Saturday, September 19, 2015

Privacy & Compliance: Why Women & Minorities Need Apply


When I was invited to speak at the Philadelphia Leadership & Diversity Conference last year, my first thought was that I was honored. My immediate second thought was that they must have asked the wrong ‘Al Raymond.’ Now, I’m not the whitest guy on the planet, but if you look at my LinkedIn profile picture you’ll see that, yes, I do have a bit of a St. Tropez tan going on, but I would not be considered the best example of a diversity candidate to speak at a diversity conference. So what value could I bring to the conference, and what could I talk about with any degree of credibility?

When I told my team of the invite and what my first impressions were, they had a bit of a chuckle too. But when I explained to them my struggle for a suitable topic, they reminded me of a few very excellent and insightful points that I had overlooked. I should remember, they told me, that our Privacy team was 87% female. And 50% of those females were minorities. (Our inside joke is that I am the minority candidate on the team). And that they were all very happy where they were in their current careers.

They were spot on. And this got me thinking about what I wanted to talk to the Conference about: the fields of Compliance in general, and Privacy specifically, are a fantastic and natural place for female candidates to look for their future careers. I have found that there is something about a female approach to a Compliance or Privacy challenge that varies significantly from a male’s perspective. The women on my team, and women in Privacy in general, bring a very nuanced approach to thinking about Privacy issues and solutions. And it makes sense: Privacy and its kissing cousin, Compliance, are built on a foundation of accordance with laws and regulations. If you know anything about the laws in the Compliance and Privacy space, you know how many shades of gray are involved in the black letter laws. More than 50 shades, for sure. Most laws in our world have enough ambiguity to drive a Jeep Cherokee through, so it helps to have people who can think in terms of gradation, yet be practical.

I speak from experience on how women think differently from men in this space. I started out in information security, and I was primarily focused on protecting data. It was an easy exercise: build a moat around the data and don’t let anyone get to it. Thus, the data is protected; problem solved. But the discipline of privacy differs from information security in that one of the tenets of privacy is the principle of access. It states that an individual should be informed of the existence, use, and disclosure of his/her personal information and should be given access to that information and be able to challenge its accuracy and completeness. That is a very different concept from simply making sure the data center has locks on the doors with hungry Dobermans running around it at night.

Thanks to my team’s counsel, I spoke to the Conference participants about the worlds of Privacy and Compliance and how they both present a relatively under-publicized and untapped goldmine of opportunities for both women and minorities to seek their professional fortunes. Both are places where people are judged on their merits and accomplishments, and it makes it easier to stand out as a star employee that way.

I enjoyed my time in InfoSec and still stay interested in technology and cyber security issues, but the evolution of my professional journey into Privacy, which has allowed me to be surrounded by so many competent and talented women and minorities, has been a force multiplier for my career that plain old hard work just could not have produced alone. It stands as the single best career decision I have ever made. And you can too.

Monday, August 10, 2015

(Lack of) Privacy as a competitive differentiator

I have been struggling with the recently fashionable notion of 'privacy as a competitive differentiator' or 'competitive advantage' for some time now (here and here). And I can see similar struggles in some of the literature posted by my peers trying to 'sell' the idea of our privacy position/program as a way of distinguishing oneself from one's competition, a truly rational exertion, by the way. The optimist in me sees the potential to show how different (better?) you are than your peers by how you treat customer data, and thus leverage that behavior for some (unknown or intangible) benefit. Maybe this is privacy professionals' self-talk to make ourselves feel good about what we do, and rationalize that our activities are not just pedestrian compliance functions. I'm sure, however, actuaries have the same goal. As do accountants, accounts payable professionals and maybe even custodians - all looking to contribute to the company's overall benefit by 'monetizing' the excellence of their services.

Yet I'm still not convinced we have made measurable progress with the public on this issue. I've yet to hear a groundswell of consumer sentiment in which privacy is the primary motivator to buy a product/service or to switch to that product/service. Sometimes you do hear consumers mention privacy, true, but it always seems to be subordinated to something else – bad customer service, low product quality, rude employees, etc. Not that companies have not tried to quantify how much privacy as a service/feature might be valuable to people. There have been some recent attempts by a few companies (AT&T, AshleyMadison.com, Google) to try and put a price tag on 'privacy,' though the end state in those cases looks more like a state of secrecy or 'pay not to be annoyed.'

I think, instead, that the lack of privacy controls or an honest culture of privacy within a company will lead to a disadvantage. If nothing else, what this inverse situation will create is a floor, rather than a ceiling, against which all companies must at least raise their privacy-related behaviors (without already being obligated by regulation, that is). Think about cell phones: how viable would a cell be if it was fantastic in every way possible except that it had a 1 megapixel camera? Game over. To even be considered a contender in the mobile phone space today, you have to have at least an 8 megapixel camera. That's just table stakes. Here is where I see the arms race for privacy programs going as well.


(Some) consumers still see privacy as analogous to air - completely necessary to the existence of the arrangement, but generally not taking notice of it until it is in short supply or not there at all. What we need to do as privacy pros is get better at selling how great breathing is.

