Tips for Jumpstarting a Privacy Engineering Program: A Startup Perspective

On March 29, 2018, the IAPP held its inaugural Privacy Engineering Section Forum. I was honored to present, along with my panelists Lea Kissner from Google and Javier Salida from Microsoft. Moderating the session was Jonathan Fox from Cisco.

Our task was to share real-life anecdotes in implementing privacy engineering solutions in tech organizations, engineering privacy into products and processes, and working with cross-functional teams. In so doing, we also hoped to define what privacy engineering is – and what it isn’t.

I’d like to take these points in reverse order and provide some additional commentary that our time constraints precluded me from making during our panel discussion.

Who is a Privacy Engineer?

I suggested that all too often, many shy away from this area because of a belief that to “do privacy engineering” one needs to be an engineer and have a technical degree. We look to our left and to our right for that “privacy engineer” who needs to step up to assist in implementing the privacy program, when, in fact, we simply need to look in the mirror. If you are passionate about privacy, and like executing and operationalizing privacy principles into transparent, repeatable processes, procedures and technology, you ARE a privacy engineer, at least so far as being in a startup is concerned. Successful privacy engineers come from all walks of life, from musicians, philosophers, lawyers, and journalists to the more obvious suspects: engineers and product managers. I mentioned that the best “privacy engineer” I’d seen was a guy who was bored in Marketing -- he loved the move to operationalizing privacy. Privacy engineers aren’t “someone else”; they’re YOU!

What makes for a successful startup Privacy Engineer?

Job role flexibility and adaptability. In startups that are Seed or A round funded, there may not be a full-time position that the budget can justify. Be prepared to do other things. As a lawyer, I’ve frequently been called on to perform three concurrent roles: General Counsel (GC), Chief Privacy Officer (CPO) and, in many cases, Privacy Product Manager.

What makes for a successful startup privacy program?

Culture begets budget. Culture ensures privacy program “stick-to-itiveness.” Culture provides you the necessary resource support. Culture may just keep you employed! My view is that if you have strong board and senior management support, your chances of programmatic success are high. If you lack this C-level support, it will be very difficult.

Are there any techniques you’ve used to build a strong privacy program you can pass on?

Yes! First, welcome existential company events. If your business model requires you to sell into banks, and banks are seeking SOC 2 compliance, that’s a great first step to building a successful privacy program! Better yet, if you’re selling into the healthcare market, and your startup is asked to execute a Business Associate Agreement and/or to “rep and warrant” that you’re in full compliance with all relevant federal, state and local privacy laws and regulations, rejoice! You’ve just been handed a forcing function!

Second, if you have relevant C-suite or Board connections, work them! Find and lobby the ones that are or may be supportive of privacy initiatives. At a former startup, we had a former Chief Privacy Officer at a multinational company and a former FTC commissioner on the board. It would have been malpractice for me not to have sought (and secured) their support.

Third, secure a Board-approved mission statement that clarifies privacy is a core value for the business. Declare goals, give it teeth and review progress towards it. And use the Mission Statement as a “north star” for continual alignment and success when programs veer off course.

Are there telltale signs of concern for a privacy program’s success that we should know about?

Yes, here are a few. First, are you merely window dressing, or is your company truly serious about getting privacy right? If you’ve got the title, but little else in the way of support, you might want to dust off your resume.

Second, in a seed (certainly) and A round (possibly) environment, your privacy programs will always be at risk as “cost centers” unless the company is selling a privacy product and generating meaningful revenue from it.

Third, it’s definitely a warning sign if the company views privacy as a “check the box” compliance exercise. “We’re HIPAA compliant. Next question.”

Summary.

I want to thank the IAPP again for the opportunity to participate in the Forum.

With GDPR just around the corner and Facebook/Cambridge Analytica high on everyone’s mind, use this world-wide attention on privacy to drive your program!

It’s a great time to join the IAPP’s Privacy Engineering Section.