‘Privacy needs to have a seat at the C-suite table’

23 Sep 2022

Heather Federman. Images: BigID

BigID’s first-ever chief privacy officer explains why the siloed approach to privacy needs to disappear and discusses the ongoing challenge of cross-border data flows.

Heather Federman has had an extensive career in data privacy and protection, advising organisations of all sizes on cutting-edge privacy issues. She is currently the chief privacy officer at BigID, a data intelligence platform based in New York.

In this role, she manages and leads initiatives related to privacy evangelism, product innovation, internal compliance and industry collaboration. She also works closely with the product development team on all privacy-related features of the company’s platform.

“I also regularly confer with BigID’s clients – some of the world’s most respected, innovative companies – on their top concerns and how our tools can facilitate their privacy and governance goals,” she told SiliconRepublic.com.

“This window into the data protection needs of companies in industries as wide-ranging as entertainment, security and consumer goods has helped me quickly understand the topical concerns driving the industry forward.”

‘No one gives you a gold star just because you saved your company from a regulatory fine’

What are some of the biggest challenges you’re facing in the current IT landscape?

Oftentimes, the privacy office and the data governance teams work in different silos. This is like the left hand not talking to the right hand when we are all part of the same body.

But data processed by an organisation can range in complexity, from sensitive IP and business data to personal data like health records and shopping inferences. These teams, therefore, need to work together to address the common goal of having one standardised data taxonomy.

They should have the same understanding of what constitutes sensitive data as well as technical and business metadata. This can be done by a mutual data mapping exercise that creates a common data taxonomy, which can feed into an organisation’s classification of data as well as its inventory.

What are your thoughts on digital transformation?

Digital transformation is inevitable, and it’s up to the privacy practitioner to become more than just a compliance function. Otherwise, privacy becomes a thankless job – and no one gives you a gold star just because you saved your company from a regulatory fine.

Privacy needs to have a seat at the C-suite table and become a corporate driver. Rather than saying ‘no’, they can present alternative scenarios. They can help their organisation understand the real risks associated with potential data uses and what reasonable guardrails are for using this data.

By focusing on business capabilities more than compliance concerns, the privacy officer can become a business driver by creatively working with internal teams to leverage the organisation’s data assets.

How can sustainability be addressed from an IT perspective?

For half a century, organisations have relied upon – and governments have codified – internationally accepted principles for data processing. One of these is the principle of ‘data minimisation’, which essentially means an entity should limit the collection/use of data to what is directly relevant and necessary to accomplish a specific purpose; they should also retain that data only for as long as necessary to fulfil that purpose.

One main way to achieve sustainability is by following this principle. According to Solutions Review, the average cost of storing a single terabyte of file data is now around $3,351 per year. They also predict that the volume of unstructured data will grow to 175bn terabytes by 2025.

In addition, data storage can harm the environment as it takes up a lot of energy and electricity to maintain. Cloud storage has a greater carbon footprint than the airline industry – a single data centre can consume the equivalent electricity of 50,000 homes, and the overall electricity utilised by data centres accounts for 0.3pc of overall carbon emissions.

Unfortunately, many organisations still feel the need to hoard data for an undefined period of time ‘in case they need it’.

Yes, big data requires a high volume of data to make it functional for many of its positive present/future uses, but if you can’t prove up front how you plan on using it and if you’ve had it for a decent amount of time and its value has not been proven, then it’s doing no good for anyone just sitting there on a server.

Data minimisation is a sound privacy/security practice – you don’t have to worry about protecting data if you don’t have it – in addition to being good for the environment and the company’s bottom line.

What big tech trends do you believe are changing the world?

I’m excited about advances in interoperability and portability methods. Interoperability refers to different applications and systems from different organisations seamlessly communicating and processing data in a way that requires minimal involvement from end users.

Interoperability is tied to the concept of data portability, the ability for individuals to obtain, use and reuse their personal data for their own purposes across different services.

Without this, a person’s data is accessible only through the platform where it is stored. Such a siloed approach creates lock-in effects, poor data quality and inaccessible data.

For this to effectively happen, though, there needs to be a standardised data taxonomy, not just within one organisation but across an entire industry sector for each sector. This ontology could then be used for sharing relevant information.

Interoperable standards foster better data quality and operational efficiencies while reducing costs compared to non-interoperable systems. They also improve data protection, as organisations can more seamlessly share data rather than do so through manual methods, which are subject to human error and a higher rate of potential loss.

Portability and interoperability are established for regulated health and financial services. There has been an increasing focus on consumer-directed portability through the EU General Data Protection Regulation and the California Privacy Rights Act, and added to this is an increasing desire amongst individuals, as well as small businesses, to own the data produced by the services they commonly use.

This information becomes even more useful for the end user when combined and analysed with data from other sources. Can you imagine being able to easily and effectively control all of the data output that exists about you?

How can we address the privacy challenges currently facing your industry?

One of the main challenges facing organisations and their privacy teams is cross-border data flows. Regions like Europe and China have made it harder to do business. If data is transferred outside of those physical regions, businesses have to leverage transfer mechanisms to ensure an appropriate level of protection.

The current reality is a challenging environment in which to do business on a global level. Even if there are no physical means for the data to leave a country, if that data is processed by a foreign entity, then the technical or legal measures invoked will not be considered effective or adequate in certain cases.

And unfortunately, these economic protectionist measures hurt the free flow of information as well as the consumers who want to access global services and technologies.

As a lone privacy practitioner, there is little one can do other than make sure there are appropriate legal and technical transfer mechanisms in place. As a community, however, we can encourage our leaders and regulators to come together and create global standards to protect our data while enabling its continued flow across borders.

Thankfully, privacy authorities from the G7 countries recently held discussions on how to streamline the international data flow between member nations.

Regulators have committed to “collaborating on legal methods to move data and create options for businesses to choose cross-border transfer tools, suitable for their business needs”. Time will tell if such discussions will bear fruit, so in the interim, organisations can continue encouraging such regulators to progress on these efforts.