From Manual to Automated: Building Privacy Programs That Scale 

Intro  0:00  

Welcome to the She Said Privacy/He Said Security Podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st Century.

 

Jodi Daniels  0:21  

Hi, Jodi Daniels, here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

 

Justin Daniels  0:35  

Hi. I’m Justin Daniels. I am the shareholder and corporate M and A and tech transaction lawyer at the law firm, Baker Donalson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cyber security risk. And when needed, I lead the legal cyber data breach response brigade.

 

Jodi Daniels  0:59  

And this episode is brought to you by no one can hear when you press the pom pom on my hat. Would you like to try again? POM? Okay. This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology e commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business. Together. We’re creating a future where there’s greater trust between companies and consumers to learn more and to check out our best selling book Data Reimagined: Building Trust One Byte at a Time. Visit redcloveradvisors.com. So how come you? May you didn’t make you encouraged me to wear my big winter hat because I was a popsicle for my first call. But you don’t have a hat on.

 

Ron De Jesus  1:52  

I have many hats, I know, but you’re not wearing one. Maybe you should wear your hood. Not gonna wear a hood. I don’t know. Let’s see. What do we think? Okay, I’ll wear the hood if you want.

 

Jodi Daniels  2:03  

No, okay, no hood. That’s a little scary. So for any of you listening, you, I have to go to the YouTube channel and you should see my very pretty Pom Pom Pom Pom Hat. Okay, alright. But today is so exciting, I am delighted to bring on one of my very long time privacy friends, Ron DeJesus, who is the field Chief Privacy Officer at Transcend driving practical privacy governance and industry advocacy. He previously led privacy at Grindr, Tinder and match group built Global Programs at tapestry and American Express, founded de Jesus consulting, and remains an active community leader through the IPP and LGBTQ privacy and Tech Network. And we are delighted, Ron, that you were here with us today.

 

Ron De Jesus  2:54  

Well, thank you for having me, guys. I’m super excited to chat.

 

Jodi Daniels  2:58  

All right, Justin, you get to kick us off. So Ron,

 

Justin Daniels  3:01  

why don’t you tell us a little bit about your career path?

 

Ron De Jesus  3:05  

Sure? Again, it’s been a very long journey. In my 20 year career in privacy, I actually started at a boutique consulting firm based in Toronto, and sort of get my feet wet when it came to dealing with with privacy regulations in Canada, specifically, I then jumped to the big four. So I went to Deloitte and started helping global clients. GDPR wasn’t to, wasn’t in effect yet, but really got a sense for kind of, you know, the global implications of the different EU states. And, you know, at the time, there was still, you know, lots of work around glib and, you know, COPPA, all those good ones, HIPAA. I did a lot of HIPAA work back in the day, too. And then I built my first internal program at American Express. They were one of our clients. And then eventually did programs at tapestry, which owns coach Kate Spade, and got my feet wet in retail. Jumped over to Teck at Tinder, which was really great. It was at the cusp of 2000 sorry, the cusp of GDPR. Really do some great work with engineers. It was my first time working with engineers, actually, and so it was a really great time to actually learn how teams actually operationalize things like data deletion. You know, how do data deletion workers work? For example, I really got a sense of how to work with product teams that were implementing core features at this really incredible, you know, I guess I’d say conglomerate of dating apps. So I was at the helm of Tinder for a while, and then I went to Grindr, so lots of dating app experience became. Am their second chief privacy officer, and now I’m at Transcend, as Jodi had mentioned, their first field chief privacy officer, where I spend a lot of my time really just engaging with the privacy community. I really do believe that this job is 90% you know, engaging with my peers and tapping into my network and really learning about how people like, you know, Jodi yourself, you know, and your clients really try to operationalize this, you know, this onslaught of global laws and regulations even AI now. So I not only engage and sit on panels and kind of create content, but I also bring that back to Transcend, you know, so that they better understand what is happening in the weeds in real life, to make improvements to our platform, which, again, we offer privacy and AI governance tooling for for you know, fortune 500 companies. So, so right now, as I’d mentioned before, we got started, I’m in Paris. Before that, I was in Dublin attending open AI’s first ever privacy hackathon. So I’m all over the place. I’m traveling all over, all over the place, and I simply love it. It’s just, I think, one of the best jobs in privacy to just be, you know, responsible for just engagement. So yeah, no complaints here.

