Stronger Data Controls Let Companies Move Faster with Devan Brua

I recently sat down with Devan Brua, Founder & CEO of PrivacyWise, to talk about why weak data practices quietly create friction across product, sales, and leadership teams — and why stronger data governance actually gives organizations the confidence to move faster.

What struck me most in our conversation were Devan’s examples of companies that could make decisions faster precisely because their data governance rules were clear. When everyone across the organization understands what’s expected — how data can be used, where the boundaries are, and who owns what — teams stop second-guessing and start executing.

We also talked about something that resonated strongly with my own experience: improving data governance isn’t a one-time fix. It’s a journey. As products evolve, regulations change, and AI and automation scale, you’re constantly adjusting. The goal isn’t perfection — it’s shared visibility and confidence.

We also touch on EDGE, PrivacyWise’s diagnostic tool for understanding data exposure and governance gaps:
https://privacywise.tech/edge/

If your business relies on data for growth, I think you’ll find this conversation both practical and challenging.

Full transcript

Why data governance has become a growth constraint (0:00–1:42)
James Deaker:
 In digital media today, data is simultaneously one of your biggest growth opportunities and one of your biggest sources of anxiety. Most executives would rather focus on building products, shipping features, or growing revenue than dealing with privacy regulations, consent frameworks, and AI governance.
What often happens is avoidance. We’ll deal with it later. We’ll fix it when legal flags it. We’ll cross that bridge when we get there.
The problem is that the bridge is already here. Increasingly, companies are finding out the hard way that data practices don’t just create compliance risk — they also quietly cap growth, slow innovation, and undermine trust.
To unpack this properly, I’m really pleased to be joined by Devan Brua. Devan is the founder and CEO of PrivacyWise, where she works with companies ranging from startups to public firms. She helps them build practical, business-friendly approaches to privacy, data governance, and AI — not as a box-checking exercise, but as a competitive advantage.
Devan and I have worked together over the last few months on a new diagnostic tool in this space, which we may get to later. But today I want to talk more broadly about the mistakes, the mindsets, and the maturity curve that companies go through as they try to get data right — and why this matters.

A real enforcement case that should worry executives (1:47–4:20)
James Deaker:
 Before we get into common pitfalls, I want to ground this in a real-world example you sent me a few weeks ago. You pointed out an enforcement action by the California Privacy Regulator against a marketing company, ROR Partners, for failing to register as a data broker. Can you give a bit more context on what happened and why cases like this are such a big deal for companies that rely on data?
Devan Brua:
 The ROR Partners situation is really interesting because this time it wasn’t about a data breach or intentionally bad behavior — the kinds of infractions you usually hear regulators going after. This was simply about classification and the fact that the company didn’t register as a data broker.
California regulators determined that ROR Partners was a data broker because they were a marketing firm using billions of data points to build consumer profiles. Those profiles covered a wide range of demographic, socioeconomic, and behavioral information on millions of Americans, primarily in the wellness space.
They worked with wellness companies and brands, creating custom audience segments and providing those segments as part of their targeted advertising services. They packaged the audience segments into their services.
What happened was that the regulator said: that’s a sale.
There’s been a lot of discussion around what constitutes a “sale” or “share” of data, and this case made it very clear. It didn’t matter that the data was bundled as part of a service. Regulators determined it was still a sale. Therefore, the company was acting as a data broker.
What makes this such a big deal for many companies is that a lot of marketing, ad tech, and data-driven organizations assume they’re just acting as service providers. Many B2B companies deal with large volumes of data and assume that classification applies to them.
But regulators are increasingly looking at what companies do with data — how they package it, how they share it, not only with customers but also with third parties — and they’re saying that a sale is a sale. You can’t bypass these requirements by bundling data into products or services.
James Deaker:
 When you first made me aware of this case, it scared the hell out of me. And I’m sure examples like this scare a lot of executives, even if they look isolated on the surface.

