As part of our Captains of Privacy Industry Interview series, Lawrence Brown, Sr. VP Legal, Houston, had the fortunate opportunity to connect with data privacy pioneer JoAnn C. Stonier, Chief Data Officer for Mastercard. JoAnn’s extensive experience in finance, law and technology, coupled with her proven success as Chief Privacy Officer, earned her appointment as Mastercard’s first Chief Data Officer. JoAnn is a highly recognized data and privacy thought-leader, and we’re thrilled to share her invaluable insights with you. Enjoy!
Q: What does Mastercard do?
Mastercard is a technology company in the global payments industry. Our global payments processing network connects consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. Mastercard products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more secure and more efficient for everyone.
Q: Tell us about your background path to your current role?
My career reflects my desire to learn new skills and have new experiences. I started my career as an auditor and as a financial analyst, but shortly into my finance career I decided to go back to law school. After a brief stint as an employment lawyer, I was drawn back into finance and into designing new processes via acquisitions and mergers. My career took me through a range of companies including PricewaterhouseCoopers, PepsiCo, Waldenbooks and American Express. In each of the roles that I held in finance, law and technology, I learned different skills that I ultimately used both as a Privacy Officer and now as a Data Officer.
Currently, in my role as Chief Data Officer, my team and I are responsible for ensuring Mastercard’s information assets are available for innovation while navigating known and future data risks. This means understanding our business strategy and helping to create the corresponding data strategy. It means understanding our data – the data we currently have and issues like data quality, data governance, data policies and data use, finding and sourcing the data we need – and assisting our product development teams to utilize data in a safe, secure, privacy-aware and ethical and responsible manner to create new products and solutions. My team also identifies and creates new platforms and infrastructure that are needed to handle our evolving data profile. All of this supports current and future innovation. It really is a fun and challenging position.
FROM CPO TO CDO
Q: You have a long history and amazing reputation in privacy but you’ve moved on to a Chief Data Officer role. What does a CDO do? How is this role different?
Thank you Lawrence, I appreciate the compliment. It has been an interesting journey as I moved from an area where I had really strong knowledge to one where I had to create a new position for the company.
Typically the CPO role is compliance and legally focused as the privacy function ensures that an organization is complying with the ever-increasing privacy and data protection laws that relate to how organizations collect, use, retain and share personal and sensitive information about individuals.
The CDO role is a broader role focusing on all types of data that an organization collects, uses and shares. The role is more of a business and strategic role ensuring the organization has the right data for innovation. This means additional data skills – including creating programs that ensure good data quality, ensuring that the organization understands its data sources and lineage, creating good governance processes for data collection, data analytics and more recently data governance for Artificial Intelligence and Machine Learning. The Chief Data Officer also assists in creating the data strategy for the organization which is derived from an organization’s business strategy – so how will data be used not only to improve efficiencies in operations but as an enabler for the next generation of products and services. While the role of the Chief Data Officer started to emerge in the early 2000s, we have started to see more of them more recently as organizations are beginning to recognize that they need someone focused on both opportunities and risks.
The roles work together, as both teams manage different aspects of data risk and are important in ensuring that data innovation is balanced against risk and that the rights of individuals are at the center of the organizations’ design methods.
Q: Cross-functional communication and collaboration are obviously key in a successful data & privacy program. What players need to be peers? CISO? Others?
I think that every organization has to create an organization that matches its data profile. I am not sure that we understand who are peers or who are subordinates, but what is most important is that an organization understands its data practices, understands its data risks and has the right professionals to navigate both its risks and opportunities and then places them so they can succeed. That is what is most important.
Q: Is the proper scope of the role “just privacy” or a broader umbrella that might include data governance, data ethics, InfoSec, data monetization, privacy compliance, consumer trust & safety, law enforcement response, privacy public policy, etc.?
I think that many organizations are trying to determine what is the right span of control for their Privacy Officer and/or Data Protection officer, and I think that is a good thing. But that being said, you need to look at the skill set of that individual and their team. What does the organization need? What is their data profile? If the organization has a smaller data profile and doesn’t use data for innovation perhaps one individual can handle all of the responsibilities. But, if data is core to the organization’s business strategies, it might be better to expand the data knowledge of the organization by adding a Chief Data Officer or a Chief Data Analytics officer to begin to add additional knowledge and skills. Sometimes one person simply cannot do it all and shouldn’t be asked to.
