Women in Tech: Season 2, Episode 1

Rhiannon:

Hello and welcome to Ashurst's Women in Tech podcast series. We are very excited to be back for a second season. In this series, we share the stories of inspiring women working at the intersection of innovation, law and technology. If you haven't listened to our first season, you can find us under Ashurst's Legal Outlook Podcast on Apple, Spotify, or wherever you get your podcasts. My name is Rhiannon Webster and I'm a partner in Ashurst's Digital Economy team. The Ashurst Digital Economy team supports clients' digital strategies and identifies how they can leverage new technologies from a legal perspective. In today's episode, we chat to Sue Khan, vice president of privacy and data protection officer at Flo Health. In our discussion, Sue and I talk about Sue's role in a company at the intersection of health, technology and data, with its mission to use data and technology to give power to women when it comes to their health. Here's our conversation.

Rhiannon:

Hi Sue.

Sue:

Hi Rhiannon. Thanks for having me.

Rhiannon:

So I'm really thrilled that you agreed to be a guest on this podcast. When we were brainstorming potential guests, we couldn't think of anyone more perfect than you for me to interview. Not only are you inspiring women working in the technology sector, but that technology is designed to empower women and build a better future for female health. And equally exciting for me, you are a data protection lawyer. So I would love to learn more about your role at Flo and can you describe what Flo is and what is your role within that business?

Sue:

Yeah, absolutely. Thanks again for having me here. So I joined Flo only recently in January and I've joined, as you mentioned, as the VP of privacy and the data protection officer. So Flo's mission is to build a better future for female health because we believe that when it comes to health, knowledge is power. So we have a fantastic app and we want to put the power back into the hands of women. So we think it's really important for women to understand their body signals and stay well and live better lives. So fantastic kind of organisation, fantastic service. We're growing every day. We've got about, I think this is right, 50 million monthly active users worldwide and we just really want everyone to get to know their bodies better, females to get to know their bodies better.

So my role is to really look after the privacy function. Currently, in the team we've got two fantastic privacy lawyers, a privacy programme manager and a privacy project manager, and I report into the chief legal and compliance officer. But just generally speaking, in terms of my role at Flo, at a very high level, my goal is to help women feel really informed and in control of their health data, so keeping privacy simple, presenting it to users in simple terms so that they can use the Flo app with full confidence and without feeling worried about how their data's being treated. Ultimately my team, we're focused on protecting the rights and freedoms of individuals and safeguarding really their most intimate health data.

Rhiannon:

And it's not to be taken lightly, is it?

Sue:

No.

Rhiannon:

You've got 50 million active users. I find that quite extraordinary.

Sue:

Yes, and they're all around the world as well, which makes I think the role incredibly interesting is that I'm not just sort of looking at the GDPR, I'm looking at kind of laws across the world and user expectations frankly vary across the world as well. Privacy fluency and knowledge varies across the world and I think that just makes it even more fascinating a role. At a very kind of operational level, what I'd like to focus on is kind of three aspects of the privacy programme. So the first would be the general governance and compliance piece. So making sure we've got the right policies and procedures in place, the right training, vendor onboarding is robust from a privacy angle, our data protection impact assessments are conducted appropriately.

And then the second bucket really is sort of the advisory piece for the team. So you'll know Rhiannon, and privacy advice can be extremely contextual, it can be highly nuanced. And I think that's where the team really starts to add value for the business, to help with product development, be involved at an early stage when the engineers and the product teams are building the service. And then I think the final bucket really is horizon scanning. So because we're in such a complex kind of world when it comes to privacy legislation, we need to do a lot of work to actively monitor what's coming and prepare the business accordingly.

Rhiannon:

And how do you keep up with that in such an evolving industry and area of law?

