Whitney Merrill on Investing in Cross-Functional Relationships

What is your role, and how does it relate to ensuring data privacy?

I am the data protection officer, and I head up our privacy team at Asana. If you could put my job description in a word, it's to ensure data privacy. My goal as the data protection officer to ensure compliance with global privacy laws and build a culture of privacy at my company.

Tell us about your approach to building privacy programs

I think building a privacy program can feel really daunting. And what I've seen happen to a lot of privacy professionals out there is a company that is finally ready to like dedicate resources to privacy, and they hire one privacy attorney. And the privacy attorney gets there. And they're like, go. And so this is kind of my advice for that attorney. 

‍

And it's, you can't do it all alone. And you can't ensure perfect compliance. And as much as the regulators are going to hate me saying that it's just not possible to do privacy compliance with just one person. It is a multi-team effort to build a privacy program. And so when you're looking at building the first parts of a privacy program, it's really important to find those cross-functional stakeholders you need to align with, to help you establish your goals. And make sure that you are finding out what they need from you as well. Obviously, depending on whether you're in the b2c space or the b2b space, those needs will change and be very different. 

‍

But I think looking at those types of needs from the business, but also looking at, what you can realistically accomplish, is a good way to start. But ultimately, when you're building that program, thinking about what are the cultural values of the company that's building that program, right, we have companies that have different cultural norm norms globally, we have companies that you know, operate and have different types of regulatory requirements based on the types of data that they're processing. And so, you need to take all of those things into account to figure out what your privacy program looks like. 

‍

But ultimately, if you're looking to, like, what are the first like other couple things beyond that relationship building, looking and deciding what those long term fixes that need to be made are, and start getting buy-in for those now, because sometimes it can take a year or two to fix, really like a large architectural issue potentially, or something that might require more cross-functional buy-in and stakeholder buy-in, that may take more time for alignment, start on those now. And by the time you get to that solution, you'll have had time throughout that like longer period actually to build in and do some of the smaller wins. I've seen people get into a prep builder privacy program and just start doing the small things first, and that can feel really satisfying. But you gotta get those bigger rocks moving slightly so that you get them rolling before it's too late. 

How do you measure and prioritize data privacy risks?

So I think every company does it a little bit differently. If you have OKRs or goals, you can use that to measure your progress kind of. But I think, you know, establishing what privacy metrics make sense for your program in order to show both its problems and its successes are really important. I think looking at things like response times to data subject requests can be really valuable. Because if you start to see those go up in length, maybe they become more complex, or you need more individuals on them that can create a narrative to type what type of tooling you might need to solve those problems. And so looking at, what kind of data might help you solve those problems in the long run. 

‍

And sometimes, when you start collecting data and thinking about how you will measure it, you have to collect I can't believe I'm saying this as a privacy attorney. You have to collect that data first and then figure out kind of what story it's telling along the way because you may not immediately know when you start requesting those metrics.

What’s one thing that has surprised you in your data privacy work? 

That's it's [privacy] is a thing now? that sounds really crazy, but when I started doing, you know, privacy work more like in a much more focused way even just like which feels very recently in 2012, I remember people saying that's not really a thing, lawyers don't go do that, you know, some companies have you have to go into regulatory industries, or that only exists for certain types of companies that may be subject to a consent order. But it wasn't really a thing every company was required to care about or every organization cared about. 

‍

And to me, I'm kind of surprised, it really did shift and change. Along those lines, what kind of surprises me is, given how much of a shift has happened globally, like not just in Europe, not just in California, but just globally? I am shocked that we still don't have a federal privacy law here in the United States, given that shift that hasn't moved in more tangible way than it currently is. 

What are some challenges you have faced and how have you overcome them?

So one is getting past the idea that privacy is a compliance exercise, I think, in particular, with that big shift and what's changed. And what surprised me is that, you know, privacy, companies caring about privacy, organizations caring about privacy. And as a result, I think users were vocally talking about their privacy, I think they've always cared, but is that people look at privacy as that thing we must do to comply with the law or the changes in law? And I think that's just one part of the story of a privacy program and building strong privacy. You know, the culture within a company as privacy is very cross-functional, it's an ethics problem. It's a legal problem. It's a customer trust problem. And when you look at it through all of those various different lenses, your solutions aren't always going to look the same from a privacy perspective. And once you, get past that, like privacy is a compliance exercise, it can be really difficult, depending on the organization and depending on the stakeholders who are involved in those conversations. 

‍

How do you overcome them? I think surfacing the various different issues that might arise from a privacy perspective it's quite interesting, especially in the b2b space. And you see this a little bit in the b2b, b2c space where users have a little bit more say, or control or voice, they might be requesting certain types of features or control over their data, or the ability to do something that isn't necessarily required by law. And if you want those customers, if you want those users, you're going to have to complete to build those things. And I think that's a part of compliance or privacy that when you are having conversations with a product team or an engineering team, you're thinking, Okay, this isn't just we must do this, because of the law but look, here's how many people actually want this as well.

What has been your experience engaging technical or developer teams?