How Devan entered the privacy and governance space (4:30–7:41)
James Deaker:
 You and I have worked together on and off for a number of months now. Even though we’ve been meeting regularly and building tools and frameworks in this space, I don’t think I actually know how you got pulled into data privacy and governance in the first place. What brought you into this work?
Devan Brua:
 It’s the same cliché answer that many privacy professionals have, especially here in the U.S. — GDPR.
I was working as in-house counsel at a software company in Colorado when GDPR passed in 2016. At the time, I was already responsible for a number of other compliance requirements within the company. When GDPR passed, it landed on my desk by default. The message was essentially, “Here — you deal with it.”
What became really clear to me very quickly was that privacy isn’t just a legal problem. It’s actually not even just a compliance problem in terms of meeting requirements. It’s a cross-functional operational problem — but many companies were expecting their legal departments to handle and solve it alone.
I would get pulled in after product teams had already built features, after sales teams had already made commitments to customers, after engineering had integrated new third-party services. My job was to make it compliant, which really meant trying to retrofit compliance onto decisions that had already been made.
That just wasn’t working. It was extremely frustrating because the same problems kept repeating themselves in different forms as new regulations passed and new states introduced their own requirements.
Product teams didn’t know what questions to ask. Engineering teams didn’t know which vendors they needed to flag. Sales didn’t know what commitments they could or couldn’t make without creating liability for the company.
What I realized over the next several years was that the companies who did compliance well weren’t the ones with the best lawyers, the biggest budgets, or the largest teams. They were the ones who had figured out how to integrate compliance obligations into how they actually operated.
That usually looked like real cross-functional collaboration across the company — no more operating in silos, no more marketing saying “I’m going to do my thing” while product does theirs. It meant making sure people were talking to each other, so issues were flagged early and discussed before they slowed growth.

The single most common mistake companies make with data (7:46–9:32)
James Deaker:
 Given that you’ve now worked in this space for many years and with many different companies, what’s the single most common mistake you see organizations make when it comes to data and privacy?
Devan Brua:
 They don’t actually understand their own data flows.
Most organizations have a general idea of what data they have and where it’s coming from. But in reality, there are so many points of entry for data — especially for companies engaging in online retail or online advertising.
In addition to normal day-to-day functions like employee and HR data, companies are collecting large amounts of consumer data through their websites, their applications, and sometimes even their products themselves.
A lot of organizations don’t fully understand all the different types of data coming in, where it’s going, who’s touching it, who has access to it, how it’s reused, whether it can be reused, and when — or if — it’s ever deleted.
Those are all questions that need clear answers.
And even when companies do undertake data-mapping exercises, often at the advice of consultants or as part of a new initiative, they tend to treat them as one-time projects instead of ongoing disciplines.
Data governance isn’t something you do once and move on from. It has to be something you stay on top of continuously.
That’s why I keep coming back to this being a cross-functional problem. It needs to exist across the entire organization as an ongoing process that’s built into how companies think about what they’re doing and how they’re moving forward.

Why data governance must be cross-functional (9:38–11:04)
James Deaker:
 While you were talking, I thought of a question I hadn’t originally planned to ask. Given what you’re saying about understanding data flows, many lawyers — and I don’t want to over-generalize — don’t necessarily have the technical skills to go that deep into how data actually moves.
Is that why you say this needs to be cross-functional? Or do you also think companies need to develop more technical capability within their legal teams?
Devan Brua:
 Two things.
First, yes — that’s exactly why it needs to be cross-functional, at a minimum.
Second, that’s also one of the reasons I started my company.
All of these issues have real legal ramifications for organizations, so they often fall to legal teams. But legal teams typically don’t have the technical expertise — or more importantly, the bandwidth — to deal with these issues on a day-to-day basis in the way they really need to be handled.
When I was leaving the corporate world to build something on my own, I asked myself how I could provide value in this space. The answer was helping legal teams by providing the operational, cross-functional piece that they could plug into their organizations.
The goal is to help teams communicate more effectively and build processes that work across departments, instead of expecting one function to shoulder the entire burden.

