Harneet Kaur on Building Scalable & Sustainable Privacy Solutions
Privado celebrates the work of Harneet this Data Privacy Day.
Senior Privacy Program Manager, Privacy Engineering
About
Harneet is a Senior Privacy Program Manager, Privacy Engineering at a leading fintech firm. She previously worked as a Manager (Privacy) at Dropbox, and Cyber Risk Consultant - Privacy at Thornton LLP. She is CIPP/E certified, and is a speaker at the International Association of Privacy Professionals (IAPP).
What is your role, and how does it relate to ensuring data privacy?
At a high level, my role as a senior privacy program manager entails being an advocate for embedding data privacy and technical, non-technical, and operational processes, systems, and programs across the organization. Overall, I design, build, implement and maintain privacy programs. I perform privacy assessments. I support privacy incident response. And I collaborate with various technical and non-technical stakeholders to build and design products with user safety and data protection in mind.
Tell us about your approach to building privacy programs.
My approach to building privacy programs focuses on building a scalable and sustainable solution that makes sense for the team at that point in time and can be iterated in the future based on how we use the program and how we grow the program. So the first thing that I do is evaluate the scope. So I look at what we are trying to achieve with this program. What are we not trying to achieve? Who are the stakeholders for this program? How involved will they be? How will they be impacted? Stuff like that. Then I do a deep dive into the current processes in place. Is there a partial process in place today? How does it work? What are the pain points in that process, so that we refrain from repeating that in the future process? Again, like, who is involved, how involved are they, things like that. If there's no process, and we're building a program from scratch, I investigate if there's like any existing processes, systems, or tooling that we could potentially leverage as we build out this new program.
So, for example, if there's an existing security third-party review process where we could make adjustments and plug in the privacy aspect of a third-party review, leveraging, like, whatever consolidated review tooling they have, as an example.
And then, after I do that kind of deep dive investigation, I put together a program design and project plan. And I keep in mind things like timelines, resources, cross-functional stakeholders, how involved they want to be, and what their buy-in looks like. And then I use that to propose appropriate solutions. So sometimes, this can look automated, like a fully automated solution. But other times, due to a business need or resourcing constraints, it could be partially automated or even a manual solution, depending on where the organization is and its privacy readiness.
How do you measure and prioritize data privacy risks?
Measuring and prioritizing data privacy risks is something that I collaborate on with like a privacy council to make sure that we're taking into account the various privacy regulatory requirements and frameworks that we need to keep in mind and can assess risk accordingly. We should consider the scope of impact if the risk is realized and what the blast radius looks like. What is the likelihood of the risk, whether or not it impacts sensitive personal information or personal information, whether it impacts a vulnerable population, and whether it includes third-party systems? And then we have to think about notifications. Like third-party risk factors as well, things like that. All those different factors and more will impact how you measure and prioritize the risk.
What's one thing that has surprised you in your data privacy work?
One thing that pleasantly surprised me is how quickly privacy has become mainstream. And it's something that people can recognize as important to address. Sometimes they might not have liked the language for it, but they'll, you know, come to you and say, Hey, we're storing data in this specific database, like, should we be doing that? Or, hey, we want to work with this third party, but they do X, Y, and Z. Are they still like a good candidate? Whether they recognize it or not, they're talking about and thinking about things from a data protection perspective. This is likely exacerbated by a lot of the recent privacy incidents in the news, but I'm grateful for that awareness.
Nonetheless, privacy has jumped in leaps and bounds in Privacy Awareness over the past couple of years. It's a relatively new field. So you know, I'm excited to see how that grows.
What challenges have you faced, and how have you overcome them?
I guess like goes hand in hand with what I just mentioned about Privacy Awareness. A lack of privacy knowledge and awareness in an organization can be a big one because it impacts stakeholders' buy-in on your projects. It can impact resourcing and funding and stuff like that. And different ways that I've looked to overcome it has been with education efforts. So whether that's like broad generalized training, or like role-based kind of discussions with like specific teams, like for example, with a marketing team or with a data team, walking them through and helping them understand what specific risks impact their area of business.
