TPM Teardown: A TPM approach to setting up a GDPR initiative
Decoding TPM Strategies for Success
(6 minute read)
👋 Hey TPM Craftsman, let’s get crafting.
This newsletter edition is focused on all the pillars!
What’s inside?
👨🏫 Intro: Intro to TPM Teardown, an insightful dive into realistic TPM scenarios
🤝 TPM Teardown: What does it take to set up a Global GDPR Initiative?
📚 Sponsor: Vanta, compliance is easier with a little bit of help.
Let’s get to it! 👇
Intro
👨🏫 TPM Teardown, what is it?
I’m experimenting with a new style of writing.
📧 After reading this, reply directly to this email to tell me what you think.
So what’s going on??
I’ve always enjoyed the idea of a Product Teardown: an act of disassembling a product to understand why and how it works.
⚙️ I’m here to introduce the TPM Teardown: an insightful exploration into the strategies, challenges, and triumphs encountered in managing complex tech projects as TPMs.
We’re not trying to be overly critical or negative in a Teardown. We’re more like spectators or objective scientists trying to learn from an observed experience.

🤔 So what can you expect from this TPM Teardown style?
Let’s take a look at a scenario where a TPM is faced with putting together a large, cross-functional GDPR initiative.
*Disclaimer: this scenario doesn’t claim to cover every detail. Pay attention to what might be missing.
Without saying more, let’s jump into our first TPM Teardown.
TPM Teardown
🌎 The Challenge: Setting up a Global GDPR Initiative
In this edition of TPM Teardown, we're diving into the world of global data compliance, specifically focusing on GDPR.
💼 Setting the Stage
🙋♀️ Let’s follow our TPM friend, Alice.
She’s a seasoned TPM who faces the formidable task of orchestrating an organization-wide GDPR compliance initiative. With our creative liberties here, let’s say Alice works for InnovateTech: a leader in cloud services with a sprawling global footprint.
🎯 The goal? To align the company’s vast and varied data handling practices with the rigorous standards of GDPR - and not just any data, but every bit of it, regardless of where it's processed or stored.
⏰ The Timing? The clock is ticking for Alice and her team. They have a clear, non-negotiable deadline: to achieve full GDPR compliance within 12 months. The goal is not only to meet the legal requirements of GDPR but also to establish a benchmark in data handling that sets InnovateTech apart in its commitment to data privacy and security.
🤝 Stakeholders and Relationships
Alice is a smart TPM. She knows that initiatives of this scale largely depend on the quality of relationships she builds with her partners.
The first necessary relationship is obvious to Alice.
Primary Executive Sponsor: Data Protection Officer (DPO) - Claire. She is the one requesting that this initiative be prioritized in the first place. Claire is the primary decision-maker, ensuring that the project aligns with GDPR standards and the company's data ethics.
Alice needs to work closely with Claire, so she sets up regular 1:1s to stay connected.
Beyond that, she begins to build relationships with any other data-related team she can find. These data-centric roles will likely be core contributors to this initiative.
Data Product Manager - Raj: Leading the product data strategy for customer-facing applications, ensuring GDPR compliance in user data handling. Raj will help solidify requirements.
Data Engineering Manager - Lena (Global Data Infrastructure): Managing the overarching data infrastructure. Lena will help drive high quality engineering to meet GDPR requirements.
System Architect - Alex: A pivotal figure in mapping out the system architecture. Alex will help dive deep into the nuances of the company’s tech stack.
Legal Counsel - Sarah: Sarah provides critical legal oversight, ensuring all GDPR compliance strategies are in line with current data protection laws.
Compliance Officer - David: David is responsible for ensuring that all GDPR compliance efforts meet regulatory standards.
For each of these, she gets time on their calendars to see how she can best partner with each of them.
Next, she considers who might be interested in the progress of this initiative, but not necessarily regularly contributing. This is the informed group.
Chief Technology Officer (CTO) - Amit: Staying informed on the technical feasibility and resource allocation for the GDPR project, providing strategic oversight.
Regional Heads (EMEA, Americas, APAC): Updated on the compliance progress and its impact on regional operations.
Marketing and Sales Team Lead - Carlos: Informed about the implications of GDPR on customer data usage, aligning marketing and sales strategies with compliance standards.
This is a good list to start with, but she’s sure that more stakeholders will come out of the woodwork as the group identifies all impacted systems and their owning teams.
Now that the initial program team is assembled, let’s dig deeper…
🌐 Dependency Mapping and Systems Analysis
Alice partners with Alex (the system architect) to dive deep into the data flows of PII data from the point of capturing it from the users, all the way down to where it might be post-processed.
APIs Touching PII Data: Alice identifies APIs like 'UserAuthAPI' and 'CustomerProfileAPI', crucial for user authentication and storing personal profiles.
Databases Storing PII: 'UserDB' in Europe and 'ClientDB' in Asia, each holding sensitive data needing stringent GDPR compliance.
Data Pipelines: 'DataSanitizationPipeline', which anonymizes user data for analytics, and 'ComplianceReportingPipeline', which generates compliance reports.
Alice maps these components, understanding their interdependencies and data flow, vital for GDPR alignment.
Through this mapping, Alice identifies additional engineering teams that will be considered as core contributors:
Front-End UI Team: Led by Kevin, this team is responsible for updating the user interface with the necessary privacy language and user consent mechanisms in accordance with GDPR requirements.
API Development Team: Managed by Maya, this team oversees the development and modification of APIs that handle PII. This team will need to modify how they handle data in transit.
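As an added illustration of the data-flow mapping Alice and Alex do (example code written for this teardown, not part of the original newsletter or any InnovateTech system): it models the named components as a directed graph, then computes which systems are in scope for raw PII and which flows move PII across regions. The regions of the APIs and pipelines, the pii flags, the extra AnalyticsWarehouse node and every edge are assumptions.

```python
from collections import deque

# Constructed inventory using the component names from the teardown. Regions other
# than UserDB (Europe) and ClientDB (Asia), the pii flags, the AnalyticsWarehouse
# node and every flow below are assumptions made for this illustration.
COMPONENTS = {
    "UserAuthAPI":                 {"type": "api",      "region": "EU",   "pii": True},
    "CustomerProfileAPI":          {"type": "api",      "region": "EU",   "pii": True},
    "UserDB":                      {"type": "db",       "region": "EU",   "pii": True},
    "ClientDB":                    {"type": "db",       "region": "APAC", "pii": True},
    "DataSanitizationPipeline":    {"type": "pipeline", "region": "EU",   "pii": True},
    "AnalyticsWarehouse":          {"type": "db",       "region": "US",   "pii": False},
    "ComplianceReportingPipeline": {"type": "pipeline", "region": "EU",   "pii": False},
}
FLOWS = [  # directed data flows (source, destination); constructed
    ("UserAuthAPI", "UserDB"),
    ("CustomerProfileAPI", "UserDB"),
    ("CustomerProfileAPI", "ClientDB"),
    ("UserDB", "DataSanitizationPipeline"),
    ("ClientDB", "DataSanitizationPipeline"),
    ("DataSanitizationPipeline", "AnalyticsWarehouse"),  # anonymized output only
    ("AnalyticsWarehouse", "ComplianceReportingPipeline"),
]

def downstream(start, flows):
    """All components reachable from `start` by following data flows (BFS)."""
    adj = {}
    for src, dst in flows:
        adj.setdefault(src, []).append(dst)
    seen, queue = set(), deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def pii_scope(components, flows):
    """Capturing APIs plus every PII-bearing system downstream of them."""
    sources = {n for n, c in components.items() if c["type"] == "api" and c["pii"]}
    scope = set(sources)
    for src in sources:
        scope |= {n for n in downstream(src, flows) if components[n]["pii"]}
    return scope

def cross_region_transfers(components, flows):
    """PII flows whose endpoints are in different regions: data-residency review items."""
    return sorted((s, d) for s, d in flows
                  if components[s]["pii"] and components[d]["pii"]
                  and components[s]["region"] != components[d]["region"])
```

Each system the scope function returns needs an owning team on the stakeholder list, and each cross-region transfer is a candidate row for the risk register.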
🔥 Program Kick-Off: Launching the GDPR Compliance Journey
Now that additional exploration has been done to discover more impacted teams, Alice is ready to kick execution into high-gear.
This initial phase sets the tone for the entire project, establishing expectations, roles, and the roadmap ahead.
She facilitates a thoughtful discussion around the 12-month window, key risks that they might face, and the critical milestones the group needs to hit.
🚂 Execution Time: staying organized!
As the GDPR project moves into its execution phase, Alice employs a structured approach to ensure organization and effective management of the various moving parts.
Work Visibility:
Jira: Visualizing the work is half the battle. She unifies the teams on a standard way to track their respective GDPR work in Jira so the teams have visibility across orgs and associated dependencies.
Document Repository: Using a shared Google Drive, Alice helps the team keep track of all relevant documentation and critical decisions that evolve over time.
Dynamic Risk Register: Continually updated, this document tracks potential and emerging risks, with mitigation strategies and responsible parties for each risk.
Regular Check-Ins and Reporting:
Weekly Cross-Functional Meetings: Alice schedules weekly meetings with core contributors to discuss progress, tackle roadblocks, and adjust plans as needed. This keeps everyone aligned and accountable.
Monthly Executive Summaries: To keep the executive sponsor and informed parties updated, Alice prepares monthly summary reports highlighting key accomplishments, risks, and next steps.
Clear Communication Channels: Alice establishes and maintains clear lines of communication across teams. This includes regular email updates, dedicated Slack channels, and a standing office-hours time slot on her calendar with the product manager.
Through these strategies, Alice ensures that the GDPR compliance project remains organized, transparent, and on track. This systematic approach allows her to effectively manage a complex, multi-faceted initiative, adapting as needed to meet the initiative’s goals.
⏭ What’s Next?
This is where we pause our journey with Alice. It will be a long 12-month road ahead, but she’s well-equipped to drive this forward to success.
Now, as good TPM scientists we must ask the following questions:
1️⃣ What did you notice about Alice’s approach to this initiative?
2️⃣ What should she have done more/less of? (I personally think there should’ve been more conversation about metrics…)
3️⃣ Were there any gaps you noticed?
Hey…pssst…
What did you think about this TPM Teardown-style newsletter?
📧 Reply directly to this email to tell me your thoughts!
Speaking of compliance…

eBook: How to minimize third-party risk with vendor management
A robust vendor management program isn’t just required by compliance frameworks like SOC 2 and ISO 27001. It’s also a critical part of a holistic trust management strategy.
Implementing a vendor management program, however, has become more complex and challenging with the proliferation of SaaS tools and shadow IT. And many overstretched security teams are being asked to do more with less.
To stay compliant and secure — and deepen trust with customers and partners — security teams need a way to proactively manage vendor risk.
This guide from Vanta, the leading trust management platform, brings together perspectives from the frontlines of vendor security management. Get insights and best practices from security and compliance leaders.
If you found any value in this newsletter please share it with others who may see value in these topics. See you next time!