🔒 Caroline Goulding (TikTok) & Emily Hancock Fireside Chat

Hi, welcome to Cloudflare TV. I'm Emily Hancock. I'm the Data Protection Officer at Cloudflare, and I'm joined today by Caroline Goulding, who is the Data Protection Officer at TikTok.

Very happy to have you here, Caroline. Thank you, Emily.

I'm delighted to be here. Great. So I thought I'd just start out because you're DPO at TikTok.

Before that, you were the first DPO at LinkedIn. Can you tell me a little bit about how you got started in privacy?

Because I know with GDPR, there was a bunch of newly minted DPOs in 2018, but I know you've been in the privacy space for a long time.

So tell me a little bit about how you got started. Definitely.

Happy to do so. And everyone has their own unique journey into privacy. Mine goes back actually a little bit further than my professional career.

So actually one of my earliest privacy memories is I distinctly remember, I'm not sure if you went to see it back then, is Enemy of the State with Will Smith.

It was released in the 90s.

I was at the cinema with my friends, and I can remember how the movie depicted in such a clever way how an innocent bystander became embroiled in surveillance and really how much the privacy rights were violated.

It was very informative.

And much later, we had the Snowden revelations. And in recent years, the term nation state actor has actually gone quite mainstream.

So really, that probably was my first foray into privacy from a younger age.

But from a professional standpoint, we know today we're celebrating the 15th annual Data Protection Day.

And at times, you could be forgiven for thinking privacy really only hit the mainstream when GDPR came into effect in 2018.

In reality, under the 1995 directive, which the GDPR replaced, users could still request their access, and they still exercise their deletion rights.

At the time, I was the first person at the company I was working for processing those user requests.

Over time, they became a lot more complex.

And that one person role turned into a global team, which I had the privilege to lead for several years.

Oh, wow. Nice. That's a more interesting story for me.

I was a summer associate at a law firm in law school. And I had an assignment where I had to help write a privacy policy for AOL.

So that shows you how far back we're going when we talk about AOL.

But I was just struck by, oh, a policy about what happens to your data.

Because yes, these are private companies. And so there's no rules yet.

And COPPA, the Children's Online Privacy Protection Act in the United States, had just started.

I think it had just been passed not too long before that.

And so talking about children's privacy. So yeah, not nearly as interesting as Will Smith, but definitely got me hooked.

Well, so what are you doing at TikTok to celebrate Data Privacy Day?

Because Data Privacy Day was not, you said 15th annual.

I don't think I realized that it's been 15 years. Because it's not something I've been aware of, I think maybe in the United States as much until more recently.

So how are you guys celebrating over at TikTok? Thanks. Yeah, it's a great question.

It's also the first time companies are celebrating Data Privacy Day in the global pandemic, in the era of more remote working.

So I would imagine that it's different for every company this year, depending on the circumstances.

While most of the world is celebrating it today, TikTok has actually decided to dedicate a whole month to it.

So really in recognition that our employees are building the products and features that our users are using creatively and expressively.

And we need those employees to have privacy front and center when they're building those products and features.

They're really integral to the whole privacy journey.

For me, the leadership buy-in was really important.

And so from the beginning, I went to our CEO, Vanessa Pappas, and the Global General Counsel, Eric Anderson, both based in the U.S., to secure their support.

And once I had that support, I was able to leverage it and convince them further to take part in an exec privacy testimonial video, alongside some more execs.

And as you're aware, like both of us working in global companies, it can be tricky to manage the time zone.

So this video is a good way to get the message out from the top and cascade it around the world.

And then I think there's other ways we were able to weave it in as well.

For example, in-region privacy panels. And this time, what we're really focusing on is actually recruiting those people that don't necessarily work in privacy for their day-to-day journey, which helps reinforce the messaging.

Similar to the slogan behind me, privacy, it starts with us.

That's been our tagline for the privacy campaign. And just speaking of Zoom backgrounds, I think in years gone by, when we were in our offices, there would be laminated posters or flyers in the corporate kitchen.

They're not quite possible now.

We're all on video calls. So I noticed you as well have quite a lovely Zoom background.

