2022-10-31
Mercari’s Privacy Office: adapting to amended laws and spreading awareness in the organization
Welcome to “Meet Mercari’s Security & Privacy Team”! In this series of articles, over the next two months, we will introduce the teams that deal with security and privacy at Mercari. We will feature each team’s working environment, culture, working style, as well as the fun and excitement of their field. In the first installment, we spoke with the CISO Office, a virtual team led by the new Mercari Group CISO.
The second article will deal with the Privacy Office, a group of privacy professionals who support the entire Mercari Group. Mercari is a company committed to ensuring a safe and secure marketplace for our users to buy and sell through things like the systems we use and our dedicated customer support. The most important aspect of protecting our users is guaranteeing privacy, which includes personal information. That’s why we took a closer look at Mercari’s Privacy Office—in order to ensure that our users can conduct transactions without worry, they not only handle day-to-day security breach detection, but also monitor and handle matters related to legal revisions, support new businesses, and implement internal measures to increase employee security literacy.
To talk about these topics and more, we will be joined by Aya Ogawa, Konosuke Matsuba, and Haruna Watanabe, who is on childcare leave. Actually, in compiling these articles, I learned that the Privacy Office is a team that was just launched in July of this year. But even though this is a relatively new team, we will be taking a deep dive into how the team is currently operating, their progress, and how they have organized themselves.
Featured in this article
Aya Ogawa (@a-ogawa): Ogawa started out practicing law at a law firm before moving to a corporate legal department, where she spent six years doing legal work for various businesses. Ogawa has been involved in privacy-related matters through her legal work related to data marketing at her previous job. Ogawa joined Mercari in November 2021; she wanted to improve her expertise in the privacy field, and at the time of her joining Mercari was already planning on establishing the Privacy Office. Ogawa is dedicated to the privacy-related matters of the whole Mercari Group.
Konosuke Matsuba (@macchan): Before assuming his current position, Matsuba worked for a local government body and Accenture, Inc. In 2019, while working at a city hall, he was seconded to the Mercari Policy Planning Team. There, he worked on building and strengthening Mercari’s personal information management system, as well as other such projects. At Accenture, he worked as a manager in the public service sector, where he was involved in research, strategy, and support for the formulation of strategies for national and local governments. He joined Mercari in May 2022. Matsuba is responsible for the launch of the Privacy Office and the handling and safe management of personal information protection for the entire Mercari Group. Using Mercari’s Your Choice policy, he works remotely from Gifu Prefecture where he resides with his family.
Haruna Watanabe (@haru.w): Joined Mercari in October 2018. After working as an engineer recruiter in the Recruitment Team, Watanabe was transferred to the Merpay Compliance Team, where she was in charge of operating and improving internal rules regarding the handling of personal information, as well as dealing with both internal and external inquiries. In January 2021, Watanabe was transferred to the Security Planning Team, where she works on strengthening the personal information management system for Mercari Group, promoting privacy measures, and complying with revised laws and regulations. Watanabe uses the Your Choice policy to live and work from Fukuoka Prefecture. Currently on child care leave.
From legal revision to internal awareness
──Last time, we talked with the CISO Office. This time, I am very excited to be talking with the members of the Privacy Office—hello! First, would everyone please briefly introduce themselves?
@macchan:My name is Matsuba, but people often call me “macchan” at work because it’s my name on Slack. My personal role in the Privacy Office is to increase the presence of the team and to convey the importance of privacy to everyone in the company.
@a-ogawa:Hello, my name is Ogawa. The Privacy Office leverages the legal experience and knowledge of its members to work on privacy matters for the whole Mercari Group. For example, I respond to internal inquiries about privacy and provide feedback from the perspective of my interpretation of the Act on the Protection of Personal Information. I also work together with other members to consider ways to improve privacy awareness throughout Mercari. Thank you for featuring our team on Mercan!
Aya Ogawa (Privacy Office)
──My pleasure! Now, what would you say is the overarching mission of the Privacy Office?
