Data privacy

At Intuit, an officer spreads the word on privacy

Handling financial data gets complex. Intuit’s Elise Houlik aims to simplify.

Francis Scialabba


Privacy requirements for a financial services company get complicated, which is why Elise Houlik loves a good whiteboard—a place to draw the customer data being pulled, where it’s going, and what controls are in place to protect it.

Maybe one box represents employer data, then an arrow shows that information heading to a new insight tool, and then a separate box illustrates the data getting de-identified, with names and locations taken out.

“You get me some dry-erase markers, I’m off to the races,” said Houlik, chief privacy officer at Intuit.

The 40-plus-year-old company behind familiar services like TurboTax, QuickBooks, and Credit Karma relies on a combination of sensitive, sometimes personally identifiable information (PII) like Social Security numbers and addresses.

Safeguarding the privacy of that data requires more than a few markers. Houlik is charged with not only protecting the data, but translating the privacy complexities—both technical and regulatory—to employees.

“I wouldn’t expect everybody to walk around with an encyclopedic knowledge of all the different global privacy laws… That’s why I have a team. That’s why we’re around,” said Houlik.

Data difficulty. One of the perks (and challenges) of having a 100-million-plus customer base: there’s a lot of data.

When an Intuit product team has an idea that harnesses the mountain of information, a team member may be tempted to use, well, all of it. A common question, said Houlik: Why can’t I do this with this set of data?

“You almost start at the very end,” said Houlik. Once the end-goal is established, the privacy team can discuss the essential data that supports it, and how to ensure that PII is not exposed in the process.

In March, Intuit announced a QuickBooks Small Business Index, which provides insights on the health of companies with under 19 employees. The index is powered by anonymized data from QuickBooks Online Payroll, along with a separate, economist-built model.

Intuit data elements like employee totals, industry sector, and job vacancies are critical to supporting a tool that indicates the health of the small-business economy. Personal identifiers for the individual employees are not.


The privacy team collaborated with the index-makers from the beginning, said Houlik, raising regulatory considerations for the model’s various geographies and reviewing parameters for anonymizing the data.

“We can’t build those models unless we get the PII out of there,” said Atticus Tysen, chief information security and fraud protection officer at Intuit.

Personal identifiers had to be replaced with unique, non-identifying values. Houlik helped to ensure that the de-identification process aligned with regulations.

“The biggest strength that I’ve seen is her ability to really translate a lot of complex legal issues into business decisions that we can make together and make trade-offs on,” said Tysen.

Compliance complexity. Many sectors of law have hundreds of years of decisions and precedent. Privacy law? Not so much.

“There’s nothing to look at,” said Houlik.

While a US federal law called the Gramm–Leach–Bliley Act controls how financial institutions handle private information, many state laws also exist or are in the works, like the California Privacy Rights Act (CPRA), which took effect on January 1, 2023.

The EU’s General Data Protection Regulation (GDPR) also provides a level of essential standards for companies that handle customer information, and the various laws can be difficult to navigate.

While a privacy officer’s job may involve showing product teams and engineers the whiteboard of privacy requirements, a strong leader has a way of spreading the principles organization-wide, said Saz Kanthasamy, principal researcher for privacy management at the International Association of Privacy Professionals.

“It’s a team effort. It’s not just privacy dictating the requirements,” Kanthasamy told IT Brew.

Not on mute. During one Zoom meeting, Houlik was about to unmute her line to share a privacy concern with a new project. “And an engineer, not on my team, beat me to it, and said, ‘Well, how does that work under the GDPR? Because, from my understanding, we can’t do this,’” Houlik told IT Brew.

And he was exactly right, Houlik said. “That’s the dream.”

A consistent, accessible explanation of privacy requirements, understood throughout an organization—a clear message on the board.—BH
