Meredith K. Grauer is Deputy General Counsel and Head of Privacy at Marqeta, leading a team that defines and drives strategy to holistically manage all privacy-related matters impacting the company globally and provides guidance to support product development and information
Before joining Marqeta, Meredith served as Chief Privacy Officer at Nielsen, where she was responsible for the strategy, development, and execution of Nielsen’s Global Privacy Program, as well as General Counsel, Ops-Tech, Employment, Compliance, and Government Affairs.
Prior to that, Meredith worked as Privacy & Security Counsel at PwC and as the Americas Head of Global Data Protection at Deutsche Bank.
Meredith received her Juris Doctorate from Fordham University School of Law and her Bachelor of Science degree from Syracuse University.
Q: What does Marqeta do?
Marqeta helps companies build and manage payment solutions that meet the unique needs of their businesses. Our platforms and APIs enable our customers to launch new digital services, modernize existing payment operations and optimize payment efficiencies.
Q: And tell us about your background path to your current role.
I did not set out to focus on privacy; it was not a common area of practice at law firms or organizations when I graduated from law school, so it wasn’t even on my radar! But I have always looked for opportunities to learn new things, to expand my skill set, and to challenge myself. So, when states started implementing breach notification laws in the early 2000s, I was happy to be tasked with figuring out what my organization needed to do, even though my practice at the time was focused on asset and wealth management. And later, as Deutsche Bank was building out its global data protection team, I jumped at the opportunity to lead the Americas team. Every role I’ve held throughout my career has allowed me to grow – by working in different industries, at companies at various stages of growth and maturity, and even by supporting and overseeing functions other than privacy and data protection.
Q: You have seen different industries, risks and different size orgs. What are the common threads you see for good “data hygiene”?
There are many common threads. Regardless of size or industry, organizations have similar foundational needs to have good data hygiene. A strong privacy program requires companies to have a clear picture of the data they have, where it comes from, how it’s used and shared, where it’s stored and processed, etc. So many elements of data hygiene start with these; it’s imperative to really understand the data you have and how it moves in order to determine the safeguards that need to be in place, better manage data access and retention, ensure that your data use is appropriate and that your disclosures and contracts align to your practices.
I’m also a big fan of education and advocating privacy as a business enabler. I don’t worry about making sure that employees know the ins and outs of any particular law or regulation (in fact, most employees should never need to worry about that), but I do think that employees need to know what ‘personal data’ is and to understand key data protection principles and why those matter to the company, our employees and our customers. The more people are able to recognize when they are working with personal data and understand basic privacy concepts, the easier it becomes to apply privacy measures in all that you do. And that helps maintain trust with customers and partners.
Q: CNBC put Marqeta on their Disruptor 50 list in 2021. How is “doing privacy” different at a disruptor/more nascent company compared to ‘doing privacy’ at a major mature org like Deutsche Bank?
Some things are easier, and some things are a bit harder. Of course, there are also some things that are the same everywhere (cross-border data transfers!)!
One of the more positive aspects of being at a younger company like Marqeta is the fact that fewer things are ‘baked in’ - it can be easier to implement new processes and controls and embed privacy and data protection measures in our products and services, because our business is still evolving and we are less encumbered by existing tools or procedures. Disruptors, by definition, transform things, and I benefit from a culture that embraces change and is open to new ways of doing things.
On the flip side, more mature organizations often have existing resources and structures that can be leveraged and that can enable privacy programs to scale more quickly.
Q: How have you seen the privacy world change? Is ‘doing privacy’ the same as pre-pandemic or are there things you do differently? What is the impact of remote work on doing privacy?
I will age myself a bit here… I started in privacy when we were still using Blackberries, and social media was fairly new; almost everyone worked from an office. GLBA and COPPA had only recently become effective. There was no GDPR, no CCPA. Change has been constant. Technology developments and the proliferation of devices that capture so much of our data have changed the privacy world, and the regulatory environment continues to evolve. Things are definitely more complex and also more interesting!
The shift to remote work, in particular, raises a number of new privacy and data protection considerations, such as managing and safeguarding company assets when folks are using their own devices for work and when notes and files may be maintained in people’s homes. The fact that people’s personal lives and work lives are also much more intertwined now raises different issues too. Employees may be taking calls from their children’s soccer games or traveling with their work laptops and files. Information requires the same level of protection as it did when folks were sitting at a desk in an office, but practically speaking, the way you do that has to be different. I mentioned the importance of education earlier, and this is another example of why it’s so important. We need people to be privacy conscious all the time.
Q: How do you plan for the needs of the future especially staffing levels? What are your key factors for determining staffing levels? Department budget?