Thursday, June 4, 2015

Privacy as The Boogeyman

If you’re like me, you might be noticing the frequency with which the perception, concept or practice of privacy increasingly makes its way into our daily life and vocabulary, across different mediums, and in many diverse contexts.
A regular feature I enjoy in my weekend reading is The Haggler column in the Sunday New York Times Business section. Basically, this is a column where readers write in to The Haggler (a.k.a. David Segal) asking him to intercede on their behalf against a company with which they have had some untoward experience and have gotten no satisfaction. People write in to The Haggler for help as if he is Obi-Wan Kenobi (That is, “Help me, Obi-Wan Kenobi, you’re my only hope”).
What I have noticed, and Segal just recently pointed out, is that many companies that The Haggler contacts in an attempt to help resolve the situation for their customer have fallen back on the comfortable position and response of refusing to talk about the disgruntled customer’s case with The Haggler due to the ‘privacy rights of the customer’ – even after the customer has agreed to waive their privacy rights so that The Haggler could act on their behalf! Usually in writing!
Segal notes:
"The Haggler has encountered this sequence of events more than a few times, and it always mystifies. If the real obstacle to discussing a matter is something other than privacy rights, invoking those rights is a very silly idea. Because after those rights are waived, it looks as though the company used a high-minded principle as a cheap excuse."
Excuse indeed. While generally speaking, companies rightly need to and should protect their customers’ data and transactions with them, it seems as though some companies reflexively use the boogeyman of ‘privacy’ as a reason to not be as transparent or forthright as they should. The ‘diplomatic immunity’ card of privacy should not be used as an impediment to satisfaction, especially when the customer has either authorized a third party to help resolve their disagreement, or otherwise is attempting to bring to light some unethical or questionable behavior by a company.
Transparency in practice and behavior is the present and future for companies who use, collect and process customer data in every format and medium. Period. Using the privacy of the customer as a kind of talisman that can only be understood or appreciated by the company is an outdated and inefficient way of doing business. Plus, it’s just outright lazy. Companies who are transparent and forthright about their customers’ experience and want to do the right thing by them are also the ones that rank highest in customer service satisfaction surveys. Hiding behind the boogeyman of privacy doesn’t really scare anyone these days. Although it just might scare away some business.

Sunday, April 19, 2015

Great at Privacy? Tell the Marketing Department!

The contemporary trend for privacy professionals is to try and ‘sell’ the maturity and competency of their company’s privacy practices as a kind of competitive advantage. Much like our friends in info security have had to do for years, we had to justify everything we did with an ROI. Usually, we failed if we took that approach, since we wound up in the same cul-de-sac of ‘cost avoidance.’ I have yet to overtly or blatantly see any company use privacy as a competitive advantage versus their competitors, but I hear it being talked about all the time in privacy circles. Usually in hushed, reverential tones.

I have written about this before, even going so far as to insinuate that privacy ranks above many other considerations customers evaluate and ultimately treasure when doing business with a company, or even considering it.

Data, and lots of it, has always been a by-product of most businesses. That asset had historically been considered as just another company commodity to be managed or warehoused like an extra tractor or overruns from last season’s fashions. Protection and confidentiality of the data was mostly an afterthought. But today, data is like a new natural resource for companies that has brought new life – a digital B-12 shot - into an area that was once discounted.

But rather than thinking of privacy as some kind of operational advantage you have over some other company - which fails to excite average customers - I am increasingly intrigued with the idea of privacy as a marketing concept, or at least a concept to be marketed better. You might be tempted to dismiss my flippancy of the idea to equate privacy with gems like “Tastes great. Less filling,” “I’d walk a mile for a Camel,” or “With a name like Smuckers, it has to be good.” But indulge, please.

The term ‘creepy’ is very popular in the privacy lexicon these days. It of course means an app or service that knows too much about you, and causes you to have a strong emotional response, even if the results are beneficial. We initially react to these invasive products, apps or services and deem them creepy, but over time, the creepiness factor diminishes. Most of us are now used to customized Google search results, GPS on our phone, and prophetic Facebook recommendations following us from site to site; they no longer make our skin crawl (much). Now, one man’s creepy is another man’s targeted ad. (Think about this: caller ID was once thought of as an invasion of privacy – now it is the complete opposite: it protects our privacy.)

A very popular product/service in use right now that had a potential creepiness factor, but instead has been marketed so perfectly that consumers do not think of it that way, is the Disney MagicBand. This plastic band worn in the company’s theme parks is an electronic band that can simply and digitally carry everything a guest might need—park tickets, photos, coupons, even money. It allows guests to enter Disney World, pay for goods at retail shops, and unlock their hotel room doors. It is literally a virtual key to the Magic Kingdom – and it knows a lot about you! I doubt though that anyone who has been reunited with his or her lost children with the help of this band would still decry this product as creepy. We all surrender privacy when the benefits begin to outweigh the shortcomings. (E-ZPass anyone?)