Sue:

Great seminars from law firms, that really helps. We have to keep on top of what's going on. I think that lawyers such as yourself really help us with that and we try and make the time and space for educating ourselves. It's really hard when you have an intense day job to set time aside to say, "Okay, I'm going to read up on this new piece of legislation. I want to understand what the opinions are on this piece of legislation or how people are reacting to it." And we really need to take the time to do that. So really we're trying to, as a team, spend more time on that kind of knowledge and development piece.

Rhiannon:

I always find myself doing it. It's some light bedtime reading, which is probably not the thing to do before you go to sleep.

Sue:

Exactly. I think some may find that boring and it may well help them go to sleep. Me, I quite enjoy it. Is that really sad?

Rhiannon:

No, I'm with you. I do that too.

Rhiannon:

So what's the thing that sets Flo apart when it comes to privacy compliance compared with your perception of the rest of the market or where you've worked before?

Sue:

So I think it's nice to be in an organisation that genuinely takes privacy seriously. So we are the first female app to receive ISO 27001 certification and now there's a real appetite to work on the privacy standards, so the ISO 27701 certification. There's a real kind of interest and appetite to see if we can aim for that. That's probably the first time I've experienced that in an organisation where there's a genuine drive to be certified more and actually go beyond ISO 27001. I think that's really promising.

We've got a few initiatives that we're looking into to see how we can make privacy a bit simple and uncomplicated for our users. So we're doing a lot in that space and trying to understand what good consent management might look like. And we have a fantastic Trust Team that sits within engineering and their role as the Trust Team is to focus on privacy initiatives, which I think is really fascinating as well. So it's not that privacy just kind of sits within the legal function. There are kind of teams that are being built in other areas of the business to help support privacy as well, which I think is fantastic.

Rhiannon:

Yeah, it sounds like it's really embedded in the organisation.

Sue:

Yes. And our Support Team are amazing because they deal with requests, not just privacy requests, but requests from our users from around the world in the thousands every month. And when I first came in I wanted to understand what their SLAs were for responding to kind of privacy rights requests. And they were almost apologetic that it was within days. Whereas as we know, we have a month to respond to these requests. But I was just so impressed with the speed at which the support team deals with privacy related kind of rights requests. And just generally I think there's quite an engaged group of people within Flo and there's really good kind of privacy fluency. So I don't have to sort of explain what a DPIA is. Everyone kind of has a baseline knowledge and they just get it that privacy's not a hard sell, basically.

Rhiannon:

Absolutely.

Sue:

Which I think is great. And we've got things like cross-functional kind of pillars we call them. So we've got one with marketing, security, privacy, the Trust Team where we meet monthly to talk about privacy initiatives, which I think is fantastic. So lots going on. I don't know if you've also read about our privacy and security advisory board that we've recently set up.

Rhiannon:

I did. I saw you are a member of it, but it's cross company and you've got different people from different sectors in it, haven't you?Sue:

Exactly. So we've got these amazing experts from eBay and CloudFlare and Next Door. And really the purpose of the advisory board is for us to meet on a quarterly basis and discuss some of our privacy and security priorities at Flo with the sort of independent experts. So I'm really excited about that. We've only had an introductory meeting so far and I look forward to more.

Rhiannon:

It's almost like the role of a non-exec director, isn't it, to get that extra insight into what others are doing and bounce ideas off. Is that the idea of it?

Sue:

Absolutely. So they're there to support us, they're there to explore different ideas, different things that we're thinking about, lend a hand in terms of their expertise. So it's fantastic.

Rhiannon:

And how much do you get involved in the strategy of Flo? Because it sounds like, because privacy seems to be absolutely at the heart of it. So I imagine that you have quite a big role when it comes to setting the strategy and well what happens next.

Sue:

Yeah, absolutely. The good thing is that we're still quite a small organisation, so I think we're about 430 employees. So the benefit is that I think everyone gets to get involved in the strategy. Everyone has a say. The work that kind of everyone is doing across the business is incredibly important. From a privacy perspective, the chief legal officer who I report into, he's very sort of open to my ideas and he said, "You tell us which way that this needs to go, what you need to focus on." And it's really kind of encouraging to have that kind of support.

