Building Privacy Programs for Your Organization

Ron Whitworth

Ron Whitworth is Chief Privacy Officer at Truist, the sixth largest bank in the U.S., which recently completed a merger of SunTrust and BB&T. He manages the Enterprise Privacy and Technology Office (EPTO) within Compliance Risk Management.

Ron is certified by the International Association of Privacy Professionals (IAPP) as a Fellow of Information Privacy (FIP), a Certified Information Privacy Manager (CIPM), and Certified Information Privacy Professional for the United States, Canada, and Europe (CIPP/US, CIPP/C, and CIPP/E).


Here’s a glimpse of what you’ll learn:

  • How Ron Whitworth’s background in media and journalism led to his career in privacy
  • The biggest privacy and security challenges banks face
  • How banking technology has evolved to comply with modern data privacy and security laws
  • Where should companies implement data privacy and security?
  • How Truist manages data privacy amid expansion of privacy laws
  • What makes a successful privacy professional?
  • Ron shares his top privacy and security tips

In this episode…

The evolution of technology has given rise to highly regulated data privacy laws. In today’s digital era, organizations and privacy professionals need to modify their technology to comply with these laws. So, how can you implement a privacy program that complies with these advancements and secures your clients’ data?

According to Ron Whitworth, automated data governance allows you to understand and manage your data. With this technology, you can make strategic and informed decisions about where your data is and how you’re using it, so you stay compliant while establishing trust with your consumers.

In today’s episode of She Said Privacy/He Said Security, Jodi and Justin Daniels talk with Ron Whitworth, Chief Privacy Officer at Truist, about implementing privacy programs in today’s changing privacy and security landscape. Ron shares some of the major privacy and security challenges banks face, how banking technology has evolved to comply with updated privacy laws, and how he manages data privacy amongst changing privacy and security standards.

Resources Mentioned in this episode

Sponsor for this episode…

This episode is brought to you by Red Clover Advisors.

Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.

Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.

You can get a copy of their free guide, “Privacy Resource Pack,” through this link.

You can also learn more about Red Clover Advisors by visiting their website or sending an email to info@redcloveradvisors.com.

Episode Transcript

Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

 

Jodi Daniels  0:20  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified information privacy professional, providing practical privacy advice to overwhelmed companies.

 

Justin Daniels  0:35  

Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

 

Jodi Daniels  0:50  

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, media and professional services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit redcloveradvisors.com. Today is super exciting, because we have a longtime privacy friend who we used to do all kinds of fun presentations together until he then moved away. We have Ron Whitworth, who is the Chief Privacy Officer of Truist, and Truist is the sixth largest bank in the US, having completed a merger of SunTrust and BB&T in February. Welcome, Ron, to the show.

 

Ron Whitworth  1:53  

you. That’s great to see you as well. I missed my Atlanta KnowledgeNet friends. That was quite a quite a chapter there. I’ll be back I’m sure.

 

Jodi Daniels  2:04  

You know, they gave awards for like best chapter, I think. I think we’ve been best chapter.

 

Ron Whitworth  2:10  

It’s up there for sure.

 

Jodi Daniels  2:13  

Justin, are you ready to kick us off?

 

Justin Daniels  2:15  

Let’s do it. That’s where you know, I kick us off

 

Jodi Daniels  2:18  

already. You start.

 

Justin Daniels  2:19  

Okay. So, we always like to ask our guests: How did your career evolve to your current role?

 

Ron Whitworth  2:27  

Sure. So it’s hard to believe I actually had some friends posting on Facebook yesterday that it was the 25th anniversary of my college graduation that felt a little thing, right? Yeah, how long it’s been but I actually considered the privacy to be my second career. I started off as a as a college sports journalist, I was covering the Wisconsin Badgers and was in the media and and then decided after about six years, I was going to go to law school. And when I went to law school, I started focusing on media law and communications law kind of parlaying my first career into second career. And at the time, you know, 2006 2008, and that timeframe, privacy was considered kind of a subset of communications law. And I was very fortunate to have landed in a firm that was very forward thinking about privacy. At the time, there were only three or four law firms that had dedicated practices to privacy, which is hard to believe now. But I had the great fortune of being able to dig in for that firm and go out and get certified and just kind of get get to be an expert in privacy for that firm. And really, so I had an early entree into into privacy and data security and approached it from the legal side, that in recent years, I have moved in house and have gotten more into the financial services industry. And I’ve moved out of legal, so over the last five years of initially at SunTrust. And now at Truist I sit in the compliance risk management group. So it’s, you know, I’m the Chief Privacy Officer running the privacy program, no longer on the legal side, but of course, the legal, you know, skills do do translate and are helpful as well. So it’s been a long journey, but, but it’s been great to be involved in privacy, and especially today, the way that it’s really exploding.

