As chief privacy officer to the world’s largest independent provider of claims management to the risk management and insurance industry, Robert “Bob” Jett knows the importance of keeping customers’
I have been working on data privacy since before it was a recognised area of law. When I started out, what is now understood as privacy was part of a company's compliance programme and fell to its compliance officers. Of course, privacy still falls under compliance, but it has become a unique feature of the compliance programme.
To oversimplify things for the sake of making a point, privacy is just compliance with an IT flavour, and it is something I have been giving presentations on to boards of directors and executive management for over a decade.
It's funny, because I still have a compliance-based approach. I come to the meetings with only four slides. At first, everybody looks at me like I am out of my mind, but they soon understand that we don't need many more to understand what privacy is.
Essentially, privacy in an organisation can be reduced to four fundamental questions: Which data are we collecting? Why are we collecting it? What are we doing with it? And finally, where does it go to die?
In reality, privacy and compliance programmes have to be a lot more detailed, of course, but at the end of the day, if a company can effectively answer these four "Ws", I would argue that it has a very robust programme.
While the fundamentals of privacy have stayed the same, the environment businesses operate in has not. In particular, the general public is becoming more aware of privacy issues, and the last of the four "Ws" has taken on a new importance.
Companies cannot keep data forever, and they must find ways to get rid of the data they do not need in a secure manner.
Businesses must also remember that security is always key when it comes to privacy. If you're storing data in the cloud, then to a large extent you are relying on a third party. The quality of its controls and server management may be exceptional, but it is a potential gap in your security.
As chief privacy officer, I work with the chief information security officer daily. Together, we have built an incident response plan for privacy and another for security, but the two are intertwined. My management agreed to it because we demonstrated that cybersecurity breaches are, almost invariably, a threat to privacy. That's why I would advise counsel to always take the two threats together. You rarely discover one without the other.
Technically speaking, security has improved a lot in the last twenty years. We have created automated tools that can support anyone's privacy policies. So much so that nowadays, most ransomware attacks are due to human failure or insiders. The old approach of making a brute force attack on a server typically does not work anymore. Consequently, the bad people have gone back to tried-and-true techniques, like spear phishing, which lead to attacks that take advantage of social
I have seen an 80% increase in phishing attacks in the past few years, and it has gotten even worse since the beginning of the pandemic. These are often very targeted and very well thought out from a social engineering perspective. Hackers know that we work and live on our computers and smartphones, and it just takes one careless mistake from an employee for them to download IDs and then access all or part of your system. It is a little scary, and board members are generally very worried about phishing, but privacy professionals are here to help.
I have been tracking what may happen, during and after the pandemic, as regards medical records. From a privacy point of view, they have always been sacrosanct, and I think that we are going to start seeing that peel back a bit.
In the US, there has been a lot of hue and cry over vaccinations because there is this tension between the Occupational Safety and Health Administration's requirements and the level of security that is reasonable to expect from companies.
Employers have an obligation to maintain a safe workplace. This includes protecting people from airborne diseases. Therefore, for them to carry out their duty, they should be allowed to inquire if their employees have been vaccinated.
These things have never really been allowed in our modern societies, so the ways in which this will play out should be of interest to every privacy professional and general