Scale, Automate & Optimize Privacy Operations | Lightbeam

Learn how to scale, automate & optimize privacy operations with insights from Lightbeam’s Privacy Applied eBook Vol II.

Transcript

Hello, and welcome to this episode
of Privacy Pros podcast.
Today I have the honor
and privilege of welcoming Kimberly Lancaster
to our Privacy Pros podcast.
Kimberly wrote an article in the Privacy Applied 2.0 book.
Um, the article dealt with how do you scale, automate,
and optimize your privacy operations.
Um, Kimberly herself is a senior leader
and privacy advisor who directs data protection
and drives operational excellence by aligning InfoSec,
security, compliance, data privacy, GRC,
and risk as a unified platform.
Instead of, you know, dealing with all of these silos,
she brings it all together, uh, very active in
multiple organizations such as XRFI, privacy, the Rise
of Privacy Tech, women in Privacy
and Security, the Cloud Security Alliance,
IAPP amongst others.
Kimberly has a lovely quote that I would like
to, uh, add over here.
She says, privacy is not just a passion,
but a way to connect people.
So, very well put, because there are so many organizations
and teams that need to work
and get affected by privacy and security.
Um, so I'll, I'll continue,
but a way to connect people, processes
and tools to provide awareness
and methods to protect themselves.
Kimberly, it's my pleasure, um, to welcome you.
Welcome to this podcast.
Thank you, PD. I'm excited to be here
and to talk about this subject,
which is very near and dear to my heart.
Let's get started with the first question that I have.
You talk in your article about how do you optimize
and scale privacy operations.
The question that I have for you is, many people that I talk
to, they don't even care about privacy.
They don't even focus on privacy, let alone, um,
optimizing or scaling it.
So, could you tell us why should people even care?
People that organizations even care about privacy?
Privacy is a fundamental right of humans,
and it is something that you think about kind
of on the side.
It's not for a lot of people, average citizens,
those not in the industry.
It is not something that we need to do.
Or if you're in a business,
they think about it in the aspect of, oh, okay, I need to do
that, but I'm gonna do that through security measures
and I'm gonna do this and that.
Um, there's helping people understand how being aware of
what the privacy requirements
and what they should ask for, for themselves as individuals
or as employees or as users of a system
or a product, is very important.
And with that, I often have conversations around
why should it be important to me?
And bottom line, it comes down to, uh,
a conversation I had with a 10-year-old a while ago,
and that conversation was, okay, if you are playing
with a bunch of your friends
and there's something that you don't want to share
with those friends, but you have another friend over here
that you play with all the time, that it's okay that
that friend knows you tell that friend.
You want that friend to keep that to them.
So you ask them to keep it private.
If that friend violates that
and tells all the other kids at the playground,
and then you're embarrassed
or you're unsure or all those things.
So think about what information you share about yourself.
And it was a really interesting conversation
to watch the child's demeanor change
as the conversation went on and,
and the questions just kept coming
and coming and coming around.
Well, now I see why that's important. Well, what about this?
If I'm playing a game online, do I need to do this?
And well, yes. You know, do you want to tell everybody
where you live?
What hou what your house number is?
Oh no, I don't wanna do that.
So when we take it down to that, that very simple level,
and you have conversations with people around
what privacy means to them, it's their right to know
that the information they have about themselves
and the things they do will remain private
and only shared with those people, companies
or individuals that they agree to share with,
that they've given consent to.
So when we talk about privacy, it's, it's a learning stage.
It's, you know, a lot of people think, well, okay,
I'm gonna get online and I'm gonna do this,
and no, I'm not gonna share my information.
But do they realize that the webpage they went
to is gathering information about them?
Do they realize these things?
And a lot of people don't, and so they, they move forward.
It, it's, it's very fascinating.
You help a 10-year-old understand the importance of privacy
and implications of sharing your
data here, there, and everywhere.
I think it would be a subject of another podcast
that we do together.
If you have time, whenever you have time, which is to say,
Yeah, love to. If you can,
if you can help a 10-year-old understand importance
and implication of privacy, you know,
we should figure out a way to get the executives
and the board members
of organizations understand the importance
of exactly, you know, privacy.
I I just read a, a stat just yesterday that nearly a third
of the global 2000 organizations do not
have a privacy officer.
I was shocked with that. Like your global 2000 automat
don't have a privacy officer.
Uh, that, that was surprising, um, to me.
But continuing in the article that you wrote for us
around optimizing
and scaling privacy, you talk about four steps to plan
and implement, uh, your privacy operations program.
We, we would love to hear from you
what those four steps are.
Sure. So it's breaking it down into,
into the four steps helps you plan how you get there.