 

Jodi Daniels  4:22  

I have to imagine that those media skills early on play a huge role today, because so much of privacy still is in the marketing, and sales and communications of any organization.

 

Ron Whitworth  4:36  

Absolutely. It really is. It’s mind boggling to see how the media industry is evolving as well and just how technology is impacting everything, and the way that we communicate, you know, the way that things are broadcast and this all the different nuances to it. You’re absolutely right and, and so it has been really fascinating to watch from both the journalism perspective and media perspective. In the privacy now,

 

Jodi Daniels  5:01  

What would you say are some of the big challenges that banks have nowadays, when it comes to privacy?

 

Ron Whitworth  5:07  

Well, kind of what we were just talking about, you know, how the world is changing around us. You know, for banks, it I think, in particular, we are very highly regulated, we deal with some of the most sensitive information out there, you know, people would say, health, you know, health care information, financial information, the vanguard of privacy that is often referred to, you know, we’re just dealing with highly sensitive information. But technology is changing everything in turn in, including in financial services, in terms of capabilities, and what we can offer to our clients, and the technology that’s available to give us capabilities to give clients information about their finances, and just a lot of innovative products and services that that really do implicate privacy laws as they stand now. And in particular, as we’re all aware, you know, the privacy world is changing before our eyes and new laws and proposed laws. And just we’ve got to be really on top of it from a banking perspective, because our clients expect us to be leveraging that technology to better their lives and to improve their products and services. But from a privacy perspective, we also have to be very, very cognizant of the you know, what can go wrong? And first of all, are we complying? And secondly, you know, how are we protecting our clients through that journey, making sure that we are looking out for them and that they were protecting and in their information appropriately as we engage in those technologies?

 

Justin Daniels  6:40  

Can you talk a little bit more about how technology is playing a role, like, in the pandemic, I can’t remember the last time I wrote a check, I can’t, I rarely use money, we’ve really become cashless. And that really presents some interesting opportunities and challenges when you’re a bank managing all these different technologies from a privacy perspective.

 

Ron Whitworth  7:01  

Yeah, it’s really fascinating. It’s great news for clients. I mean, there’s just so many nuances to technology and the things that you can accomplish, we just have a lot more information that we can serve the clients in terms of, you know, hey, what are your spending patterns, or if you make this change, or that change, your your financial picture can improve, and we just, it’s really exciting, you know, I get the opportunity to sit in some of the strategic planning sessions and some of the demos and that sort of thing about what’s what’s, what the capabilities look like. And it really is fascinating, just how different we can we can make people’s lives through technology. But I would say from a privacy perspective, I mean, technology is just changing everything in terms of the way that we oversee it, the way that we manage it. You know, we actually have a huge project going on within our company that we call enabling trust and privacy that is situated in technology, specifically the enterprise data office. And it’s all about, hey, you know, we’ve got a whole new world of privacy compliance coming at us here today, and it’s going to continue to evolve, we just now we’ve got to go build a lot more capabilities, we’ve got to be just much better at what we do. And the days of sort of, you know, asking the technology partners, hey, where does this data live? And you tell me, you know, what systems do we have? And where’s that data and just get that answer in an email, that obviously doesn’t cut it anymore, you got to introduce automation, and all sorts of tools and processes to make sure that you’re capable of even just even managing this data and living up to your promises and complying with these privacy laws. So it really is just changing dramatically right before our eyes.

 

Jodi Daniels  8:48  

I think a lot of other professionals who are trying to build privacy programs for their organization would appreciate learning a little bit, as you just talked about, of how to use automation and building those processes out. Can you share a little bit about what you see that’s been helpful and effective? You mentioned, right, going from that manual approach to more of the automation and processes.

 

