As part of our Captains of Industry Interview series, Lawrence Brown, Sr. VP Legal, Houston had the good fortune to sit down with the incomparable Kristie Chon, Chief Privacy Officer at PayPal. Kristie is a highly recognized data ethics expert and proven privacy thought-leader. It is our immense pleasure to share Kristie’s invaluable insights with you. Enjoy!
Q: What does PayPal do?
PayPal has remained at the forefront of the digital payment revolution for more than 20 years. By leveraging technology to make financial services and commerce more convenient, affordable, and secure, the PayPal platform is empowering more than 300 million consumers and merchants in more than 200 markets to join and thrive in the global economy. For more information, visit paypal.com.
Q: And tell us about your background / path to your current role?
As PayPal’s Chief Privacy Officer, I lead a global team that develops and operationalizes PayPal’s global data governance and privacy program. I am passionate about helping PayPal harness the power of data and technology by creating programs focused on driving brand loyalty, customer experience, and innovation grounded in data protection and ethics. Part of that passion is focused on fostering a culture of responsible data use through data governance.
Outside of my day-to-day role as Chief Privacy Officer and Global Head of Data Governance, I serve as the co-chair of PayPal’s Technology Information Security and Privacy Risk Management Committee and am a member of our Enterprise Risk Management Committee.
Before joining PayPal, I was the Chief Privacy Officer at HCL Technologies, leading an organization of experienced privacy professionals to develop and operationalize a privacy framework from the ground up. Before my role at HCL Technologies, I was the Privacy Officer for the Enterprise Growth Group at American Express. I started my career advising on technology outsourcing and consumer protection issues in law firms and regulatory agencies.
Privacy Team Structure and Management Best Practices
Q: You clearly have experience setting up several privacy teams from the ground up and through your career have seen some very different privacy org structures. If you were to design a privacy team from scratch, where would the role report? General Counsel/Chief Legal Officer? CCO? COO? Chief Risk Officer? CEO? Etc.
Every organization differs, so it’s tough to pinpoint a specific reporting structure. That said, any organization’s privacy team has to be within an organization that has a horizontal view that goes above and beyond regulatory risks. In order to truly build a culture of privacy, I believe in building a cross-functional team able and willing to think about privacy not only through a risk-focused lens, but as a corporate responsibility and a way to build and maintain trust with customers. The team needs to be able to think proactively about how privacy can improve the customer experience as well as responsible and ethical data use. The team needs not only to understand regulatory requirements and set policy, but also to be able to translate policy into technical and product requirements. This team has to have horizontal clout and weight and should sit within whichever structure makes that possible.
Q: Cross-functional communication and collaboration are obviously key in a successful privacy program. What players need to be peers? CISO? Others?
Of course, cross-functional communication and collaboration are of utmost importance in privacy programs, especially when it comes to escalations and decision making. In any company, there needs to be a clear pathway around governance that encompasses functions across the business, including marketing, consumer product, technology, legal, security and so on. We’re increasingly approaching privacy from a platform-focused perspective, meaning that privacy can’t be done by one team, and that all products and features should be built with privacy and trust as a core business principle. The strategy is overseen by a steering committee encompassing product, marketing, privacy, legal, and technology executives. As we pave the way for this new approach, there has to be buy-in and visibility across the company.
Q: Many companies have moved to having a lawyer in the top privacy spot. Why not Chief Privacy Counsel? Or General Counsel for Data?
I am a lawyer by training, but my position is not in the legal organization. There are a lot of operational, product and technology aspects of my team’s role in building out the data governance and privacy program. The person at the top not only needs experience in those areas, but also must be able to lead the teams on that mission. Whoever leads the privacy organization needs to be able to think beyond legal requirements and risk, to transform the organizational culture to have a privacy-culture mindset, and to operationalize and build privacy as a platform, not only to scale but to have it as a core part of the product.
Q: Is the proper scope of the role “just privacy” or a broader umbrella that might include data governance, data ethics, InfoSec, data monetization, privacy compliance, consumer trust & safety, law enforcement response, privacy public policy, etc.?
I believe the scope of the role is evolving beyond privacy. I look after a team that does data governance, data ethics, privacy, and consumer trust initiatives, including responsible and ethical use of data, fair use of data, third-party risk, etc. Every organization is different – it makes sense for PayPal because in order to do privacy right, you need to make sure that the company does basic data hygiene and governance right internally and with the third parties we interact with. The other aspect of my organization – once you have built out the basic ‘plumbing’ – is the responsible and ethical use of data. Without broader responsibilities, it would be much harder to make contextual decisions about responsible use of data.