So we're all having to make it work as best we can. One other area I would call out that we've launched and as quite a newer platform, it's been helpful for us is a new privacy ideas forum.

So this is just really encouraging employees.

And this will go on beyond Privacy Awareness Month. If there's issues or ideas you have, share them with us.

And they may make themselves onto our roadmap. I'd love to hear, Emily, how is Cloudflare celebrating?

Yeah. I was just going to say, those are great ideas.

Because one of the big challenges, as you know, is when you're on a privacy team, there's only a few of you, especially at growing companies.

And so you really have to rely on a lot of people throughout different teams in the company to bring issues to you, to give you ideas, to help you cascade thoughts out.

So that's awesome that you're reaching out that way. And I think I'm taking some of your ideas and implementing them at Cloudflare.

So today, we are celebrating with Cloudflare TV.

So we've had a number of segments that have already happened, because a lot of them were recorded during European time zone, but will be rebroadcast.

And I've got a blog post. I think everybody's got a blog post these days about Privacy Day.

But yeah, and then talking about it just generally at the company.

Thursday, conveniently, is our all-hands meeting day.

So talking about Privacy Day a little bit at the company today. And just trying to really cascade the message.

And fortunately, at Cloudflare, and I think this is true at TikTok too, privacy, I think people, when they come to work at Cloudflare, really are thinking about privacy already.

And they come to Cloudflare because they want to be at a company that really is protecting privacy and security of people's data.

So it's kind of nice, because the culture already really supports minimizing data collection and trying to not hold on to data too long.

And we don't want to track where people are going on the Internet. And as an infrastructure company, it's a little bit different than you guys, as a platform or an application layer.

So we have a little bit more, I think, both responsibility to try to minimize that kind of data collection, and then also to help our customers figure out how they can do that.

Obviously, I think when you've got a video platform and it's all about people putting themselves out there, I think the privacy conversation is completely different, which is great.

But it's good to hear that you guys are really cascading that out through all the employees, because I think that's so important.

Because we all know how one team who maybe doesn't think about privacy so much can go a little bit rogue and come up with some ideas.

And you're like, no, what were you thinking? Don't do that. Every privacy professional's worst nightmare.

So yeah, we're all trying to steer people on the privacy awareness path.

And you're right, I didn't mention our blog post, but we do have a blog post published today.

So it has become quite the norm, I think, for companies in our space to do so well, to recognize what the company's doing, and then to share that with the external users and customers.

Yeah.

And I was just thinking, I was looking at LinkedIn this morning, and everybody's got blog posts, webinars, videos, newsletters, a lot of things, really great content coming out today.

And I was just thinking, this is ridiculous that Privacy Day is just a day.

You said you're making it a month. I think there's a Security Awareness Month.

I think we should at least have a privacy week. There should be at least more than just one day, given that it's going to take me a long time to catch up on all the content that I've seen published today, because there's a lot of good stuff out there.

And in recognition of the fact that we are, as we've mentioned, in a pandemic, I think not alone in recognition of the amount of privacy goodness that's out there, but also, especially from an internal perspective, it gives us all the ability to increase participation, both from our legal departments, as well as all of the whole privacy infrastructure and employee base around the company.

Yeah. Yeah, that's true. So it's funny because the role of the DPO, I tend to, and I many people tend to think about the role of the DPO is all about rule following and how are you engaging with the supervisory authorities and working with them and holding the line internally on rules and regulations.

But a big part of the DPO role is privacy awareness. And so one of the things I was going to ask you is, the role of the DPO has changed a lot and it's kind of this new thing.

I know there were some countries where a DPO role was mandated prior to GDPR, but generally the DPO role is kind of a new thing since 2018 or since GDPR, then GDPR went into effect in 2018.

How do you think the role of the DPO has evolved?

And I guess maybe like, what do you, well, maybe first start with what is the role of the DPO look like at TikTok?

And then how do you think that that's kind of the role of the DPO has evolved from 2018 to now?

Yeah, it's true. Everyone remembers their first day at school or their first day at college.

I remember my first day as a DPO because it was that sense of slight butterflies and not really knowing what you'd signed up for.

And you kind of feel like you should get a badge, right?

