Blog by Divebell

What I Talk About When I Talk About Data Privacy

Feb 8, 2022
Jeremy Mailen

In Haruki Murakami’s meditative memoir “What I Talk About When I Talk About Running,” one thing is clear about his relationship to running: He’s an endurance runner. It manifests not only in the stories he tells but also in the vocabulary he uses to write about making progress. Endurance runners aren’t the only people moving their feet fast to travel, though. In fact, put a sprinter, a marathoner, and a jogger in the same room and you might hear them measure their activity with quite different words:

| Endurance Runner | Track & Field Athlete | Jogger |
| --- | --- | --- |
| Pace | Splits | Heart rate zone |
| Miles | Meters | Calories |
| Course | Track | Loop |

If you ask each of them to describe their strategy for being a great runner, the conversation rapidly diverges. The words indicate deeper differences in assumptions and goals, whether it’s outracing the person next to them, making relentless forward progress, or getting in better shape. They share certain values about running, but if they don’t understand each other’s context they might talk in circles without connecting on a topic that they are all passionate about.

Data privacy runs into similar challenges. A Privacy Officer, an Infosec Analyst, and a Data Engineer may all be talking about how they want to protect the vital personal data the organization holds. But because they come at it from different perspectives, reflected in the terminology and language they use, they often end up talking past each other instead of with each other. To illustrate the difference, let’s take a look at the terminology that they might use to refer to similar concerns:

| Privacy Officer | Infosec Analyst | Data Engineer |
| --- | --- | --- |
| Subject | Sensitive data | Entity |
| Data map | Threat model | Catalog |
| Compliance risk | Vulnerability | Error |

Different Goals and Responsibilities

The difference in their language is a reflection of their professional background and training as well as the roles and responsibilities they have historically been tasked with. While this is true of many cross-functional endeavors, privacy has been further complicated by factors such as increasing regulatory pressures, the exponential growth in data, and the fast pace of technological innovation. To keep up with the pace of change, organizations have either tacked privacy-related responsibilities on top of existing job functions or created new roles that are responsible for ensuring privacy and security compliance. Depending on the role, people tasked with ensuring data privacy may have different goals intertwined with the outcome.

| Privacy Officer | Infosec Analyst | Data Engineer |
| --- | --- | --- |
| Regulatory accountability | Data security | Data quality and availability |

Adding to the complexity, achieving the goals and fulfilling the responsibilities of an individual or departmental role often puts people on a direct collision course with others within the larger privacy team. Data security can prevent a Chief Privacy Officer from getting the visibility they need for a Records of Processing Activities (RoPA) to be able to fulfill the requirements of the General Data Protection Regulation (GDPR). Similarly, processes put in place to ensure compliance with privacy laws can impede the availability of data for important business and revenue purposes.

When you understand the different lingo and frames of reference of your team members, you can facilitate productive and solution-oriented privacy conversations within your team. Team members will better understand the different perspectives their counterparts bring to the table and that, while their language might differ, their concern for privacy is equally high. It can also help team members to know that sometimes their access is blocked inadvertently, because someone is trying to do their job. It can help foster a better working relationship and a more efficient privacy team that is not working at cross purposes. We’ve created an infographic to illustrate this. In my next blog, I’ll talk more about the various roles and responsibilities of privacy team members and the diffused ownership of privacy.

Any opinions expressed here and statements made are not legal advice, nor representations or warranties, and are intended to promote discussion around technology and data protection.