How to Build a Global Privacy Program That Enables Growth

Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st Century.

Jodi Daniels  0:21  

Hi. Jodi Daniels, here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:35  

Hi, I am Justin Daniels, I’m a shareholder and corporate M&A and tech transaction lawyer at the law firm, Baker Donelson, advising companies in the deployment and scaling of technology, since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels  0:58  

And this episode is brought to you by Red Clover Advisors, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology e commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers to learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com, well, hello, happy Tuesday, what’s up? I don’t know. What’s up.

Justin Daniels  1:21  

I don’t know, you’ve been on the phone all morning.

Jodi Daniels  1:26  

I have, I have literally nine to five full of meetings the entire day.

Justin Daniels  1:47  

I think you should have a phone just attached here.

Jodi Daniels  1:52  

All right, but let’s chat.

Jodi Daniels  1:53  

What are we chatting about today?

Jodi Daniels  1:54  

Who do we have?

Justin Daniels  1:54  

Someone that you’ve known for a while?

Jodi Daniels  1:57  

I do, I know this person.

Justin Daniels  1:59  

Who I’ve recently got to know, so that’s because I’m cool, or at least you’re cooler than me.

Jodi Daniels  2:05  

You said it — not me.

Justin Daniels  2:09  

Okay, well, so let’s get to our interesting show today with our really cool guest. So today we have Heather Kuhn, who is the Privacy and Technology counselor at Genuine Parts Company. Heather is also a Privacy and Technology attorney with nearly two decades of professional cross industry experience. She teaches at Georgia State College of Law, serves on the Georgia AI committee and formerly chaired its Privacy and Technology section, leading conversations at the intersection of law AI and innovation.

Jodi Daniels  2:44  

Hello, Heather, hello.

Heather Kuhn  2:46  

Thank you for having me.

Jodi Daniels  2:47  

Well, welcome to the fun, or the party or the podcast, whatever you’d like to call it. And we always like to ask people how they got to where they are today. So if you can share a little bit about your career evolution.

Heather Kuhn  3:01  

So my path has been a little bit of a winding journey to get here. Law is actually probably my third career, I think that I’m on. So I had started out in kind of a variety of pathways where I was a high school teacher for a number of years, and then went into business operations, and finally, kind of landed on law school. And so I realized kind of all of these pathways that I had before really helped me kind of lock in on these skills and really channel that inner educator that I had in myself. And so I found a way into law school, found someone to pay for it and move forward. And so when I was here, I started off kind of embedded in an information security team, so I had kind of a non-traditional start to my career, rather than at a law firm. And then from there, I moved over to do the more traditional big law, and ultimately found my way to Genuine Parts Company. And so in my role now, I lead our privacy and cybersecurity functions across the globe. So Genuine Parts is a fortune 200 company. We have 60,000 employees. We’re in 17 countries. So it’s quite a mandate from everything that’s included in my role. I always joke that I am everything from cell phones to generative AI is kind of under my purview right now. So it’s been quite the journey here.

Jodi Daniels  4:26  

I can imagine, in some ways, someone saying, Well, you know, managing a privacy program might be kind of similar to trying to teach a bunch of high school students, because you have a bunch of people who want to do what they want to do, and don’t always want to do what the teacher, or, you know, the director of the program is trying to tell them to do.

Heather Kuhn  4:45  

I taught high school math, so teaching dealing with high schoolers, teaching them calculus all the way, and dealing with administrators, I find it’s quite consistent with my role.

Jodi Daniels  4:55  

Now, yes, I can see that I loved math, but I have a kiddo who. Yeah, math is not their favorite subject.

Justin Daniels  5:04  

So Heather, you know, as you talked about, you know, Genuine Parts operates across a massive supply chain and customer network, and so share with us a little bit about how you approach embedding privacy and security practices into such a complex, distributed business.

Heather Kuhn  5:21  

So for me, it’s really all about partnership, so understanding what the business needs, how to build that trust. You know, like many teams, we have a very small but mighty privacy team, and so we really try to seek out privacy champions across our business, working to kind of set the global standard and then act as a resource where we’re able to kind of leave some of those operational functions to the teams. We embed privacy, by design in the start of our projects as much as often, as much as possible. And so I really kind of harp on that message of early and often is the best way to involve us. So however you want to reach me, whether that’s email or teams or carrier pigeon, I just want you to reach out and find me. I promise I will. I will help you. Really want to make sure that, you know, privacy feels real. It’s not just a legal requirement, but it’s something that kind of speaks to the core of our company values.