Like you feel like you should have like a little badge that you're like, I'm the official person.

Exactly. And for anyone who transitioned to the DPO role at the same company that they were working at, it was also quite a strange phenomenon because on one day you are classified as a regular employee and suddenly the clock turns midnight and you're the DPO.

And as you mentioned, you know, a few jurisdictions had it in place such as, you know, Singapore and Germany, but broadly speaking for the world, it was the first time people were, you know, stepping up to the plate and doing this role.

I remember needing to do some myth busting at the beginning.

People were unsure. What could they tell me? What could they now share with me?

Was I the regulator in disguise? So a lot, like I think many people and many organizations went through a transitional phase where they really figured out like where the role of the DPO can add the most value.

And so in 20, like thinking back 2017, I was at LinkedIn, I was living in San Francisco and we were discussing me taking on the DPO role.

I was unaware TikTok was at that very moment in time in 2017 being founded.

And then I later again in 2018, I moved back, became the DPO in 2018 was when TikTok launched in Europe.

It actually launched in August 2018.

So even a few months after GDPR. So it's actually been fascinating seeing the evolution of the role in a company that was basically born for want of a better term, you know, post GDPR into as more of a second generation entertainment platform.

And so at TikTok, like one of the ways we've looked at the role is we have established, you know, a very strong European privacy legal team.

And then we've established a separate office of the data protection officer, which I lead.

And that's actually pivoting into, you know, some of the way I realized, you know, the role is evolving as an industry.

I think more and more we're seeing companies approach it as it was for some, you know, at the beginning, an individual role while they were figuring out, you know, how it would best work.

And it's really evolved into, you know, necessitating a whole team to actually be adequately resourced, you know, to do the, to perform the tasks outlined in the GDPR.

Secondly, you know, as I'm sure you're aware, the emulation of the GDPR, such as the LGBT in Brazil, and more and more countries thinking, actually, DPO, that's not a bad idea.

I want one of those for my region. So I think companies are also having to grapple with, you know, like, where do we place the DPO?

Is it now moving into more of, you know, a multi-jurisdictional role? And then I know that, you know, you play a dual role at Cloudflare.

I'd love to learn more about how Cloudflare, because there's, it's truly bespoke to the needs of every organization.

So it'll be really fascinating to learn how Cloudflare is approaching it.

Sure. Yeah. And it's, I think it's, it's, you know, maybe also a very different approach, depending on what, where your company is, and it's both a stage of development as a company, and then also where its roots are, whether it's, it's born in Europe or in Asia, or the United States.

And I think the companies born in the United States, with that startup mentality, a lot of folks that I know wear dual hats, like I do.

So my role is, I'm head of the legal team for product privacy and IP, and then also the DPO.

And so that means I'm also, I'm not only kind of doing the DPO functions, and focusing on the operational issues around process activity, protection impact assessments, and those kinds of things, but also really working with product teams and other folks in the company to do privacy by design, and really kind of embed privacy advice throughout different flows in the company.

And every once in a while, it feels like maybe those two roles are a little bit in conflict, but especially, I think, you know, as you know, like when you're in -house, there's also this pressure to, to say yes to everything, and to, you know, really move fast and, and get things done, and not stand in the way with, with like a stop sign to say, nope, can't do it this way.

So, you know, we focus a lot on, on working collaboratively, and, and kind of embedding with teams early on to make sure that, that we're not the people who say stop, that we don't have to be the people who say stop, because we're getting in there early.

But yeah, every once in a while, it's, you kind of have to put it at the, okay, I'm putting my office of the DPO hat on today, and drawing the line, or, you know, coming up with the official response of something, or, you know, thinking about how does this rule strictly apply to us.

So, it is kind of an interesting position, and, and I think as companies grow, and the point you make is very interesting, too, about, you know, I know that there's some companies that have regional DPOs, or, you know, they'll have, you know, if they're really big, they might have their French DPO, and their German DPO, and UK DPO.

I don't think we'll be there anytime soon, but figuring out how you do kind of spread that across, across the globe, as a global company is kind of tricky, and, and I think also, you know, we don't want to have a posture where people in Europe get more privacy than anybody else, or just because your country happens to have a law, you get more privacy for your data.

