Building a global privacy and cybersecurity strategy that enables growth and innovation
Shahab Ahmed - JD, MBA
General Counsel for tech and e-commerce companies | Ex-Microsoft, Ex-Chewy | CA Attorney
Let’s face it, there are a lot of privacy and cybersecurity zealots in this field who have lost all perspective on balancing business objectives against compliance imperatives. These folks get a high every time a new case or new law makes the regulatory requirements more stringent. As a GC, you must make sure that you intervene and lead the team (business, legal and compliance) in a way that carefully balances growth and innovation needs with regulatory compliance requirements. The biggest fallacy I have seen is privacy lawyers advocating for applying GDPR when the company doesn’t even operate in the EU or UK. Why would you take on stringent legal obligations when they don’t apply to you? In my experience as Chief Privacy Officer, I have built and managed global privacy and cybersecurity governance programs around the world, including in countries most of us have probably never even heard of, and here are some key lessons I have learned.
What is your company’s business model, and how do privacy and cybersecurity fit into it?
For every company customer data is important, but how important is it? For e-commerce and ad tech companies, customer data means growth and retention. For enterprise SaaS companies, data is important but not mission critical. For a financial services company, cybersecurity is almost paramount. Any decisions you make around the design of the program and its risk calibration must be firmly grounded in your company’s business model and in how aggressively you need to collect, harvest and monetize customer data.
What are the core global privacy requirements?
The beauty of privacy law is that most of the world operates on (almost) the same principles. You need a privacy notice, some sort of privacy impact assessment process for core personal data, a third-party data privacy program including data processing agreements, controls on how data may be used for marketing and other purposes, an incident response plan to deal with data breaches, and some training requirements. Some jurisdictions require cookie notices, opt-in for email marketing and honoring "do not sell or share" type signals, and some have controls around the cross-border transfer of data. Privacy nerds tend to complicate things, but this is where you need to come in as CPO or GC, have them focus on the core elements, and build a program that meets your business needs without creating too many restrictions for your business partners.
Put a senior person in charge who has great commercial acumen!
There are a lot of privacy professionals out there, and most of them don’t have a solid business and commercial perspective: they are compliance people. The biggest mistake you can make is to put a compliance person in charge of your privacy program; it will totally turn off your key business partners. To me, while understanding privacy and cyber is necessary for this role, what is even more important is commercial acumen, stakeholder engagement and strong communication skills.
Get your risk calibration right - risk based focus!
While California, the EU and Djibouti all have data privacy laws, which one should you focus on? The answer is obvious (no disrespect to Djibouti). You will often find privacy nerds getting bogged down trying to comply with every possible law around the world; that is a bad use of your resources. If you are building a North American privacy program, focus on California and build your program around that. If you are building a European program, of course focus on GDPR. If you are building an APAC program, focus on Singapore. If you are building a MENA program, focus on Saudi Arabia and the UAE. If you are building a global program, use California and GDPR as a baseline. I ran a privacy program for an airline group that flew to 131 countries around the world; there is no ROI in trying to comply with 131 privacy laws. Focus on the core and leave the rest.
Comply with the most stringent or allow for variance?
Many privacy zealots advocate for complying with the most stringent law, which in my mind is not a wise move. It would be like deciding to pay your taxes at the rate of the highest-tax country in the world even though you are not obligated to. I am personally an advocate for leaving space for business partners to innovate and monetize data when their jurisdiction allows it, instead of blocking them. Of course, this is not purely a legal question; it is also a question of program efficiency, since allowing variances for each and every jurisdiction you operate in can be cumbersome and expensive.
What about cybersecurity?
In general, cybersecurity is not as heavily regulated as privacy, apart from regulations like the SEC cybersecurity disclosure rule or the NYDFS cybersecurity regulation. When it comes to cybersecurity, the focus is more on protecting against and containing major incidents (and hence protecting your data and reputation) than on complying with the law. Your cybersecurity program may also come under scrutiny in the event of a data breach or another incident such as a ransomware event, and in any subsequent investigation or litigation. While a detailed discussion of a cybersecurity program is outside the scope of this post, partnering with your CISO to ensure that threat modeling is done, sufficient policies are in place, a proper GRC program exists and a robust incident response plan is maintained are the absolute essentials. As a GC or CPO, the day-to-day running of the CISO’s program is typically not your job; however, having appropriate governance in place to ensure risks are being identified, managed and reported is critical for any public or private company.
Professional Engineering Underwriter. Trained at Swiss Re Academy, Zurich, Switzerland.
1 month ago: Well done