Jo Ann Davaris – Booking Holdings

Keeping personal data under lock and key

In April 2016, just days after Jo Ann Davaris was named global chief privacy officer (CPO) for international consulting giant Mercer, the European Union passed the sweeping General Data Protection Regulation (GDPR), which laid out strict rules for how companies operating in the EU handle the personal information of consumers.

At that point, companies had exactly two years to achieve full compliance, or risk millions—even billions—in fines.

Talk about a trial by fire.

“What excited me the most about the opportunity at Mercer was the fact that I’d be building our privacy function from the ground up,” says Davaris, who spent 16 years at American Express before joining the New York-based Mercer. “The company didn’t have a global CPO before me, so there was a lot of opportunity to build something—but first I had to get to know the business and its goals.”

Jo Ann Davaris – Booking Holdings Vanguard Law Magazine

While Davaris has since moved on to Booking Holdings—whose properties include Booking.com, Kayak, Priceline, Agoda, Rentalcars.com and OpenTable—she says the lessons learned at Mercer loom large in her new role.

Hit the ground running

A self-described puzzle solver, Davaris worked closely with colleagues throughout Mercer—including the company’s chief information security, digital and data officers—to create a robust data protection and privacy program.

“In those first few weeks at Mercer, it was all about getting different departments to understand where they fit within this larger privacy landscape,” Davaris recalls. “What data do we hold? How do we use and organize it? It was really important to put everyone on the same page.”

Davaris emphasized that regardless of the organization, it’s important to build a culture of privacy—through methods like comprehensive training and light-touch awareness—aimed at educating all colleagues about the importance of data diligence.

Davaris broke the initiative into two “buckets.” The first, directed at company employees more generally, involved a combination of “detail-heavy” training sessions and less formal modules—including a series of three-minute cartoons—designed to reinforce what constitutes personal information.

“The idea is to tell people exactly what their responsibilities are when it comes to safeguarding data,” Davaris explains. “What does it look like when something goes wrong with data? When you have questions, who do you go to?”

In addition, other communications at Mercer that Davaris found effective include regular newsletters explaining data protection-related current events; a centralized hub or website where employees can get quick answers to privacy-related questions; and instituting an annual Privacy Day event around International Privacy Day (January 28).


By contrast, the second “bucket” involves creating training regimens for those on the front lines of an organization’s privacy efforts—specifically those in the legal, business development and information technology departments.

The main feature of these regimens is what Davaris calls “role-based training” that includes department-specific scenarios and real life examples—introducing internal privacy pros to other privacy experts and specialists who can help with any privacy-related projects they might be working on.

Jo Ann Davaris – Booking Holdings Vanguard Law Magazine

The goal, Davaris says, is to use real-world situations to illustrate how certain privacy issues should be handled. For example, accidentally emailing a file filled with sensitive data to the wrong client, or red flags that pop up with prospective vendors.

“What is important is to put mechanisms in place that can address a data issue before it gets out of hand,” Davaris says. “We want people being proactive, but in order to do that, they need to understand their own role.”

Helping hands

An organization’s data privacy initiatives don’t fall on the chief privacy officer alone. One of Davaris’ first objectives at Booking Holdings is to forge a closer relationship between the legal department and the company’s top tech brass, including chief digital officer, chief data officer and chief information security officer.

Davaris meets weekly with these colleagues to determine how to best address GDPR, CCPA and other privacy regulations.

“We’re not just running in our own lanes anymore; it has to be a coordinated effort,” Davaris explains. “These are people that all share a passion for data protection, and because of that we’ve been able to make that passion contagious across the company.”

On background

It’s a bug Davaris caught early in her tenure at American Express, when she was named the company’s director of policy and controls in 2005—within the first five years of her 16-year tenure at the company.

At a time when “Big Data” wasn’t yet a buzzword, Davaris helped create Amex’s first data protection policies taking into consideration the opportunity to build analytics products and tools while protecting personal and confidential data.

“The company already had an established privacy program in place, which is why it was and remains one of the world’s most trusted brands,” Davaris says. “But as data became a bigger and bigger deal, we needed tools in place to ensure we continued to honor that trust.”

In Mercer, Davaris saw the perfect proving ground for her bourgeoning expertise—a chance to help one of the world’s largest human resources consulting firms and investment advisories set the curve on data privacy.

Now, she’s looking forward to helping Booking Holdings bolster its privacy posture across all of the organization’s brands.

“In order for us to maintain the trust of our clients and our customers we don’t just have to know what we’re doing with data privacy; we have to be able to properly explain it and document it,” Davaris says. “Consistency is so important. At the same time, we know there will never be a day when we feel like the job is done. It’s never done. You have to be prepared to evolve. And that’s what makes this job so exciting.”

Published on: October 8, 2019



Showcase your feature on your website with a custom “As Featured in Vanguard” badge that links directly to your article!

Copy and paste this script into your page coding (ideally right before the closing tag) where you want to display our review banner.


I was honored to be the subject of an article. I enjoy reading Vanguard articles and seeing how other attorneys got to their positions and see their jobs. It's also interesting to see how different law firms partner with the subjects of the articles.
– Henry Marquard, in-house counsel, Stanley Consultants Inc.
As promised in advance, my feature in Vanguard has increased my visibility within the profession and prompted more than a few people I have not communicated with recently to reconnect. One of the Italian law firms I have used in the past is now in the process of interviewing me for an article on their website and tweeting out the feature story. Activity and the number of people connecting with me on LinkedIn has soared, which is great. The Vanguard writers and editorial staff were great to work with—highly professional and made the effort to make the experience both fun and rewarding (they were also respectful of the time pressures and demands all lawyers face). I was very pleased with the experience and the final outcome. Needless to say, I have been very pleased. All in all working with Vanguard has been a very positive experience which generated good publicity for both Shawcor and myself. My sincere thanks.
– Tim Hutzul, General Counsel, ShawCor Ltd.
The piece highlighting my company, Bob Baker Enterprises, Inc., came out fabulous. Our company is in the new and used car sales and service industry. Everyone was great to work with and extremely professional. They produced a high-quality product and have provided expert assistance and guidance post-production of the article.
– Wade Poulson, General Counsel, Bob Baker Enterprises Inc.
It was a great honor to be featured in Vanguard Law. Working with every member of the team, from the initial interview with Erin Clark, through production with Victor Martins, writing the article with Taryn Plumb and creating the final content with Dave Gushee, was a true pleasure. Everyone was very professional, enthusiastic and supportive, and their creative approach and positive attitude clearly came through in the final product.
– Kevin C. Rakowski, Senior Vice President, Deputy General Counsel, Compliance with Radian Group Inc.


Spring III 2024



  • * We’ll never share your email or info with anyone.
  • This field is for validation purposes and should be left unchanged.