Fireside Chat: Matt Cooper from Vanta

December 13, 2021

Every other month, Opsware partners with privacy experts from around the globe and shares real-world insights and data.

In December 2021, we sat down with Matt Cooper from Vanta to discuss the best practices when planning and implementing your privacy program.

Transcript of Q&A:

Peter Barbosa:

We have four questions parked for Matt. We're gonna aim to get them at around five minutes each. And at the very end we'll then address the audience Q&A again at the end of the session there. So let's jump into it and not waste time. We're gonna try to keep this to below or around the 3:00 PM mark. So first question, Matt, what are the first steps to dealing with privacy and compliance?

Matt Cooper:

Perfect. So the first step I would say is to really establish and understand your business context or the context of your organization. That is, your organization is trying to accomplish something. Those are your objectives. And a privacy program is really a means to an end. So you're facilitating the accomplishment of those objectives. If you're doing things to comply with privacy, but they're not compatible with your strategic direction or what you're ultimately trying to accomplish, you're not really achieving what you want to with that. So part of that context is just knowing who you are, what you're doing, where you're operating, who your stakeholders are, et cetera. The second step I would say would be to understand what are the laws or regulations that are relevant for you, or what are you trying to maintain?

Matt Cooper:

So things like GDPR, CCPA, US state-level laws, there's a whole bunch of them. Additionally, maybe your organization is maintaining an ISO 27001 certification, or they're attesting to the privacy criteria under SOC 2. You need to know what your target is, what you're trying to maintain and what you have to stay compliant with. Following that, I would say having a very clear inventory of your scope. So what data do you actually get that's PII or related? Then where does that data live? What systems does it live in? What vendors have that data, what people have access to that data, maybe even locations where that data is accessed or stored, so that's really the scope of what you're trying to protect. And then once you've done those things, I think the last step is to really assess the risk. So you have certain data, it lives in certain locations, what could go wrong and what do we need to do to prevent that from going wrong? What controls do we already have in place? And then what is the delta there, what are the gaps between what we wanna accomplish, the controls we have to do that, and the things that we could do better.

Peter Barbosa:

Awesome. So you mentioned one interesting thing there around stakeholders, and one challenge that we hear a lot of when we do our customer discovery is getting stakeholder alignment, particularly where we hear there's sometimes hesitation with engineering and whatnot and understanding that. So what are the best ways to get stakeholder alignment and even sponsorship for a privacy program?

Matt Cooper:

Yeah, really great question. I hear similar things. So the one thing that I think is really important here is to frame this in the context of risk. This is something that I think senior leaders can get more behind. It's one thing if you say, oh, GDPR says X, Y, Z. So what, right? Like, how does that affect me? What does that mean for my actual business? But if you can show, hey, these are the things we're not going to accomplish as part of our mission because of some sort of privacy risk, or these are the dollars that we stand to lose because of some sort of privacy exposure, or here's a number of opportunities that we can't go after, or capture, because of some exposure.

Matt Cooper:

Now, I think you're speaking the language of senior leadership. And by putting it in the context of risk, it's not just privacy out on its own. It should be in the context of all the business priorities and risks, because that's what senior leadership wants to weigh against. We all have finite time and we have finite resources. And so that's the job of top management, to allocate those properly, and not everything gets all the resources that the group who's focused on that might want. But if you can look and see the bigger picture and how this works into the organizational priorities, those decisions start to make more sense.

Peter Barbosa:

Cool. And you're suggesting, really, from what it sounds like, starting from the top and making your way down, like going top down versus bottom up.

Matt Cooper:

Yes. And obviously going bottom up makes sense too. You want your own team, your own cohort and folks to be on board as much as possible. But at the end of the day, risk is owned by senior leadership and they need to have insight into what's happening. The other thing is, you don't wanna make assumptions for how they see the risk. You might have a certain view, but once you make that transparent, you show something like likelihood and potential impact, and you share that with top management, they might have a totally different view. Once they see the risk and they see that put in front of them, they might say, oh, actually I think this is a lot more of a big deal than you did, or less. It can go either way.

Peter Barbosa:

Cool. And based off your experience, have you seen there been times where privacy professionals or privacy officers actually go ahead to get sponsorship, or at least to increase their sponsorship, and actually end up getting less sponsorship? And what are some scenarios where that happens?

