Mark Jaffe leads the Rivian ethics, compliance, and privacy program, which includes ethical culture, compliance oversight, privacy, and investigations. He leads a team of approximately 20 people that includes privacy professionals, lawyers, compliance professionals, and investigators responsible for developing and implementing Rivian’s ethics, compliance, and privacy programs and investigating allegations of employee wrongdoing. Mark and his team work on issues related to privacy, information governance, cybersecurity, artificial intelligence, and data ethics.
Before joining Rivian, Mark was Senior Vice President for Privacy at Teleperformance, a global business process outsourcer with over 400,000 employees operating in over 80 countries. At Teleperformance, he was responsible for a team of privacy professionals building and scaling a global privacy program. While at Teleperformance, Mark spent almost two years in Singapore managing privacy issues in the Asia Pacific region. During his time at Teleperformance, he also managed privacy issues in the Americas and Europe, the Middle East, and Africa and was asked to begin creating a compliance program before leaving the company in late 2020. Prior to joining Teleperformance, Mark spent 17 years at AT&T. While at AT&T, Mark provided legal support for a number of business functions, including business-to-business products and services, international carrier relations, and international HR before serving in roles relating to global privacy, compliance, and ethics.
Mark is a frequent speaker on a variety of topics related to privacy, ethics, and compliance. He earned his B.A., cum laude, from Duke University and his J.D., cum laude, from Northwestern University.
Q: Give us the highlights. How did you get to be responsible for privacy at Rivian?
I have been involved in privacy since 2005. My career in privacy began at AT&T, where I established the company’s international privacy program, helped integrate several major international acquisitions, and developed and rolled out the company’s GDPR compliance program. Six years ago, I joined Teleperformance as a Senior Vice President to establish its global privacy program. When I joined Rivian almost three years ago, part of my scope included building the privacy legal and operations function. Over a year ago, I added privacy strategy to my portfolio and now have overall responsibility for all of privacy at Rivian.
Q: As the Head of Ethics, Compliance and Privacy, your remit extends beyond privacy. What else do you cover?
My scope at Rivian also includes responsibility for developing a comprehensive program and culture of ethics and compliance, and I oversee internal corporate and employee investigations. Consistent with our motto, “Adventure with Integrity,” we:
Q: For privacy specifically, what is the scope of your remit? Do non-lawyers report to you? Do other areas that might be privacy related (such as AI, data governance, cybersecurity, privacy compliance, program management, etc.) also report to you?
My remit includes privacy as it relates to strategy, legal, and operations. This includes responsibility for privacy compliance, privacy program management, reporting to the Board of Directors and senior management, chairing our executive Privacy Steering Committee, and collaborating closely with our Chief Information Security Officer and the cybersecurity team. My team collaborates with others on AI and data governance and plays a critical role in how the company approaches those areas. The team deals with a full range of issues, including our privacy strategy, privacy notices for customers and employees, data subject access request approaches and templates, records of processing, privacy impact assessments, privacy by design, contracting, third party diligence, data incident response, data transfer approaches, and so much more. The team consists of five fantastic professionals – one lawyer and four privacy professionals with deep risk, compliance, and operational experience.
Q: What does a car company have to do with privacy?
As you may have noticed in the press, car companies are increasingly involved in the collection of customer data to provide services and features related to the vehicle and to enhance and improve the safety and reliability of their products. Unlike many other car companies, Rivian’s vehicles are built on a data platform that enables Rivian to continuously improve and roll out new features and services remotely. In order to do this and to enable our customers to use features such as mapping, various levels of autonomous driving ranging from lane assist to automatic braking, and sending remote commands (e.g., unlocking the vehicle), we collect data. In some ways, we are at the cutting edge of a highly connected and sophisticated “internet of things” device that touches sophisticated topics such as artificial intelligence and data-enabled analytics. In addition to these unique privacy concerns, we have the normal data privacy issues of an employer and value the protection of employee data privacy, including the privacy of protected health information under HIPAA.
Q: Where do you report in the organization? Where do you have dotted lines? Why is this important?
I report to our Chief Legal Officer. I work closely with and chair our Privacy Steering Committee, which includes a number of our top executives who oversee vehicle software, technology, our commercial relationship with customers, and autonomous driving. I also update the Audit Committee of the Board of Directors on ethics, compliance, and privacy. Given that privacy is an important aspect of Rivian’s strategy to enhance its brand and build trust with customers, reporting to the company’s top executives and having their attention is important to elevating privacy as a significant area of focus for the company.
Q: Isn’t AI just software code and hasn’t the world already been dealing with privacy issues from software code? How is this different? Why is this important?
AI is more than just software code. It is using software code to learn and make decisions quickly and more efficiently than humans and to drive improvements that hopefully will benefit people. One of the privacy concerns with AI, and in particular more sophisticated AI and generative AI, is that the software can be designed and/or learn in a manner that creates unintended or even intended bias in a manner that may not be transparent to its users and may have negative ramifications for some individuals. Given the speed at which AI is progressing, companies must be responsible in creating and explaining AI and its uses in a manner that can be easily understood, and in developing controls and testing to mitigate the negative impacts and effects. This is not easy and is a challenge for the AI industry and those utilizing AI.