@a-ogawa: The Privacy Office’s main mission is to build and strengthen Mercari’s privacy governance structure and support the growth of the entire Group. We are currently in the process of responding to the revised Act on the Protection of Personal Information that went into effect in April of this year. However, since we’ve only just “restarted” as the Privacy Office on July 1, and since we have just four members, we are now scrambling to establish a policy for handling privacy at Mercari.
@macchan:As you may know, working to revise the privacy policy for new projects is one of the major pillars of our efforts. Since October 2021, Mercari Group has had full-scale operations for Mercari Shops up and running, and plans to offer services such as Mercoin, a crypto asset exchange business, in the future. As such, we are working to organize the privacy-related information handling policies that will be associated with these services. Of course, we routinely respond to various other internal and external inquiries and privacy concerns.
Konosuke Matsuba (Privacy Office)
──Privacy, in the sense that we mean it, is a relatively new field, so it is likely to generate unexpected tasks, not only in response to existing services, but also in response to new industries. So that’s why another one of your major roles is making sure that all Mercari members understand how important this stuff is, right?
@macchan:Yes that’s exactly right. Mercari has grown quite a lot in its relatively short life as a C2C platformer and continues to take on further challenges to develop new services, even after becoming listed on the Prime market of the Tokyo Stock Exchange. To ensure the success of our diverse services, we at the Security Office work very closely with members involved in each area of business development and make sure that they are handling personal information properly. Of course we believe that Mercari is an organization more than capable of complying with laws and regulations, but on top of that, we can also be constantly looking in the mirror—considering whether we are meeting the demands and expectations of society beyond simple compliance, and we believe that the Security Office has a role in cementing a code of conduct throughout the company.
From lawyers and consultants to HR professionals—why is the Privacy Office so diverse?
──Now I want to pivot slightly to discuss the more unique elements of this team. First of all, it’s worth mentioning that both of you come from different backgrounds—Ogawa-san comes from a legal background whereas Matsuba-san comes from the public sector!
@macchan: That’s right, I first worked at a city hall for a local government. As you say, I think all of our diverse backgrounds are a very unique part of our team.
@a-ogawa: Yeah that’s true—we all have different areas of expertise.
@macchan: Some members have a solid understanding of the technical aspects of working with the product side, while others are lawyers, former consultants, or even former HR managers with strong internal networks; everyone has their own skills and strengths. Each member embodies the All for One value—everyone is always helping each other, and each member brings their own experience to our work.
──Ogawa-san, what do you think?
@a-ogawa: I think what makes us unique is that we are inherently a “cross-organizational” team and we have a lot of freedom to collaborate across the whole Group. The Security Team and the Privacy Team are led by the CISO, who is the head of security, and the two teams hold offsite meetings together, where we basically gather in one location and cover a wide variety of topics throughout the day. We get along very well. Each member is an expert in their field, but we don’t butt heads over our work, which I think shows how much mutual respect we all have. We have an amazing work environment that is encouraging and collaborative.
The uniqueness of the Privacy Office, which is also something that can be said of the Security & Privacy Team as a whole, is that we are able to respectfully discuss and debate a broad range of topics. It may not sound particularly exceptional, but in a field where the right answers are often not so black and white, I think it is very valuable that we can be honest and straight with each other. We make time for meetings every day within the team, and I get the sense that our vision for the team is expanding the more we discuss and share.
Mercari provides a work environment where individuals can grow along with other members who have diverse values and unique perspectives. About half of the members of the Security Team come from non-Japanese backgrounds. However, I don’t think that these differences of nationality or culture at all impede our ability to work well together, and I feel that there is no better team to work for in terms of a comfortable working environment.
──In that sense, I suppose it’s almost a given that this particular field will attract a diverse group of individuals, because of the variety of issues that arise. By the way, what made you want to join Mercari in the first place?
