The IAPP’s “Profiles in Privacy” series features a monthly conversation with a notable privacy professional to discuss their journey in privacy, challenges and lessons learned along the way, and more.
A "renaissance" field. That’s how VMware Vice President and Chief Privacy Officer Stuart Lee, CIPP/E, CIPP/US, CIPM, FIP, describes the privacy profession. And it’s a particularly “cutting-edge” time, said the multi-cloud service provider’s global privacy operations leader.
“We get to interpret new and exciting technologies and policies into something that can really make a meaningful change for our business and for our stakeholders, and the challenge is you’ve got to be able to think about how you can do that in a global organization where the rapid pace of change keeps coming,” he said. “So, it’s a double-edged sword.”
For the global company of 30,000-plus employees, VMware’s 11-member privacy team balances the ever-expanding regulatory environment and constant technological advances by following privacy-by-design principles and a set of five internal “operating pillars,” which Lee said are guided by safe and secure innovation and scalability.
Previously, Lee worked within Deloitte & Touche’s Privacy and Data Protection Practice, working with technology, retail and life sciences clients from across Asia, Europe and North America, in designing, building and assessing global privacy programs.
At VMware, where he recently added the role of vice president to his title, Lee has had the opportunity to build and grow a privacy program, an experience he called, “really very fascinating.” When he started at VMware in 2018, the company’s privacy program was built for the EU General Data Protection Regulation, which had just taken effect. The challenge in moving forward was determining how to scale out the program, with the realization that the European regulation was “just the beginning” and that with VMware’s global operations, solutions need to consider privacy and data regulations that have since been popping up around the world.
“The mission I had was how do we continue to grow the program. How do we continue to make sure that we are able to operationalize the program and really think about where we are going to take it, so we are being proactive of all the issues that are coming down rather than reactive,” Lee said. “It’s definitely been a great place to really grow a program because there’s so many different nuances.”
To better manage today’s busy privacy and data protection environment, VMware has established a series of councils focused on key themes like customer experience, employment-related issues, engineering and more. Council members, who come from around the world, engage with their individual teams on topics and the latest happenings, ultimately, Lee said, “helping us to be aware of what the issues are and to understand what the big projects coming down the pipeline are.” Internal and external legal partners, as well as VMware’s government relations team, also help to keep the team up to date.
“There is always a ton going on that we have to stay up to date with,” Lee said. “You have to be aware of issues that are affecting different teams. You have to keep an eye on emerging technologies, even sociopolitical issues. When you work in privacy you are going to get exposed to customer concerns and demands, you also need to have a broad understanding of what your business goals are and to have a truly successful team you have to be able to work across the entire enterprise, rather than just be thinking about employee data, customer data. It really is a key success factor.”
Lee said VMware’s mission is to be a “trusted cloud partner” for customers, helping to deliver the right solutions that assist them in their business and compliance strategies.
“Our customers are often providing services to other customers and other entities, so we are providing that connectivity, which provides a new set of problems because, historically, if you think about where a lot of professionals often think about privacy it’s between a company and an end user,” he said. “We think about privacy as, yes, we have the marketing and sales and the like, but we also have to help design and build and deploy solutions that enable our customers to be able to operate securely and while thinking about privacy as well.”
In recent years, Lee said conversations around data protection and privacy have shifted from a focus on trust, to choice and control, making it a particularly interesting time to be a chief privacy officer. What’s more, CPOs get to see and work with more aspects of an organization than they have before, while conversations have upleveled to the executive branch.
“It’s one of those very unique roles in business today where you do have to be able to understand your craft, but then wear different hats as you apply the conversation and the logic,” he said. “The CPO is playing a larger role from a strategy conversation than it used to four or five years ago. The role of the CPO is becoming a lot more strategic, which is great, and then the fact that you’ve got to be able to wear those different hats and navigate across the organization rapidly is very interesting.”
Photo by Sam Schooler on Unsplash