Rhiannon:

And then, you said about those 400 approximate people at Flo, how many of those are men given the subject matter and the mission of your company?

Sue:

So it might surprise you actually we have a relatively even split, I think we're about 60/40 in favour of women, which I think is great because I think female health is not just a problem for women to solve. I think men should get involved too. So I think we're slightly in favour of the women.

Rhiannon:

I'm very impressed actually that you've got about 40% of men there and I think I agree with you, it's all about diversity, isn't it? With diversity you get the best-

Sue:

Outcomes.

Rhiannon:

... outcomes. Yeah, absolutely. And I think the point of all this also is that this shouldn't be a female problem.

Sue:

Exactly.

Rhiannon:

You've talked almost evangelically about Flo. What's the big thing that you think that other organisations could learn from Flo when it comes to using data in a compliant way and tech to improve the lives of women?

Sue:

So I think that we're like... Health tech is an incredibly ambitious and passionate industry and we're all learning at the same time. So I absolutely don't want to sort of sound 'preachy' here because I appreciate it's a really challenging industry. And I think some of the things that Flo do really well would include, we really listen to our users. So there is extensive market research and user experience research that we have conducted to really understand what empowerment means to our users when it comes to their data. And for me it's quite unique to Flo. It's not something I've really seen as much in the past in my career anyway. So Flo surveyed nearly 2,000 users aged between 18 to 45 in the US and this is post Roe v. Wade to kind of understand what the sentiment was around privacy and security amongst users of our service.

And over 80% said that they were concerned about their personal health data. And to me that is astounding that we have a legislative framework in place, but users are still worried about how their data's being treated. And I think especially in kind of a post Roe v. Wade world that's inevitable in territories like the US. So I think Flo's done an excellent job of really trying to listen to users to understand what they expect from us, to understand what they want. And I think in terms of internally, we talk about privacy a lot.

So as I mentioned, we've got privacy and security pillars that we've set up in the company. We have privacy champions, privacy kind of fluency is very high within Flo. And the privacy team as well, we are expected to add value and we are held accountable. So we work in Sprint just like the rest of the business and at the start of every quarter we have something called Planning Week where we sit with different parts of the business to understand what their priorities are so that we can kind of work together.

So I think kind of operationally Flo's done really well in that sense. I think the user research part is incredibly important because after all how our users feel about how we process their data is paramount. And I think just finally I think Flo is quite good in the sense that it's an agile organisation, so it's quite prepared for change - that they've shifted and introduced anonymous mode in response to the Dobbs ruling and there is a real appreciation that we are in an environment that's far from static when it comes to privacy law and we have to keep adapting and moving with the times.

Rhiannon:

Yeah, absolutely. The anonymous mode is, can you just tell us a little bit more about that and how that came about?

Sue:

Yeah, unfortunately I can't take much credit for anonymous. So it was launched before I joined Flo. It's definitely something I was fascinated with from afar before I even joined the organisation. So just a bit of background, I was actually in Austin when the ruling for the Roe v. Wade case had leaked and Austin as we know is sort of a blue dot in a red state. And I remember I was in my hotel room and I sort of looked out the window and I could see all the University of Texas students sort of marching to the Capitol Building because they were so shocked by the ruling and it was all over the news. It was, as you can imagine, an incredibly emotive time.

And the US media had coverage, from what I could see anyway, of both sides of the spectrum, both arguments I suppose. But I really got a sense of how much this ruling impacted Americans, how polarised views were on it. And from my perspective it was incredibly sort of an invasive ruling from when you think about the privacy of your body. So beyond data protection, just kind of the concept of privacy. So that was quite moving for me and I think Flo made an excellent decision to act fast and respond quickly. So we don't want to be in a situation where our users are pursued for legal action or they're prosecuted because they are potentially planning a termination or considering a termination.

