Episode 2 of the Data Democratization Podcast: Privacy tips and tricks from Nada Bseikri, VP and Privacy Officer of Apple Bank, New York

Our second guest on the show is Nada Bseikri, a privacy pro from Apple Bank, New York. Nada has a unique perspective: she has both a legal and a software engineering background. Nada shares her best tips for making privacy go beyond compliance, and we’ll also find out why privacy carrots are important. 

Subscribe to the Data Democratization Podcast on Spotify, Apple Podcast or wherever you get your shows! Listen to the previous episode or read the transcript about data privacy in banking.

Jeffrey Dobin: Good morning, data gurus, and welcome to the second episode of Data Democratization! My name is Jeffrey Dobin, I'm here with my co-host, Alexandra Ebert, GDPR expert and Chief Trust Officer at MOSTLY AI. Today we're joined by Nada, Vice President, Senior Counsel from Apple Bank, New York. Yes, that Apple Bank. The second largest state-chartered savings bank in New York. Alexandra, why should people listen?

Alexandra Ebert: Well, Jeff, there are so many things today. You will learn from Nada that the quickest path to success with other teams outside your group, especially when working in the field of data privacy, is to improve privacy awareness with those cross-functional teams. Your own subject matter expertise is not enough. You should definitely make friends with the IT folks. If you can effectively increase awareness, the result will be improved collaboration and speed in achieving your goals.

Jeffrey Dobin: Our featured guest is Nada Bseikri, a lawyer and privacy expert who began her privacy and tech journey in Seattle, Washington, and made it to the Big Apple, N.Y.C. But there's no East Coast/West Coast rivalry here. First, she is going to hit us with three recommendations for our peers in the data privacy field.

Nada Bseikri: Thanks for having me. My first recommendation is making sure that you socialize privacy concepts and practices before you attempt to operationalize them within your organization. The second recommendation would be to lean on both carrots and sticks when you're looking for organizational buy-in from stakeholders and partners alike. And the third recommendation, given that privacy is so interdisciplinary, is to learn about the privacy-related disciplines that are not your own.

Jeffrey Dobin: So let's dissect these and go into these one by one. So starting with the first one about socializing these concepts, can you share here a story or an example of what this looks like in practice?

Nada Bseikri: I think, given the various functions that a privacy office serves, you can't do everything and operationalize all of your privacy objectives without collaboration and involvement from other business units, from other partners, etcetera. So the one that comes to mind as an example is carrying out inventories of your personal data across your organization; you will necessarily need to collaborate. The folks who have the most proximity to those business units and most proximity to the personal data processed in those spaces are the business owners. Trying to carry out an inventory in a vacuum is a really difficult feat.

Before you can bring those folks along for your inventory journey, I think you need to step back and explain the rationale, particularly if this is a new exercise and other functions at your organization haven't had a need to inventory for other, non-privacy reasons before. Be clear on the rationale, clear on the objective, clear on what you're looking for as an output. While maybe this isn't stakeholder-level buy-in, you do still need to engage with the folks who are going to be doing the actual work of the inventory.

Without priming the environment for your operation, I think you're positioning yourself for a lot of confusion, a lot of pushback. It may look like it's arbitrary, without an organizational-level purpose. So just like with anything where you do want to achieve meaningful collaboration, socializing the privacy rationale and the means to achieve your privacy objective is critical.

Jeffrey Dobin: How do you get someone to buy in when it's not necessarily super important for their own specific role, even though it overlaps with your initiative and project?

Nada Bseikri: I think the important thing there is the balance of carrots and sticks. If you were doing something like an inventory or an assessment, or you are reviewing a contract with the vendor and you are looking to raise specific issues relating to data processing, whatever the function may be, you wanna both address the carrots and the sticks, and so it may be that compliance is your stick. That's the easy thing for others around an organization to rally around.

But that gets you only as far as checking those compliance boxes. You're not going to really move the needle on program maturity if that's your only tool to lean on when engaging with folks with respect to buy-in. The carrots really depend on how your organization functions and what your organization's interests are. It could be the case that you are very customer facing and customer loyalty or expanding the customer base is very important to the folks you're working with or going to work with. And privacy is an important factor in retaining and developing loyalty and a customer base, respectively. It could be the case that other operations, or rather functions, at your organization may have use for something that you are already tackling.

For instance, maybe you have a data governance group that isn't necessarily focused on privacy at your organization but has an interest in finding out what you have learned from your inventory. So there could be some additional support, whether on the resource front or financially or in the way of colleagues who can help carry out the initiative. You could join forces on that front, and that's kind of your carrot in that context. So I think it really depends on what your organization looks like, but there certainly are ways to identify what's important in your space and use that as your pitch.

