E9 – Olga Kislinska, Privacy Compliance Manager, Nike
Data Diva Olga Kislinska
37:03
SUMMARY KEYWORDS
privacy, consumers, people, china, marketing, product, business, experience, understand, project management, specifically, necessarily, questions, big, geos, regulation, role, talk, transferable skill, data
SPEAKERS
Olga Kislinska, Debbie Reynolds
Debbie Reynolds 00:00
The personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.
Debbie Reynolds 00:07
Hello, my name is Debbie Reynolds, and this is "The Data DivaTalks" Privacy Podcast, where we discuss privacy issues with industry leaders around the world with information that businesses need to know right now. Today I have a very special guest, Olga Kislinska, who is the privacy compliance manager at Nike in Portland, Oregon. Olga and I met, and we hit it off really well. Actually, I think we talked a bit quite a long time before this podcast, and after this podcast, so I hope you guys enjoy our conversations and the things that Olga has to share. I think this episode is especially important, especially for people who are looking to transition into privacy. Olga's story is fascinating in terms of how she sort of made her way into technology and marketing and then into privacy as a data geek like me. So stay tuned, this is gonna be a really great episode, and I'm sure you'll really enjoy it and learn a lot.
Olga Kislinska 01:09
Thank you, Debbie, for having me. And before I get into anything, I just want to say how excited I am to join you and how great it was to have the conversation that we had earlier, just like you said to nerd out on privacy and our paths. And it's just really good to talk to someone who is as excited about this stuff as I am. You know, I love my job. And it's really great to meet folks who are as passionate as I am. So my journey is a little bit unusual, I think, for somebody in this field, although I'm noticing because this field is fairly new. And, and exponentially expanding. I am encountering quite a few folks who may do not start out in their careers or in their fields of study in the area of privacy or legal or security. So I am I'm one of those. I had started out I have a Bachelor of Science from Arizona State. I had I have a fairly blue-collar, you might say, backgrounds. I've been working in this industry. I kind of knew what I wanted to do. I've been working for marketing agencies since I was 17, kind of doing a little bit of grunt work, but primarily involved in project management and product management. And I've just been, you know, kind of a nerdy kid, and I followed my, you know, my nerdy path, if you will, through to the marketing world. I'm just, you know, kind of passionate about messaging and how things can, you know, change people's minds. And, you know, as somebody who's an immigrant, from a country where there wasn't really, commercial marketing was not really common yet, when my family moved, and coming to the U.S. where it was just such a prevalent thing, advertising, and marketing, it just felt like such an exciting field. And so I, you know, united my kind of technology and personal, you know, nerdy quality with my passion for, you know, marketing and advertising. And so I've been doing that for a really long time. And in my career, before I switched over to privacy, I was heavily product and project management. I was a producer, which is essentially a project manager for an agency managing a team of other producers, where we've created digital, and video experiences for my last client before I switched over to Nike was Intel. So you know, fairly heavy technical content. And I think while working with Intel, I started to understand just how it feels very, how should I say they're very knowledgeable and careful around security and privacy there, they lean very conservative in those fields. And so I started to understand just how intense and how important certain rules are and certain regulations are and it's not just you know, we're not talking about paper tigers here, we're talking about something that is enforceable, that, you know, the security measures need to be in place when you collect data, that privacy consent, the consent, and choices important for consumers, be they consumers like you and me or be they business consumers and so I just got you to know, my passion switched over a little bit into this field of choice consent and giving consumers rights. I thought that that was very different because you know, to be honest with you on the marketing side, in order to create a campaign or an experience that is memorable, that is edgy, that is provocative, that is new, you're not looking at staying compliant, you know, you're looking to push that line as far as you can, to the side of exciting and exciting rarely means that rules are being followed. And so it's just been my experience. I don't know. The folks on the marketing side may disagree with me. And of course, everybody's experience is different. And I speak for myself here, but that's just been my experience. And so switching over to the site of privacy, it was almost, it's almost like the, my goal became a little bit of the opposite, all of a sudden, I found myself talking to marketing and brand leads about how they should tone down their messaging and how they should, you know, add extra steps and increase friction, which was not necessarily the goal of my guidance to them. But I found that the pushback from them was, you know, we, we can't, Our experience requires a smooth transition from point A to point B, we can't possibly be asking consumers to consent at that point, or, or read something at that point, or read a privacy policy, for example, I found myself on this kind of on the other side of this bigger animal that drives the business forward. And but I think that it is not impossible to have both of