In part two of this quarterly series, Stephen Bolinger, CIPP/E, CIPP/G, CIPP/US, CIPM, who spent years at tech giant Microsoft, shares some of the strategic and tactical decisions along the way as a first-time CPO at start-up TeleSign.
When I refer to a privacy culture, I mean a few things at once: a common understanding across a company of privacy principles in general and their value to individuals; an appreciation of the company’s privacy commitments and an understanding of why and how those commitments benefit the company; and, taking the first two elements into account, developing employees across the organization to naturally consider privacy interests as they make decisions affecting personal information.
Having a training program is an inherent aspect of the elements above, but training alone doesn’t create culture. Training teaches the “what” and the “how” of privacy, but adding to those a compelling “why” is what begins to create culture.
Organizing for a Privacy Culture
The first step to building culture at a start-up is to figure out how you’re going to operationally integrate privacy into the business. The way in which privacy issues are raised and addressed will influence the cultural perception of privacy. Depending on your organization’s size and your available headcount and budget, you may have the opportunity to maintain or build a team of privacy professionals.
You may also have some individuals within the company who already have some expertise, or at least a strong interest, in privacy matters. Seek these people out and do whatever it takes to keep them interested. Even when employees don’t report to you, if you nurture and develop their interest in privacy, they can become an invaluable asset.
Soon after joining TeleSign, I knew that I would need to have individuals elsewhere within the business identifying privacy issues and incorporating privacy considerations into day-to-day business practices. It couldn’t all come from me. This was accentuated by working from London while the bulk of TeleSign’s business teams are based in Los Angeles and Belgrade. I considered hiring a privacy manager (or two) to work with different business units, but ultimately I concluded that training existing individuals within their respective business units was going to allow them to have more influence than someone new from the outside. It would also make them more invested in the privacy-aware outcomes we’re looking to achieve. I had a plan to develop and embed some privacy professionals across our company. But first, I needed to address the basics for all employees.
Baseline Training: Explaining What, How and Why
Beyond explaining how principles translate into specific requirements and obligations, it is important to help individuals understand why privacy matters at all. The specific value of privacy will vary depending upon the nature of your business. The way I expressed this value for TeleSign was that, at a high level, privacy is important for: our compliance with laws, regulations and contractual commitments; our customers’ compliance with the same, since we must build products that customers can use in a compliant manner; and a reputation of trustworthiness on the basis of company and customer compliance that translates into a business differentiator.
At your company, the correct hook may be growing your user base, or increasing sales, but the point is that if we fail on privacy, we’re not going to achieve our business objectives. It is critical to make that connection between privacy and your company’s central mission.
Creating Privacy Pros, Whether They Know It or Not
Ensuring that all employees have at least a broad understanding of the how, what and why of privacy is essential, but annual trainings fade as attention turns to day-to-day tasks. To ensure that business units are actively considering privacy issues, it’s beneficial to have deeper privacy expertise within one or more individuals among those business units. The number of individuals you identify and the percentage of your time you’ll be able to allocate to privacy will vary. But if you make a strong case to the rest of your leadership team, you may be surprised at the support that follows.
Based on our size and the diversity of our business units, I decided that we should develop deep privacy expertise in 10 individuals over the course of 2015. I didn’t intend to ask for a set percentage of time to be devoted to privacy as I’ve seen done in other organizations. The problem with doing so is that it immediately puts off managers who have other business deliverables to produce and don’t want to agree to a reduction of resources. Additionally, it keeps privacy as some separate function of the selected employees, rather than simply educating them and allowing that education to influence their daily work.
I concluded that the way I would develop this privacy expertise was by sending 10 employees to the IAPP for training and a relevant privacy certification—a substantial commitment for an organization comprised of roughly 260 employees.
I began by reaching out to the IAPP to see if it could construct a package deal for materials, training and certification for 10 individuals on the basis that we would pay the entire cost up front and have one year to take the training and certification exams. The IAPP was great at creating a solution that addressed the need and gave us some flexibility. For instance, the individuals could elect to take the training and exams online or in-person at IAPP conferences.
Once I had the total cost from the IAPP, I approached the rest of our executive team and proposed the solution to them, explaining that to make privacy a differentiator for our company, that differentiation would need to come from the individuals in their respective business units. We needed people who could integrate privacy into their existing expertise in marketing, software development, product planning, IT security, law, etc. There was unanimous agreement among the executive team, and I asked each business unit leader to nominate one or two individuals to receive some targeted and deep privacy training via the IAPP, explaining our costs and the additional costs of sending individuals out to attend IAPP conferences, which I strongly encouraged.
A few points on the IAPP package. First, paying for everything up front helped bring the cost down a bit. Second, up-front payment was a strategic choice because I wanted the rest of the executive team to understand that the money had been spent and that we needed to send people to the training in order to get value out of that spend. Third, the requirement that it all be utilized by the end of 2015 was similarly intended to increase the level of urgency within TeleSign to complete the training and certifications.
The internal decision to move forward on this was made late last year. Interest among our employees in the training was overwhelming and was soon oversubscribed. We selected individuals from across TeleSign’s business units: sales, engineering, operations, legal, product management, etc., and across varying levels of seniority within the organization.
At the IAPP’s Global Privacy Summit three months later, I was joined by seven TeleSign employees who were there for the whole week to receive training, attend the conference sessions and take their respective certification exams. One individual opted to postpone her exam to a later date so she could focus on the conference sessions instead of worrying about studying. Of the remaining six, I’m happy to report that all six passed the CIPP Foundation exam and three passed the subsequent specialization exam: one CIPP/US, one CIPP/E and one CIPT.
At the time of this writing, TeleSign now has four employees with some form of privacy certification from the IAPP, myself included, and 10 more scheduled to become certified before the end of this year.
Already these individuals are showing an increased awareness of and interest in privacy issues and are becoming internal champions of privacy within our organization. When we consider the training, exams, travel to and attendance at an IAPP conference and the time taken away from these individuals’ primary duties, it will cost us a considerable sum before the year ends. But I’m confident that this investment will pay dividends not only in the form of a company always improving its own compliance, but one that understands the value of privacy and that will take its customers’ privacy concerns into account in everything we do, whether in marketing, in human resources or in developing our next wave of services.
Stay tuned for part three of this series later this year to find out how TeleSign's program is evolving.