Ron Whitworth  9:12  

Sure. So as you know, Jodi, I mean, the third party space and privacy has grown exponentially over the last few years as well, really, over the last 10 years or so, there’s a lot of great companies out there that are you know, there to help us facilitate this and we’ve taken a look and even kicked the tires with a lot of them in terms of automating data governance, essentially, just, you know, tools and technologies that can help you understand, you know, where’s your data? Where did it come from, you know, why do you have it? Who are you sharing it with? Why are you sharing it, sharing it with them, you know, and being able to kind of have that full picture? You know, 10 years ago, you might do that exercise once a year and it’s like, okay, we know where the data is, and then it’s like the static exercise. Whereas now you have to be constantly working at that. And no, nobody’s perfect at it. I mean, everybody has room to improve. And and there’s, you know, it’s just changing all the time in terms of the types of data you might have. And is it even considered data in scope? Is it personal information? And if so, what are those obligations? What are we told people? Yeah, so we’ve used a lot of those tools and technologies to first of all, check ourselves, you know, we, you go out and in your privacy notice, and you describe what you’re doing and how you’re doing it, you have to make sure that you’re living up to that. So you know, even just scanning your website and understanding what is happening. And are we fully aware of what where our information is going and how it’s being used. We’ve changed a lot over the last few years in terms of engaging some of those third parties and building some stuff in house. It’s a little bit of both, you know, in terms of how we were going to manage this moving forward.

 

Jodi Daniels  10:55  

One of the questions people always say is who should own privacy? So thinking about that kind of project? Someone has to be the ringleader to corral everybody else together? Who have who has run that before, for example, the data governance projects before?

 

Ron Whitworth  11:14  

Yeah, that’s a great question. We spent a lot of time working through that internally here. And it’s funny, you know, we always have this debate about where should privacy sit, you know, should it be in technology, or legal or compliance, or risk or wherever it might be? And the answer is all of those things, it has to be everywhere. So you know, it, a lot of my peers, and we have this conversation, and we start joking, it’s, you know, you need that expertise everywhere in all of those areas. And we but but to your point, at the end of the day, you got to have a strategic project, you’ve got to have project management capabilities. Our decision was, we’re going to position that major project within the enterprise data office, because so much about this is the data capabilities. And just sort of having that mindset, having that ability to understand where it is, how we can control it, when we have consumer rights, access requests, etc. They’re the ones that are going to be there to facilitate those. So we’ve, we’ve worked on an operating model, where, you know, the project management capabilities, the data governance capabilities is really off quarterback that of our enterprise data office. That being said, we’ve got a very strong relationship and nexus and operating models, so that they will come to privacy or come to our legal partners, and we work together on all of this stuff. It’s not like it happens somewhere else. And we check in occasionally, it’s a day to day engagement.

 

Jodi Daniels  12:44  

Makes sense?

 

Justin Daniels  12:45  

So we talked a little bit about who owns privacy in the company, but are these privacy laws impacting how you manage privacy, because as Jodi alluded to, we’ve just had our fifth state, Connecticut, pass a privacy law. And

 

Jodi Daniels  13:02  

Number one, I think childhood home state. Okay. I had to interrupt because, okay, we’re used to seeing the 50 states, I can do it all in alphabetic order. We used to go Connecticut, number one. Sorry, your very important question. Now keep going.

 

Justin Daniels  13:19  

love it is good. And with privacy laws on at least 20 more state legislative dockets, how does that expansion of those laws amongst the states impact how you try to manage privacy?

 

Ron Whitworth  13:35  

It deeply impacted, you know, state law, you know, activity in the US has been enormous, particularly for, I would say banks of our size or smaller, you know, we have a new peer set. So it’s kind of happened in the middle of our merger, where we went from two Southeast regional banks to now, as Jodi said, a much larger bank, six borrowers and they treat, but for particularly for banks that are not the giants, you know, they may or may not have had a lot of GDPR exposure. And, you know, for the large banks or large companies, even outside of financial services, they may have gone through this transformation, dating back five, six years, getting ready for GDPR, and all the other international privacy laws that might attach to that company. But for the smaller companies, the state law activity in the US has been enormously impactful. Just sort of drive making it clear to everybody, Hey, we’ve all got to do this. And some, some companies were, you know, three or four years behind a lot of the others in the industry getting getting started on this journey, depending on where they were on that GDPR applicability scale. So California in particular, in particular, you know, when CCPA was first introduced, and as people were trying to digest it, interpret it, a lot of the banks were coming together, even in person before COVID in big rooms where all the banks are represented and talking through in detail, you know, how does this impact our compliance obligations? And how are we going to approach this? And are you going to treat all consumers the same? Or are you going to, you know, isolate California, all those questions, I would say, really brought the companies together and really did a lot of benchmarking. And, and it’s been interesting to see how it’s evolved. But it’s continued with CPRA. And of course, Colorado, and Virginia and Utah, Connecticut, we got so many more balls to wrestle with now, but it has absolutely changed the game for everybody.

 

Jodi Daniels  15:36  

I love how the idea of all of those people representing those banks can come together on a common issue and really solve it collectively. I think that speaks volumes to the privacy industry, that we’re all here trying to help solve these issues that make sense for the individual and the organization. And so it’s really nice to be able to hear that that’s how that started.