these sides, find some sort of middle ground and serve the consumer together. You can have a phenomenal and edgy and provocative experience and allow the consumer to feel comfortable that their data and their likeness is used, is used in a responsible way. So I think that's one of my big learnings that come into privacy-first being kind of shocked by the contrast of our goals with marketing, but also learning how to find kind of this parallel path, a different dimension where we can both find that our goals are being met in the most compliant way, and also in the most effective way from my perspective of marketing. And I hope I'm answering your question in the way that you had explained. I also want to say that as a discipline coming from a role that is a project management and product management. On the agency side, it was not a super difficult transition into privacy, I think, the skill set that I had as a project manager and somebody who would create statements of work, you know, suss out all the different details of an experience, be able to understand what research resources are needed, how specifically an experience can be developed, from, you know, being just an ideation phase to something that is actually released, actually launched, and be able to assign monetary value and hourly value be able to kind of tease everything apart to understand the specifics. Because that's, you know, the, we can have great ideas, but we need to find out like how much they cost them when we can have the things done. I think that skill set translates very well to becoming your privacy analyst the privacy technologist because that is essentially that's the same skill set with probably a lot more technical and industry know-how because you essentially what we do is we set out the concept and the legal guidance that is sometimes coming from regulators it can be intentionally vague, or it can be just by nature of the beast somewhat gray in terms of what specifically you can mean. And that's when somebody like me comes in and teases that apart and figures out specifically what steps need to be taken for us to be compliant with specific guidance. It's almost like a translation service between legal and product or engineering or marketing folks. It is a way to compartmentalize and flowchart and figure out all the different steps that need to be taken, and what is the risk? And what are all the different, you know, from the engineering perspective, all the different steps that need to be taken for us to stay compliant? from a user perspective and user experience. What is the journey needs to look like to be compliant? That is, first of all, it's extremely fun for me. So because it's every time it's different at every time, you can use all of the templates and knowledge that you have, and it's still going to throw you for a loop almost every time. But it is the same type of mindset that somebody is not necessarily agency or marketing project management, but in the discipline of project management can easily translate into privacy.
Debbie Reynolds 09:55
This is fascinating. I think some of the points that you brought up are really interesting. I want to sort of highlight. And I think part of it is having smart people that understand that people have transferable skills. And also you have to have a passion for it because privacy isn't the most exciting thing, I guess for some people, you know, for me, it's, I like it for the same reason, because it's different, it's different every day, it's like some new change happens every day, you know, every project, you know, there is no boilerplate template really, that you can put on, you know, a certain issue because every company is different, every project is different in some ways. So obviously, you have, you know, you try to have your best practices and forms and stuff like that, there's always something that throws you for a loop. So I think having people also that can react and change and pivot if they need to, based on you know, the content, what people want to do, and also, you know, what the company wants to do. So I think those are really important key points, especially for people who are looking to sort of pick a path like you. So just sort of being interested, you know, in privacy, being able to, to understand what skills you have already that you translate there. And then also, you know, is being lucky to have smart people in positions to hire you and put you in, you know, put you in play that knows Olga can do this job because she has all these, you know, she has a passion, she has a skill, she does it really well, what are your thoughts,
Olga Kislinska 11:35
I would agree with that completely. I am lucky enough to be working for a boss who is, well, multiple leaders in my team who are all kinds of forces of nature in their own right. But there's an appreciation for diversity in background, a diversity of all kinds. But what I guess helped me open the door for me is the understanding and the wisdom on behalf of my leadership, to see a transferable skill set. As an asset, I did not have any official privacy background before I started at Nike. And they realized just how there are certain things that are easily trainable. And sure, there's that maybe steep ramp up on certain areas, but the foundation and the skill set is there. And certainly, the ramp-up is steep with privacy, but it never ends. That's the thing for folks who have a deep privacy background. I, based on my conversations with them, they experienced the same thing, which is you never stop learning. You never stop having to ramp up on something. So it doesn't, you know, if the skill set is there, if the person is able to be trainable, and are passionate about something, and they can learn, they know how to learn, and become experts in something fairly quickly. That's all we need.
