MarTech Interview with Barbara Lawler, Chief Privacy and Data Ethics Officer at Looker

Hi Barbara. Tell us about your journey into data protection and how you started at Looker.

My journey into data security and privacy began more than two decades ago, where I previously served as Chief Privacy Officer for Intuit, Inc. and the Hewlett-Packard Company. In fact, I was Hewlett-Packard’s first-ever CPO, where I led a global team that drove global privacy policy and standards covering over 150 countries.

I also founded Digital Stewardship Strategies LLC, working to guide organizations in setting strategies to implement ethical approaches to privacy and digital stewardship, focusing on Machine Learning and Artificial Intelligence applications. In September 2018, I decided to continue my career, this time in the Business Intelligence and Data Analytics space. I joined the Looker team as its Chief Privacy and Data Ethics Officer, where I currently lead Looker’s global privacy, ethics and accountability policies and practices.

You come from a very interesting background where you have managed vastly different portfolios in Channel Marketing and Legal. Could you tell us what inspired you to take up a role in a now Google-owned Data Management company?

I was initially inspired by Looker’s mission to empower people to make smart business decisions, and emphasis on customer-focused values and data ethics. Looker’s Data for Good initiative, which aims to move the industry forward towards ethical data practices and policies cinched the deal. The idea stems from the overarching Looker for Good philanthropic program, which focuses on giving back to our communities and the groups that enrich them.

Looker is an exciting, fast-growing company that is at the heart of transforming how businesses discover operational insights from their own data in their own environment. Now that we are an official Google company, we are given even more opportunities to continue our Data for Good initiatives and inspire businesses of all sizes to implement these ethical data practices and policies.

CCPA recently came into effect. GDPR has been there for some time now in the EU. How do these data privacy regulations impact your industry?

While CCPA was inspired by some of the components and principles of GDPR, it is not GDPR or a de facto GDPR for the United States. For companies that have dealt with GDPR though, it does lay the groundwork for certain underlying governance principles that also apply to CCPA.

It sounds relatively simple when you describe it that way, but it can be tricky for large companies, even smaller companies, who don’t have a good grasp of what I call their data supply chain because that invokes the idea of a chain of custody—from the point it comes in, all the different places it’s going to go, including any third-party providers and then where it goes from there. Each step of the way needs to have appropriate levels of monitoring and control and encryption.

In fact, New York’s latest privacy act titled The Shield Act is another example of a regulation set to impact the industry, as it is slated to go into effect on March 21, 2020. This is similar to CCPA in that notification requirements now apply to any person and business that handles New York residents’ information regardless of whether that person or business conducts business in New York. We can expect similar impact from the proposed Washington State Privacy Bill.

The overall impact I’ve seen from CCPA is the accelerated awareness and high standards companies everywhere are being held to, and increased action from consumers to exercise their data rights. I hope we continue to find a path that blends regulations, individual rights, common sense, and data ethics together for a more balanced and less heavy-handed approach. As you can tell, the conversation doesn’t end here—it’s just the beginning.

How is data privacy different from data ethics? How do regulatory bodies find a balance between the two?

Data privacy is responsibly collecting, using and storing data about people, in line with the expectations of those people, your customers, regulations and laws. Data ethics is doing the right thing with data, considering the human impact from all sides, and making decisions based on your brand values. I see these as overlapping circles in a Venn diagram.

Information privacy and protection are fundamental throughout. Policy and governance apply to both. There is a need to have a tight grip on security, within the company and with our relationships with customers. Data ethics is not about what we are required to do but what we should be doing. What is the right thing to do? And even to challenge the way Looker technology is being used or might be misused. A lot of companies shy away from that question, but Looker does not.

What is the approach you often take to build a Data Privacy and Management team? What kind of talent and skill do you usually seek and hire for? What challenges do you meet in building effective Data Privacy teams?