 

Ron Whitworth  15:58  

I agree 100%. I mean, there’s certain issues that I think banks can be reluctant on sharing information with, you don’t want to share any competitive secrets, etc. But you know, privacy and data security, for that matter. We’re all in this together with St. I would say the same thing over on the cybersecurity side, you know, let’s compare notes. What are you seeing? What are you experiencing? How are you tackling this challenge or that challenge? We’ve gotten a lot of great feedback from our peers. And you know, what’s funny is, especially in privacy, you’ll have very smart people completely disagreeing on what the law says how you should interpret it, how you should execute it, there’s not necessarily a right or wrong answer. So I found a lot of benefit, just listening to my peers, and they keep hearing how things are going there and implementing some of what I’ve heard, you know, at my company, so I agree with you. It’s been fantastic.

 

Jodi Daniels  16:52  

Yeah, it harkens back to my days when I was implementing Sarbanes-Oxley at a large company, and I created the same thing. We created these benchmarking, because everyone was it was new to everyone. What does all this little two paragraph thing mean to people? Now we have some very beautiful gray privacy laws, as you just indicated, that people have to figure out what to do with. So with these programs, and new laws means you need people to help do all this work. What have you found to be successful in finding privacy professionals? And for anyone listening, maybe who wants to get into the space? What are some of the skill sets that you’re looking for?

 

Ron Whitworth  17:29  

Yeah, that’s been a real challenge, honestly, I mean, we’re hiring and you’re hiring Jodi yell, i It seems like everybody’s hiring, which is great news for privacy professionals. I think what we’re seeing and hearing, though, is that, you know, the folks who have 5, 10 years of privacy experience that everybody puts in their job reqs, they’re not readily available, I, you know, a lot of people are perfectly happy where they are, they’re not moving. And so we’ve got to got to really figure out a different way to fill the need. And one thing we’ve we’ve been successful with is really engaging data governance, skill sets, you know, pick people who are been more sort of records governance, or data governance type skill sets, they have really made a fantastic transition over to privacy. I mean, there’s a lot of it’s just very natural, because so much of it, as we talked about, about data. You know, we also have really found, you know, we find bright lawyers or bright compliance professionals that just have a lot of motivation to learn, that are willing to dig in and, and have a passion for this area, we’ve seen a lot of success where, you know, while privacy is deep and nuanced, and it might take years to become a true expert, there are ways for very smart people to dive in, get educated quickly and make a difference. And we’ve seen a lot of people make that transition where they weren’t in privacy a year or two ago, but they’re already you know, heavy hitters in the privacy world, they’re already making a huge difference. So I think there’s a real opportunity out there for people for bright young talent, in particular, if you just have a passion for this, that I do think passion is the key word because this is, as you said, Jodi, I mean, this is a great community. It’s an exciting area of law in area practice across the board. And it just it lends itself to people who are extremely passionate about their work about protecting individuals about protecting privacy. And I’ve just seen that that sort of energy and passion translate into direct success in the workplace.

 

Jodi Daniels  19:37  

Excellent to organizations I was looking for people step on up.

 

Justin Daniels  19:44  

Right. You know, Ron, I’d like to ask you a follow up to that. Obviously, you and I are both lawyers by by training, but can you talk a little bit about your thoughts around how necessary a law degree is because obviously Jodi doesn’t have a lot of grand she knows the space sit downs backwards and forwards. Although sometimes I think she has a degree

 

Jodi Daniels  20:04  

in her family, we’re good, but but love to get your

 

Justin Daniels  20:07  

perspective because law school is a big commitment, but I get the sense in the privacy space. It might be beneficial, but it’s not a necessity. Love to get your take on that.

 

Ron Whitworth  20:16  

Yeah, I agree with you. And I’ve had the same conversation, honestly, with a lot of people who are not lawyers about, you know, is it worth the time expense commitments, etc. It’s a huge commitment. I do think there is an extraordinary value to having a law degree. But it’s not necessary. There are so many different areas of privacy that do not require a legal degree. Jodi is a great example, as you said, I mean, there’s so many people who, who have made a huge impact as Chief Privacy officers, or, you know, in a supporting role in major companies that really haven’t needed a law degree. I will say that the, you know, the job prospects right now, I have talked to a couple of individuals who are quite frustrated because all the law firms are hiring, you know, if you’re a lawyer, you’ve got endless amounts of opportunity out there and privacy. Sometimes the non legal jobs can be a little harder to to get, and there’s some frustration with people like, Man, I wish I had that law degree. But it when you weigh the costs, and the benefits, I think, you know, overall, it absolutely is not a prerequisite to having a very successful career in privacy.