Matt Cooper:

Yeah. I mean, I certainly do. I think it's human nature that everyone gets very focused on the thing that we are involved in, the thing that we are responsible for. I think it's almost a cliche that folks in the cybersecurity space in particular can get very overly concerned about the vulnerabilities that you see, or some sort of weakness that you see in the technical environment. But once senior management sees those things, they can help to frame that again in terms of where the overall organizational concern might lie. And they might say, hey, I get that. I agree with you. Like, this is not ideal, but really this thing over here that you're not really even involved in or focused on really needs to get our priority, our focus and our resources, and I'm gonna accept this risk for six months, and then we can revisit it when we budget next year or something like that, because we need to consider the entirety of the organizational priorities. And again, security and privacy are means to an end. The organization must be really focused on achieving its organizational objectives.

Peter Barbosa:

Awesome. Cool. So that kind of brings me to our next question here, which is what are some of the common mistakes you see companies or privacy professionals making when handling personal data internally, and what are some things they can do to,

Matt Cooper:

Good question. So the first thing is understanding the context. We just talked about the context for the business and the business' mission. There's also the context for privacy. So I work with a lot of American companies, especially American companies selling into Europe. And we have to understand there is a cultural difference and there is a different frame. So there's a bit of a, again, maybe a cliche here, but when we say data protection in the United States, we oftentimes think about the bad guy, the hacker, or something like that. Some unauthorized person who's going to get access to our data or systems and misuse it. And the companies that we're sharing it with and our service providers, those are the good guys and we're not so concerned. But I think when you look at a European perspective and just the history of privacy and data protection, it refers more to not the bad guy, but the good guy misusing the data or not respecting my preferences, my data protection, my privacy, and it's about that appropriate use.

Matt Cooper:

So there's a lot of different mistakes we can make. Some of the common ones I would say would be over-collection, just collecting things we don't actually need to. Anytime you have PII in your system as a business, you should know how you're using that to make money or to achieve your objective. If you don't clearly know why you have that and why you need that, you have risk without a justification. Another similar risk to that is over-retention. Okay, you took it, you got a good reason to use it for a certain period of time, but now it's just sitting out there in your CRM for years and years and years. And as that data accumulates and grows, were you to have some sort of a breach, you now have a lot more risk, a lot more exposure, a lot more cost to remediate.

Matt Cooper:

So take the thing in, use it for a known purpose and a known period of time, and then get rid of it if you don't still need it. Some other, more kind of tactical, in-the-weeds mistakes are confusions over opt-ins and opt-outs, or confusion over purpose: using things for secondary reasons that really weren't agreed to or understood by the data subject when they provided it to you in the first place. Another potential mistake is just weaknesses in your subject access request process. Not knowing where things are, not able to adhere to the timelines, not able to track those things appropriately. Another very common place where you can have issues is with your vendors. So you have third parties or your service providers. Do you have the right contract language with them?

Have you properly assessed their risk? Do you know their role in a subject access request process? So on and so forth. So those are what I consider like the kind of common things that we think about. I have one more that's a real, more counterintuitive one, which is over-complicating the process, over-engineering the solution. So again, when we step back, when we look at the business context, we need to remember that privacy management is really a means to an end. And so if we're gonna spend a million dollars solving a privacy issue, when we could have spent a hundred thousand, that might not have been a smart way to go. And so really taking that risk-based approach in everything that we do so that we know our solutions are right-sized to the problem.

Peter Barbosa:

Cool. I like that. Now, how do you overcome some objections you might get from your stakeholders? And something I hear a lot of, and kind of going off script here, is, from our experience, a lot of engineers tend to really wanna hold their data close to them. Right. And they're very scared when it comes down to deleting data or even just kind of sharing information around it, or even how much they collect around it. What are some of your suggestions on how to overcome those objections that a privacy counsel or privacy professional might have within the business?

Matt Cooper:

Yeah, really great question. I get that you build something, it needs data to work and you want that to keep doing its thing. I guess the main thing I would ask would be, what is the purpose of this processing? Because it's a very common use case where you have to identify a thing, a person, or an entity, and it has to be a unique identifier, but that identifier could many, many, many times be generic. It could be person 1, 2, 3. It doesn't have to be Matt Cooper with XYZ social security number. And I think that when you really drill into that, the use case for when you need their specific PII really gets very limited. And so then the question for engineering is, okay, like, yeah, you need this data, you need this processing to happen. Can't we do something more creative here so that you can still process, but we don't need to have this high-risk data, this address, credit card number, social security number, you name it? Can't we pseudonymize it or something like that?

