Nandita Rao Narla is a senior industry leader with deep experience leveraging data governance to reduce risk and enhance privacy and cybersecurity programs across the technology, healthcare, banking, energy and telecommunications sectors. As the head of technical privacy at DoorDash, she focuses on embedding privacy in products and enterprise-wide cross-functional initiatives. Nandita recently visited with the @ISACA newsletter to provide her perspective on some of the most timely trends and challenges on the privacy landscape. The following is a transcript of the interview, edited for length and clarity.
What do you consider to be the single biggest challenge facing privacy professionals today?
As companies embrace data-driven growth models and AI, new opportunities for leveraging personal data may be at odds with the evolving privacy regulations and data protection concerns. Privacy professionals can be seen as “blockers” for innovation and new monetizing ideas. One of the biggest challenges I see is that privacy professionals must balance the business need for data with the need for privacy. No one-size-fits-all solutions exist, and trade-off decision-making is complex.
Building excessive privacy controls may render the data useless, stifling innovation. With AI-related use cases, there is the additional tension between privacy and fairness, where enforcing strict data minimization could introduce bias in the outcomes. Privacy professionals need to perform a careful analysis of several factors such as regulatory requirements, privacy concerns, business use cases for data, data quality expectations, anticipated privacy threats, availability of privacy-enhancing technologies (PETs) or privacy-preserving techniques, cost, risk thresholds, technical maturity, etc., to align on the optimal path forward.
In practice, even the most promising software solutions that enhance privacy while allowing data utility to acceptable degrees require significant computational power and technical expertise. Unfortunately, there are no silver bullets, and privacy professionals are challenged to build fit-for-purpose solutions that balance utility and privacy efficiently.
What is an often overlooked aspect of privacy that people should be paying more attention to?
Privacy threat modeling is an essential but often overlooked aspect of privacy programs, which are primarily compliance-driven. Privacy threat modeling involves using systematic approaches to identify and address privacy concerns proactively. It is typically performed in the design phase of software development before any code is written so that threats identified can be prioritized and fixed early.
Despite privacy threat modeling frameworks being available for more than a decade, it is not widely adopted in the industry due to several factors such as talent shortage of threat modeling skillset, lack of executive support, limited success with agile development environments, lack of tooling and automation to reduce costs, etc.
Privacy professionals who embed continuous privacy threat modeling within their programs benefit from reducing the cost associated with privacy retrofitting. Identifying threats and design flaws early in the development process helps reduce the amount of re-designing and privacy bug fixing. It also helps clarify the requirements for privacy and allows organizations to move toward building standard privacy features and patterns. Because privacy threat modeling is typically a team exercise with diverse stakeholders involved, it also serves as an excellent tool for building privacy awareness and driving a privacy-forward culture in the organization.
What type of skills do you consider to be most important for aspiring privacy professionals?
The roles within privacy teams are very diverse, with different skill requirements for each. Without focusing on role-specific skill requirements, some baseline skills that I would consider essential for aspiring privacy professionals are:
Cross-functional collaboration and communication: Privacy is an interdisciplinary field that requires working with stakeholders from almost every other function in the organization. To make sure privacy is steeped into company culture and viewed as a shared responsibility, privacy professionals must be able to translate complex privacy requirements into actionable steps and drive privacy initiatives for various teams such as IT, engineering, data, marketing, cybersecurity, etc.
Knowledge of privacy laws and regulations: Privacy programs in most small and medium businesses are compliance-driven. Therefore, familiarity with applicable regulatory frameworks is vital. The regulatory landscape is also quickly evolving both in the US and internationally, with new sector-specific and comprehensive state privacy laws coming into effect this year. Privacy professionals must be familiar with these developments to ensure compliance with the unfolding patchwork of regulations.
Privacy by design skills: To build a proactive privacy program, professionals must have knowledge of privacy by design principles and the ability to apply those principles to the design and development of products and services. Embedding privacy early in the development lifecycle avoids costly privacy retrofitting and helps build a more robust privacy program, especially where regulation is yet to catch up on technical innovation.
Data governance: Understanding where personal data is collected, where it is located, how it flows within and outside the organization, how it is protected, and how it is used is at the core of a robust privacy program. Ensuring privacy throughout the data lifecycle and building processes to enable data rights requires knowledge of data management best practices and tooling.
Privacy teams are traditionally modest-sized, so multiskilled privacy professionals who can fill several gaps in the team are highly desirable for hiring managers. For experienced professionals who want to pivot to privacy roles or early-career candidates who do not have significant work experience in privacy-related fields, certifications and courses are a good way to gain sought-after privacy skills and demonstrate a strong interest in privacy.
You wrote recently about the evolution of facial recognition technology – in what context/use cases does the use of this technology concern you the most?
Facial recognition technology has many applications and has been in use for fraud detection, finding missing children, preventing stalking, airport security, etc. What concerns me the most is its unchecked use by governments and corporations without adequate transparency and oversight. Ubiquitous facial recognition leads to biometric surveillance negatively impacting individual privacy rights and civil liberties. Additionally, it isn't as effective in correctly identifying people of color, women, children, and older adults as it is with white males. Until the algorithms and training data sets are improved, facial recognition will continue to impact vulnerable populations disproportionally.
Without independent audits and public transparency reporting, questions about consent, adequate notice, ease of opt-outs, potential secondary uses by third parties, and appropriate security of the large volumes of collected biometric data remain. Recent data breaches resulting in the disclosure of photos and other biometric data have also led to the loss of trust in organizations employing these technologies.
A lot of the focus in the privacy space is around regulatory compliance. What do you consider to be the biggest benefits for companies that have strong privacy functions, beyond avoiding penalties?
Beyond a regulatory compliance checkbox, good privacy is a good business strategy and ultimately helps the organization. There are several benefits of holistic privacy programs:
Privacy as a trust enabler: Consumers’ expectations of privacy are rising, and they want companies to be good stewards of their personal information. Recent surveys have shown that poor privacy experiences lead to a loss of trust, causing consumers to discontinue using the company’s products/services and ultimately leading to revenue losses. An example is the mass exodus of millions of users from WhatsApp to Signal following a global backlash over WhatsApp’s privacy practices allowing data-sharing with parent company Facebook.
Privacy as a competitive advantage: Having good privacy practices in place helps organizations use it as a competitive differentiator for investors and customers. For example, Apple took a strong stance on privacy and launched successful ad campaigns focusing on iPhone’s privacy protection features as a differentiator in the smartphone market.
Privacy for breach prevention: The cost of data breaches has been steadily rising over the past decade, and investing in privacy controls such as PETs, privacy awareness, data minimization practices, etc., lowers the risk of large-scale data breaches, which have long-term negative consequences for affected companies.
Adopting a privacy-first culture also supports innovation and reduces operational inefficiencies by having better control over personal information in the organization. While non-compliance-related fines have incentivized building privacy programs, companies are gradually realizing the additional benefits, and we are shifting from compliance to trust-based approaches to privacy in the industry.