How can privacy teams unlock their relationship with engineering?

In our first podcast, we invite operators from legal teams and other functions to unpick the relationship between legal and the rest of the business. We talk about applied situations and practical lessons that you can learn from to help improve how you function across the organization.

Oct 17, 2024

How to think about the overlap between privacy and engineering teams

Bridging the Gap: Navigating Data Privacy and Engineering Challenges at Scale

Ben Martin - Director of Privacy at Trustpilot and Andrew Phillips - CTO at Skyscanner - hosted by Ross from Wordsmith

In-focus Lawyer's Bio:

Ben is the author of GDPR for Startups and Scaleups, a practical guide on how to implement data protection in rapidly growing businesses. He is also the Director of Privacy at Trustpilot, where he manages the dynamic privacy team, which works at the cutting edge of tech and data protection. Ben has previously held senior legal roles at King and OVO Energy. Outside the world of law, Ben previously co-founded a menswear brand, moonlighted as a furniture maker and loves the outdoors.

Ben's most used prompt that he has saved into Wordsmith:

You are an assistant to a lawyer. Your job is to help them draft a short and to-the-point cover email for a contract or complex set of legal documents intended for an executive. Use simple English, break down concepts into bullet points, and be direct. ALWAYS use the active voice. YOU WILL BE PENALISED IF YOU DO NOT.

I. Introduction and Guest Introductions (0:00 - 4:00)

  • The podcast focuses on the challenges in-house legal teams face in managing risk, specifically data privacy.

  • Introduction of guests: Andrew Phillips, CTO of Skyscanner, with 15 years of experience managing data at scale; and Ben Martin, Director of Privacy at Trustpilot, author of "GDPR for Startups and Scaleups".

  • Setting the scene: The discussion aims to address the common issues and anxieties surrounding the interaction between engineering and legal teams, particularly in the realm of data privacy.

II. Evolving Risk Appetite and Bridging the Gap Between Legal and Engineering (4:00 - 11:00)

  • Skyscanner’s experience with evolving risk appetite: Initial high risk tolerance as a startup transitioning to a more measured approach with scale.

  • The importance of legal teams understanding and prioritising business-critical risks, presenting solutions alongside problems.

  • A case study: Skyscanner’s challenge with data deletion after shutting down a product highlights the need for proactive data management and inter-team collaboration.

  • Building empathy and understanding between legal and engineering teams: Legal teams should understand the engineering team’s pain points and work collaboratively to find pragmatic solutions.

III. Avoiding Overengineering and the Build vs. Buy Dilemma (11:00 - 21:00)

  • Balancing compliance requirements with engineering efficiency: Avoiding unnecessary complexity and "Death Star projects".

  • The importance of abstraction and third-party vendors: Leveraging specialized expertise and adapting to the rapidly changing privacy landscape.

  • Considerations for "build vs. buy" decisions: Understanding the hidden complexities ("below the iceberg") of building in-house solutions and the benefits of specialised vendors with dedicated resources.

  • Skyscanner’s experience with building and buying: Transitioning from in-house solutions to third-party platforms for greater efficiency and agility.

  • Engaging with vendors and influencing their roadmap to align with strategic objectives.

IV. Communicating Data Usage and Building Trust (21:00 - 32:00)

  • Challenges in communicating data usage: Balancing transparency with the evolving nature of product development.

  • Examples of communication missteps: Slack and Adobe's vague language around AI training data leading to public backlash and erosion of trust.

  • The importance of clear and precise communication, particularly in sensitive areas like data usage and AI.

  • Turning data privacy into a brand differentiator: Learning from companies like Meero who communicate data practices proactively and transparently.

  • Elevating legal from a support function to a strategic driver of product value and brand equity.

V. Conclusion (32:00 - 34:00)

  • The evolving role of legal teams in a data-driven world: Moving beyond reactive responses to proactive leadership and education.

  • Emphasising the importance of legal involvement in early-stage planning and decision-making, particularly concerning data infrastructure, usage, and liability.

For those with only 5 minutes, some takeaways!

1. Start with Clear, Practical Solutions

Quote: "Legal teams bring problems without saying, 'these are what we think the solutions can be.'" — Ben Martin

Legal teams should not just identify compliance issues but also suggest practical solutions that align with the business’s goals. Understanding the product deeply and anticipating engineering challenges can prevent legal advice from becoming a roadblock.

2. Understand the Hidden Costs of Compliance

Quote: "If you keep piling things on top of each other that aren't done very well, the whole system is going to be really problematic." — Ben Martin

Ben discussed the concept of "debt" that accumulates when companies don't address privacy and compliance properly from the start. This isn't just legal debt, but also technical debt that can make systems inefficient and costly to manage.

3. Leverage Third-Party Expertise Wisely

Quote: "For the non-core IP stuff, I think you're pretty hard-pressed to say building is the right thing." — Andrew Phillips

Andrew explained that for aspects like privacy compliance and security, which are not a company's core IP, it often makes sense to use third-party vendors. These vendors have specialized expertise and can adapt more quickly to regulatory changes than an internal team might.

4. Use Data Privacy as a Strategic Advantage

Quote: "It’s about being part of the solution...being able to work really collaboratively." — Andrew Phillips

Data privacy shouldn’t just be about compliance; it can also be a strategic advantage. Andrew emphasized how aligning privacy initiatives with business goals can foster a culture of trust and collaboration, ultimately benefiting both the brand and its customers.