Q: The pace of change in privacy is accelerating, and yet the more things change, the more it seems basic data hygiene stays the same. Are you concerned about the pace of change? Broadly speaking, what is your strategy for change so that you don’t have to iterate the program for every slight difference?
I think this is a great question. We will always have change; the question is can you design a program that is flexible enough so that it can handle change as part of its built-in methodology. I agree that the basic information principles have remained the same, but the pace of data and the volume of data that many businesses use have increased. This means data management practices have to be able to grow and expand with the changes in business practices. It also means you have to understand not only how your business is changing but how the external landscape is changing as well – what is happening with regulation, with your industry, with your value chain and data eco-system, as all of these elements will also impact your data practices. Like any other aspect of business, these factors must be built into both your privacy and data programs.
TEAM & STAFFING
Q: What are your key factors for determining staffing levels? Department budget?
I have a global team that is continuing to grow and we have open positions…if your readers are interested. The positions range from data strategy positions, to data quality and acquisition roles, to data management and governance positions, to teams that support AI and analytics and teams that build data platforms. It really is a diverse group.
Q: Lots of new hiring these days. What are the top 1 or 2 must-haves when you look at a candidate? How much does exactly on-point legal experience matter compared to say project management or ability to craft a simple business solution? What advice would you give an up-and-coming privacy lawyer?
When we are recruiting for my team we look for folks that can speak multiple skill languages – data, business and technology – we call these folks data bilinguals, as they have to have the ability to translate requirements between different teams. So I really need folks who are multi-skilled: First, an understanding of business strategy and how data is a key element to achieve that strategy. Second, an understanding of systems and processes and controls so that data can be put to use. Third, an understanding of data risks – privacy, security as well as what an organization or initiative is trying to achieve. So that you can determine what is in and out of bounds.
Don’t get me wrong, my legal background helps every day – it helps me understand the regulatory landscape, guides how to create the next generation of solutions and makes me mindful to create ethical solutions.
TACKLING DATA VALIDITY
Q: What is the top data issue that kept you awake at night as CDO?
I think one issue that we are just beginning to really solve is the issue of data validity, which is one form of data quality. In this age of fake data and data that can be manipulated, how do you ensure that the information you are using is accurate, complete, consistent and from the source that you believe it has originated? While there are techniques to validate lineage, as non-ethical actors continue to manipulate data for their own purposes, we are beginning to push on this issue.
Q: Is this something that only Mastercard peers need to be thinking about or is this role something that every company should be considering?
Any company that has anything to do with data, which is almost every company today, should consider having a Chief Data Officer. The most essential and obvious industries are those in technology and data analytics. In addition, we are seeing CDOs in financial services, larger multinational retail organizations and health organizations begin to be senior roles. The Chief Data Officer’s role is becoming a strategic role that not only assists with innovation but also ensures that data is handled properly and with the consumer always in mind.
JoAnn C. Stonier serves as Chief Data Officer for Mastercard, charged with assisting the organization to innovate with its data assets while navigating current and future data risks. She oversees the curation, quality, governance and management of the company’s extensive data assets as Mastercard increasingly looks to deepen the strategic value it can provide its merchant, banking and government customers and cardholders through its data analytics capabilities and other data services.
JoAnn previously served as the company’s Chief Information Governance & Chief Privacy Officer and within that role she was responsible for worldwide privacy and information governance as well as leading regulatory engagement for data compliance.
JoAnn is a recognized data and privacy thought-leader. She has served on a number of industry boards and organizations in leadership roles. Currently she is on the Board of Advisors for the United Nations Information Governance and Artificial Intelligence Council, the World Economic Forum’s Council of the Future regarding data consumption and she serves on the board of Truata, a trust co-founded by Mastercard and IBM that offers a new approach to handling data anonymization that meets the highest regulatory standards established by the EU-General Data Protection Regulation. In the past JoAnn has received honors and recognitions including being named an Aspen First Movers Fellow, serving on the Board of Directors of the International Association of Privacy Professionals (IAPP) (Chair in 2017), Centre for Information Policy Leadership (CIPL) and the Information Accountability Foundation (IAF).
JoAnn received her Juris Doctorate from St. John’s University and her Bachelor of Science degree from St. Francis College. She holds memberships in the Bar of the State of New York and the Bar of the State of New Jersey. She is based in Purchase, N.Y.