As part of our Captains of Industry Interview series, Lawrence Brown, Sr. VP Legal, Houston had the good fortune to sit down with the first CPO of Zeta Global, Benjamin Hayes. In his role as CPO, he is overseeing Zeta’s privacy compliance program, managing privacy integration of its acquisitions, engaging in hands-on privacy by design, and helping navigate the GDPR, CCPA and beyond. It is our immense pleasure to share Benjamin Hayes’ invaluable insights with you. Enjoy!
Q: What does Zeta Global do?
Zeta is a marketing technology company that helps Fortune 500 companies acquire, grow and retain customers through real-time data, AI, multichannel marketing activation and analytics.
Q: And tell us about your background / path to your current role?
I have been a privacy lawyer for my entire 21+ year legal career. Due to a lucky alignment of stars, I graduated law school with a background in the field just as new laws caused a tremendous demand, with few practitioners at the time having the right knowledge and experience to respond. As the field of privacy law and the privacy profession have unfolded, I have been privileged to have a front-row seat to a fascinating chapter in legal history. I’m now practicing privacy in the digital advertising technology industry, which is about as close to the bleeding edge of legal and technology innovation as one is likely to get.
Privacy Team Structure and Management Best Practices
Q: You have experience setting up several privacy teams from the ground up and through your career have seen some very different privacy org structures – not always reporting up through legal. If you were to design a privacy team from scratch, where would the role report? General Counsel/Chief Legal Officer? CCO? COO? Chief Risk Officer? CFO? CEO? Etc.
I think the answer depends on the specifics of each organization, because despite job titles, internal decision-making authority is allocated in different ways across different companies. The bottom line is that the CPO needs to have the ear of top management and product leads and the ability to interact with them directly, as well as being in close communication with the people on the ground who actually make the company run on a day to day basis. In my current role, I report to the Chief Legal Officer, who reports to the CEO. That is a structure that works for us, and that I have seen work in other companies.
Q: Cross-functional communication and collaboration are obviously key in a successful privacy program. What players need to be peers? CISO? Others?
The privacy office occupies a unique position, because, maybe apart from the COO, it is the only arm of a company that needs to have deep visibility into everything the company does: all divisions of the company, all products, the technology that makes them run, the communications about them, how they are linked together, how they are linked to clients and vendors, and how all of it relates to the law. So, good relationships and communication are key with the CISO, product leads, commercial teams, engineering and facilities leads, the communications department, the learning and development team, in short, with both the people who manage the business, and the people on the front lines actually making it go.
Q: Many companies have moved to having a lawyer in the top privacy spot. Why not Chief Privacy Counsel? Or General Counsel for Data? Does “CPO” title create an expectation that there is no attorney/client privilege? Does the ‘counsel’ addon generate the expectation of privilege?
I personally think—and let me be the first to acknowledge my implicit bias as a lawyer—that exhaustive knowledge of privacy laws is the sine qua non of being a CPO. Because the role is about legal compliance first. It’s ultimately about a lot of things, but at a minimum it’s about legal compliance. And there *will* be lawyers involved, so in my experience it is just more efficient if the CPO can speak authoritatively on legal matters. Which is not to say that a non-lawyer can’t get there, but I think lawyers have a natural advantage.
The question of privilege is an interesting one. Certainly, a non-lawyer CPO could have less legal privilege, depending on how the organization is structured. That would seem to bolster the case for having the CPO report into the General Counsel’s office. As a lawyer operating within a legal department, I do tend to assume that my internal communications will be privileged for the most part.
Q: Is the proper scope of the role “just privacy” or a broader umbrella that might include data governance, data ethics, InfoSec, data monetization, privacy compliance, consumer trust & safety, law enforcement response, privacy public policy, etc.?
The question goes to the multi-faceted nature of the privacy office, because even one that isn’t trying to be very ambitious in its scope still has many roles to play, from compliance, to product development, to internal education and external communication. But to be sure, there are many areas “adjacent” to privacy that could lend themselves to being brought under the “privacy” or “data management” or “data governance” tent. In my experience, the “average” privacy office (use of quotes indicating that I’m not sure such a thing exists) touches to at least some degree on all the topics from your question, and usually other things besides. The privacy office in organizations without a dedicated compliance organization can sometimes come to play that role. I think to some extent it can come down to the individual personality of the CPO. Some are excellent leaders of people, and seem to constantly build organization around themselves; others see themselves in more of an advisory role and are constantly striving to decentralize privacy within their organizations. Again, much depends on what works for a particular company. I tend to err on the side of decentralization, because in my view privacy as a verb is ultimately executed by the business, not the privacy office. The privacy office is the catalyst.
