Inside the chief data privacy officer role with Barbara Lawler
This fall, leading data platform company Looker announced that Barbara Lawler had joined the company as its new chief privacy and data ethics officer. She appears to have been an obvious choice for the role, having previously served as chief privacy officer for Intuit, Inc. and the Hewlett-Packard Company.
At a time when a growing number of data privacy mandates are taking effect or will soon, such as the General Data Protection Regulation, more organizations are adding a data privacy officer to their data management teams.
Information Management spoke with Lawler about why there is a growing need for this role, what her primary responsibilities are at Looker, and her advice to others who would like to pursue this career step.
Information Management: You join Looker as chief privacy officer and data ethics officer having already served in the chief privacy officer role at Intuit and at Hewlett-Packard Company. How common is the role of chief privacy officer and why is it needed?
Barbara Lawler: Chief privacy officers (CPOs) emerged around 2000 in the tech industry (led by IBM and Microsoft), but were few and far between. The role has become quite common now, but not all chief privacy officers are created equal. Some CPOs are mid-level compliance managers, some act in more of a risk management capacity, and a few are directly involved in shaping and driving strategy. My role at Looker falls into that latter category.
When it comes to my role as CPO, I consider myself the trust amplifier for the company and especially for the customers. It’s my job to instill responsible and ethical data policies and practices so our customers trust us.
CPOs have the unique benefit of seeing across the entire organization - where data flows, how it’s used and why. Data is becoming increasingly critical to business strategy, customer engagement and operational effectiveness. It’s important to our customers that we’re getting privacy right. A successful CPO should be bringing the stakeholders within the organization together to assess privacy and data ethics issues, tackle new privacy regulations and establish effective controls around data.
IM: Who do you report to, and how much ‘clout’ do you bring to the role?
Lawler: I report to the general counsel, who in turn reports to the CEO. “Clout” happens through a combination of three paths in leadership: 1) sponsorship and empowerment from the very top; 2) engaging with and building relationships with key internal stakeholders; and 3) product, engineering, marketing, sales & finance taking decisive actions to anticipate and deal with privacy needs and issues.
IM: What are your primary responsibilities as chief privacy officer and as data ethics officer?
Lawler: My role covers three major areas. First, I lead strategy on data ethics for Looker, our customers and partners as data becomes the lifeblood of organizations. Being a leader in the data platform and data science ecosystem means increasing rigor at all phases of the data lifecycle.
Second, I enable product, engineering and sales teams to meet customers’ and prospective customers’ privacy compliance requirements, including privacy-by-design reviews. And I drive solutions to ensure our products and website are market leaders in privacy features.
Lastly, I serve as the go-to person and ensure Looker’s policies and compliance with all applicable global privacy and data protection laws, including the EU General Data Protection Regulation (GDPR), and E-privacy Regulation, UK Data Protection Regulation, Japan Data Protection Regulation, and US Federal and State privacy and breach laws.
IM: How does your role fit into the overall mission strategy at Looker?
Lawler: Looker’s mission is to empower people through the smarter use of data. Customers care that their data is protected as they enjoy the benefits and conveniences of modern technology. They want to know what data about them is captured, how it is used, how long it is retained, and who has access to it.
When privacy is done right, that knowledge will bring customers confidence and trust in the vendors who demonstrate respect for their data. Privacy is good for business―and for innovation. Achieving this takes expertise, experience, commitment and engagement across organizations. Technical, legal, and business teams must collaborate to make this a reality.
IM: How is your job being impacted by recent regulatory actions, for example, the GDPR?
Lawler: While GDPR sucked all the oxygen out of the room and continues to drive new or revised privacy rules around the globe, it is important to keep in mind that no single country or region owns the rules. Each country interprets privacy according to its cultural norms and legal frameworks. Other international efforts such as APEC’s Cross Border Privacy Rules, the EU-US Privacy Shield, along with legal data protection regulations and frameworks in 126 countries and across 50 U.S. states prove that responsibly handling people’s data is serious and critical for business success.
New on the horizon is the California Consumer Privacy Act (CCPA) of 2018, inspired by GDPR but carrying its own unique set of requirements. It’s highly likely that other U.S. states will replicate some of it or all of it. This is currently driving renewed dialog and debate in the U.S. Congress about what an appropriate national framework for privacy legislation would look like - one that provides a level playing ground for business, greater certainty and consistency for consumers while retaining and enhancing the United States’ global leadership in innovation.
What’s unique about Looker is that it’s a centralized data platform that leaves customer data in their databases. This means that people no longer need to extract the data to analyze it. They can interpret it and act on it directly, accessing only the data they need to answer their immediate questions, while still retaining the ability to ask more. That means that Looker’s architecture helps enable GDPR compliance.
IM: What led you to pursue these areas of data management as a career focus?
Lawler: Early in my career I consistently had roles that involved databases, manipulating data and setting business requirements for systems that supported sales, call center ops and CRM, resellers and content management. Pre-data brawl and data sprawl - it was an era of mini brawls, building walls, moats and silos. I am an advocate for the customer and people need to remember that behind the data are real people and human activity. What led me to pursue this career was really a focus to keep the humanity in data analysis.
IM: What do you find to be the most challenging responsibilities in your job, and why so?
Lawler: At Looker, the most challenging part of the job is staying focused on the strategy and long-term support of the company’s mission and driving data for good, while at the same time tackling the day-to-day needs of the sales teams. This involves helping the executive team “see around the corner” by responding to customers who are constantly asking for detailed privacy and data protection information.
With the traditional CPO role, the most challenging part of the job is keeping up with the complexity of new or proposed laws and being able to quickly translate what that means to the business. This includes the “soft” trends and topics in the news, actions in the courts and the “court of public opinion” that gives you leading indicators about emerging issues.
And staffing! It’s still very much a job seeker’s market and demand vastly exceeds supply.
IM: What professional skills and experiences, and personal qualities and traits, do you feel most help you to be successful in these roles?
Lawler: In sports we talk about “multi-tool athletes,” and I think to be a successful and impactful CPO this concept still applies. A CPO needs business skills, soft skills, technical skills and the ability to synthesize and explain complex topics in a straightforward way. As a CPO, you don’t need to be a lawyer but you certainly need to have a firm grasp on legal concepts, issues and legislative language (and intent).
IM: What advice would you offer to someone that aspires to either of these job roles?
Lawler: First, if you have a technical background, love data and are interested in privacy, businesses need privacy engineers and architects. That is the future of many privacy roles, including at the leadership level. There is a demand for privacy engineers and architects who can design and drive implementation according to SDLC methods in partnership with the CPO.
Second, if you aspire to the CPO role there will continue to be leadership roles in privacy for lawyers, consultants, compliance managers, etc. This includes handling contractual risk, developing and promoting policies and writing notices.
Find out who is leading or dealing with data and privacy issues and volunteer to help with a critical privacy, data governance or data security project or initiative. If you are just starting out, more and more universities are offering some type of privacy curriculum mostly in the legal and technology/data spaces.
Definitely follow privacy publications and articles from policy groups, technical groups, legal scholars and privacy thought leaders. Join the IAPP (International Association of Privacy Professionals) and get privacy certified.