Privacy professionals and engineers are often tasked with the same goal: to protect personal information. Given that shared objective, why are there so many difficulties between IT and privacy teams?
That was the crux of the conversation Friday at the IAPP Privacy Academy and CSA Congress during the breakout session “Same Planet, Different Worlds: Getting IT and Privacy Teams to Work Together.”
“Privacy teams are good at saying what should be done, but it’s up to the engineers to do it,” said McAfee Director of Data Privacy Jonathan Fox, CIPP/US, CIPM. So communication between the two is essential, though challenging.
First off, privacy and IT teams speak different languages. GuruCul Solutions Chief Security and Strategy Officer Leslie Lambert, CIPP/US, CIPP/G, said it's like the Tower of Babel: “What you often see is teams communicating past each other, in different directions, instead of with one another.”
Plus, Fox pointed out, teams are not only speaking different languages but interpret the same words differently. An IT team interprets words such as “requirement” or “minimization” much differently than the privacy folks. Fox added, “My world needs lots of context, and when I ask, ‘How are you getting there?’ I get architectural flows, but I want a data flow chart. I need an itemized data map. Engineers don’t think that way.”
To illustrate the communication fissures, panelists used the need for an organization to delete data as an example. The privacy team notices that to reach compliance, or to meet various regulations, certain data must be properly disposed. On the privacy side, it’s a no-brainer: Just delete the data. But the IT side sees an entirely different set of challenges and obstacles.
“When people talk about the cloud, they think of it as one thing,” Lambert said, “but behind the curtain, we go, ‘Oh my god,’ think about all the data servers.” IT teams have to locate all the copies of the specified data and anywhere else that might source that data.
One lesson for privacy folks is to pinpoint needs ahead of time and communicate those with the IT folks. Really, that could be one consideration that’s designed into an organization’s architecture, Lambert said.
“Understanding process is really important,” Fox added. “I can ask to please have all that data deleted, or I could ask what the backup process is and know to delete the data in the source system,” for example.
Fieldfisher Partner Phil Lee, CIPP/E, CIPM, said he often hears a similar sentiment. Under pressure to get a product or service to market, engineering teams might go ahead and build it, and the privacy team finds out last minute, leading to retroactive fixes that are usually expensive. Opening up lines of communication to help prevent this could go a long way.
Fox and Lambert agreed.
“Build relationships,” Fox said. “Go to their turf for a meeting, or go out to dinner or lunch together. Keep those channels open.”
Lambert said it’s also important to learn each other’s space and take the time to become educated about “the other side of the world.”
“Learn the language,” Fox recommended. “Explain things more than halfway. Explain what ‘data minimization’ means and use examples, break things into word equations: I need X to do Y. If I don’t have X, I cannot do Y,” and “make your requirements in plain English.”
He also said to use case studies and be willing to be stupid. “I’m just a country privacy person,” he often tells people.
Understanding differing language also means understanding data classification, Lee pointed out. “One thing I’ve experienced, privacy pros tend to focus on protecting PII, but the engineering focus is on security and confidentiality of data assets.” But how you map the data—what’s public, what’s private, what’s confidential—can be extremely challenging.
“Data classification is always considered an arduous activity,” Lambert said, noting that PII can be differentiated into two nuances: the attributes of you as a real person—height, weight, date of birth—and your digital identity; e.g., your IP address or shopping preferences. The lines are becoming muddled, though, so it’s critical to identify “the different flavors and tiers” of data in order to prioritize what needs more protection.
The rise of the privacy engineer may indeed help diminish the separation between the IT and privacy folks, and Fox was optimistic, saying, “I do think the gap between the privacy and IT teams is closing.”