And, and I think, you know, a lot of companies are in that same boat, and then also, just practically speaking, it's very difficult to segment data in a way to, to treat data from Singapore differently than data from Canada, or from Brazil.

So, I think, you know, trying to take that global approach, and trying to harmonize how you're handling privacy for all of your data subjects, I think, you know, calls for both kind of specialized knowledge of certain regions, but then also having that harmonized across the board.

So, yeah, it's going to be very interesting to see how these DPO offices kind of grow, and, and how they work with their counterparts on, on whether it's like the legal side, or a chief privacy officer, and, and how, how that evolves.

But I think, like, when I started at Cloudflare, I think that, you know, Cloudflare needed somebody to do privacy, but the role was DPO, and, and it was largely because of GDPR, because, oh, we have to, we have to check that box.

But the title didn't exactly match all of the things, which is why I kind of have these, like, dual hats now.

So, you mentioned, you mentioned, you know, ticking that box, and, and actually, that kind of ties in nicely to the fact that of the, the evolution, because it started out as, if you failure to appoint a data protection officer, you could be liable for 2% of global annual turnover, you know, what company is going to take that risk?

But really, I think, like, when it comes, we're talking on about evolution, and in a few short years, how it's changed, you know, from 2017, to now 2021.

I think it ties in nicely to not just a data protection officer, but you know, the concept of privacy, data protection compliance in general, just how some organizations in the past viewed it as a burden.

Increasingly, we keep hearing of actually now privacy is a competitive advantage.

And so I think it'll be interesting to see now, you know, if we look back in another few years, you know, how much further that will have evolved.

We know that many companies now have data protection committees or boards, you know, solely dedicated so that the highest levels of management can stay informed, and can be involved in decision making when it comes to privacy.

So I think that's probably something that we take for granted now.

But that, you know, that was not the norm a few years ago.

No, that's so true. And I remember a couple years ago, I feel like all the all the articles, or if you went to like an IAPP seminar on, you know, privacy conference, I mean, back when you could go to real conferences in the world.

And so many sessions were about how to get executive buy in, how to, how to, you know, sell the privacy program to your executives into your team.

And the, I think, tenor has very much changed.

And so you still see that a little bit. There's still there's still some of that.

But I think you're right that so many companies realize that this is not just a check the box exercise and expectations of data subjects around the world are so much higher for how and people are just savvier.

People just, you know, I mean, like, people know what GDPR is, and not just privacy professionals.

And people know that that private and like in California, we have a privacy law.

And so people who have never thought about privacy laws as a thing are realizing that they have rights or they have protections.

And I think all of that just kind of ups the ante for for companies and realizing that they have more sophisticated customers, more sophisticated data subjects.

And, and then also, you know, they're, they're setting the bar higher for what they're demanding.

So well, so what, you know, thinking back in kind of this past year, what do you feel like has been some of the biggest things that you've learned or some of the maybe the biggest topics that you've come up with?

What do you think your privacy learnings from 2020 have been?

That's, that's a great question.

And I guess to begin with, it would be remiss of me not to state that, you know, we really had a year like no other.

So there's possibly been a few more learnings this year than any other years.

And, like, I would say that, you know, you're learning how to champion privacy in a company where despite my one year anniversary coming up this April, I have never met my colleagues.

And also in a company that, you know, is extremely fortunate to have undergone tremendous growth.

One example being in Ireland, where I'm based now, we grew from 20 employees this time last year to crossing the 1000 employee mark this year, which probably speaks volumes of why I went all in on Privacy Awareness Month for our employees.

But to go back to your question, I think both as an individual and as a DPO leading a team of specialists, really learning how to grow and adapt to the needs of the business, and ensure that privacy walked hand in hand, you know, with the business on that privacy journey.

Two very concrete examples jump out.

The first being COVID -19 and the data protection learnings that came with that, especially health data.

You know, we're not in organisations that ordinarily would ever think you would come across even the concept of working with health data and personal data.

So it was a great learning for me working with physical security, health and safety, employment legal, HR, on all the data protection issues that, you know, both remote working, and now as eventually we transition back to return to office environment, you know, what that will look like.

