John Wunderlich is one of Canada’s leading privacy consultants. In this interview, John shares insights on privacy trends, lessons learned throughout his career, and three key privacy takeaways that all privacy professionals should seek to apply at their organizations.
John, why don’t you start us off and tell us how you got started in Privacy?
There was an interesting internal opportunity at Ceridian, where I used to work. This was before PIPEDA came into effect for commercial organizations like ours. It was interesting for a couple of reasons.
One is that privacy impacted every silo in the organization. And since I was doing some Six Sigma process work in addition to my operational duties, I thought it would be a natural extension of Six Sigma in understanding the “Voice of the Customer” – in this case the individuals who were being paid by Ceridian’s customers.
The other thing that I found interesting about it was that I had done graduate research in press censorship during World War I and the notion of protecting privacy – even in the private sector – seemed a way to address some of the same civil liberties issues.
Many of the people I encountered at privacy related events in those days came from a more legal and/or compliance background. Many of them had a very different idea than I did about what constituted a process, and few had operational backgrounds.
As a result, many of those people worked with policies and high-level procedures at a strategic level. I’ve always thought that the better approach was to build privacy into the day-to-day processes of an organization.
And since Ceridian you’ve taken on some significant roles in Privacy before starting your own consulting practice, including the Senior Policy and Information Technology Advisor to the Office of the Information and Privacy Commissioner of Ontario and Director of Privacy at Cancer Care Ontario (wow, that’s a mouthful!). What are some key lessons you’ve learned throughout that experience?
I have always understood that in any business that processes a significant amount of information, there will be errors. No process is perfect. This is inconsistent with a view that ‘no privacy breach is acceptable’.
No one wants a breach, but pretending that they don’t happen is akin to a retail operation saying that ‘no shoplifting is acceptable’.
Both are equally true as normative statements, and both are equally ungrounded in reality. So when people I run into, or potential customers, tell me that they don’t have privacy breaches, my response is to tell them that they have a detection and reporting problem.
I hear you’re quite busy consulting in the GTA with Wunderlich & Associates. What are some of the most interesting challenges that organizations are facing today?
With respect to privacy there are three interrelated issues: 1) Cloud/Big Data, 2) BYOD, and 3) Liability.
Every business is looking at moving some or all of its operations or customer offerings to ‘the cloud’. This raises significant issues around data custody and control, cross border transfers and governance.
For those organizations that operate at scale, these questions are exacerbated by big data questions.
At the same time employees and contractors are using their own devices and services in an effort to keep ahead of the curve themselves.
It’s hard to attract cutting-edge talent and then lock them into an old-school set of IT controls. But if you allow access to all the individual tools, how does an organization make viable privacy-related commitments to its customers?
And I don’t think the impact of the emerging tort of privacy has quite hit boardrooms yet.
Class action lawsuits for breaches of privacy are only going to get more common. So when you combine growing data sets of unstructured data with employee use of their own tools and significant increases in potential liability, I think we’re only starting to see the impact of privacy on business decisions – whether it is in the public or the private sector.
If you could get one message across to all organizations, what would it be?
Privacy is a governance and accountability issue – every person in the organization from the top to the bottom has to understand that protecting personal information is part of everyone’s job.
Tell us a little about the Privacy by Design Certificate Program at Ryerson University.
People ‘get’ the notion of Privacy by Design.
Anyone who has done software or process development knows that it is cheaper, easier and more effective to build capabilities in at the start rather than trying to bolt them on later.
But the seven principles of Privacy by Design are high level and aspirational. People were having a hard time in turning those principles into achievable goals, so the Privacy and Big Data Institute has worked with Deloitte to create a framework using a fairly standard approach.
This framework, which is available for anyone to review and apply, sets out controls and criteria that an organization can implement to build privacy into a program or product. My role has been as an advisor to the program – but the heavy lifting has been done by Ryerson and Deloitte.
What’s it like working with Dr. Ann Cavoukian?
What I can tell you is that Dr. Cavoukian is as passionate about privacy in person as you might expect if you’ve ever heard her speak or read her op-eds. She expects as much of herself as she does of those around her, and she builds bridges to many communities.
Her commitment, her energy and her deep knowledge are why she has been so influential on the international and business scene notwithstanding the fact that she was a sub-national regulator with a remit focused primarily on the public sector.
Part of your role surely includes sharing best practices with some of your clients. What are some of the most common best practices you like to share?
Some best practices would include:
- Your first line of defense is a well-trained and educated staff.
You can build a lot of security into your systems with technology and processes, minimizing the ability of individuals to break confidentiality, affect the integrity or reduce the availability of your information resources.
Protecting privacy usually depends much more on the people in your organization than the technology. That’s why training and awareness are critical to most successful privacy programs.
- Privacy breaches will happen. Every one is a learning opportunity.
If people are afraid to report privacy issues or, worse, people are blamed every time there is a privacy breach, your organization will drive privacy breaches underground. Not only will you have an inaccurate perception of your privacy posture, you will have put yourself in a position of not being able to get better.
Be prepared – if you implement a privacy awareness and reporting program – to get a bump in privacy breaches. This doesn’t mean things are getting worse. It means you’re finally in a position to fix things.
- Transparency builds trust.
Proactively report breaches to individuals as soon as you can confirm the breach. Most people understand that mistakes happen. What is more important is how you deal with them. If you proactively notify people, and do it openly, you are more likely to build trust.
Those are great takeaways, John. Thank you for enlightening our readers!
John Wunderlich is an information privacy & security expert with extensive experience in information privacy and data security. He has designed, built, operated and assessed systems for operations and compliance in the private and public sectors for over 25 years.