A look at how ServiceNow handles data privacy – It all starts with trust
Summary: Mark Cockerill, VP, Legal (EMEA/APJ) & Head of Global Privacy, outlines ServiceNow’s four pillars of trust for handling complex data privacy regulations.
Data is more influential in today’s world than many of us realise and more powerful than the electricity that runs through our homes and the gas that warms them. However, despite data being the 21st century’s most valuable commodity, privacy regulations differ throughout the world, and each differs from the others in its own unique way.
As poetic as that sounds, ensuring that data is being handled properly and legally can be quite the challenge.
ServiceNow works in tandem with its customers across the globe to help tackle these significant challenges. This means that it’s my responsibility as the Head of Global Privacy to be knowledgeable on all the different privacy regulations in place throughout different countries and regions and the varying complexity of compliance requirements.
Companies based in Europe are very aware of their main data privacy regulation, the GDPR, which makes it one of the easiest regulations to break down and explain to our customers – people are so familiar with it and attuned to its implications. However, outside of Europe there is a multiplicity of regulatory regimes, which affects the way ServiceNow interacts with its customers in countries like the US, Canada, Australia, Singapore, Brazil, Japan and South Korea, to name just a few.
Additionally, these regulations are subject to change as inevitable advances in technology open the door to new possibilities of data acquisition, vulnerability and mismanagement. For example, laws in the US are evolving to take account of the new world and dynamics, with the California Consumer Privacy Act (CCPA) due to come into effect soon and many other US states looking at introducing additional privacy laws, or adjusting and strengthening those in existence.
Therefore, we’ve got to be vigilant, look up and stay ahead of the game when it comes to data privacy laws. Managing these and making sure both we and our customers are protected well before changes take place is a top priority of our global privacy team.
Going beyond the bare minimum
Data protection can be a very complex and precise operation. When looking at privacy requirements, we must ensure the solutions and tools we are developing today are capable of dealing with future regulatory advances and scalable to support our customers’ global operations.
These requirements are also complicated by the fact that every day consumers become more aware of data privacy in their own lives, and the risks that they are potentially exposed to when they hand over their information to companies. As a result, there is more and more pressure on companies to respond to these heightened concerns.
For the ‘data owners’ this is a huge challenge – and one that is complicated by the fact that it’s simply not feasible to go to one all-encompassing IT vendor that will optimise their business and keep their data safe. The reality is that larger businesses each use multiple IT vendors – each of which is potentially a ‘data processor’ – to support their numerous functions, each vendor located potentially anywhere in the world, each operating under its own governing body’s data privacy laws. With so many moving parts and people to communicate with and organise, keeping data safe and private is now a pooled task. It is in every vendor’s and business’ interest not to be the hole in the proverbial bucket. However, working with a handful of core strategic platforms then becomes even more attractive, once settled and comfortable with the delivery and quality of what they do.
Although ServiceNow is a data processor and not a data controller in terms of the services it provides to customers, we naturally are fully aware of the privacy protection requirements and challenges that our customers are faced with, to best appreciate the level and scope of reasonable expectations they may ask of us. We equally want our customers to appreciate how seriously we take data privacy – going far beyond the bare minimum.
Four strategic pillars
This is just a small part of what I am focused on achieving at ServiceNow, but it’s a vitally important aspect. To keep a focus and drive on making that happen, there are three key strategic pillars I use to guide and support the work my team and I do: Trust, Education and Commerciality.
Of those pillars, it all starts with trust. Trust is equally important for both internal and external relations. We want to show the same level of respect to our customers as we do to our own employees. To build up trust we need to show that we care, and that we’re reliable and knowledgeable. On a more practical level, it also means we have to demonstrate our commitment to achieving the right certifications and to having the right rules and policies in place. If people don’t believe that we truly care about the security of their data, then they cannot possibly trust that the workflows we create will give them the protection they need.
Allied to this is a need for consistency – we have to be aligned internally. No matter who you are dealing with, you should get the same answer every time. The key to this is delivering on our second pillar – education. We ensure our people get the right training and that our knowledge base is dependable across the board internally – regardless of the department you are dealing with. Again, the educational aspect isn’t just internally focused – it also includes our customers and educating them. This means explaining to them what we do, why it makes a difference and how we’re going about it and in turn, what further steps, or protections, like multi-factor authentication, they can put in place. Security and Privacy are very much a joint responsibility between us and the customer.
Lastly, as an enterprise, we have to be commercial in terms of the decisions we make and take a risk-based approach as to how we operate. We don’t just do the bare minimum to satisfy compliance requirements – it’s self-defeating and doesn’t encourage any sort of development of customer relationships, or demonstrate the evolution of our higher goals and targets. Instead, we bring together the first two pillars of trust and education to help push us higher with the third, to consistently be the provider our customers can rely on.
As the number of regulations increases and their complexity grows, so does the opportunity for error. What we do at ServiceNow is prepare as much as possible and not take things for granted. It’s about being proactive, seeking out new developments and navigating a minefield of possible risks.
Maintaining global privacy compliance and satisfying worldwide customer requirements of processors is certainly a challenge, but it’s one we’ve consistently risen to time and time again, and we look forward to continuing to do so.