@a-ogawa: I had been involved in a lot of privacy-related work at my previous job, which led me to want to further develop my expertise in that area. As a sort of public institution, Mercari provides services that are deeply rooted in the lives of its users, and its management is therefore highly aware of privacy and its importance. I thought that if I could work at a company like that, not only would I develop expertise in the privacy field, but I would also gain new perspective. That’s what I was most attracted to. I also thought that it would be good for my personal development to work in a place like Mercari, where various people from diverse backgrounds seem to congregate.
@macchan:I wanted to create the Privacy Office. I wanted to be able to take charge of building a team from scratch, and work with highly skilled professionals who embody Mercari’s Be a Pro value. I was excited at the prospect of being able to experience such a crucial phase in the privacy protection field.
──My impression of you has always been that of a Mercari fan, as you even had your own series of articles right here on Mercan. Could you tell me a bit more about your decision to leave and then come back?
@macchan:Sure. Actually, at first I was only stationed at Mercari for a limited time while technically I was still employed by the city hall as a member of the Policy Planning Team. In 2019, there was a project started internally to strengthen Mercari’s privacy management system; I was one of the members on that project team.
──Oh I see!
@macchan:When my time being stationed at Mercari ended, I briefly worked as a consultant at another company, but I was approached by someone I worked with on that privacy management system project and they asked if I would come back to work at Mercari. I had a lot of respect for the members and managers I was working with at Mercari at the time, and I felt that the environment at the company allowed individuals to grow together and engage in friendly competition but while still feeling psychologically safe. So, I had this pipe-dream hope in the back of my mind that one day I would once again be able to work with my Mercari colleagues—I am happy to say that this year my dream became a reality and I feel very fulfilled here at Mercari.
──When you came back to Mercari, did you feel like you had missed a lot of things since you left?
@a-ogawa:Through reading various articles I was aware of Mercari’s values and new business ventures that happened before I re-joined. One thing that took me by surprise was the high skill level of individuals at the company. I was also shocked by how fast everything was moving. None of the articles I had read could have prepared me for the kind of enthusiasm Mercari employees have for their work. Also, while individuals are of course required to take a certain degree of initiative on their own, I loved that Mercari also encourages proactive collaboration and inter/intra-team support, because this allows everyone to think together to tackle even the most difficult of issues and tasks. When I re-joined the company, I was once again impressed by the degree to which the three values of Go Bold, All for One, and Be a Pro permeate the company.
Hisaharu Ushijima (manager of the Privacy Office) got curious about what his team was up to and came to listen in to the interview!
@macchan:Expectations and the division of responsibilities were made clear to me from the interview stage, so I had no problems there. As a general rule, Mercari employees use open Slack channels for all communication. This makes it easy to catch up on past interactions and whatnot when needed.
An industry of rapid change with difficult hurdles to match
──Are there any projects that have left a particularly strong impression on you?
@a-ogawa:Right now, I am in the process of revising our privacy policy for the release of a new service, which I think of as my “magnum opus” in a way! In revising the privacy policy with members in the 1st and 2nd line of our risk management structure, we continue to work with all relevant teams to ensure that the wording is easy for users to understand while also giving due consideration to making sure that things are running smoothly. We at the Privacy Office recognize this as an important point that requires our continued focus, as it is necessary to clearly explain to our users through the privacy policy and privacy guide.
@macchan:As we progressed, some things were going well and many were not. I think that we could be doing more to collaborate with internal stakeholders. In the privacy policy revision process, we have been able to regularly conduct interviews with Marketing and Product teams, but I feel that it would be better if we could create a privacy design that is more detail-oriented and that better represents both our users and our business. To break through and achieve this, we need to connect with members who are most likely to significantly impact our business and create more opportunities to more proactively communicate our efforts. For example, we want to promote our internal study sessions and open doors (opinion exchange sessions) to improve privacy-related literacy.
@a-ogawa:Due to resource limitations affecting our operations, we have inevitably become passive and reactive, often responding to inquiries after the fact. What we need is to be more proactive in communicating Privacy Office initiatives.
Ushijima-san joins in on the interview, nodding along and listening carefully to his team members’ thoughts.
