Scott Shipman, CIPP/US, has a job in front of him: Build the start-up’s privacy program and do it right. For some, it could be an intimidating project. Founded in 2013, Sensity is doing some pretty cutting-edge stuff, using the global conversion to LED lighting to deploy a high-speed, sensor-based light sensory network (LSN) with sensors, analytics and wireless communications to enable solutions for applications and services like public safety, environmental and weather monitoring, parking management and location analytics. But this isn’t Shipman’s first rodeo.

After 17 years in the thick of it, he knows a couple of things about building smart privacy programs.

Scott Shipman

He was eBay’s second-ever lawyer, responsible for the company’s first terms of service and privacy policy as well as a host of other legal requirements. It was 1997, just before the dot.com boom. He calls it his baptismal into privacy and data protection. When the explosion happened in 1999, Shipman was suddenly a lot more important and was responsible for drafting each and every consumer-facing policy at eBay and was tasked with building a global privacy team.

It was very learn-as-you-go back then, Shipman recalls. The landscape certainly wasn’t anything like the way it is now, with companies touting their attention to privacy as a competitive differentiator. It was different then.

“There was one pervasive thought within the legal community in the U.S., and that was ‘Don’t pick your head up; don’t come up and talk about privacy; don’t talk to regulators; keep a low profile,’” Shipman said.

That was hard for him because his instincts told him to behave differently.

“I didn’t have anyone to validate my opinion, which was I felt like I needed to go to regulators and explain how we were doing it and why they shouldn’t be concerned about it,” he said. “I didn’t find a single voice that agreed with that approach.”

But today, he feels validated by those early instincts of his. There’s been a significant shift in the approach to privacy and data protection practices globally. But Shipman never had to change course. It was just what seemed right, and it’s how he ran the show at eBay.

Of course, he said, executing a privacy program that way was very doable because eBay’s philosophy has always been that it first and foremost has to meet customer expectations. It’s that kind of customer-first data protection attitude that has carried eBay to the success it enjoys today, Shipman believes.

“I’ve found that eBay is still known as one of the most trusted companies for privacy and one of the only to have never had had a consent decree with the FTC,” he said.

Building a team to help him do privacy right was a little more difficult back in the day because there weren’t a ton of qualified folks working in the field. Now a law professor at Santa Clara University School of Law, he sees that changing. But back then, you were hard-pressed.

“You couldn’t poach from other privacy teams because there weren’t any,” Shipman said.

The people who were protecting data were working in segregated teams; some in business and some in information security, etc. Shipman didn’t like that kind of fragmented approach and so, in what was a novel move at the time, built a single privacy group that spanned across eBay. It had a centralized function but took regional approaches. Leads were appointed in Europe, South America and the U.S. who focused on Privacy-by-Design business development. Then there were the compliance folks, who helped those business teams do audits, policy management, attestation.

“I think that model allows a large company to be very efficient with their resources in privacy,” Shipman said. “By way of example, traditionally, when I had benchmarked our organization against other companies, we were multitudes smaller by people and by budget. I have to think the combination of the company being focused on people first and the structure enabled some of that efficiency.”

What faces him now at Sensity is sort of a flashback to 17 years ago. Shipman joined Sensity as its chief privacy officer. Under Shipman, Sensity’s global privacy program will work with governing bodies, businesses and experts worldwide to build regulatory practices around LSNs and Industrial Internet of Things (IoT) implementations. He will develop privacy processes and practices, including customer confidentiality and data security requirements, as well as training Sensity employees on privacy issues.

Sensity is capitalizing on the global trend toward upgrading lights to LED to create an IoT developer platform that would allow virtually anyone to develop applications, from those that work toward lofty goals like predicting earthquakes and global warming research to those that simply use sensors to help users find an open parking space in a big city or gauge how much snow has fallen on the ground.

The goal is essentially to build a platform that would allow app developers to focus on developing industry-disrupting solutions rather than trying to solve how to collect the data the solutions require. This also simplifies privacy and security compliance of these apps for end customers, as Sensity acts as an “industrial” version of the Apple App Store, ensuring the apps meet various specifications and privacy requirements.

“That was a big part of the reason I took the job, because it’s clear that Sensity is a company that is on the verge of really changing humanity, the way eBay changed humanity and enabled people to do things they’ve never been able to do before,” Shipman said. “From a career perspective, that’s a lot of fun challenges and a lot of learning. From a privacy and security-need perspective, it’s really important that it’s done right.”

He also loved that such a young company is already clear on privacy priorities; they want a general counsel and CPO on board early.

“When you’re working at a passionate start-up, it’s a lot easier to get people moving in the right direction,” Shipman said. He added, however, that even before he arrived, Sensity was building systems with privacy and security in mind.

Careful not to operate in a vacuum, Shipman has been leaning on an executive advisory board of experts that includes Richard Purcell, CIPP/US, Peter Swire, CIPP/US, Dick Gephardt and Tom Ridge, among other well-known privacy pros. His next task is to assemble a team over time, using the same philosophy that’s always guided his approach.

“The goal for me is to be sure we do this in a way that benefits society,” he said, "in a way that ameliorates concerns around privacy and provides a meaningful contribution. Because the alternative is that people fear-monger about new technology and don’t understand the controls that might be in place, and then we as a society don’t get to benefit from and understand the data that surrounds us.”