Debbie Reynolds 13:04
Yeah, I would love to talk about it, and you touched on this a bit. But I'll let you sort of go more in detail about this. And that is sort of the working between the legal folks and the product people who have to take the baton all the way to the finish line because I feel like even in conferences that we go to talking about privacy is very legal centric, or legal heavy, which is fine. But I think there are so many people behind the scenes that are translating what these regulations mean to teams that are creating, like you say, products or experiences. And, you know, again, you know, that's why I'm so happy that we talked because, you know, I'm a, I'm a how-to girl, you know, I'm an operations person. So I like to be able to, you know, talk high level or talk concepts all day, you know, as I said, I can do, you know, the leather patches on the tweed, jacket, you know, talking with a professor at a university, and I could talk to a kid about privacy. So, I think being able to understand those two languages and understand what it takes to take what someone says about a law regulation and turn it into, you know, figure out with product teams, how to actually make it work and make the product go, can you talk about that?
Olga Kislinska 14:34
Absolutely. That is a big kind of open question. But you're right I, I find myself living in that world between legal and application and engineering and product for you know, 90% of what I do day to day, and I happen to work with probably the most talented lawyers that there are. Some of them specialize in privacy; some of them are a little bit more generalists. But as much as they are able to break down the bigger concepts into specific guidance, there's only so far that legal guidance goes before. Like when it's delivered to the product teams to engineering teams. The questions that usually come up from product and engineering are, you know, what does this mean for me? What does this mean specifically? What kind of identifier then can we use? What type of data can we transfer from one place to another? What color does this button have to be? And where can it be placed specifically on a page? You know, can you explain why infinite scroll is a problem with privacy? And, you know, we thought it was a user experience issue. Why is it a privacy concern? You know, so these questions are so very specific topic, and they are not even privacy questions. They're, they're experience questions, they're engineering questions, for us to kind of move forward as a business move forward as a company, we are at their service, we want to help them actually create a product and make a change. And, you know, it's not that there's resistance. It's just if I'm on the engineering side or product side, I genuinely just want to know if I'm doing something the right way if I'm going about something the right way. You know, I don't understand privacy. I don't understand legal. I just don't understand my discipline my craft. And just tell me, tell me what I'll get done. Just tell me what to do specifically. And that's where I think somebody like me comes in somebody who's a technologist or analyst. I think there's a range of different roles, titles that it can be, but it's a translation service. I am somebody who can break down for them. For example, in the user experience, if the consumer in certain geo (location) signs up for either membership or for marketing email on your website, what specifically has to be present in the experience? And what has to happen if a user indicates that they're of a certain age? And what that, you know, what is COPPA require? And what that has to actually look like? And that just because COPPA requires that we don't collect data from anybody under age in the U.S., at least under the age of 13. What does that mean? How do we prevent that from happening? Right? And so those specific issues are where the value of technology lies over technologists lies. A lot of this, what I've described just now, is reactive. It's answering questions and follow up with engineers. I think another big part of the role is proactive. It's training, it's constant, proactive, lunch, and learns, and meeting folks for lunch and explaining to them not just the importance of privacy, but the importance