And so we've created anonymous mode in which we ensure that no single party processing user data for an anonymous mode account has complete information of who the user is and what they're trying to access. So what we do is we decouple the health data from the personal information that's created in the anonymous mode account so that the user can still enjoy sort of cycle information and they can enjoy the use of the app. But no party will know who that user is. And I think that that's just an astounding kind of service that we're offering and I think it's really genuinely important to users, not just in the US but potentially around the world. And effectively we create a new account for the users, so if there is an official request to identify a user that we receive, we won't be able to satisfy the request, we won't be able to respond to authorities in the US.

Rhiannon:

Yeah, that's quite incredible. And if I said it's quite an extreme example where you've done privacy by design, but I think lots of companies in less of an extreme example when we're not talking about some basic human rights that we enjoy over here, could use that. Because there's quite a few, there must be many situations where companies don't really need data in identifiable format and they can still provide services to individuals in that way.

Sue:

Exactly.

Rhiannon:

Well it's quite the fact that Roe v. Wade has resulted in that is great.

Sue:

Yeah, I think it's commercially sort of says a lot about Flo as well because to your point, we don't need to be able to identify the user all the time and that's fine by us. And for some organisations they may prioritise that over protecting individuals' rights and freedoms. And so I'm just so proud to be part of a company that made a decision like this and I think it's an excellent solution.

Rhiannon:

And so moving a little bit away from Flo on onto your career to date, how have you ended up at Flo? What was your journey?

Sue:

So I started in the telecom space about 17 years ago with the Carphone Warehouse when they had just created TalkTalk, they just purchased AOL, showing my age, they just purchased AOL. And I was always the lawyer in the team that would kind of deal with the privacy matters on the side. It was like my side job, my hobby because at the time you didn't really see privacy teams within organisations, it just wasn't very common. But I was at the Carphone Warehouse and then I moved on to O2, the mobile phone network and that's really when the internet of things started to explode. So O2 had the exclusive with Apple for the first iPhone, apps were being launched left right and centre. And it was just really exciting to be a part of all of that really. So I know sort of loyalty apps are everywhere now, but at the time they were not very common.

So I got to work on one of the first loyalty apps that was launched by O2 and things like joint ventures with Vodafone and Orange or EE as it's known now at the time. So had a really interesting experience and I think what was also pretty cool about my time in telecoms is I was security cleared so I also advised on things like the disclosure of information to investigate crimes, investigating national kind of disasters really as well. So terrorists to tax and so forth. So that was quite fascinating for me as well. After O2 I moved on to Hasbro, the toy and entertainment company, and there I had exposure to things like smart toys and age appropriate design. And after Hasbro I moved on to Babylon and I think that just kind of opened up a whole new world for me where I discovered what I really loved doing.

So at Babylon, kind of the intersection of health plus AI, I think that's as interesting as it gets from a privacy perspective. So you've got two high risk processing activities combined. And like I say it just opens a completely new world for me, really enjoyed it. I grew so passionate about providing affordable and accessible healthcare to people through technology. And there I had the opportunity to work with NHS systems, with governments such as Rwanda where we were trying to introduce technology into really sort of traditional healthcare systems. So as you can imagine there's maybe not resistance, that's not the right word, but there was uncertainty as to whether or not technology really could create efficiencies in healthcare systems. Was that Babylon? And I absolutely loved it there.

And then while I was at Babylon, I started thinking, so I've got two daughters and menopause, perimenopause, it's coming for me, Rhiannon, and it's around the corner. And I started thinking I really want to focus on female health, I really want to focus on something a bit more specific. I know I love health tech, I want to focus on something a bit more specific. And I was kind of following organisations like Elvie, looking at the products that they were introducing to the market. Looking at sort of FemTech accelerators and just avidly following even companies like Flo to see what they were doing to help encourage women to spend more time to understand their bodies and to understand their health. And then I ended up at Flo and when the opportunity came up, I couldn't believe my luck and here I am.

