#5QsforCPOs: Andrea White – Chief Compliance Counsel and Privacy Officer @ Toyota
In our #5QsForCPOs blog series, OneTrust conducts short, informative interviews with CPOs and senior-level privacy pros to uncover insights about their organization’s privacy practices, and to gain further understanding of their thought processes as a privacy team leader.
1. What career experience best prepared you to become Chief Compliance Counsel & Privacy Officer of Toyota?
I would say it’s actually the combination of my experiences that best prepared me for my role at Toyota. I was in the legal department as a transactional attorney for about 12 years, and moved out of the department into our new eBusiness unit, which reported directly to the President. That was during the Internet bubble, so my team and I had the opportunity to work on all sorts of fun, exciting projects. We were creating new things all the time. I found I really enjoyed the business side of the company. So, in 2002, when the CIO asked me to develop a new business unit within our Information Technology division, called Enterprise Information Security and Privacy, I jumped at the chance.
I was in the IT division for about six years, and I think the experience of being on the technical implementation side really helped prepare me for when the CIO and General Counsel asked me to focus primarily on privacy.
When I became the Chief Privacy Officer in 2006, the function was located within the Legal Group. In 2015, a new organization was created, called the Compliance and Audit Office, and I’m now part of that organization.
It’s been a very dynamic career track which is good for someone like me who enjoys change. Over the years, I’ve developed a great network of colleagues who I’ve worked with, sometimes in different capacities. A strong network is especially critical during times of change. It helps to have at least a core group of people you’ve worked with before who know the organization and the subject matter. That helps a lot when everything else is changing.
2. What has been your number one privacy priority at Toyota this year and why?
It’s hard to choose just one –– there are actually three priorities:
- Keeping the lights on, so to speak, while we are in this incredibly dynamic period of change.
- We want to be car technology leaders in the industry and we have some new activities that are very futuristic. Cars are rolling computers… that’s the bottom line, and they can and do collect a lot of data, so there are sometimes privacy issues related to new technology and related business practices that need to be addressed.
- The GDPR is going to provide a very challenging set of requirements, and while I don’t think we’ll be heavily impacted, I think we’ll have to make some changes and do things differently than the way we’re doing them now.
3. What would you say are Toyota’s biggest privacy strengths and weaknesses?
Our strength is something I’m very passionate about, and that is: culture.
When you’ve had to oversee compliance with a variety of laws that are external, as well as internal-facing policies, it’s very challenging for an organization to be able to consume and understand all the requirements, which is why culture is so important.
You can’t expect every team member to memorize every word of every policy –– so, we’ve focused on a culture of awareness so our people at least get an internal sense of what the right thing to do is. And, when they aren’t sure, they know to call someone for help if they don’t know the right answer.
There’s no question that having privacy champions is also very critical.
Toyota went through a big breach about six or seven years ago, and it happened to involve employee data, not customer data. It was significant breach with one of our vendors, and the data exposed was all of our employees’ information, including covered dependents.
Having gone through that, our learning curve around privacy went straight up, and not just for me and my team –– everyone experienced that breach with me, and it raised the overall level of awareness. Even if you’re someone who never touches people’s information, if you worked at Toyota six or seven years ago, you experienced a significant breach and now understand a bit more about what privacy is, what it means, and what happens when you lose it. As a result, Toyota now has a network of mini-privacy champions throughout the company.
I don’t know that we have any weaknesses, however, we do have a business challenge when it comes to the sales unit.
Supporting the sales function in an organization can sometimes run counter to strong privacy practices. One of our sales unit’s core competencies is marketing and advertising to people. A natural sort of business imperative is to collect as much information about our customers as possible so we can market to people. The challenge here is satisfying the business imperative and the privacy imperative. We’re constantly having to find a balance so that we don’t impede the business, but we also protect peoples’ information.
4. Which privacy subjects are you most passionate about and why?
Building respect for privacy into the culture of Toyota was and is something I’m very passionate about.
Many years ago, when I was made the first Chief Privacy Officer, I engaged management with the idea that privacy is a trust issue, and that Toyota’s brand is all about trust. Sometimes we describe our brand value in terms of “QDR” or “Quality, Dependability and Reliability.”
People buy our cars because they can trust them to work, and to keep on working, and that’s why our brand has so much value. Privacy, from a company’s perspective, is handling customer data so that it is properly respected and protected. The idea is that privacy is simply an extension of our brand, and that if people trust what we do with their information, it’s consistent with the way they trust our products generally.
5. What’s a quirky thing or a funny story that your privacy team doesn’t know about you… yet?
One funny story that everyone pretty much knows is that I went to the high school prom with Kevin Spacey. I finally had to bring in my yearbook and prom picture so people would believe me. I was a big theater geek in high school, and so was Kevin, and all our friends were theater geeks.
Another quirky thing that most people don’t know is that I’m a marine turtle fanatic. I love sea turtles. Loggerheads and Green Sea Turtles are my favorite. I help with the turtle nests in North Carolina in the Summer, and I scuba dive or snorkel with the adult turtles in Hawaii in the Winter. They’re amazing creatures and I know way too much about them than the average person should, but I find them fascinating. When I retire, I’ll probably become a marine turtle advocate and work with programs that help track and support endangered species to ensure their survival.