 

Jodi Daniels  6:35  

Yes, you are the Where’s Ron like the Where’s Waldo of privacy and anyone listening. If you are curious and want to go on a globe trotting tour, I encourage you to follow around, because it is super, super fun. Now, let’s kind of take a little bit of a step back. Tell help us understand what led to you creating this field, Chief Privacy Officer. Role. It feels like it’s the first in the industry, and how that might be a little bit different than kind of your classic Chief Privacy Officer role that we often see in companies.

 

Ron De Jesus  7:10  

Yeah, great question. Jodi and so you are you both? Are you familiar with the traditional kind of field, CISO, kind of role where I think, yeah, so Ave, sorry, I’m sure you are, but we, I think so Transcends. Idea was to take a this kind of, this concept of a field CISO and obviously expand it to someone that had the prior Chief Privacy Officer experience, but with a little bit of a twist. So I think traditionally, field CISOs are pretty involved in the sales process, you know, and really, that’s probably built into their their comp and what they provide to the company. I as field CPO, I do help our sales team, and I’m, you know, part of really critical prospecting that sort of thing. But Transcend really wanted this role to focus on community building and content creation thought leadership. So prior to Transcend, between Grindr and Transcend, I was actually running my own consulting firm, similar to red clover advisors, just, you know, a boutique firm that was helping with privacy program operationalization, and I started, actually, Jodi, to get into content creation. So I developed a LinkedIn, I would say, an Instagram, kind of exclusive content series where I would walk people through what their privacy rights were, and my focus were, it was on lay people. And I started to really see that there was a, I would say, a gap in our industry around content creators, if you will, you know. And so I kind of dove into that space. And when the field CPO role came, you know, it was, um, it kind of ticked all my boxes again. It was focused on thought leadership. But at the same time, some that was someone that was comfortable talking to people attending conferences, going on panels, you know, developing live content, which I do at the IPP, for example. And I applied, and actually knew Ben Brooke, who’s the CEO, just through networking, and I reached out, and I was just like, hey, this sounds super interesting. And he was super excited. And, and the rest is history, you know is I’ve been there now for about a year and 10 months. Feels like more than that, but in a really good way. And and, yeah, I’ve seen a couple of other field CPO roles popped up. And I think the last thing I’ll say before I pause, is I actually am surprised that other big platforms in the privacy tech space have. Really, you know, taking advantage of a role like this, that is, you know, having someone that is a figurehead for how privacy actually works in the real, real world, and that connection. So when I talk to our prospects, for example, I’m there showing them, Hey, I’ve implemented legacy tooling. I’ve been in your shoes, and here’s how we do it better. But also, you know, I’m, I’m there as a, as more of a, I’d say, technology neutral person, and providing that perspective on how they can, you know, what’s best and fit for purpose for their program.

 

Jodi Daniels  10:38  

So, yeah, well, it’s very exciting, and I know that the content that you produce is widely sought after and approachable, which is something that’s really needed in this industry. The call I had right before this was someone struggling mightily to understand CCPA regulations and what does that mean, and they’re scouring the internet trying to find information it is, is hard. This job is hard. Yeah,

 

Ron De Jesus  11:04  

super hard. And I how I approach the content is, I really am more I’m a curious person. You know? I’m not the I’m not an AI governance expert. I don’t think anyone really is yet. So, so, for example, if I’m talking to someone around, how they think about AI governance, I’m really just curious, and I want to know more about you know, how you CPO, who’s given, who’s been given the AI governance hat? How are you navigating those challenges when we’re still struggling with whether or not due to the digital omnibus? You know those high risk requirements are going to apply soon. So it’s, it’s really for me, when I create content and when I’m talking to someone, I’m asking questions, I’m just really more of a student. And so that’s what I I’m hopeful my content brings is just pragmatic guidance to folks that are still, you know, struggling together in this space so.

