Episode 3: Briefing the Board | On Your Radar Podcast

We’re back with another episode of On Your Radar! In this week’s episode of our podcast, we sit down with Tami Dokken, lawyer and data privacy expert, to discuss privacy best practices for briefing the board. Tune in to find out what information leadership and the board really want from the privacy team and how to best prepare. 

Briefing the Board

Judy: Hello, and welcome to “On Your Radar.” I’m your host, Judy Titera. Whether you are a privacy, security, compliance, or risk professional, we can all relate to the challenges of trying to keep on top of the rapidly evolving operational, regulatory, and technology changes. We can easily become overwhelmed if we are not focused on the right things.

Judy: In this show, I have invited privacy professionals to understand what keeps them up at night, what excites them in the privacy sector, and what’s on their radar. Today, I’m speaking with Tami Dokken. Tami has an impressive career as a corporate lawyer with specific expertise in data privacy and data regulation.

Judy: She most recently completed an appointment at the World Bank, where she was the first chief data privacy officer and established the bank’s data privacy office. Prior to that, Tami was Chief Privacy Officer at MoneyGram International. She began her career in private practice, advising corporations of all sizes and industries.

Judy: Welcome, Tami. I am so thrilled to have you here today with us.

Tami: Thank you, Judy. Thank you. Always happy to talk privacy.

Judy: Yes, wonderful. So, the reason I invited Tami to join us today is Tami and I have a similar career path where we we’re working in corporate for many years, Chief Privacy Officers, and we have, and I’m going to use air quotes, “retired” from our corporate positions, but are continuing our careers on that next chapter and Tami are both exploring opportunities as Board of Directors and board advisors.

What Does the Board Want from the Chief Privacy Officer?

Judy: And one of the things I commonly get asked from many people is what does the board want from the chief privacy officer? What should the privacy team be preparing for the leadership and for the board? And Tami and I have had these discussions on a number of occasions. I thought would be a great opportunity for us to get together.

Judy: And to talk about this. So Tami, welcome. And congratulations on your career and everything that you’ve done. But I’d love to hear from you on your thoughts on, what should we be presenting to our board. What is the board expectation and Anything else you want to add on that topic?

Tami: Sure. Thank you again, Judy. It’s delightful to be here with you and happy to talk about this topic. Having advised boards of directors in the early stage of my career on, uh, compliance with regulation and general corporate, governance, I come to this topic with that perspective, but then also as a Chief Privacy Officer reporting into boards of directors.

Tami: So I think what’s really important from the board perspective is threefold. Number one, what are the regulations, what is required, and more importantly, though, what is expected out of that regulation? What is it really trying to get at, you know, what’s the heart of it? Not the strict line by line word by word, but really what is what are we trying to protect here and making sure that the board understands that what these regulations and expectations are is just making sure that we are using personal data appropriately and respectfully. So number one.

Tami: Number two, I think it’s really important to give metrics to the board. They’re kind of dry. They sometimes, you know, tell a pretty, you know, boring story, but boards like metrics and they like to be able to look at how you’re doing now and how you were doing and where you’re going.

Tami: So I think it’s always important to remember the audience and the audience of boards of directors really do appreciate and pay attention to metrics. Number three, I think it’s important for privacy officers to make sure that what you’re talking about is relatable and goes beyond the predisposed concept of, “Oh, data privacy. Sure. We have a cyber security team.”

Tami: That’s common. It’s understandable, but I think it really needs to go beyond that. And what I like to do is whenever I’m speaking or presenting to the public or presenting to a board is grab something from a recent headline or a recent scenario.

Tami: So, Open AI, and the issues around that right now would be, a good example, including the board situation with Open AI and Microsoft. Another example that I would choose right now would be, we read about certain drugstore chains revealing that they would openly share personal data, and prescription data with law enforcement just by law enforcement asking. That’s probably not a great practice.

Tami: And something like that would catch the attention and the ability of a board to understand that while yes, we want to cooperate with law enforcement, it’s probably a good idea to have some control over who, and when, and how you’re handing script information over to law enforcement.

Tami: So really just trying to put data privacy and data privacy regulation into, something that’s relatable and understandable and that the board, because they come with all different interests and backgrounds, the board members can go, “Oh, okay. I get that.” It’s not just about having secure systems that’s in place. It’s about making sure people understand when, how, and whether to share personal data. So I guess that would be my top three.

Judy: That’s outstanding. I think those are three outstanding and perfect examples. So, helping the board understand where the data is, how we’re using it, the appropriate use. The metrics and then also framing it like what’s going on in the world right now, right? Especially with AI. I think that’s fantastic.

Judy: Let me let me pull the string a little bit on metrics. So, I think that’s one of the questions, too. Are there certain categories of information that you think is important for a board and leadership to to be following for the proxy program?

Tami: Yeah, definitely. So, the easy one, and one depending on the organization that you’re working with, is how many data breaches or how many data incidents I should say, and how many of those incidents rise to the level of a data breach and what were the circumstances around those breaches? It should, in my opinion, though, go much beyond that.

Tami: And again, this helps educate the directors on how their organization is using data. So, for example, I would provide metrics around how many business activities are processing personal data. So at the bank, we had a full list and we would report on those. We would report when processes changed when processes were added.

Tami: And so that was a constant moving target. And it really, I think, helps The directors understand that you know, oh, we’re not just using personal data to process payroll or, you know, in obvious fashions, but, you know, we’re using it, you know, in Washington, D. C., the bank has bus drivers that take staff from building to building and even those bus drivers use personal data.

