Landing a job in the privacy sector is a dream come true, isn’t it?
I remember the feeling of sheer joy when I received the news that I’d been successful in the recruitment process as a data protection lawyer t at a firm specialising in this field! Wow, those months of transition, immersing myself in GDPR and LGPD, attending face-to-face courses, meeting people, posting content on LinkedIn… it had all paid off! Now I could devote myself to the subject I was passionate about and, on top of that, get paid for it! Isn’t that the dream?
Obviously, I hadn’t thought of one “little” detail: not everyone is as obsessed with the subject as I am (and my colleagues in the field). Over the years and in the various places I’ve worked, I’ve noticed this pattern: I (and the team) were passionate about the subject and, for us, there was nothing more important in the world. The client (who in this case were external clients or other departments within the company) definitely didn’t share the same enthusiasm.
I have a crystal-clear memory of when a former coordinator said to me: “Lígia, you have to remember that we’re in a company where the end product isn’t privacy. However important and worthwhile the issue may be to us, that’s not the reality for the rest of the company.”
Gosh, it’s shocking to realise that the issue you think is important, that underpins democracies, that is historically an achievement, that is a fundamental right, that you’ll go on and on about to friends and family at events… well, the subject that is part of your life, of your heart, and which is now your profession (THANK YOU, UNIVERSE!) doesn’t cause the same excitement in everyone hahahaha
But if you think about it objectively, setting your emotions aside (perhaps that’s a topic for a future post: maturity and realising that people’s reactions to your work aren’t personal), it becomes easier to see this:
When I worked as a consultant, the first (and naive) thought that came to mind was: these clients have paid a lot for this consultancy and are just as anxious and eager as I am to begin this journey of compliance with data protection laws (poor thing. . .)
Of course, I was very lucky: I had several clients who attended EVERY data flow mapping meeting. They turned on their cameras, were engaged, seemed happy and in good spirits, shared details of their reality, and voiced their concerns without fear. The first blow came when I was responsible for data mapping at a company in the energy sector, and I was met with coldness, even a touch of apprehension. I realised that you have to make it clear that everyone there is on the same team, and that this was definitely not an audit. With a lot of effort, exhausting all my charisma on a daily basis, I felt that trust was gradually being built (even so, nobody ever turned on their camera… which is a bit of a bummer, but never mind!)
Now, when you’re working in-house, there are many advantages: you know people by their first names or nicknames, you understand the business, you get to know the limitations of each department, and, above all, how they view privacy in a context where it’s “not part of their job”. Both when I worked at the bank and in my last job, the scenario was this: people already have their own work to do: targets to meet, meetings, problems, documents to review and draft… imagine someone coming up to you and saying, “Hi, you need to fill in this privacy assessment in a system you don’t know how to use. You need to update a document with a strange name, also within a system. You’ve been identified as responsible for a high-risk issue, and you need to mitigate it.”
With this approach, what do you think happens? Yes, the departments get fed up with us, I’d even bet they roll their eyes. e There’s likely to be a lot of privacy theater going on. As the Portuguese saying goes, “privacy for the English to see” *.
OK, but what did I actually do to turn that situation around?
At the bank, I relied heavily on building personal relationships and fostering trust between people. Yes, it’s a cliché, but in the end it’s always about people. Talking to them, explaining that there’s going to be an incident response drill and that “I know your schedule is very busy, but your department is crucial to this drill, and it would be incredibly valuable if you and another representative from your department could attend. I’m really grateful for your contribution to our department and for ensuring that, should a worst-case scenario arise, the bank’s key departments will know what to do and will be on the same page”.
At the start-up, in addition to this personal touch, I relied on something that is definitely super important: the support of senior leadership. When the person in the highest Product role reinforces to the squads that the privacy team needs to be involved in day-to-day operations because this helps ensure new initiatives are born ‘in accordance with the law’, we build friendships among PMs. PMs who not only submit all documentation as soon as they organise their quarters and attend all FUP meetings, but who proactively seek you out whenever a question arises, and who end up spreading, organically, the mindset of “speaking to privacy first”.
In that role, I saw the concept of ‘privacy champions’ take shape naturally and organically before my very eyes, stemming from that combination of building relationships and trust, and understanding the importance of the issue to the business. Honestly, nothing moved me more than when a message popped up on Slack from a dear colleague in HR who was concerned about a new initiative and asking for a privacy opinion, or when a message appeared from someone on a team I’d never heard of, but whom someone from the product team had mentioned might want to speak to me about a campaign.
This is getting a bit long, but I can’t help but mention how smoothly (and quickly!) the workflow for handling requests ran, thanks to the company culture and the way the CSI team (yes, just like the TV series) was introduced. I wasn’t working at the company yet, but I heard that the CSI team was introduced to everyone with the following premise: if someone from CSI contacts you, help them. The matter is urgent and important. So, whenever there was something related to a data subject request that had been previously filtered by CSI, I felt as though I had a fast-track pass within the company: I’d raise my hand, send a Slack message explaining that it was a CSI request and that I needed the XYZ information, and voilà: I always got help, and the mystery was quickly resolved, ending with a response we drafted together (PrivacyOps and Privacy Legal) and sent to the data subject.
I’ll conclude this piece by reflecting on the importance of building genuine connections with people from different sectors, of understanding that privacy isn’t the main concern of other teams, that support from senior management on the issue helps a great deal, and of approaching privacy in a way that’s palatable, rather than as something tedious, abstract, bureaucratic and that ‘holds up’ the business. I firmly believe that our role is to foster and enable initiatives in a way that aligns with the company’s reputation and legal obligations, and I can say that I have seen this happen in real life.
*The expression means, for all intents and purposes, ‘without validity’. The most widely accepted explanation is found in the book “A língua Nacional” by João Ribeiro, which explains: “during the Empire, the Brazilian authorities, pretending to yield to pressure from England, took token measures to combat the African slave trade – a fight that never took place, which was merely staged ‘for the English to see’.” Source: https://veja.abril.com.br/coluna/sobre-palavras/como-nasceu-a-expressao-para-ingles-ver/