of their role in this whole puzzle. And what I found is that engineers and product owners from a digital side, they are very curious about this world, it is not something that they find it to be, you know, a nuisance or yet another thing that they have to do it is they're just interested from kind of a larger, almost a consumer standpoint, you know, so what, what kind of calling what is culturally acceptable in certain geos? Or how do we go about collecting a certain data point or certain data in China? So, for example, in providing some guidance to some of our experience teams, when they wanted to long show, for an experience in China, we help them understand that you know, the standard Chinese consumer does not use their email address almost at all. They use their phone number. And so creating a registration experience using email addresses not it's not necessarily a privacy issue, but it's probably a little bit, you know, it's not consumer-friendly, to say the least. And it's not going to be something a consumer is going to understand very easily or use very much if we don't include kind of what the consumer is used to the fields that they're used to using when they register, right. And so, there's a lot of this kind of collaborative, proactive training that a technologist does as well like I do these. There's a sectoral, not sectoral, and my apologies are all kind of geo-specific, very high-level privacy training that a couple of other folks and I had conducted some time ago that for some teams that did you, they just had a question. It was, you know, they just wanted to understand like, Hey, what are the geo perspectives and so we kind of went through in Europe, privacy is more of a human rights and the examples of GDPR and e-privacy regulation. We talked about how in China, it's a little bit more about data security and data localization, as well as in Russia. There's talk about data localization. There is, of course, the new law coming out of China, which is there's still any kind of open questions around it, which is fair, you know, not something that we weren't necessarily expecting, just because it's so so similar to maybe GDPR. So that's going to be a very interesting new concept for working with, for working in China and doing business in China, you know, thinking about the U.S., and how the U.S. is very different and how we have a more of a sectoral approach how we have, you know, CCPA, and we have COPPA and HIPAA, but we don't really have at least not yet. We don't have a kind of national federal regulation in place, you know, fingers crossed, but we'll see. I say that as a consumer, but, you know, I feel like having this basic discussion with, with our folks on the product side helps so much, because all of a sudden, they're on board, they get it, they get the basics, and they want to help like, okay, now what, what does that mean, for me,
Debbie Reynolds 21:12
And then, too, I think, when you're in privacy, you're working with all these different groups that may be in their own silos, in some ways, you're almost like a diplomat or ambassador in some way. So you have to definitely be diplomatic. And you know, I always tell people, especially in privacy, you know, not I don't try to judge, you know, someone's privacy laws in different places. You know, they're just different, you know, people have different experiences, they have different ways of looking at things. One is not better or worse. But just to be able to, just like you said, explaining kind of the culture around, you know, why things are the way they are, I think it starts to click for people. And then, too, as I said, I feel like because, and this is the reason why I got into privacy. You know, I was interested in myself, I'm like, wait a minute, like, What rights do I have? So that really sort of egged me on in terms of being able to get more interested in the privacy and following, you know, what it meant. And I never thought that it would turn into my personal interest in privacy turned into a kind of work or even a business. So that's really been really interesting. But yeah, I'd love to talk a bit about, you know, what, what is maybe some of the most surprising things that you run into in privacy is something that you just didn't expect coming up?