When you start a program, you wanna define the goals
of the program and the requirements that you have to meet.
So for a privacy program, if you have global data, you,
you are gonna have to meet GDPR.
If you have US data, you're gonna have US laws, now
that we've got seven of those guys out there, um, you know,
you gotta know what those are.
If you're signing contracts,
what are your customers asking you to, to meet?
The second, after you define those goals and
and requirements, you lay those out
and really understand them
because the next step is, is
that you develop your roadmap and your strategy.
What do you wanna achieve?
Yeah, I'd love to stand up a program in, in six weeks.
Does it happen? Eh, not always.
Um, so you gotta have a strategy around it.
Where do I focus? Do I focus on the high risk first?
Do I focus on the lowest hanging fruit first? What do I do?
Once you kind of get that roadmap and strategy
and alignment, then you start the actual digging
and you start your privacy analysis
and your, your, um, risk reviews basically.
And you look at everything from
employees in the company to the customers
that you're dealing with, to the vendors that you're using
to, you know, the, where you send your data out to
after you're done with it, et cetera.
And you start your reviews.
And those reviews actually help gauge
the growth and the roadmap.
So once you start those reviews, you're gonna come back
to your roadmap and your requirements and your goals.
Quite often, one of the things
that's very important in my opinion is
that you are on at least a quarterly basis at the minimum
looking at your roadmap, your strategy, and your goals
and requirements to see what's changed.
Those are critical things.
Once the review is, is underway
and moving, then you start to implement your process
and you then comes the, you know, everybody thinks, okay,
that review analysis is really tough.
No, it's not that tough compared to the operation
to operate opera, to implementing opera.
Um, you mean operationalize? Thank you.
You, it's a big word. I get it. It's a big word.
It might, I need more coffee, apparently.
And then you can think about maturing your program.
You know, we talk about implementing processes,
implementing awareness, implementing, um, abilities
for people to escalate and talk to.
Then you can start into the next phases
and move down the path where you build this routine
and then you look at the automation.
So this moves into that next course of questions around,
what can I automate?
Because if you have a small company,
you've got a one person team,
they simply can't take on all the work.
But if you're doing the right approach to things,
tackling your highest risk first,
tackling your low hanging fruit as often as you can,
then you start to build the maturity of the program.
And when you build private privacy maturity,
you build awareness at a key level where partners
and coworkers that you have around, you don't have
to think twice about it.
It becomes second nature to them.
Got you.
You know, every time I hear you talk about how
to go ahead and scale, operationalize,
and optimize your privacy operations program,
I often end up taking notes.
And, you know, my, again, I took notes by the way, just
during this podcast, and, and I'm gonna repeat
and summarize, know them because they're very important.
I think where you started is define your goals.
Make sure that you know what data you have
now, what are your requirements?
What are you working towards, number one.
Number two, develop a roadmap and a strategy.
And here you mention something really important
that I at least hadn't thought of
before, which is there are two ways to look at it.
Do I go after the highest risk, um, problems first, do I go
after the lowest hanging fruits first
because you know, I can get some quick wins.
I, or do I go after the high highest risk
where I'm working on the most important stuff?
And you actually answered, I was about
to ask you a question about, well, what should we do?
Should we go over highest risk or should we go
after the low hanging fruits?
And you actually answered that as part
of your fourth bullet point, which is you said, look, go
after highest risk and then get the low hanging fruits
as often as you can, which I think is a, yeah,
fantastic way of looking at it actually.
Now get some quick wins,
but keep working towards your highest risk, actually.
Um, step number three,
you said privacy reviews and analysis.
This is where you do risk reviews, uh, for example,
for all the data that you have from an employee,
from a customer, from a vendor standpoint.
And step number four is implement this process
and look for automation.
Uh, very well put, uh, this is why, uh, listeners
and viewers, uh, please do read the article.
Uh, the article goes in great detail talking about,
uh, all these four steps.
And let's move to the next question that I have for you,
which is, you know, yeah, this is along the lines
of automation, which you had put in the fourth point,
which is, you know, we hear a lot about DSAR
and RoPA automation.
There's something that's very near
and dear to my heart actually.
Uh, automation of data classification.
Unfortunately, my understanding
and my experience is a lot of the automation talk
around DSAR, RoPA,
and data classification is all about generating lots
of forms and then having people fill a lot of forms,
which doesn't seem like automation to me,
but I have my own biases.
I would love to hear from you around what's your wish, uh,
when it comes to DSAR and RoPA automation?