Q: A big topic in 2024 for car companies could be autonomous driving. Why should privacy pros care about autonomous driving in 2024?
Autonomous driving advances hold great promise. They can continue to make vehicles safer for people and reduce the number of serious injuries and death. As with any product, software is not perfect and sometimes has unintended consequences. The privacy laws are designed to protect individuals, but also to promote the legitimate uses of data and uses that benefit the greater good of society without infringing unreasonably on individuals. From a policy perspective and a safety perspective, improvements in autonomous driving will challenge our views on societal benefits, individual rights, and artificial decision-making. From the use of technology to determine driver attentiveness, to bystander behavior, to other driver behavior, these technologies can improve our lives and our safety and will need to be responsibly created and explained to the public. How autonomous driving technology companies collect, process, and utilize the data needed to make these technologies help make society safer will likely further inform the standards all companies will have to understand when it comes to behavioral analytics and the balancing of societal benefits and individual privacy.
Q: The privacy workload has exploded over the last several years with no sign of slowing. What is your secret for “managing up” so that you can marshal resources such as headcount and budget?
My approach is to be clear about what additional resources are needed to do different types of activities and what the benefits and consequences might be for the different ways one might approach staffing an activity. Resources are usually hard to come by, but depending upon the strategic priority and importance, the resources should match the level of importance and risk that the company wants to have. Therefore, being clear on what the budget buys and what the team will not do if the additional budget is not provided usually helps with that overall discussion. We also work closely with our stakeholders to enable them to have accountability for privacy, to have the resources to implement efficiencies, to scale processes and procedures, and to implement good privacy-by-design practices. Without the entire business being supportive of privacy with resources and budget, the privacy office will not be successful.
Q: You have managed at some of the largest companies in the world (AT&T, Teleperformance) and now at a startup. What have you found to be the same? What have you found to be different?
Every company is unique and has its own culture and approach. Although I worked at AT&T for almost 18 years, I was really a part of 8 different companies, given the dramatic changes that took place through mergers and acquisitions. All my experiences have one thing in common – collaborating with people and developing relationships are the keys to influence and success. Being successful at doing this requires constant work because organizations are continuously changing. The biggest difference between Rivian and AT&T and Teleperformance is that Rivian is maturing in all areas of the business. At AT&T and Teleperformance, parts of the business were mature and other parts were in the process of changing and/or maturing.
Q: Competition for top-quality privacy candidates is fierce. We often advise candidates to ‘chase the CPO’ not just title/brand name/comp. What set you apart from your peers to get hired? What sets you apart from your peers as someone who may be in a hiring position?
There are several areas that set me apart from my peers. The first is experience. There aren’t many people who have been involved in ethics, compliance, and privacy for almost 20 years. I have seen a lot and been involved in a broad range of issues. Second, I am pragmatic, operationally focused, creative, and realistic. I have perspective. Third, I am a caring person who works very hard to provide my team with growth opportunities, decision-making authority, and individualized coaching. My team’s success is my ultimate reward.
Q: You landed the Rivian gig but never worked for a car company. How were you able to change industries? For up-and-coming professionals, are there skills/knowledge/experiences they should focus on to be more broadly appealing to hiring managers? From your own experience hiring/being hired, what is the role of industry experience?
Depending upon the industry, it is not always easy to change industries. As mentioned in the previous question, I believe my broad experience in a wide range of issues has allowed me to be a good candidate for a position in almost any industry. However, in some industries, industry-specific experience is going to be very important.
Q: What advice would you give an up-and-coming privacy professional?
Be flexible. Seize new opportunities and projects. Think creatively and pragmatically. Think about the short game and the long game – it is not always important to solve all problems immediately, but to make improvements and to continue to improve over time. Privacy is a journey, not a destination, so see where the road takes you for an adventure. Focus less on the skills and more on the experiences – be the one who is willing to take on a new task, learn a new area, and grow your breadth of experience. The narrower your skills and knowledge, the more restricted the opportunities may be.
Q: The last several years have seen lots of change, especially with Covid, WFH, RTO policies, etc. How do you instill and maintain team culture? What does ‘culture’ even mean?
Having worked at large companies, I rarely have worked in the same location as the people on my team or the people in the business with whom I interact the most. When I started out, all my work was done by conference call – video conferences did not yet exist. So, for me, having video conferences has made it easier to connect with people and develop a culture. Within my team, I try to instill culture in a few important ways. First, by being human – learning about people, their families, their interests, their working style and ambitions, etc. Second, by having regular contact – both planned meetings through video conference and unplanned meetings through quick calls or messaging. Third, by having team meetings both remotely and in-person and, of course, meals and events. Lastly, by building camaraderie – a common purpose, a team philosophy, and a way of connecting everyone together.