Workday Podcast: The Future of Enterprise Privacy

Jules Polonetsky, CEO of the Future of Privacy Forum, and Barbara Cosgrove, Workday’s chief privacy officer, talk about why it’s important to take a global view of privacy, what a chief privacy officer does, and how privacy leaders create value by working together.

This podcast was recorded before the global pandemic. While the world looks a lot different today, we believe this content remains valuable for helping organizations move forward and emerge stronger.

Jules Polonetsky, CEO of the Future of Privacy Forum, and Barbara Cosgrove, chief privacy officer at Workday, talk to me about why one needs to take a global view of privacy, what a chief privacy officer does, and why it’s important for privacy leaders to work together. 

If you’re more of a reader, below you’ll find the transcript of our conversation, edited for clarity. You can find our other Workday Podcast segments here.

Josh Krist: Privacy. Most of the talk around privacy these days is in the context of consumer products and services, but in the enterprise context, data-fueled AI and advanced analytics are quietly, but surely, improving business processes, increasing productivity, and surfacing patterns that help business leaders make better decisions, all while incorporating strong privacy protections. On this episode of the Workday Podcast, we're going to talk about why it's possible for technology and privacy to co-exist. With me today are Jules Polonetsky, CEO of the Future of Privacy Forum (FPF), and Barbara Cosgrove, chief privacy officer at Workday. I'm Josh Krist. Thank you both for joining me today.

Jules Polonetsky: Good to be here.

Barbara Cosgrove: Thanks for having us.

Krist: Jules, can you tell me about what you do and probably more importantly, why you do it?

Polonetsky: I've been a chief privacy officer for a number of years and I thought there was a gap when my colleagues and I—who were increasingly helping shape the data decisions made by companies around the world—didn't really have a place to get together and think about some of the hard questions, some of the new issues created by new technologies, where simply following the law wasn't enough because you could see that there were going to be challenging issues, and there wasn't enough engagement with civil society. It was more often adversarial—situations where one party might think, “Oh, those are the folks who are going to sue me or criticize me,” and many companies didn't engage. But the reality is, the responsible players in civil society are certainly going to disagree when they disagree, but there's a lot of room actually to hear opinions, to discuss, to debate, and to have each side walk away feeling a bit more informed. The academic community’s doing so much interesting privacy work but they're often doing it in their silo. There's not as much engagement where the best ideas can get into practice.

So at The Future of Privacy Forum, we bring together 160 or so privacy leaders at companies to learn from each other, interact with each other, and create best practices, self-regulation, codes of conduct, and model legislation. But frankly, to also serve the academic and civil society communities—bring them together, show the new product early to a group that might be critical so that a company can go back and make it work better. Privacy is too big for any individual sector to think that it has the last word, so we try to be the centrist voice working with folks like Barbara—leaders in the industry—to make progress on these challenging issues.

Krist: Okay. And I know that you and Barbara just did a business leadership forum together. What was your takeaway? To the people in the audience, did you have a next step? Like, "Hey, if you're not involved, you should be," or what was the takeaway there?

Cosgrove: From the Workday perspective, we were really looking at how business leaders can continue to implement new technologies—especially around machine learning, artificial intelligence—in a time when regulations are quickly changing. We want to make sure people are thinking through the right issues and look at how you can still implement these technologies while complying with the regulations. Especially in terms of being transparent on how the technology is used, in terms of following privacy by design and making sure the right people throughout the entire organization are involved.

Polonetsky: In many ways, I think Workday has an interesting opportunity and an interesting challenge. In some sense, when you talk about privacy, you're talking about the confidentiality of your customers' data—and they may think about it in terms of privacy, but it's really more that this is your information about your employees and we may be hosting it, we may be providing tools for you to use, but it's yours and the boundaries of how it's used are yours. So you might call that private, but it's perhaps business confidentiality. And then you have the actual individual users: the employees who have to be treated properly by your clients, but as a custodian, as the builder of a lot of those tools, you're enabling that privacy of those individuals. There are different concepts, but ideally they fit together.

Cosgrove: You're exactly right. To us, we're responsible for safeguarding the data that our customers trust us with, but it is really from a confidentiality and security perspective. We're only doing with the data what they tell us that we can do and for which we have the appropriate protections in place for it.

But at the same time, we want to be able to deliver applications that have privacy protections built in so they can feel confident using it with their workforce and with their end users, that they have the ability to configure the product so they can meet their privacy obligations to their end users. And then we also have to talk about privacy in terms of being able to process the data from a global perspective, and having the appropriate data transfer mechanisms in place. So from that level, we do have to talk about things like our Privacy Shield certification, our commitment to maintain our Binding Corporate Rules, and have data transfer mechanisms that allow our customers to have their data with us.

Polonetsky: And the global perspective here is really critical. Barbara talked about global data flows, but I'd also chime in with the reality that in Europe and in many other places in the world, the employee relationship when it comes to data is very different than the consumer relationship, right? We ask people to opt into things and if they give us permission and they know what they're agreeing to, we typically feel it's a reasonable exchange. Employees are situated very differently. They may not have a true choice, just because you ask them. Well, if I say no, I may lose my job, so do I really have a choice? So for companies that do business globally, understanding concepts like proportionality, understanding what's actually necessary to serve the purpose that the company needs as opposed to collecting too much data or using it in a way that is intrusive—it's a more challenging issue in some ways than some of the consumer privacy questions because you really have to be a custodian of the autonomy and the human rights of those individuals.

Krist: Yeah, it almost seems like the consumer privacy issues are a little bit easier to explain because we all opt into email or not. Is that right?

