Jo Ann Davaris – Booking Holdings
- Written by: Jim Cavan
- Produced by: Julianna Roche
In April 2016, just days after Jo Ann Davaris was named global chief privacy officer (CPO) for international consulting giant Mercer, the European Union passed the sweeping General Data Protection Regulation (GDPR), which laid out strict rules for how companies operating in the EU handle the personal information of consumers.
At that point, companies had exactly two years to achieve full compliance, or risk millions—even billions—in fines.
Talk about a trial by fire.
“What excited me the most about the opportunity at Mercer was the fact that I’d be building our privacy function from the ground up,” says Davaris, who spent 16 years at American Express before joining the New York-based Mercer. “The company didn’t have a global CPO before me, so there was a lot of opportunity to build something—but first I had to get to know the business and its goals.”
While Davaris has since moved on to Booking Holdings—whose properties include Booking.com, Kayak, Priceline, Agoda, Rentalcars.com and OpenTable—she says the lessons learned at Mercer loom large in her new role.
Hit the ground running
A self-described puzzle solver, Davaris worked closely with colleagues throughout Mercer—including the company’s chief information security, digital and data officers—to create a robust data protection and privacy program.
“In those first few weeks at Mercer, it was all about getting different departments to understand where they fit within this larger privacy landscape,” Davaris recalls. “What data do we hold? How do we use and organize it? It was really important to put everyone on the same page.”
Davaris emphasized that regardless of the organization, it’s important to build a culture of privacy—through methods like comprehensive training and light-touch awareness—aimed at educating all colleagues about the importance of data diligence.
Davaris broke the initiative into two “buckets.” The first, directed at company employees more generally, involved a combination of “detail-heavy” training sessions and less formal modules—including a series of three-minute cartoons—designed to reinforce what constitutes personal information.
“The idea is to tell people exactly what their responsibilities are when it comes to safeguarding data,” Davaris explains. “What does it look like when something goes wrong with data? When you have questions, who do you go to?”
Other communications at Mercer that Davaris found effective include regular newsletters explaining data protection-related current events; a centralized hub or website where employees can get quick answers to privacy-related questions; and an annual Privacy Day event around International Privacy Day (January 28).
By contrast, the second “bucket” involves creating training regimens for those on the front lines of an organization’s privacy efforts—specifically those in the legal, business development and information technology departments.
The main feature of these regimens is what Davaris calls “role-based training” that includes department-specific scenarios and real life examples—introducing internal privacy pros to other privacy experts and specialists who can help with any privacy-related projects they might be working on.
The goal, Davaris says, is to use real-world situations to illustrate how certain privacy issues should be handled: for example, accidentally emailing a file filled with sensitive data to the wrong client, or red flags that pop up with prospective vendors.
“What is important is to put mechanisms in place that can address a data issue before it gets out of hand,” Davaris says. “We want people being proactive, but in order to do that, they need to understand their own role.”
An organization’s data privacy initiatives don’t fall on the chief privacy officer alone. One of Davaris’ first objectives at Booking Holdings is to forge a closer relationship between the legal department and the company’s top tech brass, including chief digital officer, chief data officer and chief information security officer.
Davaris meets weekly with these colleagues to determine how to best address GDPR, CCPA and other privacy regulations.
“We’re not just running in our own lanes anymore; it has to be a coordinated effort,” Davaris explains. “These are people that all share a passion for data protection, and because of that we’ve been able to make that passion contagious across the company.”
It’s a bug Davaris caught early in her tenure at American Express, when she was named the company’s director of policy and controls in 2005—within the first five years of her 16-year tenure at the company.
At a time when “Big Data” wasn’t yet a buzzword, Davaris helped create Amex’s first data protection policies, taking into consideration the opportunity to build analytics products and tools while protecting personal and confidential data.
“The company already had an established privacy program in place, which is why it was and remains one of the world’s most trusted brands,” Davaris says. “But as data became a bigger and bigger deal, we needed tools in place to ensure we continued to honor that trust.”
In Mercer, Davaris saw the perfect proving ground for her burgeoning expertise—a chance to help one of the world’s largest human resources consulting firms and investment advisories set the curve on data privacy.
Now, she’s looking forward to helping Booking Holdings bolster its privacy posture across all of the organization’s brands.
“In order for us to maintain the trust of our clients and our customers we don’t just have to know what we’re doing with data privacy; we have to be able to properly explain it and document it,” Davaris says. “Consistency is so important. At the same time, we know there will never be a day when we feel like the job is done. It’s never done. You have to be prepared to evolve. And that’s what makes this job so exciting.”