Moving beyond “box-checking” compliance (11:10–13:39)
James Deaker:
 You’re clearly the expert here, but I hear this phrase more and more: compliance shouldn’t be treated as a box-checking exercise.
In practice, what does that actually mean? If companies are trying to move from a compliance mindset to a more strategic data mindset, how should they think about that shift?
Devan Brua:
 Box-checking is exactly what it sounds like — checklists, paperwork, and bureaucracy. People hate it. It feels disconnected from the business, and it’s usually seen as something that slows growth.
The way I approach compliance, especially data governance, is to move away from rigid lists of requirements and instead meet organizations where they already are.
Rather than introducing entirely new processes, you use the tools, meetings, and workflows that already exist inside the organization to address compliance requirements.
That does two things. First, it prevents compliance from becoming a separate, isolated activity. Second, it makes compliance feel relevant to the business because it’s embedded in how decisions are actually made.
When compliance is embedded this way, it stops being about rules for the sake of rules. It becomes about clarity.
People inside the organization gain a better understanding of the risks, the trade-offs, the consequences, and the mitigations. That shared understanding gives individuals a bigger stake in protecting the organization from things going wrong.
It also enables earlier conversations. Sometimes those conversations are informal — someone mentions what they’re working on, and it surfaces an issue that can be addressed before it becomes a real problem.
When everyone in the organization, not just leadership, understands the risks and is working toward the same goals, teams can make decisions faster and with more confidence. That’s why I say embedded compliance can enable growth instead of slowing it down.

The data governance maturity curve and operational silos (13:44–15:13)
James Deaker:
 Building on that, if companies aren’t just checking boxes and are trying to continuously improve, there has to be some kind of maturity curve.
Some companies are just starting out. Others are more advanced. As companies scale, where do they tend to get stuck on that maturity curve?
Devan Brua:
 It almost always comes down to silos — operational silos.
If you have Product Team A working on their product, Product Team B working on theirs, legal doing its own thing, accounting and finance operating separately, marketing and sales on top of that — and none of those groups are really talking to each other — things are going to go wrong.
What I see with less mature organizations are teams that don’t even know who the legal department is, or don’t know who to ask when questions come up. Those bridges simply haven’t been built.
There’s no shared understanding that this is one company that needs to operate together.
The more silos you have inside an organization, the less mature your data governance is going to be.

Hiring versus operating model: where companies go wrong (15:17–16:58)
James Deaker:
 Let me push a little further on that. It can’t just be about breaking down silos. There must also be capabilities that need to be developed in key functions.
You can’t just hire one privacy lawyer or one data lawyer. You can’t just have one data scientist. How should companies think about where to prioritize hiring and how big these teams need to be?
Devan Brua:
 It really depends on the organization, but you can do a lot with a relatively small team.
What I tend to see work best — regardless of company size — is focusing first on the operating model before jumping to hiring specific individuals.
If you hire specialists too early, you can actually reinforce silos instead of breaking them down.
One effective approach is creating cross-functional groups, like a data governance champions committee. Each department sends one representative to meet regularly — often once a month.
Those meetings are usually led by whoever is responsible for data governance or compliance, whether that sits in legal, compliance, or another function. The group discusses current issues, upcoming initiatives, and anything in day-to-day work that might raise a flag.
Alongside that, training programs, regular leadership discussions, and shared language across teams matter a lot. Those investments often deliver more value upfront than immediately bringing in additional headcount.

