In the early 2000s, the internet was still a Wild West. Jurisdiction—previously a question of geography—had to be redetermined as retail operations moved online. Consumer activity could be tracked in ways that were previously impossible. Companies were building capabilities faster than regulations or social norms could adapt. But some boldly stepped up to that challenge. “It was the lawlessness of the internet that attracted me to privacy,” says Della Shea, vice president, data governance and chief privacy officer at Symcor, a provider of payment processing and client communications services.
As social norms, political landscapes, and globalization have evolved, data security and accountability have become vital components of an individual’s digital welfare. In 2000, users were concerned about cookies that tracked when they visited a website. Now, organizations have troves of information about individuals, not only collected directly from them, but created about them through their digital activity. “It’s the same landscape, but the issues have gone deeper in terms of potential impacts,” Shea says.
At Symcor, Shea deepens a culture of accountability by evolving the way the organization handles the information that flows through its system, incubating the idea of a privileged custodian of data. “Organizations have to understand the criticality of the role that accountability plays as their businesses become more digital. Similar to corporate social responsibility, we are borrowing from this mandate,” she says. “What are the values you want to set for your organization, and how do those values translate into data values?” For Symcor, those values are confidentiality, privacy, and security. Shea and her team apply these values to Symcor’s data practices through four pillars: compliance, privacy by design, operations, and industry leadership.
First, Shea and her team develop the necessary structures to ensure the company adheres to required regulations, contractual obligations, and industry standards. Along with legal requirements, they monitor social norms, which often change more quickly than regulations. “Just because the laws and regulations don’t keep up, it doesn’t mean that the principles go away,” Shea says. “The goal is understanding the principles of what the laws are trying to accomplish and creating those as part of the foundation for your values.”
Shea humanizes the information that Symcor processes in part by changing the language she uses. Instead of “data,” she uses the word “information,” and she personalizes that information by asking colleagues to think about the human aspect of their work. “I’m trying to get people to think about the volumes of data flowing through our organization as something other than bits and bytes,” she explains.
Humanizing information changes the conversation from what can be achieved to what should be achieved, which sets the stage for operationalizing Symcor’s values. Under the principle of privacy by design, Shea and her team incorporate privacy solutions into product design at the beginning of the process. They work closely with Symcor’s product development teams to build systems that comply with both laws and client expectations. “We are a part of the entire product development process from ideation stage to launch,” Shea says.
She and her team apply the policies and values that they establish at the executive level throughout the day-to-day activities of the staff through a model they call data stewardship. In order to make the high-level vision functional on an operational level, she identifies specific requirements and ties them to individual roles and performance metrics. She and her team implement privacy, security, and compliance requirements into performance metrics at every level and work cross-functionally to ensure every department is on board. “We have strong buy-in from the CEO and downwards that this is a major priority for us,” Shea says.
She also leverages opportunities to engage with the industry beyond Symcor by participating in industry initiatives and studies sponsored by regulatory authorities. “Companies that collect and store data don’t operate in a vacuum,” she says. “The information they collect comes from real people living their lives and trusting that their privacy is protected.”
Although Shea’s role operates in the background, it has a significant impact on society. User information, after all, is more than just statistics. “I didn’t expect to have an entire career built on a curiosity that was sparked in the early 2000s around the lawlessness of the internet,” she says. “But it’s a great privilege to be able to process very important, very sensitive information belonging to Canadians.” She takes this work seriously, from a legal perspective, a business perspective, a technological perspective, and, most importantly, an ethical perspective.
Bringing Business and Regulation Full-Circle
Before joining Symcor, Della Shea worked as the director of privacy and information risk at Royal Bank of Canada, where she helped launch many of the bank’s early digital products and initiatives. She received a joint MBA from Northwestern University and York University, and holds numerous security, privacy, and product management designations. This background gives her insight into both the business opportunities and the regulations that restrict them. “Having experience in policy, business, and technology has really helped bring the ideal type of background to connect that digital transformation,” she says. “You have to have that full-circle view.”