Rhiannon:

Oh, it's so exciting. Thank you for that really lovely summary of your career to date. And then I imagine that when you started off that you would never have foreseen that journey that you made into privacy and through technology and through health. I think you are, I think probably showing both our age and I expect we're around the same age, that we've both had careers where you start off doing privacy at the side of your desk. Because as you say, privacy just wasn't a thing that people did. And then we've both now made careers from it, but then along with the tech, which has kind of gone alongside it and so you're forever learning in our roles, which makes it even more exciting.

Sue:

We're quite lucky I think that our side hobbies became actually really good career paths.

Rhiannon:

Yeah, very lucky. And we went from being boring dinner party conversations to things that people actually understood and want to get involved in.

Sue:

I'm still a bit boring at dinner parties, but yes.

Rhiannon:

Yeah, I probably am too. I'm probably just in denial about it. I think I'm interesting. So out of all of that, what would you say is your biggest career highlight?

Sue:

Oh, so I've been really fortunate. I've had the opportunity to work with amazing teams, amazing leaders. It's always a career highlight I think when you see somebody progress career wise and grow. And I'm sure a lot of managers and leaders and teammates will agree with that. So I've really enjoyed that part of my career in terms of working with excellent teams and seeing people sort of flourish in their careers. As I mentioned, the experience I had at Babylon in particular I think was super fascinating. I think coming from the perspective of a small startup and having to face the NHS or large insurance companies or large pharmaceuticals to say, "This is what I think data governance looks like." I'm really proud that I was put in the position to do that and I was able to do that. And I think during the pandemic and during lockdown, Babylon did a lot of work with COVID response, so kind of supporting NHS systems to kind of triage patients so that they could treat themselves at home and not necessarily put a burden on A&E departments.

And I was really proud of that work. I think the highlight of my career though, I have to say is probably qualifying in the first place. So I did not see that coming because I really didn't enjoy my law degree. I really struggled with it. I scraped a good grade, but I sort of left uni thinking, "No, that really wasn't for me." And I felt a bit lost. And I remember going to work at the Carphone Warehouse in their call centre, so I was taking sort of calls, I'd just finished uni, felt very confused with what to sort of do with my career. And it turns out I was really bad at customer services as well, so I wasn't doing a great job on the phones. And I remember my team leader at the time, he sort of took me aside and he said, "You've got a law degree, what are you doing here?"

And I said, "Oh, I don't think I liked my law degree, I really don't know what I want to do." And I remember him sort of marching me across the building to the legal department and he sort of nudged me towards one of the senior lawyers and said, "Go and ask her if they've got any jobs." So I did. And it turns out they did have a paralegal role available and I started sort of a few weeks later and then I realised that the practical application of the law is what I enjoyed and I really, really just had the best time even though I was sort of bundling and at the photocopier the whole time, I really enjoyed it. And so I think a few years later I qualified. So I think kind of walking into a business, starting off sort of in a call centre and walking out a solicitor, to me that was a career highlight.

Rhiannon:

Oh, that's such a great story. Thank you for sharing that.

Sue:

No worries.

Rhiannon:

So what skills do you think are needed in order to have a successful career in tech or in law and how can we help women obtain those skills? It sounds like a very, was it a man who took you across the-

Sue:

It was.

Rhiannon:

Okay. So ideally that would've been a woman, but that...

Sue:

Yeah, the lawyer that ultimately offered me the training contract at the Carphone Warehouse was a woman. Yeah, in terms of the tech space, I think you need to be a problem solver, a great team player, you need to be quite tenacious as well and resourceful and have a curiosity, I think about you. And I think women, girls, they should not be outsiders when it comes to the science or the tech industry, that's just ridiculous. The talent is no doubt out there. I'm definitely not an expert in this area, but I think at a young age, girls, they should be encouraged to explore career opportunities in this space. And that I'm happy to see girls who code sort of classes, more sort of mentorship schemes in this area.