Budget is tricky since it’s often influenced by a number of factors beyond my control. It’s critical to maintain an open dialogue with my manager and key stakeholders to make sure I am aligning my strategy and budget, including potential new staffing, to the organization’s short and long-term goals and priorities (are we focusing on sales? expanding to new markets? entering a new business area?), and also to make sure they are aware of anticipated challenges and risks, including new regulatory requirements, that could have a significant impact on our resource needs so that those can be factored in.
When thinking about staffing levels and profiles in particular, I take a hard look at those priorities, current and anticipated projects and matters, and existing resources to make sure that I am building a team that will be able to continue to address the company’s needs and manage the workload. It’s also just as important to me to ensure that both existing and new team members will have opportunities to work on different types of matters and grow and expand their skill sets, so I look for people with different backgrounds at different stages of their careers to maintain that flexibility.
Q: What are the key factors you look at in determining your outside counsel?
It’s always helpful to me to work with outside counsel who have deep industry and regulator experience. So many data protection laws are relatively new, and there isn’t always a lot of case law or guidance from regulators to look to when thinking about how to interpret and address new requirements. Outside counsel with strong industry and regulator relationships can bring a broader perspective and help us gauge whether we are approaching things the best way.
I also really appreciate outside counsel that take the time to get to know my organization - the nature of the business, our priorities and goals, culture, time and resource constraints. Then I don’t just receive good advice, but good advice that I will be able to act on.
Q: What is the top privacy or data security issue that kept you awake at night as CPO?
Worrying that I will miss something! It seems as if there is updated guidance, an important regulatory action, or a new law being published almost every day. And the business can change quickly too! A big part of my job is staying on top of all of the changes and making sure people throughout the organization have the information they need about privacy requirements and risks so they can build and manage our products and programs in a compliant way.
Q: Lots of new hiring these days. What are the top 1 or 2 must-haves when you look at a candidate? How much does exactly on-point legal experience matter compared to project management or ability to craft a simple business solution?
The Privacy profession has grown significantly over the last several years, and we are lucky to have so many talented professionals. As a hiring manager, I am very focused on finding candidates who don’t just want to be subject matter experts but also real business partners and problem solvers. When faced with a difficult situation - for example, a matter where the business wants to do something that is not permissible or high risk - a great candidate won’t just highlight the challenges and risks, but will also propose alternative solutions and help our business get things done. Lawyers still get a bad rap sometimes for telling people what they can’t do. I want to build a team of business enablers.
Q: What advice would you give an up-and-coming privacy lawyer/professional?
The first piece of advice is the same advice that I would give to anyone, and that is that there is no one path to the top (or wherever you want to go), so keep an open mind and try things that appeal to you. My own career is very much the result of jumping into opportunities that allowed me to develop different skills and expertise, and I didn’t always know exactly what I was getting into. Of course, some of these worked out better than others, but making mistakes can be a good thing. Learning what works for you and what doesn’t, or what you enjoy and what you don’t, helps you define and refine your career goals and needs. And each different experience will give you new perspectives to draw from.
Speaking specifically to privacy professionals, I would say to think about how you can be well-rounded, even within this specific field, especially earlier in your career. Being able to recite GDPR or CCPA or HIPAA… should not be the goal. Privacy issues hit many aspects of an organization's business: contracts, M&A, HR, product, technology, security, etc. The more you can understand these different areas - how they work, the issues, objectives, and challenges, the better you will be as a privacy professional who can spot issues quickly, better assess risks and help craft practical business solutions, and it will keep more doors open as you navigate your career.
Q: I strongly encourage up-and-coming folks to prioritize finding a CPO who cares about their career. You are hiring. Tell us about you. How do you do what you do so well? What is your differentiator?
I’ve been very fortunate to have some wonderful managers and mentors over the course of my career, people who really invested in my growth and development, understood my personal goals, needs, and ambitions, and encouraged me to take on new and different roles and responsibilities - in some cases, even where that meant I’d be switching teams or becoming a peer. Those experiences have stayed with me, and I want to be able to do the same for others. People should outgrow the role they were hired to do; I strive to make space for my team members to grow on my team - whether that’s supporting new product areas, leading different initiatives, or taking on managerial responsibilities, etc. - but I also understand that sometimes their next great step will be somewhere else and that’s okay too.
I know that as a candidate, it can be very hard to prioritize the people when salaries and benefits can vary so much across organizations. But when I look back at my experiences, there is no question that I have been happiest and most successful when I’ve worked for and with supportive managers and teams.
Q: Anything else you’d like to share?
Just a ‘thank you’ for this opportunity to share my thoughts and experiences!