Jodi Daniels  6:13  

I like the carrier pigeon.

Heather Kuhn  6:17  

I gotta get my constituents.

Jodi Daniels  6:21  

So we kind of talked a little bit and joked about the tension right between privacy programs and all this data. But let’s talk more about it, because as customer and employee, data is flowing between systems and partners, and right it’s a massive, complex web that you have. How are you managing a business team who wants as likely as much data as possible, and but you also have these privacy and security measures that you’re trying to employ to manage and protect that data.

Heather Kuhn  6:55  

So I try the best I can to not get out the stereotype of being the Department of No. I tell my businesses, I want to find a way to get you to a yes, and I want to find a way where we say yes, and here’s how we do it safely. And this kind of goes back to that early and often comment of, if I’m going to do that, I need to get involved early that can really make a difference in how I can be helpful. At the end of the day, I need to find a way to sell auto parts. That’s what our company does. That’s how I get paid. That’s how we all keep our jobs. And so building ways that we can use privacy as a business advantage to sell auto parts is, I think, how I get my best buy in from my business partners. Because, you know, let’s be real. That’s what they’re facing all the time. If I can kind of commiserate on that pressure that they have to get down their jobs, I become a partner in this and not an obstacle that they’re trying to avoid. So things like data mapping, impact assessments really allow us to right size our privacy programs and privacy requirements, and then, you know, building that kind of transparency around it so people understand the why behind it, and rather just, rather than just, you know, Legal Department said it, I have to do it, and it doesn’t help me in any way.

Jodi Daniels  8:09  

I wanted to go deeper on what you just said with the partnership. And you had said, if you’re able to help them understand the enablement, and you’re all here to sell auto parts, and then they see you as that partner. Can you share maybe some of the ways you’ve found to build successful relationships? Because I think a lot of people struggle with, how do I get the business person to call me, or how do I get the business person to listen to me?

Heather Kuhn  8:37  

So I am everywhere. I feel like I’m constantly on a road show of kind of being that privacy person that everyone knows, and that has been kind of my biggest thing is really just the showing up piece. I’m showing up at team meetings. I’m accessible carrier pigeon here. You know, anything that I can do to be as accessible as possible, I think has made that relationship piece a lot easier, because it’s not kind of this daunting task of, oh, I have to involve legal. It’s, oh, this is Heather. I know her, you know, we’ve had a conversation. We grab coffee together, and we, you know, I can go to her with an informal question and not feel like, you know, I’m kind of on, on the hot seat from it. And so I think as much as possible, showing up and showing up in a wide variety of places in the company is a really — a big building block to being successful in that relationship building.

Jodi Daniels  9:30  

I did the same when I was building a program years ago. I did a road show and I met as many people as possible, because they need to, first off, there’s a lot of people who don’t know what you know, and then they need to hear it multiple times, and you have to be a real person, and not just this scary concept of a department. Instead, you’re all literally here. I love what you said earlier. You’re all here to sell auto parts. You’re all everyone at a company is working. At the company for a reason that you’re all charting. You just have different roles to make, make the company work and operate.

Justin Daniels  10:08  

I guess, an interesting question I have for you, Heather is, you know, you have both the privacy role and the security function, and you’re out doing the road shows and getting people to understand what that is. Do you ever find and how would you manage sometimes the tension between privacy and security, because a lot of times business people sometimes struggle with what the distinction is, because there’s so much overlap, but they’re not the same.

Heather Kuhn  10:38  

Goes back, I think again, to that education piece of having those conversations, we luckily have an extremely robust and active cybersecurity team, and so that actually was pretty established function when I came into the company. And so we do often get kind of lumped together. And now that I sit in legal, we’ve been able to kind of draw some of those distinctions between what it is, but I think that it’s really just about that conversation with them and understanding, you know, how they go together for their particular project. So not kind of in this, really, you know, meta, high level. What is it? But like for your particular project, you’re trying to launch this, how do I differentiate between those two requirements and where the overlap, where we can be, you know, the most efficient with our resources, whether that’s time or money. I want to find those efficiencies, right? I want to find the overlaps as much as possible, but also understanding that they are two different things that have distinct requirements, distinctive bases for where I’m coming up with those requirements. Because I agree that’s a very common thing, that they’re like, oh, that’s just all goes together and they keep it moving when I’m trying to be very intentional about what it is that we’re trying to focus on. And why do we care about these things?

