Hands piled in a group showing the interview with Groupon’s global privacy and regulatory managing counsel on how the company enforces privacy without having a CPO
No CPO? No Problem! by Jared Coseglia, Founder and CEO at TRU Staffing Partners

Coffee with Privacy Pros: No CPO? No Problem!

Groupon does not have a CPO. Groupon also does not have a chief governance officer, and, according to Brock Wanless, Groupon’s global privacy and regulatory managing counsel, the company may not need to either. By fostering an environment of collaboration and commitment to customer satisfaction both within and outside of the general counsel’s office, Wanless, his team and his peers have made privacy by design a cornerstone of Groupon’s continued corporate success and sustainability and the gateway to maturing how it manages and leverages data holistically.

Wanless, like many in the privacy vertical, fell into the profession by accident. “I was hired at Groupon in August of 2012 by our privacy counsel, who was actually the first attorney hired by Groupon and [later] chose to focus on privacy as the legal department was built, to work on regulatory and government affairs issues,” says Wanless. “It was under her that I was first exposed to privacy issues and privacy as a legal discipline. It was not something I was working on at the time originally.” Even in Wanless’ early privacy career, privacy was but a piece of his overall job responsibility – a modality that would prove useful to Wanless’ future self in later helming Groupon’s global privacy program. It was when his supervisor and mentor decided to leave the organization that Wanless went full throttle into privacy as a career focus: “Our new general counsel took a leap of faith with me, agreed to have me take charge of the privacy group, build out and centralize privacy in a way that made it a global function, and I said yes.”

Brock Wanless, Global privacy and regulatory managing counsel at Groupon
Brock Wanless, Global privacy and regulatory managing counsel at Groupon

Wanless inherited a privacy program that was in “a strong genesis state.” He and his team have since evolved and grown the program in headcount, capability and value. Currently at Groupon, Wanless and the privacy office report into the general counsel’s office. “We now have a team of lawyers in the privacy office, but also teams of nonlawyers throughout the organization in various departments,” describes Wanless. His team has been able to operationalize privacy in a centralized global service model by leveraging partial human resources throughout the talent infrastructure at Groupon. Wanless describes them as “privacy leaders,” and they reside in engineering, human resources, security, product development, marketing and more. These leaders do not directly report to him, but they do work directly with him and his team daily. “The privacy program is managed in a holistic and collaborative way. Legal has fully dedicated resources and drives what we need to do to comply with the law, but we have a lot of people who operationalize and lead various aspects of the program in their own right,” adds Wanless. So how does Wanless encourage participation in the privacy program unilaterally across multiple disciplines?

At Groupon, there is a top-down culture that insists employees must care for the customer, and customers care about privacy. Groupon must approach privacy from a B2C, not just a B2B perspective. “As a consumer-facing business, we need to be sensitive to consumer expectations and trends,” says Wanless. “We apply that mindset in everything we do. We think of the customer first. We put ourselves in the customer’s shoes. What would our customer want?” For these reasons, Wanless feels Groupon employees – whether existing or future hires – have a heightened sense of privacy for the consumer. “The privacy program isn’t driven by pure compliance,” comments Wanless. Groupon’s privacy leaders indoctrinate an “it’s the right thing to do” approach to privacy throughout the company. This has made the privacy program successful in garnering support from nonlegal resources to not only participate in elements of privacy by design, but also use privacy processes to drive other business initiatives.

The next step is education. Privacy education has been programmatic at Groupon for a long time, but in recent years interest has dramatically increased. “The IAPP is a good resource,” says Wanless. “We have a corporate IAPP membership, and all our slots are filled. We have a lot of people internally with an interest in privacy.” Wanless also comments that employees at Groupon, “do it because they like it; they find privacy interesting.” In order for employees to find something interesting, they must have some exposure and perhaps be trained. For Wanless and his team, there is a joy and job satisfaction that comes from evangelizing an awareness and appreciation for privacy and then having that passion reciprocated. “It is fun getting an email from a colleague who is asking a really nuanced privacy questions. It means that person is learning and cares.”

Wanless is ultimately accountable for the privacy program at Groupon, but neither he nor the organization feels the need to brand him as such. “We don’t have a chief privacy officer, and I’m not sure if it makes sense for us to have one,” admits Wanless. This perspective, and perhaps lack of necessity for a figurehead of privacy, aligns with a company culture where privacy is ingrained in everyone and everything teams do cross-functionally. This achievement began with preparing for GDPR.

For Wanless and his team, the GDPR project was an opportunity to institutionalize more than just privacy compliance by rallying various resources throughout the Groupon internal employee ecosystem; GDPR provided a chance to create a culture of responsibility around data handling and expose the ability to leverage data to increase customer satisfaction. “We were preparing for GDPR very early,” says Wanless. “We spent a tremendous effort on planning during GDPR prep: who on my team would lead, how it would run, product integration throughout the company. Flash-forward to today … and a lot of the programmatic pillars we stood up for GDPR are now driving innovation and our responsible use of data. We are being more intelligent about the data we have.”

Leveraging data to benefit brand success sounds more like an information governance agenda than a privacy program responsibility. This points to the shifting leadership role in the dance between corporate privacy and information governance professionals, and privacy pros may now be taking the lead. “Information governance is engrained in how we operationalized GDPR. We don’t have a separate data governance function, so the responsibilities of that type of function flow through various teams that are involved in running the privacy program,” says Wanless.

This trend may be a tipping point in the evolution of privacy professionals and future career progressions in the privacy and governance space. The regulatory pressures and requirements of GDPR compliance forced a maturation of broader information governance policies and procedures, centered specifically on privacy. These corporate operations, like the privacy by design program at Groupon, are now evolving to serve the organization in ways beyond GDPR compliance. Many companies lacked commitment and investment in operationalizing broad information governance initiatives because these programs were opportunistic, not mandated. That changed with GDPR, and privacy professionals are rapidly evolving toward serving goals broader than privacy to help innovate and drive businesses forward by smartly managing data.

“Privacy is already big data,” says Wanless. “How we use it, leverage it, provide value to our customers with it … those are questions we answered in looking at how to build a privacy program.” Groupon boasts 47.2 million active customers, over 1 million merchants, 6,000 employees and is active in 15 countries and over 500 global markets. That’s a lot of data, a lot of responsibility and a lot of opportunity.