Where perception and reality diverge on data practices (17:03–19:32)
James Deaker:
 When companies come to you and say, “We think we’re doing okay on our data,” where do you most often see perception and reality diverge? Where do organizations think they’re stronger than they actually are?
Devan Brua:
 It’s usually consistency and scalability.
Many companies have put real effort in. They have policies. They’ve bought tools. They’ve implemented cookie banners. They’re doing something, and that’s not nothing.
But where things break down is in maintaining those efforts over time and scaling them as the business evolves.
You can’t just put up a cookie banner and never look at it again. You have to make sure it’s working properly. You have to understand what data is coming in through it, and whether the technical implementation still matches what you said you were doing.
Those technical requirements change more often than people realize — especially as companies work with different marketing firms, adopt new advertising approaches, or add new vendors. Pixels and cookies get dropped onto websites, sometimes without centralized oversight, and suddenly companies are collecting different data than they originally disclosed.
The same thing happens with products. Some of my clients build consumer-facing products that collect data. A product might start as Product A, and everything is well understood. Then someone on the product team has a new idea, a small group spins off to explore it, and they start using all the data the company already has because it’s “their” data.
But did the company get the proper consent for that new use? Often, those questions aren’t asked before teams move forward.
Without everyone in the organization asking the same questions and understanding the same level of risk, problems emerge quietly and compound over time.

Why diagnostics beat tools and repeated audits (19:37–21:10)
James Deaker:
 One of the reasons we worked together — along with Greg McDonald at Chelsea — to build the EDGE diagnostic tool was to give teams a fast, structured way to assess where they stand across consent, collection, governance, and monetization.
From your perspective, why is a diagnostic approach more effective than jumping straight to policies, tools, or repeated audits?
Devan Brua:
 A lot of times, organizations recognize there’s a problem and immediately jump to, “Let’s buy something to fix it.”
They want to throw money at the issue and purchase a tool, assuming that will solve it. But in reality, there’s much more to consider.
There are risk questions that need to be answered first. You might be investing heavily in addressing a very low-risk problem while missing more significant issues elsewhere.
A diagnostic flips that order.
Instead of starting with “What should we buy?” or “What should we do?”, it starts with “What is actually happening today inside our organization?” and “Where are we trying to go in the future?”
Once you understand that, every next step becomes more effective. Policies are grounded in how data actually flows. Tools are selected because they fit your structure, not because you’re trying to force them onto a problem you don’t really have. Audits become validation exercises instead of painful discoveries.

How stronger data practices enable growth instead of slowing it (21:17–22:54)
James Deaker:
 A lot of executives hear the word “privacy” and immediately think costs and constraints. Can you give an example of how stronger data practices can actually enable growth rather than slow it down?
Devan Brua:
 Stronger data practices allow organizations to make decisions much faster. That’s really the core benefit.
Teams aren’t guessing anymore. They’re not defaulting to “no” out of fear. Legal departments aren’t saying no to everything because they don’t understand what’s happening.
When teams understand what data they have, where it flows, and what the guardrails are, they can move forward with confidence.
I’ve seen this very clearly at larger SaaS companies and platform businesses that interact with consumers every day. When teams are aligned — and when they understand where risk lies and what they can and can’t do — they’re not afraid to share information or push initiatives forward.
That alignment allows product launches to happen faster. It allows sales deals to close more quickly. Everything moves faster when people are operating within known guardrails and feel supported by leadership, legal, marketing, and the broader organization.

What companies will regret underestimating as AI evolves (23:09–24:15)
James Deaker:
 As you look ahead a few years — with AI evolving and regulatory scrutiny increasing — what do you think companies will look back on and say they underestimated?
Devan Brua:
 They’ll say they underestimated how foundational strong data governance was from the outset.
Not privacy alone. Not AI alone. Data governance.
It comes back to understanding your data flows: what you’re collecting and why, how data is coming in, whether you actually need it, what you’re doing with it, and what you’re allowed to do with it.
Data mapping and data inventories are relatively newer concepts for many companies. They originally came into focus through information security — keeping data secure — but privacy and AI governance have made the linkages between systems and data flows much more important.
You can’t separate these issues anymore. Data governance sits underneath everything.

Closing and where to find Devan (24:15–24:43)
James Deaker:
 This has been incredibly helpful. Thank you for taking the time to share your perspective.
If people want to learn more about your work and what you’re doing at PrivacyWise, what’s the best way for them to get in touch?
Devan Brua:
 They can find me — and PrivacyWise — on LinkedIn. We also have our website at privacywise.com.
James Deaker:
 Excellent. Thank you. I’m James Deaker. I am The Yield Doctor. Thanks for watching.

    