So my perfect world would be that I'm able to
use information through an inventory gathering
and understanding the data in all of my systems
where I can then say, this grouping
of data matches this classification, this does this
and that, um, that's tied back to how the servers are
identified so that we know when we have restricted
or sensitive, highly confidential
or sensitive information
that is being encrypted and handled properly.
Building that baseline there then allows me to say,
because with DSARs, the real key is
can I answer the questions for the individual?
That's the whole purpose behind it, is can I tell them
what their data is being used for, how it's being processed,
which is the RoPA, how long is it stored?
Can I give them a copy of it?
Um, all of those areas, and DSAR
and RoPA are the fundamental stakes in the ground
where we say, if I had my perfect world, I would be able to
look at all of the information.
Say I get a DSAR request coming in that says,
oh, remove all my data.
And I say, okay, without asking that person 1500 questions,
how am I gonna know where to look?
Correct? I can, I can start a review of
requesting information out of my inventory,
and my inventory gives me a baseline of, okay,
maybe they applied for a job here.
Maybe they use the products,
maybe they were a former employee.
But being able to then look at that grouping of data in
that DSAR and say, I can remove this,
but I need to keep this for other reasons,
or I can anonymize this.
So understanding the data behind the DSAR request,
understanding the information gathered for RoPA,
which comes from that inventory,
and that processing allows me
to actually provide a great service for a customer.
Automation is the way to do this.
Automation allows me to
plug in an identifier, a name, an address,
and other key pieces of information
and understand, do I have two Joe Smiths here?
Okay, right. Which one do I want?
I can't do, you know, if, if I don't know,
then I've gotta ask the individual more information.
But being able to make the determination through automation
of data coming to me
or being able to access that information with ease is
such a highly important thing for a business.
For three reasons. The overhead of sending out forms
to 15 different areas in the company.
Yep. The aspect that we may not meet the time,
therefore possibly end up in a situation
where we could get a fine or a reporting to a DPA.
Are we gathering the right grouping of information?
And two, are we doing a disservice to the, to the individual
because we're turning around
and asking other team members
to go look at their data when they're wanting some fee
selling information?
And for me, as a privacy individual, that's really,
really important and why automation is so critical
with those two functions.
Wonderful. So I have, oh, go ahead.
Go ahead. Finish your thought, please.
No, no, go ahead. No, you're good. No,
I was just gonna, I was just gonna tee off
because you know, we are talking about the importance
of automation and, uh, how it avoids you to send 15 forms
to 15 different people who then have to work on all that
and, and just, you know, one thing leads wanna,
other is just a one hour leads
to a hundred hours getting wasted and so on so forth.
Exactly. Uh, which is, which leads the question and,
and you have been very active across multiple forums
and groups, uh, within the privacy community.
One of them has have been, one of them has been around, uh,
privacy enhancing technologies.
And my question to you is anyone who is looking at a PET,
a privacy enhancing technology, um, how should they go about
assessing, evaluating, uh, a privacy tech, uh,
any framework, um, that you could, that you could, uh,
you know, help us all, um, you know,
understand and educate us on
Comes right back to those first four steps.
What are your goals and your requirements?
What is your roadmap
and your strategy, and where are your risks?
Those should be the three, you know,
those things should be the three things that you start with
whenever you look at a PET in the aspect
that you could be looking at something that is so
overwhelmingly big for what you need.
Say I only have 200 customers.
Do I, do I need to go get something that, uh, you know,
has a very high budget, a very high
Right. Implementation aspect?
So you really have to understand
where your program goals are.
You also have to understand who has to be involved in
that implementation, your security team, your IT team,
who the users are gonna be,
what systems they're gonna be touching.
So what I do is I build out, you know, I start,
I do a four square quadrant
and I start plugging information in what's important,
what's not so important, what I don't need, what is a maybe.
And I start putting information in there from,
from those three key items,
and then I start evaluating PETs from there
because that really gives me what need works for me.
Right? Makes sense. Makes not,
not just a very general framework about a, this is the PET
that's, um, um, you know, that, uh, a lot
of other ppu, none of that matters.
Really what matters is what are your goals, what are your,
what are your core objectives?
Uh, you start from there. Mm-hmm.
Uh, that's a great way of actually finishing this podcast
because we started with the four, uh, ways mm-hmm.
Of scaling, optimizing,
and automating your privacy operations.
And we are ending that ending right there, actually.
Like, as you are looking for your path, for your technology,
uh, for your, for privacy tool, keep
that first flow in mind.
Perfect. This is a great, uh, you know, podcast.
I really enjoyed the session and I'm sure our viewers
and listeners will too.
Thank you so much, Kimberly, for making some time
for us in your busy schedule,
and I look forward to doing
another podcast shortly with you.
Happy to. Thank you.
Thank you so much.