Are you trying to build an effective and functional privacy team for your company? We’re delighted to have Vanessa McKay as our next guest on A Little Privacy, Please!® As corporate counsel at Tripadvisor, Vanessa is responsible for the day-to-day privacy management at the company, including advising Tripadvisor’s portfolio companies across the globe on privacy and data protection. She’ll be offering us her insights on how to build an effective privacy team.
Many of our viewers are attorneys and will see the world through that lens. Do you think there is a value that non-attorneys would bring to a privacy team?
If you build a privacy team that is solely comprised of lawyers, I think you’re missing an opportunity. At Tripadvisor, we’re introducing technical product managers and technical program managers. We’ve got engineers with privacy expertise, and I’m seeing that development in terms of the value we can add to our business. Is there a role for privacy professionals that are not lawyers? One hundred percent.
How do you align privacy standards and procedures across a global portfolio company?
It’s definitely a challenge. If you look at the composition of a group, you’ll often have entities within your group that are more B2C facing—they’re facing consumers. They’re going to have different sensitivities to, say, a B2B business. You have to be able to build some nuance in your privacy program.
In terms of how I recommend executing, start with your global standards. Start with your global wish list. Maybe you’re following a third-party framework like NIST or others, but that is certainly your starting point. As you spend time understanding where each of your brands wants to go from a road map, from a KPI perspective, and understand where the real value and goals are for that business, that’s where you start to tweak.
Let’s take, for example, data subject rights. Different brands will have different sensitivities. Maybe they’re only operating in a jurisdiction that doesn’t have mature data privacy laws externally, and so starting by taking that application of a common denominator is your standard and then tweaking through it for each business. Otherwise, you need an army of lawyers to help you with that problem.
How do you articulate the role of your privacy team to internal business functions and stakeholders in the company?
It has definitely evolved because the expectations, roles, and responsibilities of a privacy professional have changed. The expectations are not just that you can apply the law and say, “Here’s my recommendation on how we execute.” There is an expectation that you really understand how the products and services work, and, particularly in our business, it’s a very data-centric business; you’ve got to understand data.
When I’m working with the business and advocating that privacy has a seat at the table very early on, we have to reposition ourselves as partners in that process, not the tall gate at the end that gives you a privacy stamp, i.e., a legal approval as such. We want a seat in those discussions where it’s very much ideation focus or coming up with a strategy.
The way we articulate that is to say, “We’re your partners here. We want the end result with you. Bring us in nice and early. Let’s practice privacy by its design together. Let’s look at what your expectations are, and we can work with you throughout that journey, not be that tall gate at the end of that process.”
Are there qualities that you look for when you’re bringing on new privacy talent to your team?
You have to know data. Businesses in this day and age are going to be less forgiving of the lawyer coming in and saying, “Sorry, can you explain what a cookie is?” The expectation is now we at least understand the basics. And so, whenever we are hiring, or we’re looking to stand up these cross-functional teams to work on an initiative, it’s really important that we’re attracting data-savvy, data-articulate professionals. Not necessarily professing to have an engineering-grade standard of how these things work but being able to ask the right, smart questions. Otherwise, I fear an attorney’s advice comes across as static or archaic, or too academic.