April 7, 2022
Effective Privacy is Always Proactive
As Skyflow’s Chief Privacy Officer, I’m excited to help drive a “shift left” in proactive data privacy, making privacy by design easier than ever for companies of all sizes.
I first heard about Skyflow when reading a TechCrunch article. At the time, I was working as the Director of Global Privacy Governance and DPO at Twilio, a communications API company, so reading publications like TechCrunch was a part of staying on top of the latest trends in data privacy. When I read about Skyflow, my reaction was immediate: “That’s perfect! A privacy API that localizes sensitive data, controls access, and minimizes data proliferation through tokenization techniques… developers love using APIs for communications, so obviously they’d like to have APIs for privacy”.
As a privacy professional, I’ve long worked to make data privacy a part of product and service designs from the inception of any project — but without APIs to make data privacy easy for developers to implement, getting early-stage developer cycles was always an uphill battle. With Skyflow’s privacy API, I saw the potential to “shift left”, or move data privacy into the early stages of application and service development — thus avoiding painful prerelease engineering work following a privacy review. I saw the potential to make privacy by design attainable for more products than ever before, and give data subjects (users and consumers) improved privacy and security.
In light of what I’d seen in the data privacy space since entering the field in 2008, this was a breath of fresh air.
How I Became a Privacy Professional
I started in the privacy space when I left my original career in finance and accounting and found an interesting role at TRUSTe (now TrustArc). While researching the company, I Googled “Privacy”, and what came up first was Facebook’s Beacon settlement. Other than that, there wasn’t a lot of information available on the concept of data privacy in 2008. While at TrustArc, I learned all about data privacy, including privacy basics, and why privacy is a fundamental human right in the EU. I also learned why it’s important that privacy statements be written so that they are easy to understand, just like a nutrition label. And, I became familiar with important legal concepts like the (now deprecated) EU-US Privacy Shield and COPPA.
Privacy really spoke to me on a personal level. My mother was an immigrant who came to the US at the age of five as a refugee with her family, escaping the Soviet takeover of Hungary in the 1950s. Privacy was a fundamental value for my mother’s Hungarian family, and threats to their privacy were a part of why they fled their country of origin. And my mother continued to hold this value throughout her life in the US.
I clearly remember an example of her valuing privacy when I was a college student. At the time, my health insurance ID was my mom’s social security number (SSN). I recall having to share that number verbally with a receptionist just to see a doctor, and my mother being alarmed by hearing about this. Even to this day, Europeans and many European immigrants are very aware of the value of privacy.
When asked for her SSN, my mother would always ask: “Why do I need to put my social security number down on this form? Is this really necessary?” Now, if anyone asks for my child’s SSN, I think the same way: Is this really necessary? And as a privacy professional, my questions go further: where will his SSN be stored? How are you protecting his SSN from a data breach?
Racing to Comply with GDPR
The value that Europeans place on data privacy became relevant to many companies with the advent of the EU’s GDPR regulation. I was working on the Global Privacy team at Yahoo when GDPR went into effect in 2018, so I witnessed firsthand how companies that processed personal data had to scramble to comply with GDPR’s Article 30: Records of Processing Activities (ROPA). As companies worked to comply with ROPA and other facets of GDPR in 2018 and beyond, the impact was broad and deep. Departments companywide including HR Information Systems, Revenue Operations, Business Operations, Platform Engineering, and IT suddenly realized how much customer PII is processed, stored, copied, and spread across different vendors, locations, and systems.
With so much PII replicated across systems, this manual data discovery exercise was (and continues to be) a very time-intensive and expensive exercise. Seeing how much work was required to comply with GDPR made me think that a fundamental shift in the approach to privacy was needed — someone needed to rewrite the data privacy playbook for companies. Someone needed to find a way to make the vision of proactive data privacy achievable for companies of any size.
Evolution of the Field of Data Privacy
As a privacy and data protection leader, I’ve seen privacy evolve from a back-office risk and compliance function to one of driving awareness and standards to get data privacy right early in the development process. A new and rapidly-evolving field, data privacy leadership is an area that includes a lot of women. This is in part because so many women saw the value and volunteered to help with data privacy, and so became privacy experts early on. And as I talk to other women at conferences like the annual IAPP Global Privacy Summit, we have often discussed the need for better tools to make it easier to proactively tackle data privacy.
With GDPR providing a data privacy “wake-up call” for many companies, the time is now right for a new generation of technologies that make it easier than ever to be proactive with the protection of sensitive customer data.
Joining Skyflow as Chief Privacy Officer
Having read a bit about my background and experience, you can now see why I got so excited when I became aware of Skyflow, and why I wanted to be a part of what they are building. As I met with the team, I found they were an intelligent, thoughtful, and passionate group of leaders with a common mission. I also felt that the company’s culture spoke to me. When speaking with leadership, I could tell they were very business- and strategy-focused, but also dedicated to employee happiness and work-life balance.
I’m excited to be Skyflow’s first Chief Privacy Officer and to work with customers to demonstrate our dedication to privacy and data protection. I’m passionate about all areas of privacy: learning about customer problems to help them be successful, whiteboarding the data flows of a new product or system, educating and developing internal champions around privacy, building further partnerships within the industry, and sharing thought leadership pieces. By hiring a Chief Privacy Officer, Skyflow is further demonstrating its commitment to doing privacy right.
My 13-year career in privacy and data protection has spanned different roles, experiences, and opportunities and I’m excited to apply those experiences here at Skyflow. For example, while at Google and Yahoo, I worked closely with engineers and product managers on ensuring that they were building privacy by design and anonymization into their products. Most recently, at Twilio, I built my team from just myself to an amazing global team supporting internal and external data privacy needs for Twilio and its users.
The View from the Data Privacy Vault
The Skyflow team and I share a common perspective: privacy is a must-have for organizations to build fast and scale up while maintaining compliance and avoiding fines. General-purpose databases weren't built with regulations like GDPR and CCPA in mind, and that’s why companies need tools like Skyflow’s Data Privacy Vault that make regulatory compliance easy so they can continue to rapidly innovate while protecting PII, PCI, and PHI.
By taking a proactive approach to data privacy where sensitive PII, PCI, and PHI data is stored in a Data Privacy Vault, you get to effectively isolate, protect and govern that data. This lets you get ahead of privacy regulations and deliver on the consumer demand for data privacy — the same demand that led to regulations like GDPR and CCPA. By addressing the underlying need, you can be confident that as new data privacy regulations are passed worldwide, you will be ready. To paraphrase Wayne Gretzky, you can prepare for where the regulations are going to be, not where they have been.
And, you can have the confidence that you are taking the right approach to data privacy: using APIs to proactively handle privacy early, executing the “shift left” that privacy professionals like me have been advocating for throughout our careers.
Earlier I said that someone needed to rewrite the data privacy playbook for companies. Skyflow has done just that by proactively applying privacy by design, data minimization, security, and data governance upfront, all via a comprehensive privacy API.
Skyflow’s API frees developers to innovate without worry — and without worrying their Chief Privacy Officers! So, as you re-architect or build new healthcare, retail, or fintech apps (or overhaul your current PII, PCI, and PHI data stores) you can now be proactive, instead of reactive.
Now that I’ve been here a few weeks, I can see what a collaborative, smart, and supportive team Skyflow has. Everyone is so helpful, humble, and willing to both learn and teach. And my 5-year-old son loves that I’m a “Skywalker” (Skyflow’s name for its employees)! Come join us — become a Skywalker!
If you’re attending the annual IAPP Global Privacy Summit in Washington DC, please feel free to reach out or stop by the Skyflow booth! I hope to see you there.