Aleatha Parker-Wood on Building Customer-facing Privacy Tools

What is your role, and how does it relate to ensuring data privacy?

I'm the principal privacy engineer at Amazon Web Services. I've worked both in the context of a privacy program, acting as the business consultant to help them improve their privacy posture. These days, I'm more focused on building privacy tooling and creating tools that everybody [other teams] can use to improve their privacy posture and taking some of the best practices and turning them into things that more people can use.

Tell us about your approach to building privacy programs. 

So I think one of the most important things that people sometimes miss out on when they're starting up a privacy program is getting engaged with the business stakeholders very early, getting a handle on what the priorities are, and helping them to understand the risks at a business level very early, I think sometimes we jump immediately to the problem and the solution that goes along with that problem. 

‍

But there's a whole education process that has to go along with that to say, Hey, you're taking on this risk that comes with these potential fines that come with this loss of trust. Getting in with the business stakeholders as soon as possible will make it much easier as you start standing up policies, procedures, and tools to get people invested because they understand what they're getting for their money.

How do you measure and prioritize data privacy risks?

Start from the business. But, for better or for worse, there's now a pretty good library of regulations and judgments. Early in GDPR, it was a bit of a wild west; everyone was looking at the law and trying to read the tea leaves and understand how things would be interpreted. So obviously, I think you need to start from the fundamentals of your business and start with customer trust. Regulations are just one way in which that expresses that. But meeting the law is not enough if you're violating what your customers expect you to do. So you start with your customers; you need to understand what they're going to care about deeply. And then you work backward from that through the regulations to say, Okay, I'm going to start with this. 

‍

Everything starts with data inventory. Okay, now I need to figure out with this data inventory, how am I going to stand up all of my basic legal obligations, DSAR deletion, all of that, and then what can I do above and beyond that's going to move the needle on trust for my customers. And that's very business specific. 

What's one thing that has surprised you in your data privacy work? 

So I'll give you a good surprise and a bad surprise; one good surprise has been the degree to which people not in the privacy field are getting increasingly aware and invested. I have loved working with many passionate product teams who weren't in the privacy business, who said, Hey, I want to do the right thing for my customer; I need you to help me understand what that is. So that was a wonderful surprise. I was pleased about that. 

‍

The bad surprise has just been from outside the privacy field; it cannot be obvious how much variation there is in the legislative landscape. Once you get into the details, you're like, this company has a consent decree, which is operating through these three jurisdictions. And this one's only operating in this one. So it's not a level playing field at all. And so each company has a very idiosyncratic set of things they're going to have to do, promises they'll have to keep it there's no checkbox for privacy. Everyone says that, but that's not just about the human aspects. It's also about the degree to which things are entirely different in terms of the environment.

What challenges have you faced, and how have you overcome them?

I think I faced the same challenges everybody else did. You must work through the business to convince them this is a priority. You have to coordinate across a reasonably large organization; there are very few concerns that are as cross-cutting as privacy, security comes very close, but security doesn't have the lawyers in the room. So, to be a really effective privacy person, you both have to be able to track these broad work streams with 10s, maybe even hundreds of people in them. And you have to be able to work effectively as a translator between different types of concerns. You have to take legalese and turn it into something that a developer speaks and something that a person concerned with PIl speaks. So it's, being able to effectively message all of these different groups has been the challenge for me and the thing that I continue to work on.

What has been your experience engaging technical or developer teams?

I have been privileged in that I often get tapped in relatively early, which I really enjoy. People come to me because they want to build something from the ground up; that's going to be the right thing. But I've also done sort of bread-and-butter privacy work, like assisting with data inventories. So I've tried to make sure that I worked with technical teams all the way through the privacy lifecycle so that I could understand it from their perspective. Having a background both as a software developer and as a data scientist helped because I have been on the other side of the fence saying, Hey, I just want to use this data; I just want to build a feature. What I have to do to get my hands on the data tells me, so I have a lot of sympathy for being on that side of the table facing down pages of policies and arcane legal language being like, I just need the data, tell me how to get it. So I think I tried to be a good partner; I tried to have a lot of sympathy for their priorities, not mine. And then, I tried to engage deeply with them all the way through the lifecycle. What's the feature you're trying to build? Why you're trying to build it? Have you thought about this? Have you thought about that? What data are you going to collect? Let's go through the schema to ensure you're thinking about this the right way.

What best practices to share or pitfalls to avoid when ensuring data privacy?

We've already discussed the importance of engaging with the business. And I think the other thing that I would say is to get crisp with yourself about the risks that you're facing and make sure that you're not focused on a problem, which is technically interesting but doesn't move the needle for the business; I think sometimes we can find ourselves in the business of over-optimizing on some particular aspect because there's a bunch of really cool papers about it. And you do have to bring it back at the end of the day; what am I doing to protect our customers? What are the risks my customers are facing? And how is this going to move the needle for that? So that's my best practice advice.

What predictions do you have for Data Privacy in 2023?

I predict that the privacy tools market is going to continue to evolve. As you will know, some cool tools are coming up that you guys [Privado] are working on. Of there are a bunch of other companies working in the space that I'm very excited to see mature. 

‍

I think we're gonna see more clarity around best practices and privacy. I see an evolution of the field towards security, where you now start to have some codification of the field, and you have a sense of who the different types of specialists are in the field; we're going to see more and more of that. 

‍

And I predict that companies will continue to struggle with the basics, much like with security; many companies out there are still trying to wrap their head around data inventory. What they're gonna do once they finish inventorying it, so I am hoping over time, will be to help them bring themselves above the privacy poverty line.

What does Data Privacy Day mean to you?

Much like people say, Christmas should be every day of the year. Every day is data privacy day, but it does give me a nice nudge to reconnect with my colleagues and reconnect with my community, which I love. As I've said before, this is a beautiful community. So I'm going to celebrate by reaching out to some of my favorite privacy colleagues, catching up, and talking about the big-picture problems we're facing and what we're going to do.