 

Justin Daniels  12:08  

So, speaking of struggling, where do you think most privacy programs struggle?

 

Ron De Jesus  12:17  

Yeah, believe it or not, I think you know, and I hear this at every IAP folks are still doing a lot of stuff manually, whether it’s, you know, understanding where their requirements are from a kind of global footprint perspective, we’re still in the Excel spreadsheets, you know, Filling in whenever. You know, the 20th law comes into into play. We’re putting in what does a notice require? You know, what is, what is a breach notification going to implicate? So I think a lot of programs are still relying on these manual tools. And I think you know, again, as as we try to cope with what product teams are doing when it comes to engaging vendors in the AI space, for example. In order to scale, I think we all need to realize that we need, you know, and this is not an ad for Transcend, but we need to, really, you know, take advantage of automation and automation our programs, whether, again, that’s having, you know, a really robust data discovery tool, or having D SARS not be, you know, triaged manually. I think a lot of programs, believe it or not, even in the f1 1000 world, I’ve heard a lot of folks still kind of, maybe not so ready yet to to to engage a vendor. And that’s still surprising to me, because, you know, I’ve, I’ve engaged vendors since, you know, 2015 when, when one of the first platforms came into to fruition. So, yeah, I think, I think that’s where most folks struggle, is that they’re still trying to do things manually that really just should be automated.

 

Jodi Daniels  14:08  

We see, we see that we do a lot of manual and we work with a lot of companies where That’s where they are due to budget, size, resources, tech, ability to integrate, there’s sort of a long list of obstacles. Yeah, and I’m curious, as you’ve started to see companies move from that to automation, is there an area where maybe they start first, or how they might be able to remove some of the blockers to get there. I mean, we all would love to, you know, snap our fingers and, poof, it’s all automated. But the reality is, we know it’s going to be a process and a starting point. Curious, if you can share where you’re seeing success for companies who are starting that journey?

 

Ron De Jesus  14:56  

Yeah, and like you said, Jodi, you know, everyone needs to do what’s. Right for their program, their budget, their culture. I never push anyone to any specific platform. I’m always like, you know, you got to do what’s fit for purpose for your organization. I think as you I think as folks who are starting to dabble in, you know, and kind of solicit information from vendors, I think number one, they should really be engaging internally and not doing this on their own. I think what we’ve seen is successful platform implementations really do have you know that consensus from within, and have, you know, the CISO on board, or, you know, if it’s if it’s a more data driven culture, the CIO, you know. So I we’ve been understanding that it’s important to to address the needs of not just legal compliance, privacy, but how tools, I think a successful tool is going to be able to be used across the business, you know, and so I think number one, it’s really getting a sense of your internal strategy around not only compliance, but above and beyond compliance. How can we use a platform that’s going to, you know, help us innovate and to enable the business. So really, I see the most successful implementations have that really, you know, good sense of of consensus from within.

 

Jodi Daniels  16:30  

And I would just add that for anyone thinking about moving technology vendors or bringing on a technology vendor for a slice of a program, is to give yourself enough time to do that, this is not a super short exercise. And also to be thoughtful to the requirements I see a lot of companies not know what it is that they need to think about what is important for them, and they all differ a little bit, whether you’re talking data discovery or privacy rights or cookies. I mean, some of those requirements might be, might be similar, but then you need to expand, expand those. What are the types of systems? Who’s going to be using it? Where is your data? Is it structured? Is it unstructured? All those kinds of questions, but thinking about the requirements first and just being prepared and looking at it like other software. And for some reason, I think privacy doesn’t get treated it’s like the second step child or something. I agree