As for the third one, given how interdisciplinary privacy is, it's not strictly a legal discipline or a technical discipline or a business operations discipline. It's a fusion of quite literally everything within an organization. My recommendation, to make your own life easier but also for the folks that you're collaborating with, is that you become familiar with privacy-related disciplines other than your own. So if you are very savvy on the legal side, consider finding opportunities for more technology exposure. If you're a technologist, consider getting a grasp of the legal landscape, so you have a sense of where your legal or compliance colleagues are coming from.

Opportunities to expand your competencies will make your engagement with colleagues easier, and they will help you spot issues when you are carrying out your own day job as it relates to privacy. The goal isn't really to become a professional in that space as well. It is intended to help you spot issues so you can either pull in the right people, and know when to pull them in, or begin asking questions about how to resolve the privacy-related concern or considerations.

Jeffrey Dobin: I love that. And you also mentioned this cross-disciplinary focus. You mentioned that if you're in legal, maybe it makes sense to focus on technology. And I think that's a really good segue to talk about your journey and your path. I'm sure people would love to learn how you made these discoveries, why you ended up where you are. I would love to hear a little bit about how you got involved in tech yourself. So what brought you into the privacy field? And how did you specifically get involved in technology as well?

Nada Bseikri: My privacy journey started about five or six years ago. At the time, I was practicing as an attorney in the Seattle area, focusing primarily on business transactions, entity formation, a little bit of IP in the secrecy space, to the extent that a number of clients were floating questions about appropriate data processing, privacy notices, things that related to the offerings that they were putting out for consumers. That was the first time that privacy was on my radar screen.

I think it was also around that time that I was aware, or first aware, that my technical competencies were really non-existent. I had a legal background. I double majored in political science and law. I couldn't be further away from all things tech related. I knew that if I wanted to pursue a path in privacy, I didn't need to become an engineer necessarily. But I did need to get a sense of the lay of the land, privacy-technology-wise, as it relates to data processing within an organization.

I actually left my job and moved down to San Francisco for a fellowship in software engineering. I focused on Python programming and web applications. I am not an engineer, but the takeaways were incredibly valuable for me. I think it helps me understand, even at a foundational level, a working-knowledge level, the machinery behind data flows and storage when you are using a web application or a website. That was incredibly helpful. Not enough to have me function as a technologist myself, but it did make having conversations with folks who are in IT, who are in infosec, much easier. On the flip side also, explaining to folks who have less technology exposure when there may be issues warranting escalation to somebody who's better equipped on the technical side to address them.

After that experience, my first role in the San Francisco area was with a company called TrustArc, and they focus on privacy solutions in software and professional services. I primarily worked on cross-border data transfer issues with clients and preparing them to align their practices with the requirements of frameworks like the Privacy Shield framework. Of course, the Privacy Shield is no longer with us, but at the time I was helping those organizations bring their practices online and ramp up for certifications under those frameworks.

I left San Francisco and went back to Seattle and joined my alma mater, the University of Washington, as Assistant Director of Privacy. That was a really exciting role. Public universities at the size and scale of the University of Washington really do function as municipalities. They have so many functions that don't even relate. The academics, the research space, is incredibly innovative and exciting and posed a lot of really interesting and novel privacy questions and considerations that I was eager to explore.

And now I'm in New York. I'm VP and Senior Counsel for Apple Bank, which is a regional bank here, and it's my first role in financial services. But for anyone who's been in privacy and has worked across industries, you know that the principles remain the same. I've been on since May, a lot of programs are developing, and a lot of exciting things are happening on that front.

Jeffrey Dobin: You mentioned that in your past, you were focused on cross-border data transfers and you mentioned working within the APEC framework. Can you share a little insight on what that means and what challenges exist around those rules?

Nada Bseikri: At the time, my work with the APEC Cross-Border Privacy Rules was very similar to the work I did on the Privacy Shield front. The idea was, with respect to different aspects of a client's privacy program for both frameworks, we were assessing their practices with respect to notice, with respect to consent, with respect to security, with respect to their management, and supporting those clients as we were working to close compliance gaps that we'd identified in the assessments we prepared for them, and really getting them prepped for participation and certification under those two regimes. Both frameworks have their own requirements for how you handle personal data and the policies and procedures that you have in place to support those, making sure that you are able to demonstrate your compliance and making those changes internally to bring everything up to speed. So that was my focus there.