And secondly, very different was around the concept in GDPR of main establishment or elite supervisory authority.

I think like a big learning for me was, you know, it's very different maintaining the test of main establishment, and that relationship with elite supervisory authority at my previous company, to actually needing to put in place the correct, you know, procedures, structures, policies, and so on to actually meet the test.

So we were went on quite a journey last year.

And, you know, as an individual, it was personally very enriching, but as a company, we're really pleased to meet the incredible high standard that, you know, the Irish Data Protection Authority has, and that we get to work with them this year as our lead supervisory authority.

Nice. Yeah, I think for me, 2020, I mean, yeah, obviously COVID just really shook up everything.

And I think for us also 2020 was interesting year, because it was, you know, we had just gone public in the fall of 2019.

And, you know, so we were, we walked into 2020 as a company, kind of like, okay, you know, now, now we're out there, or this public company, and, you know, there's still some maturation work that we need to do.

And then COVID hit, and, and we had to figure out how to do a lot of that virtually, and not being in the office with our colleagues anymore.

And so, so yeah, that's, that's been a huge challenge.

But it's been, it's, it's amazing how well everybody's adapted, frankly, and how, and how well it's gone, given, given all the circumstances.

And then I think, for me, the other big thing for 2020, it was just, you know, shrimps, and the, the shrimps decision and dealing with, you know, the fallout of that.

And, you know, we're continuing to deal with the fallout of that and, and no more US privacy, you know, the US privacy shield going away.

And negotiations on a new one, not being in a great place, given the relationship between the previous US administration and the EU.

And so which kind of leads me to 2021, which I feel like, you know, for me looking into 2021, there's a lot of focus, I think, for Cloudflare on continuing to really mature our privacy posture internally, you know, for me, but then also to make sure that we are spreading out that awareness as you're talking about and modeling that both for employees, but also for our customers.

And then looking to see, you know, how, how things kind of look in this new environment with a new administration and, and cross-border data transfers and how that's going to go.

So for me, that's kind of a big, a big thing that I'm focused on for 2021.

What, what about you? Like, what are you thinking about for 2021?

I think you've hit on a big, on the big ones there.

You know, shrimps has definitely had, had, had everyone, you know, sit up and, and take notice.

I think, you know, other, other big ones, Brexit and the adequacy decision, you know, the ongoing implications we just spoke about of, of remote working.

I forgot Brexit. Sorry. That was a whole other, that's a whole other big deal.

It's just really the gift that keeps on giving. So on this side of the Atlantic, that definitely needs to be figured out.

Thinking, thinking a little bit further, I think you mentioned the new administration and for me, certainly more as a, as a witness and, and absorbing it.

It'll actually, it's just fascinating seeing the US privacy journey evolve and, you know, more and more calls advocating for federal privacy legislation.

So I'm certainly interested in whether the new administration, what impact they will have, you know, on that evolution.

From like bringing it back to basics, I think like we talk a lot about, you know, we can, about those big, big topics.

At the end of the day, GDPR is a principle based law and some of the core principles simply don't change.

You, and a bit earlier you mentioned around expectations from our users and customers and even our employees, it's just simply never been higher.

And so for me, I think that simply manifests itself, you know, continually in transparency.

I think back to the days when we used to go on business travel and I recall one such journey where, you know, I arrived in a hotel room somewhere in Silicon Valley.

Everyone knows what it feels like, probably like you're jet lagged.

You've just done a full day's work in the office.

You dump your bags, go for dinner and come back. And it was several hours later, I realized there was, you know, a voice activated device in the hotel room and there was simply no notice.

I had no idea it was there. Similarly on that same journey, sitting in a taxi and realizing I was being recorded in the taxi.

Again, no notice. So I think just from a personal perspective, like transparency manifests in our personal life and then we'll continue professionally to see more in-app notices, transparency reports and really a focus on privacy settings.

That's a great point and that's a great point to end on. Unfortunately, we only have a couple seconds left, so we'll leave it there.

Thank you so much for joining me today.

It was so great to talk to you and look forward to doing it again.

Likewise, thanks very much, Emmeline.