 

Ron De Jesus  17:25  

with everything you’ve said. I think you hit the nail on the head, on all those points, especially the sense of I think a lot of people that are looking at vendors think that something’s going to work off the shelf, or that something is going to be a silver bullet for all of their compliance needs. And it’s not the case, you know. I think, you know, obviously a lot of vendors will have a really good out of the box solution. But as we’ve seen from the cppa enforcement activity, we shouldn’t be relying on vendors, you know, to really be our guide when it comes to how we address something like a GPC or our state level. Do not sell requirements, right? So I think that expectation of a vendor being the end all be all of our, you know, kind of the legal perspective as well. I think is a big mistake. Good vendors are going to have, you know, suggestions, and have really, again, as I said, solutions that are out of the box, primed to be used globally. But I think there really needs to be an I think it’s a misconception out there, Jodi, that these tools are just going to solve all their problems.

 

Jodi Daniels  18:46  

So oh my goodness, I see this all the time. I am so glad that you brought that up. Everyone listening. We are repeating. Tools are wonderful. Tools are helpful. You You have to review what what is there and make sure it is actually accurate for what your company is doing 100%

 

Justin Daniels  19:06  

so using your crystal ball, what do you think will be in store for the privacy folks in 2026

 

Ron De Jesus  19:12  

that’s a good question. I’ve already been asked that, and I was thinking about this before the podcast, and I was trying to think of something a little bit more, you know, worthwhile. But I think again, we’ve had, I’d say, a good year as privacy professionals to really understand what AI governance means to us. And so I think in 2026 I feel like a lot of privacy professionals are going to have a really, a much better sense and maybe more confidence building their programs to address the needs of AI initiatives. You know, I think we’re still waiting with bated breath in terms of what’s happening here in the US I’m saying here, but I forgot that I’m in Paris, so wait. You. US nationally or federally. What’s going to be happening, you know, on the kind of the AI front, but we’re seeing states take things into their own hands, with California Colorado. So I don’t think privacy professionals are going to play a wait and see game anymore. I think they’re going to start really just establishing their AI governance programs based on what they’ve learned the past, you know, 12 months from from their peers, from what we know about, you know, other f5 hundreds that are doing this really well. So, so yeah, I think that’s my prediction. More more maturity in AI governance.

 

Jodi Daniels  20:40  

In that vein, we get a lot of questions and trying to understand what other companies are doing. If you could think about the various companies you’ve talked to, is there, is there a common theme of where they are, or, in our crystal ball scenario, where you which step you think more companies are going to take in 2026

 

Ron De Jesus  21:03  

when it comes to AI governance, Jodi or

 

Jodi Daniels  21:06  

yeah, we can say in AI governance, because that’s

 

Ron De Jesus  21:09  

Yep, yeah. I think again, as I had mentioned, I feel that folks in 2025 we’re still it’s all a wait and see game. A lot of the peers that I’ve talked to haven’t wanted to, you know, hit the green light on anything substantial, whether that’s hiring, you know, an FTE for an AI governance position position or investing consulting work on that. So I think again this 2020, 20 sorry, 2025. Was the year that we all just got a better sense for ourselves what other folks are doing or thinking about. So I think that folks are, unless you’re an f5 100, or, you know, an F 50, even, I think the smaller players were still waiting to see what the resource need was, what the leadership appetite was for investing in an AI governance, full fledged AI governance program, for hiring. So I think at 2026, we’ll probably see the kind of the trigger pulled on all of these things.

 

Jodi Daniels  22:16  

So thank you for sharing. Yeah.

 

Justin Daniels  22:21  

So Ron, do you have a best privacy tip you would like to share with our audience? I do.