Jeffrey Dobin: We looked a little bit into the past, why don't we focus a bit now on the future and specifically in the next six months or so? What are you currently focused on? And how do you measure success in your role?

Nada Bseikri: I'm happy to join today; everything that I'm sharing in the way of insight is my own opinion, not that of my current or past employers. Speaking personally for myself, in thinking and imagining what success looks like in a new role in a new industry: this is my first job in financial services, so I have been aiming to continue really immersing myself in the frameworks and regimes that govern retail banking privacy. For my purposes, that means being conversant and understanding, being able to apply GLBA, both the Privacy Rule and the Safeguards Rule, understanding state-level regulations, important safeguards and security controls that financial services organizations, or rather, financial institutions need to have in place. And inevitably, they find their way into vendor contracts and whatnot. So, it will continue to be a goal of mine to be better immersed in all things financial privacy.

Jeffrey Dobin: And when you immerse yourself, are you doing this because you're passionate about it? Or is it also because your job totally requires you to do it or is it a combination of the two?

Nada Bseikri: It's both. I think from an intellectual and academic level, having experienced privacy program design and strategy and rolling out initiatives in privacy spaces in different industries, it is interesting to see how the same themes and principles reemerge.

Notice exists across all privacy regimes as a requirement. The details about how you properly give notice may differ, but the principle is still the same. For certain frameworks, consent is really important; the details of what constitutes a valid consent or how you go about getting it may differ, but the principles are the same. From an American perspective, thinking about sectoral laws at the federal level, I've dealt with FERPA in higher ed, and from a distance a little bit of HIPAA for health care, to the extent that the university I was at did have a medical center. Now pulling those principles and practices into a financial services setting with respect to GLBA, just as an academic exercise, is very interesting, but yes, absolutely.

It's imperative that I know how to navigate these applicable laws, for my own day to day. So it's been great to learn and I'm excited to learn more in the way of nuance and pro tips.

Jeffrey Dobin: What would be your prediction for 2021?

Nada Bseikri: Crystal ball here, I think we're going to see a lot of action on the state level in terms of legislation. There are a number of states that are back at it with privacy bills. New York has got its New York Privacy Act up for the third time. Washington too; their privacy bill is up for the third year in a row. There are a number of other bills in New York as well, some that perhaps look a little more like CCPA. But in any case, around the country, I think we're gonna see at the state level that the landscape is changing, and we're gonna have to be cognizant of more than just California and what those implications are, as privacy professionals, for our own operations and practices. So yeah, we'll see! Let's talk in December.

Jeffrey Dobin: What about beyond the state level? Because you're right, there are many states that are looking at this, but what about on the federal level? Do you think the U. S. will adopt something similar to the GDPR to hold all states to the same standard?

Nada Bseikri: Given that we have a new administration now, and we have already seen bills in years past by members of the House and the Senate, I don't think they seem to have had as much traction as maybe the state-level ones have had, or at least to the extent that they haven't gotten over the finish line. So I don't know what that looks like. Perhaps in the next four years we'll see things change a bit, but more broadly, I don't know that at a federal level.

Maybe I'll be wrong about this, but that we would see something analogous to GDPR. GDPR is incredibly rigorous, and compared to our kind of sectoral federal laws that exist now, there's a huge gap in what you would need to do operationally to become compliant. And I don't know if we're at a point federally, maybe on the state level, but federally, to move that far that quickly. If anything were to pass federally, we would probably see elements of GDPR, but I don't think it would be a wholesale equivalent to what they have across the ocean. So we'll see. I could be wrong, but that's my best guess. If we see something, it will be bits and pieces of GDPR.

Jeffrey Dobin: Yeah. I really appreciate you joining us today and having you on the Data Democratization Podcast.

Nada Bseikri: Thank you.

Jeffrey Dobin: It's been a pleasure. We're going to kick it back to Alexandra for our top takeaways of the day.

Alexandra Ebert: Thank you, Jeff. What an exciting episode! The three things you should absolutely remember. Number one, socializing privacy concepts and standards with non-privacy colleagues is important if you want to speed up collaboration across teams. Number two, to get buy-in, you need both carrots and sticks. If your goal is to mature beyond compliance, you must identify privacy-related carrots that may be compelling for your organization's decision makers. Number three, you don't need to be an expert, but you should aim to become familiar with disciplines other than your own that relate to privacy. Cross-disciplinary knowledge will make you valuable in spotting privacy considerations, and that will lead to important opportunities with stakeholders or partners in other functions. Thank you so much to Nada, and of course to you for listening today. See you next time!