Why? Because ‘creepy’ is only a poorly placed product reference.

It may seem unctuous to the privacy purists out there, and you may have to hold your nose a bit while the rest of us ‘market’ privacy as a product. But really, if our discipline becomes a product, it becomes marketable and ever more tangible; it becomes even more commonplace and routine. That’s a good thing. It raises the bar for everyone. It means people no longer will be pleasantly surprised to see an app, service or web site respecting their privacy preferences; it will be an expectation of every customer and their experience with our products. Just like we all expect to see a smile on Mickey’s face every time at the Magic Kingdom.








Thursday, January 29, 2015

Data Privacy Day: My 12 Privacy Resolutions for 2015

In celebration of International Privacy Day, I thought I’d update my Privacy Resolutions for a new year. Here they are in no particular order:

1. Unsubscribe from all e-mails, newsletters, magazines, blogs, reddit, etc. that I don't read, never read anymore or never actively signed up for. I know my e-mail address is just going to be sold to other marketers or mailing lists anyway so I’ll start to cut down on the clutter.

2. Update and strengthen the passwords that I use for critical, financial and other data heavy websites.

3. Better yet: migrate all of my passwords to a password manager app like LastPass, Dashlane or PasswordBox.

4. Stop updating everyone on my location via smartphone apps. No one really cares and I’m probably just letting thieves know I am not home so they can rob me.

5. When putting mail in the mailbox for the Postman to pick up, I’ll never lift the flag anymore to indicate that there is mail in the box. The mailman will find it anyway. Leaving the flag up tells ID thieves that you have some mail that may contain some interesting personal data.

6. Pay all of my bills online. C'mon, it's 2015.

7. Stop using my debit card to make online or offline purchases, or buy gas; use a credit card only. Using a debit card gives a thief direct access to your checking account, making it difficult to prove fraud, and preventing you from taking advantage of consumer protection laws that most credit cards offer.

8. Do an exhaustive Google search on myself to see what information is out there so I can see what the blogosphere is saying about me, if anything.

9. Make sure the "Do not track" option is checked by default in my browser's settings.

10. Better integrate the concept of 'privacy by design' into my business and/or IT development processes; no more bolting it on once the process or application is complete and ready to be rolled out.

11. Better publicize the social media policy within the company so everyone knows what the rules are.

12. Finally realize that there is no such thing as 'free' on the internet. No free iPads or dinner coupons to Cheesecake Factory, or trips to Disney World. Stop clicking on those offers or accepting the links on Facebook. And no, I guess I am not really the 1,000,000th visitor (!!!) to a site and have not really won anything. Pass it on.

Monday, January 5, 2015

My 2015 resolution: Ask 'What's the worst that could happen?'

I’ve decided to adopt a newer, a bit bolder approach to life and business for the upcoming year. From now on, when assessing a problem or potential solution, I will ask others, or myself, “What’s the worst that could happen?” Don’t mistake that line of inquiry for flippancy or indifference to risk; I am not trying to be glib in any way. What I am trying to do is push beyond the usual constraints that I have set for myself, either consciously or not, in life and in business.

I have a personal philosophy and saying that everything in life is about risk management. Literally. Everything you do in every way, in all its minutiae, is in one way or another a decision about the management of risk: should I sleep late or get up early; do I exercise today or do it tomorrow; do I take a multi-vitamin or not; do I walk to work or take my car; do I eat breakfast or skip it; do I ask for a raise today or hope the boss gives me one anyway; do I finally start my own business or push it off one more day; do I marry or stay single, and on and on. Each decision in a minor or major way is risk based, but since we have a level of familiarity, or comfort, with each of these decisions we tend not to think of them that way.

For 2015, I have decided that asking, “What’s the worst that could happen?” is the best way to push the limitations of possible options or outcomes that I have imposed on myself. Like many of us, I am paid to come up with results. If the truly worst thing that could happen is nuclear Armageddon (or maybe just a huge financial penalty by a regulator), then one would obviously not go down that path. Yet, if the answer to the question is ultimately the answer to the problem (and I imagine many times it will be), then just by asking it, I am doing my job in vetting all possible options for the solving of the problem.

What is the worst that could happen? Find the answer and work your way back from there. Unfortunately, we typically take the opposite track: we posit the optimal solution, and ask why it won’t work. In this traditional approach, we never get to fully vet the possible universe of solutions that might lead to a truly unique breakthrough, either for the person individually (i.e. an audacious career move) or for a company (a new product innovation).

This novel approach to risk management can be condensed to this: Optimize risk, not minimize it or avoid it. Why? Because it is easy to minimize or avoid risk altogether – just don’t do what is being contemplated. You’ve probably heard these excuses from the risk-averse before: Should we outsource back-office operations to India? No! Too much country risk! Should we develop a mobile app version of our flagship software? No! Too much data security risk! Should we be on social media talking about our products to customers? No! Too much brand and reputation risk! All risks, without a doubt, so why not do nothing? Sometimes, nothing is the worst thing that could happen. Sometimes, however, the biggest risk of all might be in doing nothing.