Olga Kislinska 22:45
Well, that's a great question. And it's an open question. I have a couple of things to tell you about. The very, the very first one is, fundamentally, there's something very different about this role, in contrast with my previous life of being kind of in the project management side. Whereas as a project management producer, regardless of my own level of expertise with a certain topic, you always kind of related to or presented opinions and input and ideas of the creative director or the technologist on the team. So you would set them up for success and create kind of plans and schedules for them and ability for them to kind of shine. This role is this. This is a very different role. This is the role of yourself being an expert in the field, and you're not necessarily setting up other people. In a meeting to answer any questions. You are the expert, and you answer the questions, or you guide the discussion. And I think that that's one thing important if we're talking to folks who are thinking about switching roles, from maybe marketing to privacy, that's one of the big things to keep in mind. Specifically, there are a few things I encountered in privacy that were very amusing to me, and very interesting to me, and surprising as well. One of them was when creating experiences that have user-generated content as part of the experience. And not necessarily, you know, on the scale of social media or social networks. But you know, it's not uncommon for digital commerce experience to include things like consumer reviews, or maybe photos from Instagram of consumers using certain product reviews and testimonials and photos of consumers using the product. They drive conversion. And that's just kind of common knowledge among digital commerce and so creating experiences that include user-generated content, you know, on the face of it, they seem fairly basic. from a technology perspective, it's just a matter of creating an experience for users to submit their content. But from a perspective of privacy and regulation, it is actually a much deeper, much bigger animal because not only must you have moderation in place for content before it is presented live for others to see on a live unnatural commerce page if you are to do business in China, and if you are to have these content reviews or images posted for Chinese consumers to see or by Chinese consumers, there is a whole other level of moderation that must take place, which is something that I had been calling reactive moderation and probably has many other names, which means even though something had gone through a full round of review, prior to being posted live, and it has no offensive content, either to other consumers or certain governments, there might be something in that content that could be deemed offensive by regional or a certain country governments after the fact, there could be a new element that all of a sudden, a very innocent topic or innocent term is now forbidden. And if, for example, in China, that people say, the Public Security Bureau, the PSB, if they find something on your website that they find to be offensive, it must be taken down within a few minutes, I believe it's ten minutes, it could be five minutes, I can't quite remember the number. And that is obviously not a lot of time. And so a process had to be, can you imagine, can you imagine trying to, you know, get to your own computer to delete something for yourself or your own email or your own Facebook posts within 10 minutes, it's hard to do. So imagine that on a big digital commerce scale. So a process has to be put in place, a very rigid process with both your vendors and internally, to ensure that there's always somebody on call and is able to take down content within an allotted amount of time. So again, this is not specifically a privacy issue. It is more of a government and security issue. And it is more of a compliance issue. I don't even want to say security. It's more of a government compliance issue. And we could debate for a long time on whether or not that kind of regulation is, you know, where it sits on, you know, in contrast with, with other rights that people have. But the bottom line is if you want to do business in certain geos, you have to abide by their laws. So again, this was one of the more surprising things to me. I think, you know, if, if you ever want to understand a specific story, you think like, oh, my gosh, this sounds so extreme. Is that really true? If you'd like to read more about this, you can just search the term Winnie the Pooh and China, and you will find that Winnie the Pooh as an image. And as a concept has been banned in China for a couple of years now because of a meme that the Chinese government found to be offensive. That surfaced a few years ago. So right, imagine like it would not be something that is a predictable term. You think why Winnie the Pooh would be offensive? Well, I will spare you the details. But it's a very interesting read if you'd like to do a little search on that.
Debbie Reynolds 28:53
Oh, my goodness. Yeah. That's fascinating. Yeah, I mean, there are just so many like nooks and crannies and things you have to sort of think about, and especially as we're sort of moving forward. So you're trying to push content out, you're trying to push a product forward, and you don't want like hiccups or, you know, bumps in the road. But as you know, that's sort of part of your role, try to kind of contemplate what the issues may be so that you can inform the people who are working on these issues so that they can be able to move forward and do the work that they are tasked with doing. You touched a bit on Federal privacy law, a bit especially for the U.S. I always like to ask people, so if it was the world according to Olga and we would just do everything you tell us. What will be your wish won't be your wish for privacy, either Federally in the U.S. or globally.
Olga Kislinska 29:51
Wow. In a perfect world. I would hope for us to adopt. I'm not necessarily saying something comparable to GDPR. Because some could argue that GDPR, in many ways, is maybe too restrictive for business, especially, you know, as time goes on, it's definitely not becoming more flexible. I think that there, there could be a happier medium between GDPR and something similar to maybe CCPA. But maybe, you know, GDPR is obviously a lot more inclusive of different, different situations. But the bottom line is, I hope for us to adopt something on a Federal level, because it's, it's just been such a confusing time for businesses and for consumers to, you know, you have CCPA, and but then maybe you'll have a different law coming out of California, that is going to override CCPA. And then Illinois has certain laws, and it's difficult to both do business in the U.S. and to assess risks. On the other hand, it's for consumers, not always easy to understand what their rights are. And I think that's my even bigger problem for consumers to okay, well, I live in Illinois, but maybe I do work in California, and like, what does that mean for me, right? And so a Federal approach would be great. I think Canada has a great approach to privacy, like I said, Europe, but perhaps maybe dial it back a notch. But ultimately, I would love to see privacy, some sort of privacy, regulation globally, just because I feel like there are certain countries in the world where privacy is not considered a priority. And that usually coincides with maybe other human rights not being considered a priority. And so if I had to, you know, choose a perfect world, I would want for there to be some sort of great equalizer. And, and for those countries have those years to adopt, not just certain privacy regulations and respect for their residents and their data and their information. But in addition to other human rights as well, because I think those are frequently connected.
