Ensuring privacy solutions are legal by design

March 16, 2021

Giorgia Vulcano, ahead of her appearance at PrivSec Global next week, explains the benefits of using collaboration to embed legal solutions in privacy products and services at an early stage

Giorgia Vulcano is EU Privacy Counsel at The Coca-Cola Company. Here, she answers our questions about her privacy journey and Coca-Cola’s Legal by Design framework.

Can you give me a bit of insight into your career pathway and how you ended up in your current position? What was it about privacy that caught your attention?

I’m originally from Rome and studied law between Italy, Spain and the US. After my studies I decided to move to Latin America and start my career as a human rights lawyer, working mainly on cases of impunity and human rights violations committed by military dictatorships.

I was working with people whose lives had been completely disrupted because of their values and opinions, who had to live their beliefs in secrecy whilst being under the constant surveillance and control of the military, their employers, or even their neighbours. And despite the military dictatorships in Latin America being long over, the repercussions were still strongly felt by society. Your personal choices, your surname, your relationships or the school you went to subjected you to different degrees of interference.

It was the first time I saw how the right to privacy was intrinsic to other human rights and freedoms.

While I kept my human rights role active, I moved to work as a legal counsel for digital startups, finding a way to reconcile my curiosity for innovation and technology with the concept of human centricity.

This path redefined my role as a lawyer, as I experienced the importance of putting individuals at the center of a creation process, protecting them from the impact of technology and defining the true value exchange before launching a product or service on the market. I shifted from working with lawyers to taking into account the diverse perspectives that a cross-functional team may bring to the table, and learning about methodologies like design thinking and agile for problem discovery and solution creation.

At this point in time, startups were already looking into data quality versus quantity, thinking about how the data they could access could actually bring value to the final end user and impact their business model. Although privacy wasn’t yet a hot topic, we were already beginning to have discussions around the uses of personal data.

In the post Cambridge Analytica era and as the GDPR was entering into force, reflecting an increasing attention and ask from society for data protection, I decided to move to Brussels, the center of policy and legislation. I joined Deloitte first and then Coca-Cola as a privacy lawyer. Today I address data protection challenges through new ways of working, replicating the agility of startups to trigger innovation at scale whilst protecting our employees and consumers. I’m also increasingly focusing on the legal and ethical implications arising from emerging technologies, applying legal design to remove silos and facilitate cross-functional teamwork.

Can you tell me a bit about “Legal by Design” and the rationale behind its framework?

Simply put, Legal by Design is a creative problem-solving process, a different way to address challenges and explore opportunities when faced with a new project, service or product. By anticipating the causes of a problem at the very early stages of a process, we can design solutions that fix possible legal issues right from the start.

The result is a product or service that is legal by design and that does not require manuals, instructions, contracts and disclaimers to regulate its improper or illegal use.

For example, would we still need to fine drivers who exceed the speed limit if we create cars that cannot, by design, go beyond the allowed speed limit?

Would we need to conduct audits to uncover fraud if we can rely on new generation technologies like blockchain that are designed in a way that make double spending impossible?

With this in mind, I created the Legal by Design framework as an open source tool for lawyers wishing to overcome silo-working and address legal issues at 360 degrees, unlock their creativity (yep, lawyers too can be very creative!) and protect individuals from the real and potential negative implications they may endure as end users of a particular solution.

The framework mentions the aim of “blending legal and non-legal at the early stages of the product/service lifecycle” – Can you give me an example of what this would look like in daily practice?

Normally, lawyers are called in when a business solution has been finalized and is ready to be launched. Without having been involved in previous stages of the business creation process, the lawyers will be asked for their legal inputs on the final solution.

For example, let’s imagine that in the midst of the Covid-19 pandemic, Company X wants to create a new, contactless temperature detector to monitor staff and customers’ access to stores, airports or the workplace. A team of Engineers, Developers, UX designers and Researchers work together to design and build a device.

Once the team has validated its prototype and is ready to launch on the market, it involves the lawyers to validate whether the device is up to code. Among others, the lawyers will assess whether the data processing operations undertaken by the device are GDPR compliant and in line with the guidance of the local Data Protection Authorities.

They will review, for example, what data is processed, how the temperature is displayed, whether the security controls are adequate.

The lawyers will formulate their recommendations and share them back with the team for implementation. The costs and time for implementation will vary depending on the difficulty and effort required.