Justin Daniels  11:49  

Makes sense. It does. I guess, to me, an interesting area of where you’re managing this, you know, is this role around privacy and ensuring customer trust as you kind of expand your digital capabilities, you know, e-commerce, connected systems. We’ll talk about AI in a moment. But there’s also the cybersecurity component to that. So how do you I guess, since you had the cybersecurity there, now you have to overlay this privacy area in that is that, you know, kind of going down the same playbook. I guess it’s, once again, really getting out there, getting to talk to people, how, how do you, how do you go about that?

Heather Kuhn  12:34  

So I think, you know, again, relationships is huge. Building that trust in whatever it looks like, whether that’s internal to making sure that our employees know what we’re doing, but also from a customer perspective, making sure that they can trust what we’re doing. So having things like clear notices and meaningful consents real user control anything that we can do to to build that again, as a brand differentiator, as something that we can use to our advantage, I think has been a good job making sure that really privacy is built into that customer experience, and not just in our legal documentation.

Jodi Daniels  13:15  

You mentioned training, Heather, and I’m just curious, people are always asking, what’s an effective training method. Do you? Do you have anything that you feel employees have really gravitated towards and they liked, whether it maybe be a fun game or it was, you know, just ongoing tips and an email or a video and and every company and culture is a little different. Just curious. If you have anything that you feel that was a really good way to train people.

Heather Kuhn  13:43  

So we kind of utilize all of those mechanisms. So we have our, you know, standard kind of pre-built trainings that we offer. We also do a lot of kind of in-person, virtually in-person trainings where they can ask questions. We have, you know, kind of our cybersecurity awareness month that tries to, you know, gamify a little bit some of it and make sure that we have some interactive ways, and then trying to expand that into Privacy Awareness as well. And, you know, capitalize on international privacy day that falls in January of, how can we, you know, really get to employees to understand what it is, and then again, they can better understand it through that perspective. I think it has been effective, I think as much as possible, when we’re able to tie it back to what they actually do. So it’s less of this really hard to define concept. It’s very tangible in, oh, that’s the exact, you know, I was on our website, and this is what I was doing. You know how it ties in exactly to what they’re working on, and their teams just tend to resonate better with them than just this general overall piece.

Jodi Daniels  14:52  

Thank you so much for sharing. I get that question a lot, and I know people really appreciate what’s working in other companies, or what are different ways. To do it so very helpful.

Justin Daniels  15:04  

She pointed at me because now it’s time for the AI question.

Jodi Daniels  15:08  

Yes, well, it’s one of your favorites. I wouldn’t want you to not have your favorite, but you know a lot about AI I do. I’m looking at how nice I am.

Justin Daniels  15:21  

Wow. Okay, so Heather kind of shifting a little bit to AI, and let’s do this question. I actually thought of a follow up, but just talk a little bit about how this rise of AI and automation might be changing the way that you think about privacy risks and controls and how you might operationalize them, possibly leveraging AI across the country, across the company.

Heather Kuhn  15:45  

So AI opens up, obviously, a whole bunch of new possibilities. It also opens up a whole bunch of new risks. So we’re definitely trying to plan that and work into, you know, expanding privacy assessments that are going to address AI concerns, thinking about it from a contractual perspective, really making sure that we understand not just kind of data going into the model, but also, what does it do with it? How are people working with outputs and making sure it’s that cross functional operation so we have legal it, product teams, everyone kind of at the table for it. I think, ultimately, though, it’s the new name for kind of a problem that we’ve already gone through, to some extent of a lot of the same techniques that we use when we’ve been expanding privacy or expanding cybersecurity, when it comes to, you know, kind of the early and often the relationships are all necessary, kind of muscles that we’ve built that we can use again for AI, obviously, this is the new, you know, shiny object that we want to make sure we’re focused on and paying attention to, because of kind of the vast risk and profile of it and attention that it’s getting. But I think that we can really benefit from utilizing kind of these skills that we’ve already developed in this new, you know, mission of, how do we do AI as a company?