Debbie Reynolds 32:22
Yeah, I think that's true. And then, too, I feel like this is our issue that impacts everyone in the world. So it would be wonderful if we can come to some type of consensus, just about basic things, like I told someone, like maybe, you know, cybercrime is bad. Like, can we like sign-on on an international level? If this is a bad thing or something like that? I don't know. So, you know, I feel like, you know, there has to be a way forward, instead of everyone's kind of do their own thing, obviously, countries will have things that are very specific to them, but being able to have some type of kind of a baseline for what we think is, you know, right, that we can all agree on, I think that'll be great. And I think a lot of people want a Federal law because it is like pulling your hair out. You just don't know what's going on. And then I, when I explain to people in Europe, about consent and stuff, so Europe, they're all about consent, right? So they don't share unless they consent, and us very much more of a notice country, you know, so you don't necessarily have to get consent for certain things. But you just as long as you notify the person, that's really what you have to do. So it's just, you know, it's definitely a cultural thing. Especially, I'm really interested to see what's happening with China with their regulations that they're putting into place. I know. They've been working on that for a while. And people are kind of shocked because the GDPR is very different than what people think about as people think about privacy in China. But a lot of their, like you, say a lot of their laws and regulations they are passing in China that are like GDPR very much based on kind of cybersecurity, and protecting individuals from like, theft or, you know, identity theft things like that. So yeah, we're almost at the end of our time. Is there anything that you would love to be able to tell people like, you know, so I get a lot of businesses from around the world and listen to this podcast, but is there do you have like a nugget of wisdom that you can give to people who are facing these privacy challenges in their business and what may be one piece of advice you think you would give them?
Olga Kislinska 34:50
The one thing I would say that I frequently say to my business partners and product and engineering partners is that privacy, compliance is not the antithesis to their goals. There are many ways that privacy in business can find excellent middle ground, we just have to collaborate and get creative things that may take a little bit longer, or things may take a little bit more resources. But ultimately, it's worth it for the long haul, to do things the right way. And the right way does not necessarily mean it will not be an excellent user experience, or it will be an efficient platform release or anything that the business or an engineering team would want to accomplish. We can still do it. It might just take a little bit of thinking.
Debbie Reynolds 35:50
I agree with that. I tell people like I make privacy a business advantage because, you know, I think a lot of people look at it. It's like, oh, like your parents told you to eat brussel sprouts. Like, I don't want to do that. But actually, you can work through those issues. And it can be an advantage if you know, learn how to do it. Right. And you can, you know, maybe doing it the first time may be hard, but then doing it the second time will be easier. Now you have like a path. Exactly.
Olga Kislinska 36:19
It's more like eating zucchini bread. You know, it's still vegetables, but it's a dessert.
Debbie Reynolds 36:24
Oh my goodness, it was so much fun to talk with you, Olga. I know everyone's going to really enjoy this episode. I'm always happy to geek out with you anytime soon. Just call me up.
Olga Kislinska 36:35
That sounds excellent. I'm taking you on because I love this. This is one of my favorite things to do. Debbie, you're awesome. Thank you so much for this. I am happy to talk anytime. And it's just been such a great opportunity. So thank you. Thank you. Thank you.
Debbie Reynolds 36:50
Oh, you're welcome. You're welcome. Well, I'll talk to you soon.
Olga Kislinska 36:53
Bye.