Cynthia Van Ort did not dream of becoming a CPO when she was a child, but her perspective on privacy today is rooted in a responsibility to think prophetically about the future of the industry in order to help shape it. Van Ort is the former North American chief privacy officer for Citigroup and the newly appointed global CPO for a large multinational corporation. She recently sat down with TRU Staffing Partners’ founder and CEO Jared Coseglia to give guidance to aspiring privacy pros and share her perspective on defining the core values of privacy as a practice and a profession.
“Privacy wasn’t a career path when I started working professionally,” says Van Ort. Like many early entrants to the privacy profession, she began her career in legal. She received her J.D. from DePaul University. “I was an attorney in the legal department at Harris Bank/Bank of Montreal supporting the privacy office and online banking.” In the early days of financial data aggregation, Van Ort recognized that privacy was an issue that would increasingly be critically important. “We had a data aggregation site where customers could go and see all their accounts from our institution as well as other institutions in a single dashboard. That required obtaining the customer’s financial information from other institutions to add to the dashboard,” Van Ort explains. She quickly recognized that in order for individuals to access the convenience of this service, they were required to give their user names and passwords for all their accounts to the vendor providing the data aggregation, essentially “giving away the keys to the kingdom.” These types of issues led Van Ort to build her career around data privacy and integrity. According to her, “data aggregation is only now finally in the spotlight because of associated privacy-related issues and government attention (like the CFPB) on providing customers the right to access their data in a safe manner.”
Being in the banking industry has given Van Ort a front-row seat to the complexity of compliance and the possibilities of privacy as a tool to help drive the business. Throughout her privacy career Van Ort has been responsible for developing approaches to identify and manage global privacy risks and resolve issues that may arise. She has led the development and global implementation of privacy programs involving the creation of privacy frameworks, specifically the development of policies, governance structures, standards, engagement models, training, metrics, reporting, risk assessment and more. “In banking we have substantial and effective authentication tools to prove that you are you. That’s security. But I wanted to make sure all employees were equipped to view our services through a privacy lens,” remarks Van Ort.
Privacy treasure chest and the security lock
Van Ort describes the difference between security and privacy using a treasure chest metaphor: “Privacy pertains to the rights of individuals over their information. Privacy is the treasure in the chest. Security is the controls that protect those rights. Security is the lock on the box,” says Van Ort. As she goes on to compare security and privacy, Van Ort notes a critical differentiation that is only now coming into the limelight as a result of recent headline news involving both security and privacy: “Privacy considerations are much broader than simply protecting the data. Confidentiality is only one element; but consider the rights of an individual to know how you are using their data. That’s transparency. ”
There have been several major public scandals in the last year that have drawn attention to the importance of transparency versus pure confidentiality. Though the Equifax and Cambridge Analytica events did not immediately impact regulatory standards, certainly not at the federal level, these moments did change consumer expectations and awareness of privacy. “I predicted there would be huge outrage after Equifax, but it settled down quickly,” observes Van Ort. “What did show up, though, is the desire for individuals to have control over their data,” adds Van Ort. This has inspired companies to seek “ways to help educate the consumer” about privacy. “Privacy notices are not helping the consumer and are not the best way to educate.” The challenge of educating the general population about privacy, for Van Ort, boils down to the competing agendas of privacy empowerment versus consumer convenience. “We need to empower people without requiring a huge investment of their time,” says Van Ort.
Privacy empowerment vs. consumer convenience
Van Ort recalls a moment with her daughter that humanizes and exemplifies this challenge: “My daughter uses a payment application that I think is unsafe. I sent her articles about the application and security around payment technology, but her response was simply, ‘I don’t care because this is so convenient for me.’ Consumers want to feel in control of their own data, and that means they have to know where the data is going and who is collecting it. Transparency. The interesting thing, though, is that people who want to be empowered also want convenience every day. Many people don’t care until something goes wrong, or until they are surprised by the use and sharing of the data.” So how does a corporation make its services and technology transparent, secure and convenient? For Van Ort it starts with simple questions: “What would our customers want us to do? What would they expect and what would they be surprised by? Even if we are complying with the law, are we adequately addressing customer concerns?”
“After Equifax, I thought Cambridge Analytica would be the tipping point,” says Van Ort. “But in the U.S., unlike other countries, we think privacy is protecting against identity theft – can they take your info and impersonate you? – but really privacy is a human rights issue. Cambridge Analytica made it clear that people do care about what’s private to them; however, despite the Facebook breach of customer trust, people are still using Facebook.” In fact, Facebook stock rose in recent weeks making Mark Zuckerberg the third wealthiest human on the planet, eclipsing legendary Berkshire Hathaway founder Warren Buffett. “Cambridge Analytica was interesting because people seemed so upset about data accountability,” says Van Ort. What the general population (and Congress) may fail to accept and understand is that “if you are using a product for free… then you are the product. Putting the onus on the customer to understand the difference between using and sharing data is currently too complex for the common consumer. It is, in my opinion, the responsibility of the privacy professional to help individuals understand where their data is going and why without requiring them to read a 50-page manual.”
The notion that privacy is about human rights draws attention to how U.S. and EU culture differ dramatically. Scandals aside, the GDPR has been another critical factor in evolving a global awareness of privacy. Regulation related to privacy is still highly nuanced in the United States, though the GDPR has set the tone and some standards for good privacy practices. “The GDPR has helped implement some commonsense requirements and, because of the enormous potential fines, has gotten the attention of companies collecting and using the data of EU residents,” says Van Ort. One question that many CPOs faced related to the GDPR was, “Do we implement all this globally or for just the EU?” From Van Ort’s perspective “the right approach is all-in for many GDPR requirements.”
Advice for aspiring privacy pros
So how does someone go “all-in” to build a career in privacy? When asked to give advice to aspiring privacy pros, Van Ort draws attention to two key characteristics that she feels are the foundation for a successful career in the space: “having a fascination with the privacy environment and where this is leading our world” and “being a highly analytical thinker.” For Van Ort, “so much of privacy is risk management, not just complying to laws, but assessing regulatory and customer attitudes toward privacy … and those change daily.”
Van Ort recommends as a first step “connecting with privacy pros at your current organization, volunteering for privacy tasks, becoming friends with privacy professionals.” Step two is getting education from the IAPP (International Association of Privacy Professionals). “The IAPP is full of information and one of the best sources across the board in every geographic region,” encourages Van Ort. “Certification doesn’t make you an expert, but confirms you have baseline knowledge in the area of privacy. It also demonstrates to hiring managers that you have an interest, you have pursued that interest and you have received accreditation or education to improve your credibility.” Van Ort also sites MOOCs (massive online open courses) as a resourceful way to gain some fundamental knowledge around issues that impact privacy, specifically as it relates to technology. “I am constantly self-educating,” admits Van Ort. She has found value in both Udemy as well as Coursera. “For 20 bucks you can take a video course on any number of topics.”
Van Ort offers this final bit of advice that has been a cornerstone to her success, in terms of both personal professional fulfillment and vertical mobility: “Surround yourself by great people, give them the space to make mistakes and don’t take credit for their successes. For any organization or any career, your biggest asset is always people.”