
Presentation: Managing Privacy & Data Governance for Next Generation Architecture

Track: Ethics, Regulation, Risk, and Compliance

Location: Pacific LMNO

Duration: 1:40pm - 2:30pm

Day of week: Monday

What You’ll Learn

  1. See what’s going on within Pinterest when it comes to privacy and data governance.
  2. Learn about the framework that Pinterest has developed to evaluate vendor use cases.


The number of privacy-related regulations is on the rise, and more vendors than ever before are vying for the attention and validation of privacy programs. In order to advocate for resources and technological solutions, the privacy office must be accountable for vendor governance, procurement decision-making, and oversight. How do you organize business use cases, requirements, and stakeholders to evaluate privacy and data governance vendor solutions? Who should be involved in decision-making for vendor solutions that have implications for compliance, but also require investments across the company?

This talk will explore a governance framework for roadmapping, resourcing, and driving decision-making for the next generation of architecture with privacy by design. We will walk through the key players, requirements mapping, templates, and vendor engagement models for informed decision-making.


Tell me a bit about your background?


I started my career as a systems engineer working on business strategy. One component of that was privacy strategy. After working in consulting, I worked at the Federal Trade Commission and have worked as a privacy engineer as my career has progressed. Now I'm a technical program manager at Pinterest, where I manage privacy and data governance from the engineering side. We ensure that with all of the emerging regulations, but also commitments to users and regulators and stakeholders, that we're maintaining compliance on the front end and the back end.


What are you going to hit on in the talk?


What we're seeing is as privacy data and governance become very hot topics, that means there's a lot of new vendors entering the space. As a privacy program, we're figuring out: how do we evaluate all these vendor use cases? What do we actually need? Which vendors are actually going to deliver for the next generation of our architecture? In this talk, I talk about a framework we've used as a governance model. We've set up a data security and governance working group that is cross-functional. We're looking at different business cases to evaluate. Our chief architect sits as the sponsor for that group. 

We're able to look not only deep at our upcoming business use cases and new data sets we want to collect to be able to determine one as a company, but we also engage on whether we should take on that risk of collecting new data types. If we do decide to collect new data types, then how do we make sure that we're handling it effectively? We're evaluating different vendors across a whole range of factors and thinking end to end about the next generation of architecture. We engage stakeholders from I.T. security, product analysts, and data scientists. We also have technical program managers who sit on the working group. We're thinking about the processes and technical architecture and policy. We're also involving our procurement teams and our downstream product teams as well. 

It's very cross-functional and just a body where we can talk about what we want to do since there are lots of vendors in the space. We want to understand what the success criteria are before we evaluate them and make sure we communicate with vendors. 


When you talk about a framework, are you talking about a process framework that Pinterest implements to address things, or are you talking about a framework to say this vendor is evaluated against this criteria? 


It's the latter. It's a framework for figuring out what our roadmap and our resourcing is for decision making regarding which vendor solutions we want to pick. 


Who is this talk targeted for? Is it targeted towards people that are like that chief architect that need to have a kind of a process for evaluating these things? Or is it targeted for like the privacy professional that is responsible for governing a program like this?


I would say it's both. If you are a privacy professional and you find yourself looking at a bunch of vendors who are pinging you on LinkedIn and meeting you at conferences, and you don't know where to start the conversation, then this is a great talk for you. If you're responsible for making those vendor decisions, this talk will be helpful.

I think it's also helpful for people who want to be a champion for privacy or find that it's falling on them even though they don't have that role or title. 


Can you give me an example of one of the trickier bits that you had to solve?


One of the trickier parts of vendor evaluations is the timing of evaluations. When we started this process, it's always nice to say, you know, we're gonna set up a program, and we're going to set up a governance working group to evaluate use cases. But in real life, use cases are always happening. There's always this new seed. You come into it actually hot where the use case is already out, or maybe there's somebody that's already talking to a vendor. So we experienced that. And so we had to stand up a straw man pretty quickly for evaluating our use case. That's not ideally how we would've done it and now we will evolve it over time.

Another thing is sharing some of the lessons learned about how we looked at AI use cases for machine learning inside the company. We had to set up an environment for testing on the fly and everything from signing the NDA to evaluating the vendor and make sure that all the different business stakeholders across the company had a chance to try out the system for various cases were the responsibility of the data governance group. 


What do you want someone who comes to your talk to leave with?


I want them to understand the possibilities for setting up a successful working group around data security and governance where they're able to deliver results and come to success criteria and proof of concepts for vendor solutions that will help them run their privacy programs effectively.

Speaker: Ayana Miller

Privacy & Data Protection Advisor @Pinterest

Ayana Miller is an experienced technical advisor on privacy and data protection.

She has built and managed in-house privacy programs at Facebook, Snapchat, and Pinterest. Prior to working in Silicon Valley, Ayana worked in Washington, D.C. at the United States Federal Trade Commission and MITRE, a federally funded research and development center. With a focus on practical privacy practices in an era of social media sharing, she has been a speaker at marketing and tech conferences across the United States.

Ayana holds a master’s degree in public policy and management from Carnegie Mellon University and has multiple privacy certifications through the International Association of Privacy Professionals (IAPP), where she also served as an advisory member of the publishing board. 
