I recently had the pleasure of attending the 1st Annual Innovation and Technology Law Symposium held by Seattle University’s School of Law. It was an one day series of moderated panels on Innovation and Regulation in Blockchain and Financial Tech (FinTech). Panelists included faculty from the school as well as experts from Microsoft, from Washington State Department of Financial Institutions, and a few startups too.
Although all the discussion was for the most part captivating, the most intriguing part of the conference though was the final panel on regulatory sandboxes. This ended up having direct parallels to the privacy regulations I’m most interested in and working on each day — especially when Youssef Sneifer of Microsoft Payments remarked that it was no small feat to acclimate the software developers in his part of Microsoft to the realities of working in a regulated environment – something that most software developers don’t have experience with. And he’s not alone in this remark!
Although I’ve worked in regulated industry most of my career, first CE/UL/FCC for satellite communications hardware and then later laws like HIPAA while developing software for medical devices, his point really struck me – because most of the web and app developers tackling the changes needed for privacy laws like the GDPR have little to no experience working in a regulated environment – they are more likely to be told to “move fast and break things” and that’s just not the way things work when working with radio or healthcare – and now it is no longer the way when working with people’s personal data.
So I asked, how does one help create a culture of compliance where there formerly was little or no regulation or enforcement, like in the case of privacy? Youssef replied that it had to start at the top, that the leadership had to set the tone that compliance was a top priority, was non-negotiable and that developers and managers were responsible to understand the requirements of the law and make it happen. Lucinda Fazio, the sole regulator on the panel, added that, when a regulator sees that regulatory compliance is being reinforced in the company, the regulator reacts differently if/when that company makes a misstep. Aaron Gregory of Remitly added that ultimately it becomes about trust and ideally becomes part of your brand – becomes a fundamental for your employees.
Later, another attendee mentioned that he agreed with Youssef but that you especially needed to get the sales team on-board too for compliance culture to catch. Shortly after that a third attendee stopped me in the hallway and mentioned the importance of finding the distinct “whys” (they’ll be different) for different groups or individuals throughout the organization – why regulatory compliance should matter to them, whether financial law or privacy law or what have you.
I think they were all right – you need a strong privacy mandate from the top down AND you need sales and marketing to see regulatory compliance as something marketable and not just an encumbrance AND you need to find the whys for the software developers and other roles in your company to begin make compliance – financial, privacy, or what have you – part of a company’s culture. And that’s the challenge for all of us working on the web and on apps now – in a post GDPR world – helping to get those cultures started and flourishing in our companies.