 

Ron De Jesus  22:32  

I’m smiling because it’s probably something that you know a privacy professional is going to do, and not a lay person, but I think when it comes to just interacting with social media, I like to clean my digital footprint from time to time. I’m sure you both do being in this space, you know, whether or not it’s just, you know, clearing histories or, you know, using really privacy protective browsers. I will kind of a little bit of a twist on that. I think I instead of, you know, privacy tips, I’d actually encourage privacy pros to walk their friends or their you know, colleagues that aren’t in privacy through some of these things that are happening when it comes to the changes that are being made silently, right? You know, we know that a lot of these platforms are defaulting on to a lot of like aI training data used for AI training, or, you know, other things that could be seen as dark pattern ish, so I encourage folks to reach out to their friends. And, you know, I talk to my mom all the time, who’s always curious about my career, and I walk her through. I always use the Mom Test. This is the Mom Test that I use is, can my mom delete her data, or can she find that setting in Instagram? And if she can’t, then I feel like, you know, it’s not the best laid out control. So again, I always try. Sometimes I feel like we’re in a little bit of a silo when we talk about these things. And I’m always, again, as as a as a content creator, I’m always trying to reach the masses that don’t really understand what’s going on with their data. So I encourage folks to do that. So that’s, I guess that’d be my advice. I think

 

Jodi Daniels  24:19  

it’s a really great tip, and I think even for people in their own company, is to actually go through from the eyes of a customer, what does that customer experience? And the same would be true for educating and passing on all of our knowledge to other people.

 

Ron De Jesus  24:34  

100% Jodi, you won’t know. I mean, you’d be surprised at how many CPOs have not gone through their own. Do not sell process or their own. Like, have, haven’t downloaded their own, you know, com data from their own. You know, company’s D, sar process. It’s quite surprising. So yes, 100% I agree. Like, walk the walk and talk the talk. And, yeah, I think that’s a great piece of advice.

 

Jodi Daniels  25:00  

Now, when you are not walking and talking privacy, what do you like to do for fun?

 

Ron De Jesus  25:05  

You know, I recently, I’ve been traveling through Europe doing a lot of Christmas markets. So I, my husband and I, we actually really love going to different Christmas markets in Europe during this time, because it’s actually our anniversary last week of November. So I just love a good glow wine. I love a good hot red drink of alcohol when it’s when it’s cold out. So yeah, I really enjoy just kind of Europe town hopping experience, experiencing all the Christmas markets? Yeah, I keep hearing about all these

 

Jodi Daniels  25:43  

Christmas markets. One day, I’ll have to try and

 

Ron De Jesus  25:47  

assume there’s not one in Atlanta, right? I

 

Jodi Daniels  25:50  

don’t think we have any of these Christmas markets, but I keep hearing other people going and traveling the Christmas markets. And I, I wasn’t really familiar with that, until it feels like that’s the thing to do this year.

 

Ron De Jesus  26:01  

Yeah, I think the closest one to you guys is probably the one in Bryant Park in New York, but

 

Jodi Daniels  26:06  

which is fine, I’ve been to that one, and that was really fun.

 

Ron De Jesus  26:09  

It is, I agree I like it, but there’s nothing like, you know, just having red wine that’s steaming hot while, you know, you’re looking at a European backdrop. So I highly encourage it. I’m gonna need

 

Jodi Daniels  26:24  

to put that on my bucket list. Well, Ron, we are so excited that you came to talk with us today. If people would like to connect and learn more, where should they go?

 

Ron De Jesus  26:33  

Yeah, they can follow me on LinkedIn, under RonDeJesus, all one word. Or I’m on Instagram @RonDeJesus, I’m also on TikTok @chiefprivacyofficer

 

Jodi Daniels  26:46  

amazing. Well, Ron, thank you so very much. We really appreciate it.

 

Ron De Jesus  26:50  

Thank you both. Happy holidays. You too.

 

Outro 26:57  

Thanks for listening to the She Said Privacy/He Said Security Podcast, if you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time you.