crafting an optimal framework that prioritizes various layers of discovery techniques. Tools like NVISIONx INC orchestrates this methodology into its features. In today's landscape, Infrastructure as Code (IaC) enables developers to craft code that delineates one's data architecture. One might say, code has morphed into a new form of metadata. Annotations is key to inform what data it is processing, and why (purpose of use). Without clear documentation of the code, data discovery cannot be effective. In this milieu, developers require tools like Ethyca that can expedite and simplify code documentation, adhering to a standardized taxonomy for data classification and processing pupose. Standard taxonomy such as Fideslang helps developers declare data types and data behaviors in the tech stack. Given the multifaceted nature of data privacy, a staggering 80% of a typical privacy engineer's tasks involve harmonizing perspectives across diverse stakeholders—ranging from business and product teams to data science, infosec, and legal departments. Since comprehensive privacy laws were conspicuously absent during the tech revolution's inception, most organizations lack architectures designed to tackle privacy issues like data subject rights, data minimization, or de-identification by default. The lack of unified privacy law across states means privacy engineers need to anticipate the most likely common denominator as the requirements constantly change. For example, when one state law considers consumption of herbal products as personal health information (similar to prescription medication), it suddenly creates new compliance requirements for food delivery app such as DoorDash. In summary, instigating a significant shift towards robust privacy demands a triad of regulatory, cultural, technological, and financial incentives. Laws increasingly hold executives accountable for data breach prevention. Developer tools must modernize to empower them to "move purposefully and fix issues." When consumers opt for digital services and products that respect privacy, we can anticipate a future where trust and safety are seamlessly woven into our digital ecosystem's fabric.