Polonetsky: People have at least a reasonable number of choices, typically when it comes to a lot of products. If I don't like one company's privacy policy, I can choose another. I don't want to take the consumer folks off the hook. We understand that most people just go ahead and use the email service they heard of and maybe they don't switch and the like, and so companies obviously need to be fair and have those reasonable boundaries. But I think we all recognize that you have an audience that can't decide to not use a certain technology at the workplace or not have their computer monitored or not comply with the need to be in the employee directory or the like. And since those are essential purposes, you certainly can do them, but you need to have that framing that you are only doing what is reasonable, necessary, and proportionate given the kinds of legitimate needs you have.

Krist: So then how do you two work together? How do you work with any chief privacy officer?

Polonetsky: Well, one of the key things for us is helping them learn from each other, convening and giving that opportunity. One area in particular that is of high interest to us and to Workday and to many other companies is: “How can I use machine learning in a responsible way?” So we've been pulling together the companies that are thinking hard about how we optimize our products, how to provide tools to our customers. But, how do we make sure that we're considering issues like fairness and bias and the need to explain the results of what you're doing? It's a new area and in every sector, the nuances are different, and Workday is one of the leaders in thinking this through when it comes to employee data, HR data, the kind of data that is in their tools.

Krist: Right. And then GDPR has really put privacy legislation in the news and hundreds of emails in your inboxes talking about GDPR, but you mentioned Privacy Shield earlier. What sort of regulations or frameworks aren't we talking about, especially in an enterprise context, that we should?

Cosgrove: So over the past year, there has been a lot of focus on GDPR as companies worked towards the compliance back in May. But in the meantime there's been new regulations taking effect all throughout Asia Pacific. There's new rules in California. There's proposed U.S. Federal legislation. So it's really important to make sure that you're building a privacy program that's principle-based and that's going to be able to align with all of these new and emerging regulations.

For example, Workday recently certified to the Asia Pacific, to the APEC Privacy Recognition for Processors framework, which allows data transfers for data processors. But it was an effort where we were able to build upon our existing program to quickly move to that certification by building from the start, understanding where data is. By having good policies and processes, you’re preparing for all of these new legislation and new rules.

Krist: Right. And there's not only new legislation and new rules, but new ways to use technology. I know that we published a blog reaffirming our data privacy principles. Why is now a good time to reaffirm those principles?

Cosgrove: Privacy is in the spotlight. Every day there's new headlines, whether it's on potential misuse of data from a privacy perspective or whether it's tied to the new regulations. And as we're talking about new technologies, Workday is a proponent of AI and of advanced analytics, but we wanted to make it very clear and reaffirm our commitment to handling personal data the right way and commit to having these three principles in place in terms of privacy first, innovate responsibly, and to safeguard fairness and trust so that our customers understand that we will be continuing to safeguard their data as we develop these new technologies.

Polonetsky: I think there's room for optimism here. Sometimes when you talk about privacy, you enumerate all the scandals that are in the news, day after day. The reality is that exciting things are happening. Healthcare is improving. Cars are getting safer. Every aspect of consumer convenience [is getting better]. People with disabilities have tools that are widely and broadly accessible. I'm an incredible optimist but I don't think we're going to see the benefits that are feasible if we don't have that degree of trust. I want to see advances in some of the diseases that we all worry about and I understand that the answers may be locked in lots and lots of medical records that may need to be studied together. But who wants medical records willy-nilly, accessed, floating, being used in ways that could be harmful to an individual or even to a class of people?

I've got multiple smart devices in my home. A smart TV, a Google Home, an Alexa. I'm excited about it, but I recognize that if I'm going to have microphones in my home, I want to know that the data is going to be used in a way that advances my well-being and isn't solely there to be commercialized or to shape me, to sell to me, to try to affect my life.

And so, I think people like Barbara, the chief privacy officers of the world, lead an incredible charge. They're there to help enable the responsible use of data by the companies in the organizations they work in, right? They're not there to say, "Don't do things." They're there to say, "If our mission is a legitimate one—helping companies better manage employee data, helping provide services—what are the safeguards, the tools, the processes, the things that can support the trust needed so we have the license to do for you what you would like us to do?"

Cosgrove: And that's exactly why Workday is a member of FPF: It's a great opportunity for me as a chief privacy officer to interact with my peers as well as researchers and really look at how you can implement or create best practices or codes in terms of these new emerging technologies. FPF really looks at how you can build these best practices as these new technology challenges are coming in and think about privacy from the start and think about building it the right way.

Polonetsky: These are hard issues and at a lot of places, there isn't yet a right answer, right? How should we study corporate data to bring insights that can be helpful to the world? When do we allow self-driving cars—which may be already safer than the people texting and driving, and drinking and driving, and being distracted and driving—but they're not perfect. 

So what are the ethical decisions that we need to be making? Recognizing that we shouldn't rush just because it's new and it's technology, but where are there hard questions. Consumer genetics is a good example. We just worked with a lot of the direct-to-consumer genetics companies to set practices for what they can do and what they should do with their data. You can see the advances that are going to be possible. The laws protect some genetic data, but not all uses of genetic data. But [we have to consider] when and where and what does this knowledge mean to people and how can we shape them?

So the challenges for chief privacy officers: They're philosophers, they're legal, they're ethicists, they're compliance people. You really need to be, Barbara, you and your team, sort of renaissance people. It's an area where I think you're increasingly seeing some of the best and brightest seeing this as not a compliance job, but as a way to empower exciting responsible uses of data.

Krist: Okay that's all the time we have for today. Thank you, Jules. Thank you, Barbara. And thank you, listeners, for joining us on the Workday podcast. This is Josh Krist, signing off.