So I think the talent pool generally needs to become a bit more balanced in terms of gender. And I think that needs to be addressed quite early on. And I think employers in the tech space and other industries actually, they just need to be quite supportive of their female staff and they need to look at benefits or flexibility that may, this doesn't apply to all women of course, but it may appeal to women or alleviate some of their concerns. So Flo has quite a generous maternity leave policy. They're quite generous with their keeping in touch days. Not that I'm planning on utilising that policy, but that is one of the things that I checked when I joined.

And there's also a female health policy as well, so you can have paid time off if you're suffering from period or menopausal pain or discomfort, which I think is really, really encouraging. I think for women in general, and I am massively generalising here, I think encouragement can go a long way. So what I want to see more of is kind of everyone, men and women, encouraging women within their business to share their views on calls, give feedback, call out when women are being interrupted on calls. Or when someone is getting credit for repeating something that a woman just said on a call.

Rhiannon:

Mansplaining.

Sue:

Yeah, we've all been there. And I think both men and women need to stamp out these behaviours when they see them. And by the way, it's not about being soft or going easy on women at all, it's just ensuring that they have the space and a platform to be heard.

So I've worked with some incredibly inspirational women in the past who have made way for me to speak, but then they've also gone on to assertively challenge and correct me when I have spoken. And I think that that's fine. That's great. So I think there just needs to be sort of a bit more of that and I think everyone needs to be quite mindful of it.

Rhiannon:

Thanks, Sue. I'm coming to my final question, but I'm now actually going to split it into two questions because you've also divulged that you've got two daughters. So I was going to ask you what advice you would give your younger self, but can I also ask you what advice you are giving to your daughters or you will give to your daughters for their careers and their futures?

Sue:

Yeah, sure. Oh, gosh. I think probably the same advice that I would give to my younger self. Hindsight is a great thing, isn't it? It's at a very kind of personal level. I think I would just remind them that they're enough. So you're brave enough, you're capable enough, you're worthy enough. I've always kind of struggled with that, so I've always thought, "Oh, but I'm sure I'm not the smartest person in the room." Or when I was younger it was very much, "Oh, I don't know, I think I should hang around with this group of people."

And I think it's really important that everyone has their own sense of self-identity and self-worth. And they don't sort of compromise that unnecessarily throughout their lives. Just knowing that you are good enough I think is a really important message that I want my daughters to know. They don't have to be anybody else, they just have to be themselves.

I want them to believe that. I want everyone to believe that frankly, for themselves. And I don't want them to compromise. I don't want them to compromise when it comes to relationships. I don't want them to compromise when it comes to work or their friend circle or whatever it is. And I think from a work perspective, I would say sincere hard work is always rewarded. o it could be in the form of a promotion, it could be a pay rise, but it doesn't necessarily have to be. So it could be that you've just gained an awful lot of experience or knowledge or you've even gained a sense of self-worth. You always gain something from working hard and by working hard, I don't mean just sticking around the office because the partners are around and you want to show them you're still working when really you're just on your laptop and you're not doing much. I mean, really putting the effort in, it will always, always pay off.

Rhiannon:

Thank you, Sue. That was really insightful and very wise words.

Sue:

Thank you.

Rhiannon:

Thank you so much for joining us today. I'm sure everyone who's been listening to the podcast will enjoy listening to you as much as I've enjoyed this interview. So thank you very much.

Sue:

My pleasure. Thanks for having me.

Rhiannon:

Thanks for listening to season two of Ashurst's Women in Tech podcast series. If you enjoyed this episode and want to listen to the rest of this season, or catch up on season one of our Women in Tech Podcast, please subscribe to Ashurst Legal Outlook wherever you get your podcasts. While you're there, feel free to leave us a rating or review. If you'd like to find out more about Ashurst's Digital Economy team, please visit www.ashurst.com. In the meantime, thanks very much for listening, and goodbye for now.