Data is now everyone’s business. It’s become intrinsic to almost every department of every organisation. But as the amount of data collected and processed has skyrocketed, so too have privacy concerns and data breaches.
In this edition of Ringside, we’re talking to Paola Zeni, RingCentral’s Chief Privacy Officer, to get an expert view on these challenges, and to find out what organisations can do to protect themselves.
What led you into the field of data privacy?
I started as an attorney in Europe. I used to work for Hewlett-Packard, and then for Agilent Technologies. In my role, I dealt with all kinds of legal issues, from HR to corporate governance, to commercial contracts.
When privacy started becoming important in Europe in the ’90s (because of the Data Protection Directive, which was being implemented in a number of member states, including Italy), I needed to understand what the law was. I realised immediately that it was both legally interesting and complex, and it got me to work with everybody across the organisation. I really enjoyed that. I’m an extrovert, and I like the relationship part of work. I am also curious, and I liked the cross-functional aspect of privacy, which led me to work with a lot of different teams across the company.
While I was becoming more knowledgeable about privacy, the topic grew in relevance and impact. It became critical because every business process became data-intensive, and the technology for data processing continued to develop.
Companies started having more and more complex situations regarding data, and the laws kept coming. In the early ’00s, when I started working in the United States, I had my first full-time privacy job, and I’ve been doing privacy ever since.
What are the biggest challenges for CPOs today?
The biggest challenges come from the fact that most businesses operate on a global scale – which means that data flows across borders and is managed globally – while laws and regulations are local.
Another challenge is (as I mentioned) that laws continue to develop. For instance, in 2023 alone, we have multiple US state privacy laws coming into force. Now we have a law in California, a different one in Virginia, and others in Colorado and Connecticut. More state laws are coming, which will bring additional complexity. In Europe, the legal situation is more homogeneous because of the European Union and GDPR. However, member states still have their own laws and regulations that overlap and may have different approaches to enforcing privacy law.
Our capacity and ability to ingest data and process large amounts of data (as companies) is growing every day.
The evolution is quick, while the laws that have been approved years back take a long time to change, and sometimes regulators struggle to understand technology.
What advice would you give to CPOs and CISOs to handle these challenges?
A CPO’s first objective is always to ensure that customers trust us with their data. Customers are our first constituents. What I’ve found very valuable in my career is to always think about making your privacy and security best practices visible to customers and the marketplace. So I would say, when you develop a privacy programme internally (developing and operationalising privacy compliance and best practices), combine this with the outward-facing approach. The outward method involves generating collateral and thinking about what could be useful for customers and partners.
For instance, at RingCentral, we have a Trust Centre, which I established when I joined. We continue to add material to that – not only information about legal requirements but also information about how we process data. We use information and transparency to generate trust.
The other critical component of the CPO role is internally being an influencer. Because, for a number of people, privacy is just one more problem, one more thing to do, it is important to connect privacy with the value for the business. For example, explain and show that if we do privacy well, it will be easier for us to negotiate contracts and establish partnerships. This is about showing the business benefit and the ROI.
Finally, hire the right people and nurture them! There’s so much hunger for expertise in this area, and it’s a really good career opportunity for people.
What risks does a hybrid work environment create?
I think there are a number of risks. One is the hybrid use of devices: you have a phone, which someone will use for work and personal use. Then you have a laptop, which will also be for mixed use. Also, you don’t know how secure the home environment is – from internal intrusion and external intrusion.
Another privacy concern is companies that are becoming more invasive in monitoring their employees. There’s been a lot of discussion and concern about this because of the potential for invasion of privacy by employers.
What can businesses do to stay protected over the next few years?
Some key privacy principles continue to be valuable. One is applying data minimisation to reduce risk. This involves minimising the amount of data we are processing by also limiting access and retention of the data. One thing that happens too often is that because collecting data, storing it and allowing access is so easy now, we collect too much. It is just easier to allow broad access, even when it is not necessary. This requires working with engineers, product managers, and IT to implement privacy best practices by design and not as an afterthought.
Another key area, in partnership with the CISO, is to map and classify data and then potentially apply data vaulting or data tokenisation to protect the ‘crown jewels’ and the highly sensitive personal data.
These best practices will be very good for several years, regardless of how technology evolves.
Trust in RingCentral
Paola’s team is currently focused on extending even more privacy and security controls for our customers. To find out more about what we’re doing around data privacy, check out our Trust Centre.
Originally published Jan 25, 2023