@macchan:As Mercari Group grows in size, the volume of our privacy work will also grow in concert. So, in the future, we would like to increase the number of Privacy Office members and establish a system that allows the entire team to comprehensively respond to privacy concerns. At present, we have a very small team covering a wide range of areas, but the goal is to develop a team that is capable of high-level communication and problem solving, with a number of strong individuals in each area. To do so, we will need to collaborate with all internal stakeholders, including Defence Force, Marketing, and Customer Success. So our team should be able to respond to issues across the entire company, even if single team members may not have the requisite knowledge or experience.
Fostering intellectual curiosity—the true value we deliver to our users
──What kind of person do you think would be a good fit for this team?
@a-ogawa:A good fit would have to have initiative and be proactive. I also think it’s important to be able to have a “business first” mentality when responding to internal inquiries and consultations. Of course you also have to have experience in legal work and knowledge of security and technology. But, in my opinion, flexibility in responding to internal questions and consultations from internal members is an even more important skill, because even if you have solid textbook knowledge of the field, you’re going to have a hard time without the ability to flexibly adapt to various circumstances.
@macchan:As Ogawa-san said, we believe that, in addition to understanding legal and societal needs and demands, our stance and policies should be balanced in a way that they still support the company from the business point of view, and give it breathing room to grow further. Also, since there are no clear-cut correct answers in this field, in order to reach the best solution possible, Privacy Office members need a comprehensive understanding of both the user and business aspects of privacy and security. I think that people who can approach the work with that kind of awareness, are intellectually curious about the field, and who can effectively learn useful information for their work are suited for this position.
Haruna Watanabe, a member of the Privacy Office who is currently out on child care leave, was kind enough to make time to attend the interview virtually!
──My first thought hearing that is, “no one is that perfect!” (laughs)
@a-ogawa:I totally agree—I myself am lacking in many areas. (laughs) Of course not every individual needs to have every ability and skill; teamwork is paramount to our team, so I think the most important thing is the ability to build a relationship of mutual trust and work with a mindset of trust and openness.
@macchan: You don’t have to be able to do everything, you just have to have a mindset that allows you to continue to challenge yourself and grow! I am very aware that I have my own shortcomings in the privacy field, but what’s important is maximizing the value of the team as a whole. So what we want are people who can work well with others. I know this may be a bit of a cliche, but I think “culture fit” is the most important attribute for joining this team.
──The environment surrounding privacy, including compliance with revised laws, is changing on a daily basis, as are the emerging industries with which Mercari engages. In such a fast-paced environment, it makes sense that you would want team members who have those qualities. Mercari’s current phase seems to hold a lot of potential for opportunity.
@a-ogawa: I agree. Mercari will continue to develop new services in the future and we know that we will need to improve the connectivity of all Mercari services moving forward. The role of the Privacy Office is to maintain fairness in data handling from a privacy perspective when linking data across businesses, and to proactively provide input wherever needed within the Group.
@macchan:Privacy and data protection are very much in the zeitgeist right now, not only in Japan but also in the EU and the US, and I feel that it is a field in which trends tend to change quite rapidly. I want to contribute by understanding whether the things Mercari Group is trying to do are actually in line with global trends. If not, I want to be a part of correcting course.
──Okay last question: what are your ambitions for the future?
@macchan: It is vital that all members of the Mercari Group, including management, are even more acutely aware of the importance of the personal information entrusted to us by our users. The Privacy Office will continue to focus on creating a better and better environment for privacy protection so that Mercari can continue to be a service that people feel is safe and secure to use. As the global population continues to age and we gain more and more insight into the privacy of individuals, we hope to strengthen the trust between Mercari and our external stakeholders by creating an environment that allows for the safer handling of user data, and by intrinsically linking that environment with the company culture.
@a-ogawa:Our goal at the Privacy Office is to create a state of transparent disclosure and communication of information as pertains to the handling of data so that users can continue to comfortably use Mercari. I want to build a robust, “user first” system that is open for two-way communication—responding to user inquiries and sincerely listening to user feedback.
A final snapshot of the team.