There are many misconceptions around privacy when it comes to high-growth fintechs. TrueLayer's senior legal counsel, Julie Ngov, explains how legal teams can create a robust culture of privacy.
The biggest misconception is that privacy is something that the legal team owns. But the reality is that everyone ‘does’ privacy - product teams, sales teams, people teams, operations teams - and everyone in the business is responsible for how the company manages user data.
Understanding this, and making it an operational reality for every single colleague, is the only way that privacy can scale. TrueLayer’s total headcount has more than quadrupled in the last 16 months, while legal headcount has barely changed at all. Without ownership from commercial, engineering and product colleagues, privacy would be left behind.
That said, it’s essential as the company’s legal expert that you set the standard, lead from the front, and define how privacy is seen and managed business-wide. I joined TrueLayer as one of our first 40 employees, which is extremely early for a legal hire. But as a provider of open banking APIs, the nature of our business, and the data with which we’re entrusted, meant that we had to set out on the front foot and get the right measures in place in terms of how we handle data.
We needed very quickly to reach a state where everyone understood data protection, privacy, and the responsibilities we had to our customers and commercial partners. I also needed to make sure that the constant stream of new joiners was able to self-serve on that information without relying on legal, as the company continued to grow. Here’s how we’ve tackled that challenge at TrueLayer.
When you first join a fintech, it’s easy to get overwhelmed with everything you need to know just to stay afloat. The business likely has existing systems in place for legal processes, and you’re expected to understand and improve them alongside getting to know the team and dealing with ongoing legal requests. Adding privacy into the mix can be daunting, especially when there are different ways of approaching and handling data across the business.
But you won’t be starting completely from scratch. The requirement under article 30 of the GDPR for businesses to document their processing activities meant that there was a base layer, both of good data hygiene and of familiarity with data processing, amongst my colleagues.
From there, I was able to survey each team, understand their depth of knowledge, and get up to speed on what they do with regard to data and user privacy. Mapping out this information helped me identify high-risk areas and start to create a privacy programme that addressed and resolved any issues.
Any privacy programme will always be a work in progress, because the business is constantly developing; but having that codified information makes it easier to implement across the company. Having a source of truth where this knowledge lives, is updated, and can be shared is a massive time-saver for the legal team, because colleagues can self-serve on vital information without my involvement.
To make sure your privacy programme actually gains traction with the business, it can’t just be a unilateral effort. It’s important to develop the right culture towards privacy, right across the business. It’s one thing to understand that privacy is everyone’s responsibility, but it’s quite another to make it actually front-of-mind for colleagues at every level.
We make this happen through “privacy reps” at TrueLayer - people skilled enough and trusted to talk about data, acting as the champion and advocate for good data practices out in the business. This helps us to achieve a broad understanding of the ‘why’ behind our privacy practices, which makes them more likely to be implemented.
Our privacy champions help to build a positive, open culture around privacy and data. Whenever we iterate our programme, we offer these colleagues dedicated training so they can act as the point of contact for their team, taking their knowledge out into the business so that everyone knows who to approach with questions or concerns.
We started small, with two champions forming the pilot project. Once the process has been tested, it can be formalized, so we can codify responsibilities and create an environment where legal can step away from being involved in every data and privacy-related question.
Establishing privacy champions is even more important in the remote environment we’ve been navigating for most of 2020 - legal can’t be everywhere all the time, and it’s even harder to have visibility of processes with a distributed team. The more champions we can have around the business, the better the outcomes for privacy.
Another challenge that remote work presents is iteration. Without the small interactions you see day to day in an office, it’s harder to see how well your privacy programme is working across the business. But as the company grows and scales, so too will your privacy programme need to adapt.
Meeting regularly with key internal stakeholders in different teams, specifically to cover privacy updates, is crucial - regardless of whether you’re remote. Change might take a while to implement, but these discussions are essential in ensuring that improvements happen all the way across the business, with tone at the top being reflected in best practices in each team.
Training new starters and existing team members needs to scale too. Everyone at TrueLayer goes through privacy and data training sessions when they join. We prefer in-person training sessions; they’re always more effective because you can gauge enthusiasm and understanding, and tailor your sessions to suit each group. Now, remotely, it can be a challenge, but it’s possibly even more important to make sure the business is aligned - while visibility on how colleagues handle sensitive information is reduced, our hiring volume has increased. We want to make sure that everyone, from new joiners to existing employees, is up to speed with the latest updates and processes.
As the business expands internationally, legal needs to be one step ahead - when you’re operating in European countries, you have the benefit of GDPR, which theoretically has a uniform impact across jurisdictions. Beyond that, make sure you know what you’re walking into, as the commercial and product teams look at new territories. For a specific jurisdiction, do you need a team on the ground, or can you outsource to a local provider? Can your current legal team navigate the regulatory landscape, or will you need to add specialists? The last thing you want is for legal to block expansion, so be proactive about the privacy landscape you’ll face tomorrow - not just today.
Of course, not everything will work all the time, nor will processes last forever. Since my first week at TrueLayer, I’ve established many processes to help the company handle privacy. Some systems work when the company is in its early stages, but are less effective when the company reaches a certain size.
But by being strategic, looking ahead and making well-informed judgements as to where the business will be in a few months’ time, I can improve the current processes, plan the future, and map out privacy for our next phase of growth.
This is a chapter from our eBook, 'The fintech GC survival guide'.