Overall, evangelization of privacy makes a pretty big difference. And helps people understand that there's, one, like a privacy function to begin with, two, what it stands for, and three, how they can engage with it. So evangelization is pretty big. And then definitely cannot understate the importance of leadership championing privacy with a top-down approach. People often look to their leaders, rightfully so, to set the direction for the company. And so, having leadership acknowledge and champion how important data privacy is to them makes a difference in our conversations at the individual level.
And then finally, one way to overcome this is to build processes into existing processes that people use daily. I think about it by trying to make privacy like second nature for people if they already come to a certain process, like I build right there, rather than creating multiple places for engagement.
What has been your experience engaging technical or developer teams?
You know, each team is unique and has its perspective. So like some teams are going to be more receptive to privacy efforts, and others less so. So I cater my approach to each team. Overall, I found it helpful to spend time and energy building a relationship with the team, getting to know them, their goals, and their perceptions on privacy before discussing or even bringing up a privacy ask project, compliance requirements, or anything like that.
Building the relationship goes a long way in improving how receptive they are to like future asks. So I invest that energy upfront, make sure that they understand it's a two-way street, it's not just, you know, a gift from them, it's also received, they get a lot of benefit from partnering with privacy. And that's what's worked for me for the most part, thankfully. I have taken the approach here by trying to embed privacy by design at every stage of the development process.
The level of involvement may change. So when they're writing code, like, we may have different, I might have a different guideline that I shared with them of, like, here's how to make your code more data privacy friendly, for example. Or here's how you can improve and like collect less information. But my involvement is a lot more significant when it comes to a design document or an engineering design change that they want to make. I sit with the team, walk through their documentation, evaluate the data lifecycle with them, go through, like, you know, key privacy principles, and ensure we're comprehensive.
What best practices to share or pitfalls to avoid when ensuring data privacy?
I would say, always, you know, treat any questions that you get from different members of the organization as a curiosity because privacy is still a relatively new field, and people have a lot of questions. And it's very easy to assume that those questions, you know, might be them trying to challenge like whether or not privacy is essential, and that's not the case.
You know, folks just want to learn, they want to understand, like, how does this impact their day-to-day, so like, approach it with a lot of understanding and patience, and just, you know, approach it from a perspective of, we are ultimately working together to build something for the customer, whoever that customer might be. And so having a mindset of, like, we're doing this together versus it's me versus you makes a big difference, both like the relationship you have with those partners and the longevity of that relationship.
What does Data Privacy Day mean to you?
Data Privacy Day is an excellent opportunity to bring the next generation of privacy professionals to the field; many people need to be aware that data privacy is a field open to them for a career. And I hope that they, you know, come to Data Privacy Day, learn a lot and realize that they too can make an impact on this field, regardless of what industry they want to work in and whether they want to, you know, like work in a federal job, in tech, in like healthcare and life sciences. There's room for privacy, and I love these fields. And so I hope, and I hope, that it is brought into the minds of the next generation of privacy professionals and that they join us on this crusade.
More about the event
Who are Data Privacy Stars?
Data Privacy Stars are innovative privacy champions who have a grasp of today’s challenges and can project a vision about what should come next. ‘Privacy All Stars’ are professionals with considerable data privacy-related achievements accumulated over the years, while ‘Privacy Rising Stars’ are passionately driving data privacy initiatives.
How is Privado celebrating Data Privacy Day?
Privado is celebrating Data Privacy Day by recognizing individuals doing outstanding work in implementing innovative privacy programs. As part of its Data Privacy Stars campaign, Privado has planned a series of activities to celebrate and recognize these individuals.
What does it mean to be a Data Privacy Star?
The ‘Data Privacy Star’ recognition validates individuals who receive it as innovative privacy champions who have a grasp of today’s challenges and can project a vision about what should come next.
What activities does the program entail?
As part of the Data Privacy Stars campaign, Privado has planned a series of activities to celebrate and recognize the privacy stars. These include a series of 10-minute video interviews called 'Star Insights', a microsite featuring Data Privacy Stars, celebrating the Privacy Stars on the NASDAQ Billboard, exclusive Data Privacy Week Dinners in the US and Europe, and ongoing engagement on the Privado Community.
I still have questions. Who can I connect with?
If you have any questions or want to know more about the Data Privacy Stars campaign, you can reach out to Privado at hello@privado.ai.