Tami: So really teasing that out and making sure that the directors understand that this goes beyond just the obvious. And then I think, sharing with the board, and this is probably the most important sharing with the board, the risk assessments that are being done, particularly those where a risk has been identified.

Tami: And if that risk was either mitigated, or the risk was accepted, and this starts to blend in with the risk committees and the risk profile of an organization. So is the board comfortable with the decisions that senior management is making with regard to risks related to personal data and how it’s being used?

Tami: And that could lead to a dialogue. It could lead to maybe a change in direction, or again, just a better understanding of how personal data is being used within the organization.

Judy: Yeah, that’s fantastic. Very, very helpful. So a lot of changes in the regulatory world right now, right? Especially U.S., international. We’ve been talking about that a lot as well. How are you seeing that in organizations and making sure that their organization within the privacy program, and then, again, communicating that up, on how things are changing, any thoughts on how a privacy team can help their board understand that regulatory environment as well?

Tami: Sure, such an important question, Judy, because it is changing every day. And if you look at the global landscape, regulation is either being put in place for the first time or updated or being enforced in different ways. So it’s a constantly moving field. That can sometimes be scary because, you know, what you say today might not be true in a year as regulation is enacted and enforced.

Tami: So I think it’s really important that you are able to adjust and flex a privacy program to meet the shifting regulation expectations of stakeholders and learning from others who have been called out. For example, the drugstore chain that I mentioned earlier, might trigger some A board to say, “Oh, you know, do we have a law enforcement policy in place that would help this?”

Tami: So, but I think the most important thing is to be able to look down the road or as Wayne Gretzky, the famous hockey player said, “Where’s the puck going?” And we want to make sure that we’re building a flexible program and responsibility so that we can demonstrate that we’re doing the right thing and staying current and active and, don’t have to redo everything as changes happen.

Judy: Wonderful. As a board member, how often would you like to see privacy from a privacy standpoint? We want to be there front and center every day. But from a board perspective, how often would you expect a privacy update at board meetings?

Tami: Sure, that’s a good question. So I was comfortable with a pace at the bank where we provided quarterly reports to the audit committee and a full report to the full board once a year. And this is a standalone report where we, you know, as we were building, we were able to demonstrate. I think that’s a good cadence.

Tami: It keeps, I agree. We should be at front and center of every board meeting. But for some reason, they don’t see it like that. But, to have some, you know, some, interaction just through a written report, you know, given to a committee and making sure that at least the concept of data privacy stays in their minds.

Tami: And then I think, a board report and a presentation at least once a year again to help directors understand what we mean by privacy and where the risks are for the organization.

Judy: Yeah, that sounds perfect. Great. So let me ask you, I, you know, being both of us have been in privacy for a while and I look at, you know, back when we were starting out there, there wasn’t, privacy wasn’t a subject in school. There weren’t degrees. They’re starting. We’re starting to see some of that now.

Judy: So when you were in school, you know, and you’re starting your career, where did you, where did you think you were going to go? What did you think your career was going to look like? And when did it pivot to privacy? And how did that happen?

Tami: Sure. Great question, and there was no such thing as data privacy when I was in law school. You’re absolutely right, Judy. So I thought I would be a corporate lawyer practicing, you know, general transactional corporate law. My bread and butter was mergers and acquisitions and corporate structures. My pivot came about 15 years into my practice where one of my clients had an issue pop up in Poland.

Tami: This is a global hospitality company. And the issue came up after literally two years of a franchisee negotiating with the Polish data protection regulator on a very serious data privacy issue. It finally bumped up to the franchisor, my client, and nobody knew what to do. Nobody had any idea. Again, we were U.S.-based. This is Europe-based, which is, you know, certainly far more advanced, at least back then on data privacy. So I raised my hand and I said, yeah, I’ll look at it. Let me see what I can do. And so I dove in and in 2 weeks, I learned everything I could about Polish data protection regulation.

Tami: This is pre-GDPR. So it was their own stand-alone law. Learned everything I could, presented it to the regulator, got a very favorable dismissal from the regulator and I was hooked. And I thought, “Oh my gosh, this is what I should be doing. So, I went in that direction. I got certified through the IAPP, and here we are. And it’s a, it’s a wonderful area to practice, as you well know, Judy.

Judy: Yes. Wonderful. That’s a great story. So let me ask you, what’s on your radar for the future? What do you see? Where do you think privacy is going? Any insights or thoughts on that?

Tami: Sure, you know, that’s actually a really easy question these days with AI in the forefront. I think that we privacy professionals have a wonderful opportunity to add that to our portfolio of expertise. We are the ones who can best help govern how data, how artificial intelligence, and machine learning models are being used and developed, and deployed. So not the science piece. I’m not a computer scientist or data scientist, but from the governance perspective, I think that is where we really can add value and we can keep growing as professionals and keep continuing to provide value to our organizations.

Judy: Wonderful. Well, Tami, we’re going to wrap up here. This is so much good information in this short, short session. Yes. I mean, great information on what are the boards looking for. What’s the timing? What are the metrics? Really helpful information. So we really appreciate your time today.

Judy: So, in closing, I just want to thank everyone for listening again to our “On Your Radar” podcast today. This is made possible by privacy and compliance innovators at RadarFirst. RadarFirst governance, risk, and compliance software solutions are trusted by organizations to reduce risk and simplify obligation decisioning with privacy, cybersecurity, and compliance laws.

Judy: Learn more at RadarFirst.com. Contact information and resources will be available in the show notes after this. And if you like what you heard today, please continue to follow our show. Tami, again, thank you so much for being with us today. It’s always a pleasure to talk to you and thank you for your time today.

Tami: Excellent. Thank you, Judy.