Peter Barbosa:

Cool. Awesome. Great. So that kind of dovetails nicely into our fourth question here, which is what are some of the best practices you'd suggest when collecting and handling personal data? I'm sure this is a pretty big

Matt Cooper:

Yeah, no, there's a lot of things. So understanding your own context again. I already said that, but it's in some ways easier said than done, but really having a very clear view of all these aspects. That's my mission. How does processing PII benefit that mission or how is it a necessity? And then, from a technical perspective, where is this actually happening? I mean, a very clear sense of the inventory of your data, the systems that it's flowing through, the vendors that hold it, how long they're holding it. So really just having a really crystal clear and crisp understanding of your own data environment I think is really critical. And once you do that, some of the other questions become maybe more self-evident. Beyond that, I would say, it's kind of a joke, but like, just don't do it.

Don't collect high-risk data that's gonna put your business at risk unless you really need to do that. And why do you need to do that? Okay, great. Do it for that period of time, get rid of it or anonymize it, pseudonymize it. Just really looking at all the principles of privacy by design and really trying to implement those in as robust a way as you can, getting creative potentially with your engineering and your data processing. And then, as a backstop to all of that, without over-complicating it or spending too much money, such that it's no longer justified based on the risk.

Peter Barbosa:

Cool. And now, so it sounds like a lot of this still comes down to, like, one gap we hear a lot of is it always comes down to that privacy officer in the business, privacy professional, right. And a lot of this is individuals understanding the contexts around their business and why they should collect data, or what their proper reason is, or what their basis is for doing that. But to me, it seems like a lot of this ties back up to a broader theme, which is like awareness and privacy awareness. What are some of the tips and tricks, and even ways that you've seen privacy teams and professionals raise awareness within their organization, across their team members, and get people to actually care about privacy?

Matt Cooper:

Yeah, no, that's a great question. I oftentimes in conversations end up taking it back to the basics. We're always looking for silver bullets or really cool tools in information security, and they're out there. Tools can be incredibly helpful in accomplishing these things. But at the end of the day, you need basic cyber or privacy hygiene in order for those things to be effective. So it's the kind of boring stuff around training. Well, let's take training, right? Security awareness training. It's like almost a joke sometimes where you watch like a 30-minute video once a year and you're like, boom, I'm not gonna write down my passwords and put 'em on a sticky note. Okay, great. Yeah. But make that a meaningful exercise. Help your team customize something to really understand, like, this is the context for us, this is how we're actually taking in PII.

Matt Cooper:

This is the risk for us. And again, I think when you put it in that risk context, it gets more interesting, where you're like, oh, wow, like that would really be bad. That would be really painful if this sort of thing materialized for us. And so let's really make sure we have a full all-hands-on-deck effort to prevent that. And this is where different stakeholders are gonna have different ideas. Engineering's gonna have a lot of ideas of like, oh, well, now that I really understand the privacy context from the business perspective, here are these three or four technical things we really need to think about that I've been talking about in the team, but let's make this more of a company effort and get that awareness out there for senior management to give us the support that we need to invest the resources to get those things done. Cool,

Peter Barbosa:

Cool. And one very common thing we hear of as well, and I'd love to hear your thoughts on it, is PII. It seems like a lot of other individuals within the business often have different definitions of what PII is and what constitutes PII. So again, what's the best way to raise awareness and educate your stakeholders and other team members as far as what PII is and what that consists of and what it could look like, so they can tie that back day to day? I find that sometimes the most challenging thing for teams is to understand, oh, an IP address can be PII. Are you sure about that?

Matt Cooper:

Would love to hear your thoughts. Yeah, absolutely. This is actually a super interesting topic if you really want to drill down into it, because it's not just the obvious things. So first off, the short answer I tell people is anything that can be used to identify a person. Okay, that's easy enough, but it's actually a little bit more complicated. If you really start getting into the weeds, especially in, I think, a European context, you have identified data and identifiable data. So identified is like my name, my address, my social security number. It clearly belongs to me. It identifies me as a person. But then you can have data that seems anonymous, but actually could be used to identify me. Let's say you have a data set, which is the cumulative age of all the people in my family.