Q: In light of this shift, is “Chief Privacy Officer” still the right title?
I don’t feel that the title matters as much as the job responsibilities, reporting structure, processes, technologies and organizational philosophies that make up the role. Sure, you could make a case that it could be “Chief Data Officer” or “Chief Digital Trust Officer”, but there is no real precedent for either in the industry since some of these concepts are fairly new, so it could cause undue confusion depending on who sees it. For example, my LinkedIn network may understand the nuance and support the change, but it may cause confusion to the general consumer.
Q: How does the CPO role sync with GDPR’s DPO? Different roles or semantics and the same person?
At PayPal, we have a global data protection officer organization that reports to me, so they are different roles. Our approach to the DPO function is to have a team with responsibilities broader than what the law requires. They are empowered to look after many jurisdictions outside of Europe and other countries where DPOs are required.
Management and Operations
Q: The pace of change in privacy is accelerating, and yet the more things change, the more it seems basic data hygiene stays the same. Are you concerned about the pace of change? Broadly speaking, what is your strategy for change so that you don’t have to iterate the program for every slight difference?
Pace of change and the gray is what is exciting! We pay close attention to impending change and focus on making sure we are prepared in the event of any shift. But because of the people, processes, and technology we’ve put in place, I’m confident in our ability to change at the rate required to stay ahead. As mentioned earlier, our strategy is to think about privacy more as a flexible platform built on the fundamental privacy principles. Rather than retroactively changing an organizations’ foundation to be more competitive and compliant, our industry should be more focused on deepening relationships with customers by building technology with privacy and trust as core business principles.
Q: With work from home being a new normal for many companies, what considerations might you highlight? How, if at all, would this new work from home era change your thinking/strategy on privacy issues?
Covid-19 will create new cultural norms and expectations around privacy and using data to protect and promote public health and safety. Working norms will change, and with that, expectations around privacy may change. We need to be thoughtful around balancing privacy with public health. I am fortunate to work for a company that puts employee health and wellness front and center while thinking through the challenges and risks this new normal presents.
Q: What are your key factors for determining staffing levels? Department budget?
Our budget and staffing needs are aligned with our product and technology roadmap for the next 3-5 years and beyond.
Q: What are the key factors you look at in hiring outside counsel?
We look for outside counsel that are both practical and really understand the business. It’s crucial that outside counsel are able to make contextual recommendations.
Q: Lots of new hiring these days. What is the top 1 or 2 must-haves when you look at a candidate? How do you know if a candidate is “doing privacy”? How much does exactly on-point legal experience matter compared to say project management or ability to craft a simple business solution? What advice would you give an up and coming privacy lawyer?
A good candidate must really understand the policy, the product and the technology. They need to be “privacy multilingual” in that they are able to translate ideas across multiple organizations to influence design – like a solution architect.
Q: What is the top data (privacy or security) issue that keeps you awake at night? How has this changed as you’ve moved industry or between companies with different B2C/B2B focuses?
Regardless of the company I am working for, I’ve definitely lost some sleep thinking about the unpredictability and volatility of data. With so many bad actors in the ecosystem, the opportunity for consumer education on data privacy, and how people can protect themselves has never been greater – or more complex.
Q: What is the “value add” for a company to invest in and have a strong privacy organization?
Some of our internal market research has shown that consumers interact more with companies they trust, and that when consumers believe their privacy is cared for, they are even more valuable to companies. Investing in a strong privacy organization enables you to make the best possible decisions on people, processes and technology to earn and increase that trust in your brand. On top of that, it’s just the right thing to do for customers.
Q: Any insight for peers or up and coming folks on how to “manage up” generally and, tying to last question, how you make the budget pitch to the powers that be?
Metrics, metrics, metrics. If you are able to quantify the benefits and risks in a digestible way for stakeholders, it’s a much clearer and more objective way to demonstrate progress than qualitative measures.
ABOUT KRISTIE CHON
Kristie Chon is the Chief Privacy Officer at PayPal where she leads a global team that develops and operationalizes PayPal’s data governance and privacy program. Kristie is passionate about helping companies harness the power of data and technology by creating programs focused on driving brand loyalty, customer experience, and innovation grounded in data ethics. Kristie’s specialties include financial services, fin-tech, digital commerce, as well as promoting a culture of data responsibility.