Let’s now imagine instead that the lawyers are also members of the team of Engineers, Developers, UX designers and Researchers.

As the user journey is created, they can flag legal requirements and possible risks to the end users, so that the UX designer can fix the user journey accordingly.

They can tell the Developers in advance what privacy and security measures are required to best protect the personal data and minimise intake. The outcome of the process is not a solution that requires remediation but a solution that embeds the legal solutions in its design.

And ultimately, as a client, which of the two products would you purchase?

What would you say is the biggest obstacle in implementing a Legal by Design approach?

The biggest obstacle that I see today is, on one side, the fact that lawyers are still perceived as external advisors rather than as creative team members.

This perception is slowly changing, but we’re definitely not there yet. On the other side, there is still much confusion around what Legal by Design really is. Many associate it with graphic design, the use of icons or visually exciting features. To overcome this misleading interpretation, when defining Legal by Design, I like to cite Steve Jobs. He used to say that “Design is not just what it looks like or feels like. Design is how it works”.

How far does the Legal by Design framework go to fix the issue of siloed teams?

My starting point is that the complexity and uncertainties generated by the use cases we are looking into today (from a technical, legal and value exchange perspective) require co-creation and trustworthy collaboration amongst professionals with diverse and unusual perspectives, where lawyers are not just external advisors, called in at the end of a given process, but team players and designers.

This framework aims to help lawyers create a common language within their teams to simplify complex issues and make them comprehensible to all, and to guide their work on the basis of a shared understanding.

It does so by combining the double diamond, which is a methodology commonly used in Design Thinking for problem discovery, and IRAC (Issue, Rules, Application and Conclusion), which is an approach used by lawyers, and thus relatable to them, in addressing legal issues. The Framework identifies and creates touch points between Legal and the Business teams, in such a way that either party has visibility on the status and roadmap of the creation process. This way, teams can better collaborate towards a common vision, share information and expectations and anticipate next steps.

What is the importance of ongoing communication between the legal department and a company’s chief privacy and security officers?

I don’t see one department functioning without the other; it’s a ‘design criteria’. We cannot effectively and efficiently address the legal, privacy and security issues in silos; they are too intertwined. How many products or services today have survived on the market (and without a backlash) by not jointly addressing these features and aspects?

The level of competition and innovation are such that consumers will eventually find the solution that best fits their needs and expectations of value.

Why should organisations consider the promotion of cross-team collaboration in privacy as essential in mitigating risk?

In order to mitigate risk, we need to understand where that risk lies and what is triggering it. Doing so from a single, function-specific perspective has its limits. If I tackle the risk only from a legal standpoint, without understanding or anticipating what could go wrong from a marketing, IT, financial or communication perspective, to name a few, then my advice will only tackle one part of the problem. To uncover all issues and deliver quality responses, I need to bring together multiple perspectives that can contribute to the definition of a real, all-encompassing overview of the risks at stake.

Why should a privacy team be diverse in order to succeed?

Like-minded people will perceive problems and think of solutions in a like-minded way. I personally find that being a diverse team implies taking into account the opinions of people from a range of backgrounds, who will feel, perceive, think and respond differently from you.

When we challenge, disagree with, or build on each other’s ideas, we open the floor to unlimited growth and development. We cannot be truly inclusive if we don’t create solutions that reflect diverse opinions and mindsets and that can be used by all.

How do you empower departments to collaborate on privacy?

By making privacy relevant to their work. I don’t just explain to them what the law says. They don’t have to comply with privacy just to be compliant.

Today, delivering value to our employees and consumers means embedding privacy in the final product or service. We cannot remain competitive on the market if we don’t offer the utmost data protection to our users, and treat their information in a way that is ethical, transparent and fair. We really work together to leverage the opportunities that a privacy protective solution offers to our end users.

What are your ambitions for the Legal by Design framework?

The Legal by Design Framework is an open source, working tool, ready to be used by anyone who wishes to do so. At this stage it’s an alpha prototype that can be tested, used, tuned and adapted to different realities and environments. I see it as a ‘work in progress’ to be updated over time as I collect user experience and feedback from the community.

My biggest hope is that it can deliver value for other lawyers aiming to achieve human centricity and simplicity in their way of working. The framework can be found here and you can connect with me via LinkedIn if you wish to discuss this topic further.

Giorgia Vulcano will be speaking at “Creating a PrivSec Cross-Functional Alliance”, at 9am on March 23 at PrivSec Global.