Justin Daniels  17:07  

Kind of focusing down a little bit on the legal department. Can you talk a little bit about how AI is impacting your daily workflow and maybe issues that you might have dealt with one way that you may now leverage AI.

Heather Kuhn  17:22  

So from, how do we use AI internally within our legal department, we are constantly looking for ways that it’s going to be beneficial for us, but also, you know, obviously balancing the considerations we need to as an attorney. So is it reliable? How do I check it, making sure I know my sources? So things like using it in contract review, trying to figure out ways, again, that I can do more as a an attorney by having an AI Assisted Review in my contracts to do kind of a first pass that then, you know, gets moved over to me in the issue spotting stage another place is, you know, for example, we have built an internal chat bot tools. So a 50 state survey that probably would have been given to an intern and taken them all summer to work on, you know, we can use that chat bot to say, Okay, do a first pass at the 50 state review for, you know, consent rules around recording or something like that. And then it will generate it, and the intern can double check it so things like that, where it’s that basic kind of just research skill, we can have a something that can use it, that can move us towards being more efficient. First pass is, you know, termination letters or communications with the business teams, all those things we’ve been trying to find all the different use cases that make sense for our team to utilize since, again, like many companies, especially, you know, as an in house attorney, you’re just stretched so thin. There’s not a lot of us. We have eight attorneys in our legal department for a 60,000 person company, so we have a lot of bandwidth that needs to kind of be filled. And so AI can help us, generative AI can help us in that capacity to speed up what we can do, so that I can really focus on, you know, the meteor tasks, and focus on my strategy, focus on kind of deeper diving, if the first, you know, passive things has been taken care of for me.

Jodi Daniels  19:19  

Heather, with all of your knowledge in privacy, security AI, we always ask when you’re out and about, maybe at a barbecue or party, what tip would you offer to those that are there?

Heather Kuhn  19:34  

We’ve said it a couple times here, but it still rings true for me. It’s that — build relationships early and often. Privacy needs allies across the business. We are inherently a cross functional part of the business. And so when teams trust you and see you as a partner, privacy becomes a shared goal, and that collaborative approach, I think, really gets you further than the strict kind of top down one. And so the. Have coffee with everyone. Go, you know, have lunches with everyone. Show up at all of the town halls and the team meetings and be all the places, because that really is going to get you, I think, the furthest and the fastest by building those relationships.

Jodi Daniels  20:17  

All right, everyone you heard it, go have coffee. Go have lunch. Coffee can be very busy the second half of the year.

Justin Daniels  20:24  

So Heather, when you’re not out there having coffee, championing privacy across your various stakeholders, even using the carrier pigeon. What do you like to do in your free time?

Heather Kuhn  20:35  

Well, free time is quite a rare commodity in my life. We have five kids, so our life is pretty crazy. And then, you know, I’m extremely active in the privacy scene in Atlanta. So I just finished up my role as the chair of the state the George bars Privacy and Technology section, sitting on the Georgia Bar Special Committee on AI, teaching at the law school, working on my master’s degree in cybersecurity. So, you know, somehow I’ve materialized, I think, more hours than 24 in a day, but ultimately, trying to, you know, I love being, I love mentoring. That’s kind of again, teacher at a heart, and always have been, always will be, so always trying to mentor people in every setting that I feel like I walk into, and then with those somehow the time that’s left, I’m probably found doing something active, and probably with kids involved, so soccer, cheerleading, pool and then going home to some delicious meal. My husband is cooked because he is the real chef in the house, and my kids will remind me of that anytime I try to cook.

Jodi Daniels  21:36  

So I would like the trick on how you have figured out to squeeze more into a day than than the 24 hours.

Heather Kuhn  21:43  

It’s my true magic skill over here.

Jodi Daniels  21:47  

That is a magic skill for sure. Well, Heather, we’re so glad that you joined us today. If people would like to connect, where should they go?

Heather Kuhn  21:55  

You can feel free to connect with me on LinkedIn. I always try to be responsive. I love the reach outs and always trying to connect in the community, but that it would be the best way to reach out to me.

Jodi Daniels  22:04  

Amazing. Well, Heather, we’re again. Thank you so much for joining us today.

Heather Kuhn  22:09  

Thank you so much for having me.

Outro 22:10  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.