Matt Cooper:

Yeah. You have this number: it's 300 years old. And now you have a data set and it's the cumulative age of everyone in my family, except for me. Well, now you've just identified my age from a data set. And these are the things that statisticians need to think about when they're putting out data sets. But the idea of reconstruction and rebuilding data can really put another spin on it for folks in terms of, like, what's PII and what's not. That's probably too in the weeds for most businesses to have to worry about, because most of us aren't putting out statistical data, but it's worth considering. Okay, we have this data that's identified, but what do we have that could be identified beyond that? And in the US, to your point, it's different. It's more weird because of our sectoral approach to privacy, where an IP address in one context is PII, in a HIPAA context, let's say in a HIPAA breach, but in another context it's not PII. And so it is very confusing. And that's why companies need to really understand these things for themselves so they can take their own approach, their own risk-based approach that they feel good about and they can justify.

Peter Barbosa:

Awesome. Coming back to best practices now, one thing you mentioned early on is, for essentially planning for your program, a map of different regulations and jurisdictions you need to be concerned about. So what is the best practice around, let's say, I'm in a scenario where I'm a global company. I operate in the EU, I operate in South Africa, Brazil and the US, and there's all these kind of broad privacy laws and regulations, and I have customers in all those jurisdictions. What is the best way for me to start looking into compliance? Like, which regulation do I start with? Or when I map them, one regulation, LGPD in Brazil, says I need to respond to a DSAR or fulfill it within 15 days, and another regulation is 30 days, unless it's 45 days. How do I kind of just cobble these together, and how does that look operationally? Any good practice or suggestions of how

Matt Cooper:

To handle that? Yeah, completely. And I get this question a lot too. So what I suggest is that you really look at the core controls around your information privacy program, because the themes and the control categories are really all the same. It's really the details where they start to differ. So things like notification, purpose limitation, the ability for the user to make SAR-type requests. Sometimes these are referred to as the FIPs, the fair information practices. Other tools you can use for this are the frameworks, like ISO 27701, which is more of a generic privacy controls framework, or even the AICPA trust services criteria, or NIST has a privacy framework, which is quite good. And then put together a privacy program that meets these core requirements.

Matt Cooper:

And then once you've done that, now go look at the specific jurisdiction that you're in and see where you have these details on the margin that you need to account for. So to your point, response time. Well, response time, maybe it's 30 days, maybe it's 45 days, and either set your program to adhere to the most rigid or track on those details. Another potential real gotcha could be data residency, right? So data residency isn't strictly in GDPR, but it is becoming more of a post-trim to more of like an internal business requirement for certain sensitive industries in Europe. And there are some residency laws out there, so that would be another detail. Or look at like CCPA and "do not sell". That's kind of out of the blue, but this is like a detailed requirement that goes on top of the core of your privacy management program. But I would just definitely focus on that core first and then go through and track on the details.

Peter Barbosa:

So when you say core, map out all the requirements that you know of, as best you can, and then, to your suggestion, pick the most rigid and strictest and make sure you're following those, and use that as your benchmark for all those operations within the,

Matt Cooper:

I think that's a fine way to go. And you'll find that when you look at these core requirements, notice, yeah, purpose limitation, just integrity and security, and the ability for the user to request data, respond, get a deletion, those are gonna be common to all these frameworks. And if you get those things in place, you'll be in a very good position to meet the various requirements.

Peter Barbosa:

Right. And this makes your day-to-day operation probably easier then, because then you're not worrying about different policies depending on where they're coming from. You're referencing that one policy.

Matt Cooper:

Exactly. And then Washington passes a privacy law or some new state and it's like, okay, we already have the main controls in place. It's not really a big deal to adhere to those or to accommodate those.

Peter Barbosa:

So it makes scaling your privacy program easier as the business is growing, which is also probably the wisest start. You wanna do it as early as possible.

Matt Cooper:

Yeah. Completely cool.

Peter Barbosa:

Awesome. All right. Well I think that's all we had for today. This is being recorded and will be shared afterwards, which it definitely will.
