Data means different things depending on the audience or context. The word “data” is even pronounced differently depending on the speaker (though Star Trek may have something to do with how most of us say it now). Regardless of how people define or say it, data’s universal value to businesses, public agencies, and private citizens is undeniable. This has made data privacy more important than ever before.
The growing attention paid to how data is collected and used has spurred legislation, most notably in the European Union and states like California, to give people whose data is being collected more say over how (or if) it is used. At RSG, we take our legal responsibility around data privacy seriously. Data is core to our business and operations. Given its importance, we have made data integrity central to our mission. How? By creating processes and systems to ensure the data we collect or use on behalf of clients is done in accordance with all applicable laws and regulations.
But we go much further than following the letter of the law. At RSG, data privacy is part of our very culture. To explore what this looks like in practice, we recently chatted with RSG’s Chief Information Officer, Tim Young, who also serves as our Data Protection Officer and Data Privacy Team Leader. Here’s what Tim had to say.
Data privacy and data protection are distinct concepts. Could you describe this distinction and what it means for the Data Privacy Team’s operations and overall mandate?
Many people think these terms are interchangeable. At the same time, there are important differences to consider. Data privacy describes who has access to data; it also encompasses guidelines for how data should be collected or handled based on its sensitivity and importance. Data protection describes the tools and policies to restrict access to data.
Data privacy requires justification for collecting and handling personal data. Collecting informed consent from data subjects is something RSG relies on in its business. Moreover, data privacy provides data subjects with a guarantee on how their data will be used and where it will be shared and provides them with several “rights,” including deletion, viewing, and portability.
Data protection, on the other hand, is a set of strategies and processes used to secure the privacy, availability, and integrity of the data. It is sometimes also called data security or information privacy. Data protection is usually technical in nature. It involves steps like data encryption, strong passwords, or multifactor authentication.
Nomenclature aside, RSG recognizes people entrust us with their personal information. This is a huge responsibility. To that end, we feature our Data Handling Policy in company-wide training. The training outlines our comprehensive information security program and policies designed to safeguard personal data. We maintain these policies in accordance with international, federal, and state laws and regulations. The training also establishes our individual responsibilities in safeguarding personal data and lays out administrative, technical, and physical safeguards to ensure the security of personal data at RSG.
How does RSG stay on top of the rapid changes underway in the laws and regulations affecting data privacy?
First, it’s important to understand what our Data Privacy Team defines as personal data. Personal data (or sensitive personal data) means any information relating to an identified or identifiable natural person (“data subject”). Protecting this data from loss and corruption is mission-critical.
When first enacted, the European Union’s General Data Protection Regulation (GDPR) was groundbreaking. We stay ahead of changes like these through a mix of continued education, technology, partnerships, and consistent and clear company-wide communication practices. On the personal side, I’m also a member of the International Association of Privacy Professionals, which is the world’s largest and most comprehensive global information privacy community. In addition, RSG leverages OneTrust’s DataGuidance portal, which tracks privacy and regulatory research. We also partner with a trusted data privacy attorney and managed service provider.
Most importantly, we have a cross-functional team of data-privacy-conscious RSGers. We meet frequently to discuss data privacy and advise the organization as a whole. Our team is responsible for staying up to date on global regulatory and statutory changes. We also address challenges in data privacy by educating staff on privacy-related issues and monitoring potential threats from external and internal sources. These activities empower us to ensure compliance in our existing or emerging business markets.
As a member of the Data Privacy Team, how do you define success? What does that look like?
Data privacy has become an imperative for any organization that collects or processes personal data—and that’s pretty much every organization now. The challenge most organizations face is finding the right balance between weighing the privacy concerns against obstacles to doing business. RSG’s Data Privacy Team believes creating a culture of privacy is the way we succeed at driving this alignment toward better privacy outcomes, which helps our business in the end.
Our broader perspective on digital ethics and trust drives our culture when it comes to data privacy. This moves the internal conversation from asking if we are merely compliant to asking if we are doing the right thing. This affects how the industry perceives us as consultants. Do we wait until the law tells us we need to do something or do we become leaders in this space and do it because it's the right thing to do? The Data Privacy Team embodies our commitment to the latter.
Our culture of data privacy also informs how personal data can and should be used to support our broader strategic objectives. This improves our ability to execute and drive alignment throughout RSG, increasing everyone's understanding of and desire to support our privacy goals. This leads to getting the best use out of our data for clients.
How has passively collected data (“big data”) affected the mission and scope of the Data Privacy Team?
Just a decade ago, nearly all of the data RSG collected for clients involved surveys. This meant there was almost always an interaction between RSG and the people whose data we were responsible for safeguarding. That’s no longer true.
Big data is data that is collected automatically—often without someone’s knowledge or informed consent. RSG now develops travel analysis data using third-party location-based services (LBS) data. In doing so, we believe we also have a responsibility as industry leaders in this space to develop these products and methods in a manner that is transparent. We believe we can do this while also adhering to all applicable laws and protecting individual privacy. This is what differentiates us from others in this space.
The Data Privacy Team has developed company-wide guidance that outlines RSG's approach to protecting individual privacy in our big data products. We have rigorously evaluated our big data providers to ensure they meet our stringent policies around data privacy and protection. We also have a global privacy policy that governs how we use and share data and leverage informed notice and explicit consent across RSG’s tools and products.
How does RSG prepare for and respond to external threats?
Bad actors rely on the “human factor” more than any other method to gain access. In fact, phishing attacks are behind most data breaches. Of course, I don’t want to share all the countermeasures we deploy at RSG. But I can speak to a few general strategies we employ to help us prepare for external threats.
As I described, we are continually monitoring data use throughout the organization. This includes creating and implementing a Data Handling Policy and Security Policy Guide. We also perform new hire and annual security training and conduct quarterly phishing tests.
Further, we leverage best-of-breed platforms that have a fully integrated portfolio of services and best practices. These ensure the highest levels of security and compliance for RSGers and our clients. RSG also conducts independent third-party penetration testing of specific applications, and we fully support the National Institute of Standards and Technology Cybersecurity Framework.
······························
Tim Young is the Chief Information Officer at RSG, where he serves as Data Protection Officer and Data Privacy Team Leader. Tim also recently served on the Forbes Technology Council and is a member of the International Association of Privacy Professionals.