I love working with engineering teams, I consider myself an engineer as well. And so part of you know, I think working with any cross-functional team, but especially engineers, and product teams, is understanding their goals, their objectives, their needs, and also what problems are hard. I think one of the things that I learned when I became an engineer is a problem to a lawyer or to someone who's not in the technical field, you can say, Hey, I just need you to delete data, like just go and delete all this data. That should be easy, right? And then you dig in, and you find out if with the right product, why it's a technically difficult problem, because of potentially the certain like, a certain type of infrastructure that they may have built, or maybe decisions that were made long ago when the company first started. 

‍

And so I think this is a universal problem that when we're working with engineers and product teams, we need to say, how hard is this problem? Like if I'm asking for this type of solution? What does that really take to fix? And how do we get on that path? And that's to my point earlier about building a privacy program. You know, once you figure out what those really, really hard things are, where engine product can really help highlight them for you. You can help roadmap them accordingly and set expectations for your leadership stakeholders who care about those problems so that they're aware of risks from a privacy perspective.

How do you think about staffing your privacy team? 

So I think privacy teams are historically set under a legal organization or at least the nascent stages of one, and I think, you know, having lawyers on your team is really valuable, but I also think having non-legal folks, project managers, and privacy managers privacy operations individuals on your team is really, really valuable. And so, again, just privacy is cross-functional privacy isn't just a legal exercise. And so you have to hire people who are also cross-functional and who aren't just lawyers. And that, you know, no matter what your privacy structure looks like in your company, once you accept that, even if they're not on your team, for example, maybe you want a privacy engineer who lives in the privacy engineering or maybe you have an advocate whose main role is doing privacy compliance on your marketing ad tech team, there are all sorts of different ways that you can build that in. And I think when you're thinking about building a team, I think you need to think about not just your immediate team of who's directly reporting to you. But who do you want to advocate for across other folk's teams to help solve their problems and help advocate and solve those business use cases that, you know, might be the best fit in that organization?

What are some best practices to share or pitfalls to avoid when trying to ensure data privacy?

There are a whole bunch of things you could do. But one of the things that I tell I get the question all the time from new startup companies, I have friends who say I'm starting a company or I have a friend who's starting a company, like what're the one or two things I need to do from a privacy perspective? When do I need a privacy lawyer? And here's kind of what I usually say to them. Know where your data is, just start mapping your data. Now while it's easy, when you only have five systems, do it now keep a list of your vendors, good idea. Doing those two things, is going to really set your program up in the long term. Because a lot of what can be really difficult about privacy is that you can't govern it if you don't know where the data is. And the hunt for finding the data. And building that muscle of keeping it up to date, finding it across your stakeholders becomes much, much more difficult when you have to do it retroactively, like every single privacy person in existence, because GDPR really pushed that forward. 

‍

But now that we have that knowledge that, that's something we should all be doing. Do that now, it doesn't have to be a heavy, heavy exercise, you can start a spreadsheet, system, data elements, and roughly who you should talk to to know more about that system. That goes a really long way. And I've mentioned that because I think that's an easy pitfall to avoid, which is just keeping track of data flows and having some documentation there. Because eventually, when you are ready for a privacy person, or you're hiring a security person for the first time who will do some privacy work, they're going to know where to start. And they're going to know where the most sensitive data sets are and maybe who your risky spenders are as a result. 

What predictions do you have for Data Privacy in 2023?

I mean, more regulations, I expect to see more in the United States a lot. Aggressive isn't the right word, but intentional actions from the FTC around data privacy. And what I mean by that is, even last year, we saw this starting, and I think this will be a trend we'll continue to see at the FTC coming from the FTC. For example, the CEO was held personally liable for a data breach of the company. That's a very intentional action from the FTC to make a statement about how you need to think about data protection and privacy generally, I think we're going to continue to see more actions in that direction. What exactly will those look like, I think it's gonna be more guidance through consent orders as it relates to data privacy practices that aren't clearly written out in any sort of federal law. And so they sometimes call that FTC common law, I think we're gonna see a lot more FTC common law, which is, you know, explicit statements requiring data minimization, which we've already seen from the FTC as well. So I expect to see a lot more of that coming, in addition and kind of supplementing all of the state privacy laws that are going into effect this year and early next year.

What does Data Privacy Day mean to you?

You know, honestly, it's a day like every other day because every day is a privacy day for my team and me. But I think data privacy days are really great opportunity to highlight to folks who don't do privacy every day. The different aspects of privacy, right, that it's not just a legal exercise that also, you know, brings awareness and attention into the larger privacy issues that exist in the field. It's a great opportunity to reexamine kind of and reprioritize and think about how we can improve privacy over the next year. I like that it lands in January, it's kind of like starting a new year off with, like, some privacy goals as you think about it. And, you know, having a little bit of that awareness and it's, it's kind of, you know, it's a couple of months after Cybersecurity Awareness month in October, and so it's, it's a nice kind of follow up to that. That helps individuals who aren't thinking about it every day. So think about it.