Q: In light of this shift, is “Chief Privacy Officer” still the right title?
The question seems to imply “maybe not?” I am of two minds on this. On one hand, sure, even the word “privacy” is perhaps a misnomer for what the privacy office does in most companies. “Privacy” implies secrecy, and that’s just one tiny facet of what privacy professionals do. And I also doubt that any two Chief Privacy Officers have exactly the same job. But, having said that, it is at least a title that is now widely recognized, with at least some basic expectations about its scope. So I think it is probably the right title until something truly better comes along. I don’t love the title “Chief Privacy Counsel,” because I think the CPO shouldn’t only be an advisor, but should truly be part of the management of a company.
Q: How does the CPO role sync with GDPR’s DPO? Different roles or semantics and the same person?
As I read the GDPR’s requirements for a DPO, these are, to me, exactly what a CPO should be. Independent, compliance-minded, a voice for data subjects within the organization—all of that sounds like an effective CPO to me. So, in my mind the roles can absolutely be the same person. I think you could even argue that the DPO requirements provide some legal air cover to the privacy office on the rare occasions when the privacy office has to say “no” to something. And as a practical matter, all but the biggest companies (and even some of those) have small privacy offices and in most cases there is no realistic alternative to having the CPO or another member of the privacy team play the DPO role. Also, the DPO has to be accountable for business outcomes at some level.
Management and Operations:
Q: The pace of change in privacy is accelerating, and yet the more things change, the more it seems basic data hygiene stays the same. Are you concerned about the pace of change? Broadly speaking, what is your strategy for change so that you don’t have to iterate the program for every slight difference?
From my perspective, the pace of change is actually really, really slow. How long have we been talking about a federal privacy law in the United States? Really, since the EU Data Protection Directive came into force in 1999 we’ve seen a slow, but increasing convergence with that standard by the rest of the world. GDPR may have bumped the EU to an even more stringent level than the prior Directive, but I’m not sure that the entire world is going to follow the EU down that path. I do not, for instance, imagine a state legislature or the U.S. Congress passing a law mandating opt-in for data collection (think cookies in Europe). I do think, however, that whether by state action or ultimately federal, the entire U.S. will become subject to something along the lines of the CCPA/CPRA. But most of what those laws require are things responsible companies were doing anyway.
Q: What are your key factors for determining staffing levels? Department budget?
Demand. How many things are going on around the company that require the attention of a privacy expert?
Q: What are the key factors you look at in hiring outside counsel?
Pragmatism. Insider knowledge of governmental agencies. Responsiveness. But Pragmatism is like 80% of it.
Q: Lots of new hiring these days. What are the top 1 or 2 must-haves when you look at a candidate? How do you know if a candidate is “doing privacy”? How much does exactly on-point legal experience matter compared to say project management or ability to craft a simple business solution? What advice would you give an up and coming privacy lawyer?
A lot of people like to put privacy on a resume without really understanding what it means to “do” privacy in an organization. I give applicants hypotheticals and gauge the instincts displayed in their responses. Personally, I think it’s the very rare person who can come to a senior privacy role fully prepared to be effective in the role without having significant legal and practical experience.
Q: Some clients see law firm training as a “must-have” when reviewing candidates. You don’t have that background and have reached the highest levels of privacy. What would you attribute your career success to? When hiring attorneys for privacy, how important to you is law firm training? What would you say to candidates who might be discouraged by clients wanting that box checked?
Ah, well, I actually do have that background – I spent almost 7 years at what is now K&L Gates. I was their first attorney to have privacy as the sole focus of their practice, in fact. I don’t think lack of big firm experience is disqualifying, but I think people who have it value it in others because of the shared mindset it implies (not that you embrace it, but that you understand it at least). If someone spent several years in a big firm, you know that that person is a professional, that they’re smart, that they can work hard. It’s sort of like basic training for lawyers.
Q: How has the 2020 pandemic and work from home changed your hiring / staffing approach? What is different about managing a team and program in this current reality from pre-pandemic circumstances? What challenges should privacy professionals be preparing for?
I’ve worked remotely in different roles for the past 10 years, and depending on how you count, to some extent since 2006. So the only real impact Covid has had on my job is that I haven’t traveled for work for months. For the first 6 months I was grateful for a break from it. Now it’s starting to feel like a long time since I saw people and I’m looking forward to being able to do that again. But our entire company adapted to working from home pretty seamlessly. It’s been fun to watch.
