Presentation: Managing Privacy & Data Governance for Next Generation Architecture
This presentation is now available to view on InfoQ.com
Watch video with transcriptWhat You’ll Learn
- See what’s going on within Pinterest when it comes to privacy and data governance.
- Learn about the framework that Pinterest has developed to evaluate vendor use cases.
Abstract
The number of privacy-related regulations are on the rise and more vendors than ever before are vying for the attention and validation of privacy programs. In order to advocate for resources and technological solutions, the privacy office must be accountable for vendor governance and procurement decision-making, and oversight. How do you organize business use cases, requirements, and stakeholders to evaluate privacy and data governance vendor solutions? Who should be involved in decision-making for vendor solutions that have implications for compliance, but also require investments across the company?
This talk will explore a governance framework for roadmapping, resourcing, and driving decision-making for next generation of architecture with privacy by design. We will walk through the key players, requirements mapping, templates, and vendor engagement models for informed decision-making.
Tell me a bit about your background?
I started my career as a systems engineer working on business strategy. One component of that was privacy strategy. After working in consulting, I worked at the Federal Trade Commission and have worked as a privacy engineer as my career has progressed. Now I'm a technical program manager at Pinterest, where I manage privacy and data governance from the engineering side. We ensure that with all of the emerging regulations, but also commitments to users and regulators and stakeholders, that we're maintaining compliance on the front end and the back end.
What are you going to hit on in the talk?
What we're seeing is as privacy data and governance become very hot topics, that means there's a lot of new vendors entering the space. As a privacy program, we're figuring out: how do we evaluate all these vendor use cases? What do we actually need? Which vendors are actually going to deliver for the next generation of our architecture? In this talk, I talk about a framework we've used as a governance model. We've set up a data security and governance working group that is cross-functional. We're looking at different business cases to evaluate. Our chief architect sits as the sponsor for that group.
We're able to look not only deep at our upcoming business use cases and new data sets we want to collect to be able to determine one as a company, but we also engage on whether we should take on that risk of collecting new data types. If we do decide to collect new data types, then how do we make sure that we're handling it effectively? We're evaluating different vendors across a whole range of factors and thinking end to end about the next generation of architecture. We engage stakeholders from I.T. security, product analysts, and data scientists. We also have technical program managers who sit on the working group. We're thinking about the processes and technical architecture and policy. We're also involving our procurement teams and our downstream product teams as well.
It's very cross-functional and just a body where we can talk about what we want to do since there are lots of vendors in the space. We want to understand what the success criteria are before we evaluate them and make sure we communicate with vendors.
When you talk about a framework, are you talking about a process framework that Pinterest implements to address things, or are you talking about a framework to say this vendor is evaluated against this criteria?
It's the latter. It's a framework for figuring out what our roadmap and our resourcing is for decision making regarding which vendor solutions we want to pick.
Who is this talk targeted for? Is it is it targeted towards people that are like that chief architect that need to have a kind of a process for evaluating these things? Or is it targeted for like the privacy professional that is responsible for governing a program like this?
I would say it's both. If you are a privacy professional and you find yourself looking at a bunch of vendors who are pinging you on LinkedIn and meeting you at conferences, t and you don't know where to start the conversation, then this is a great talk for you. If you're responsible for making those vendor decisions, this talk will be helpful.
I think it's also helpful for people who want to be a champion for privacy or find that it's falling on them even though they don't have that role or title.
Can you give me an example of one of the trickier bits that you had to solve?
One of the trickerie parts of vendor evaluations is the timing of evaluations. When we started this process, it's always nice to say, you know, we're gonna set up a program, and we're gooing to set up a governance working group to evaluate use cases. But in real life, use cases are always happening. There's always this new seed. You come into it actually hot where the use case is already out, or maybe there's somebody that's already talking to a vendor. So we experienced that. And so we had to stand up a straw man pretty quickly for evaluating our use case. That's not how ideally how we would've done it and now we will evolve it over time.
Another thing is sharing some of the lessons learned about how we looked at AI use cases for machine learning inside the company. We had to set up an environment for testing on the fly and everything from signing the NDA to evaluating the vendor and make sure that all the different business stakeholders across the company had a chance to try out the system for various cases were the responsibility of the data governance group.
What do you want someone who comes to your talk to leave with?
I want them to understand the possibilities for setting up a successful working group around data security and governance where they're able to deliver results and come to success criteria and proof of concepts for vendor solutions that will help them run their privacy programs effectively.