 

Jodi Daniels  21:32  

What advice would you give to someone coming in new to a privacy role? Maybe they’re going to lead the privacy program, they the company has never had someone do that before? What if what, what should they start with? What would you suggest is really important, maybe in their first, well, same 90 days, but really, it’s gonna take, you know, a while to get that program out. But where should they kind of begin?

 

Ron Whitworth  21:55  

Sure, I’m always a huge proponent of the IAPP certifications I’ve done for them myself. The CIPP/US is what I always recommend for new privacy professionals. I think that that certification does a tremendous job of providing a baseline level of knowledge that is important. You know, while folks don’t necessarily need to be a lawyer, I do think it’s very important for people to understand what these laws are, and what how they grew up. Why did they say what they say? And what’s kind of behind it? I think having that understanding of, you know, why are these laws requiring what they do, and how did we get here? And what are they trying to accomplish? And by the way, how does that compare to Europe and other jurisdictions where maybe it’s more robust and where that’ll tell you where we’re headed. I think I’ve yet to come across somebody who has gone through the time and expense to get the CIPP/US as a starting point that has regretted it, because I think it’s that foundation that is really, I would say, is a prerequisite for our privacy professional.

 

Jodi Daniels  22:59  

Excellent advice. Where are you looking at me?

 

Justin Daniels  23:03  

Because during the pandemic, I had the opportunity to either maybe study for my IEP or get a drone pilot’s license,

 

Jodi Daniels  23:11  

which I recommended the drone.

 

Ron Whitworth  23:18  

I can’t blame you there. That sounds great.

 

Jodi Daniels  23:20  

It takes wonderful pictures now of our whole family.

 

Justin Daniels  23:23  

But I also have to deal with what are the implications for privacy on the drone camera and what it collects and the implications of all that, which is a topic for another day.

 

Jodi Daniels  23:34  

It’s true, I was not happy with the drone that was flying over our house that was not ours. I can imagine. See?

 

Justin Daniels  23:44  

Anyway, one of the questions we love to ask all of our guests is, do you have a best privacy or security tip you’d like to share from your experience? Sure. Well,

 

Ron Whitworth  23:53  

I think one thing is, especially important now is staying current with with technology, you know, I was told that from from the beginning of my privacy career, you know, back then they would say, hey, you need to get on Facebook. Now. Now, that’s sort of, you know, that’s what the older people like me do. You know, so now it now is, hey, you need to understand about NFTs and crypto and the meta and, you know, all these terms that might scare people away because they sound scary, they’re hard to understand. We need to wrestle with those things and kind of dive in and experiment and just understand what’s happening in the world from a technology perspective. Because unless you really experience it yourself and you see for yourself, you know how things are working and some of the nuances that you will experience as a consumer. It’s really hard to advise properly, you know, when you’re whether you’re in a legal role or CPO role or it just kind of evaluating some ideas that percolate within your company. I’ve just always found it extraordinarily helpful to be educated on the actual technology. You don’t have to be a technology expert or a whiz, you just have to have sort of a grounding so you know what you’re wrestling with.

 

Jodi Daniels  25:10  

Ron, when you are not doling out privacy advice and studying the latest privacy laws, what do you like to do for fun?

 

Ron Whitworth  25:18  

Well, I have three young children 10, eight, and six. So a lot of my time is spent. Let’s see travel hockey, gymnastics, soccer, MMA, fencing, rock climbing, and some of the activities that our weekends are, are really encapsulated by but I’m a huge sports junkie. Still, I mentioned I was a sports reporter. I still work out in the mornings, but I don’t play sports myself. But I’m a huge Washington Capitals fan. It’s the hockey playoffs right now. So my world comes to a halt until that season over. I’m a huge, huge sports fan. So I spent a lot of time playing, watching sports and particularly supporting my kids as they start to play themselves.

 

Jodi Daniels  26:00  

Well, thank you so much for sharing, we can appreciate the weekend activities and weekday of all kinds of suffering. We just feel like the carpool taxi. So if people wanted to connect with you, where is the best place to do so?

 

Ron Whitworth  26:17  

LinkedIn would be great. Connect to a lot of folks on LinkedIn and happy to connect with anyone who would like to connect there. That’d be that’d be fantastic.

 

Jodi Daniels  26:26  

Well, Ron, thank you so much for sharing. I know this was really valuable information that you’ve shared to anyone creating a privacy program working on one trying to figure out how to enter one as well. So thank you again.

 

Ron Whitworth  26:39  

Thank you for having me. I really appreciate it.

 

Outro  26:44  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.