Q: With the current work from home situation, how do you continue to execute on leadership priorities such as maintaining team culture, training and personal/professional development of your team, etc?
We start every day with a team Zoom call. It’s been a great way to stay in touch. We talk about all sorts of things, not just work. We probably see more of each other than we did before Covid.
Q: What is the top data (privacy or security) issue that keeps you awake at night? How has this changed as you’ve moved industry or between companies with different b2c/b2b focuses?
The thing that probably makes me most uncomfortable is the way that government access to private sector data has increased over the past few years. The private sector should not be treated as the data-gathering arm of the government.
Q: What is the “value add” for a company to invest in and have a strong privacy organization?
We use OneTrust privacy management software, and wow, I don’t know how we’d function without it. Highly recommended.
Q: I routinely hear from candidates that “their company isn’t serious about privacy” or that the company talks about privacy but won’t provide budget to actually back it up. What advice would you share with folks who have to set budgets? Do you have a strategy for determining what the budget ought to be?
Those companies are good places for people who are good at evangelizing privacy. Because without resources, evangelizing is basically what you’re left with. But on the other hand, a good evangelist can be pretty effective! But to be totally serious, if you’re starved for resources, focus on internal education, privacy by design, and decentralizing privacy as much as possible. It’s all you can realistically do. Nobody travels anymore, so don’t worry that you’re missing anything good.
Q: Any insight for peers or up and coming folks on how to “manage up” generally and, tying to last question, how you make the budget pitch to the powers that be?
Managing up is a crucial skill for the privacy office. You need people unafraid to look senior management in the eye and tell them the unvarnished truth, and to make real-world recommendations as to what to do about whatever it is. My advice in this area is to be 100% sure of anything you state as a fact, be clear about what the limits of ambiguity are if there is any, don’t use a lot of adjectives, and don’t put your own views or emotions on display. Management will embrace the privacy office if it sees the privacy office as a competent partner and member of the team.
You need to justify your budget. Be prepared to make a case for every penny.
Q: With work from home being a new normal for many companies, what considerations might you highlight? How, if at all, would this new work from home era change your thinking/strategy on privacy issues?
Certainly, the security of remote connectivity is a huge, huge thing. Zoom bombing can be funny, but the implications for privacy of that sort of activity are unsettling. Without security there is no privacy, and in severe cases, no brand. So, companies should be reevaluating their remote connectivity security and investing there. But Covid hasn’t really changed anything in terms of regulations, so the core mission hasn’t changed.
Q: Anything else you’d like to share?
Just that I’m very grateful to have been able to have a career in Privacy. It’s been unfailingly interesting (if at times bewildering), I have had the privilege to know truly extraordinary people and wonderful mentors, and it has gotten me places I might never have seen otherwise, from Hong Kong to Marrakesh, from Montreal to the Gherkin in London. Most importantly, while a lot of the daily work in the trenches isn’t particularly glamorous, I have always had the overriding sense that I’m participating in an important process of social policy development. Future generations will think of this as the time when privacy was defined and codified, and I believe the events in the privacy world of the past 20 years will still be felt in the codes and practices a century from now. For people coming up in the profession today, I would say know your legal chops and find areas where you can specialize. The rest will take care of itself.
Benjamin Hayes, Esq., CIPP/US/E/C, CIPM, CIPT, FIP has been a legal advisor in the area of privacy, data governance, and security incident management since 1999, focused primarily on in-house strategic and compliance counseling for multi-national enterprises. He started his legal career at Kirkpatrick & Lockhart (now K&L Gates) developing compliance programs with then-new privacy laws like the EU Privacy Directive, HIPAA, COPPA, and Gramm-Leach-Bliley for clients that spanned a range of industries from financial services to entertainment and media to manufacturing and shipping, including DuPont, Deutsche Bank, JP Morgan, and World Wrestling Entertainment.
In 2006 Ben joined Accenture as its first Americas Privacy Lead—an in-house role developing Accenture’s compliance program. He led several global initiatives at Accenture, including the development of its incident response program, its client data protection program—a methodology for assessing data risks associated with individual consulting engagements, and right-sizing data security for the engagement, backed up with continuous auditing and program review—and an approach to contracting for cloud services that accounted for dozens of privacy laws around the globe.
In January, 2019 Ben became the first CPO of Zeta Global, a marketing software, analytics, and data company headquartered in New York City. In that role he is overseeing Zeta’s privacy compliance program, managing privacy integration of its acquisitions, engaging in hands-on privacy by design, and helping navigate the GDPR, CCPA and beyond.