We need to hold companies to a high standard for transparent and ethical uses of data, so that we can gain the benefits of new and novel services, treatments, and products provided through smart data collection and analysis. I hold myself and Looker to this high standard and seek individuals who are committed to data ethics and using responsible data tools that reduce risk and enhance trust.

The challenge is that we are in a transitionary period and not everything that is legally compliant and technically feasible is ethically and morally sustainable, nor is it always protective of the autonomy and privacy of people. People are the ultimate key to data responsibility and data opportunity and the challenge lies in finding those who are willing to change their mindsets on data privacy and implementing proper procedures to comply. They’re the ones making decisions about what to observe and collect, how to analyze it, what inferences to draw and actions to take or not take, enabled by state-of-the-art tools and governance.

What legal tech solutions do you rely on to stay on top of your game?

We use the WireWheel.io platform for overall privacy program management, automated data mapping support, D/PIAs and CCPA and GDPR DSAR compliance. We also use a variety of educational and policy online resources from the IAPP, Future of Privacy Forum and Information Accountability Foundation.

In the last 5 years, how much have the online data privacy and the data management businesses evolved?

Let’s look back even further to a quarter-century ago, where there was a generational shift in the consensus on how to respect privacy due to an emergence of personal computing, networked computing and large structured databases. That shift led to the implementation of modernized rules governing the protection of personal data, which has increasing amplified as seen with GPDR and CCPA.

Today, we are experiencing a new generational shift, driven by globalization of the economy and profound alterations in the digital, physical, and biological spheres we live in, creating an ever-expanding, data-first interconnected digital world. To keep up with the evolving digital world, the evolution of sustainable data ethics codes must go beyond check-the-box compliance and enforcement of the rules. There is continued pressure on companies to understand and define the impact of the spectrum of data uses, from simple personalized services and profiling, to robust analytics, and ultimately to Machine Learning and automated decision-making. New data ethics codes must objectively consider the effects new technology and data uses beyond common understanding has on people.

What foreseeable changes should CEO/CIOs/CMOs make to ensure they adhere to various customer data privacy regulations that are currently in place?

One of the fundamental ideas these execs must keep in mind is that an individual has the right to know what personal information the company has about them and where else the data has gone from there. That means exects, not just the operational experts, should understand where your data is and why you have it, from ingestion, to use and processing, to storage and ultimately deletion.

The CCPA and other state-level proposed privacy laws focus heavily on consumer rights (not business benefits), including whether the data is being sold. There are many companies that are incredibly responsive and ethical and accountable who say “We don’t sell our customer data. We don’t even sell it in an aggregated form.” But, if you look at the definition of selling under the act it basically encompasses any kind of business relationship and transaction you can think of. So that should give companies pause and a commitment to develop data maps and inventories. Executives must take the responsibility upon themselves to parse through the relationship with service providers or third parties to make sure they know what the ultimate destination of the data is going to be and whether that process will be defined as selling.

What would be your advice to young legal tech professionals who are looking to build a career with data and analytics-related companies?

Be transparent. Transparency is central, but so is a public commitment to ethical data practices, tools, and data governance. As a starting point, businesses, more specifically, the people — Data Analysts to Chief Data Officers — need tools as a means to analyze the data in their own databases, minimize sprawl, and reduce the risk of breach or misuse. We should be expecting data governance at machine speed.

Tag the one person in the industry whose answers to these questions you would love to read.

Susan L. Hintze, Founding and Managing Partner at Hintze Law PLLC and Sharon Anolik, Privacy Panacea.

One superwoman/literary fictional character that you would like to play in life –

If you know me, I’m inspired by real life heros, and I can’t pick just one of anything. I am inspired by the crazy smart intelligence and fundamental contributions to human and technological progress of Katherine Johnson, NASA Mathematician. I couldn’t begin to play her, but what an amazing real-life superwoman. Fictional characters I admire are Hermoine Granger and Elastigirl.

Thank you, Barbara! That was fun and hope to see you back on MarTech Series soon.