
Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional, providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:37  

Hello, Justin Daniels here. I am a corporate M&A and tech transaction equity partner at the law firm Baker Donelson. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels  1:01  

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our new best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Ready for some fun?

Justin Daniels  1:41  

I’m ready to go on a cruise.

Jodi Daniels  1:43  

I know I am missing our cruise, it was really a lot of fun. Someone made me breakfast and lunch and dinner and dessert and entertained me and towel animals.

Justin Daniels  1:55  

But interestingly enough, on our cruise, we encountered a lot of interesting areas where we have privacy with apps and information. And so today will be a really interesting opportunity to talk about that because we’re traveling, and maybe we don’t think about privacy, but it’s always there it is.

Jodi Daniels  2:11  

So today we have Eduardo Ortiz, who is the Manager of Data Privacy and Information Governance at Carnival Cruise Line and leads key data privacy and protection programs. He is a passionate privacy professional and loves to amplify all things data privacy, expand his knowledge, provoke discussion, and incite action. We’re so excited that you’re here with us today. Can we go on a cruise? Where are we going? Yeah,

Eduardo Ortiz  2:36  

Yeah. Fun fact. I’ve actually never been on that cruise.

Jodi Daniels  2:40  

Oh, my goodness, we might have to change that.

Eduardo Ortiz  2:43  

Yeah, I’m looking to change that here pretty soon. But I’m so excited to be on the show with you guys. As I was sharing, you know, in some networking circles, in an exploration of some great resources to expand my skills, I was, you know, fortunate enough to encounter you guys’ podcast and I’ve been listening ever since. And my favorite place to listen is in the sauna.

Jodi Daniels  3:12  

We’re so excited that our podcast is helpful and useful to your daily job. So thank you so much.

Justin Daniels  3:20  

Or you can just come well, you’re in Houston. So it’s not like you could just step outside. You’re in a sauna.

Eduardo Ortiz  3:25  

Yeah, yeah, that is true. That is true. But yeah, so So yeah, I prefer to sit down in the nice sauna and and listen to you guys have some really thoughtful discussions with some very experienced practitioners in the space. So it’s been it’s been great.

Jodi Daniels  3:44  

Yeah, get us started.

Justin Daniels  3:45  

Let’s get this party started. So, Eduardo, yeah, talk to us a little bit about how your career evolved to this point with Carnival Cruise Lines.

Eduardo Ortiz  3:55  

It’s, uh, you know, it’s been, like a lot of privacy professionals. I’ve taken a, you know, maybe an unorthodox kind of route to get here but I’m a reformed sort of classicist and educator so long ago, I wanted to be a teacher, a professor, actually, so went to school and got my all my degrees in Classical Studies, which is just broadly speaking, a study of kinda like the ancient Mediterranean. My my focus was more historical and linguistic but came back needed a job, moved back to Houston, it’s my hometown. I was living in Philadelphia at the time for grad school at Penn. But um, I learned quickly that you could make a lot more money in the oil and gas industry here than you could as a teacher, sadly enough, so. I knew I knew a guy who had a friend and took my first job at an exploration company, in their sort of information management space, and then just, you know, it naturally sort of evolved into more governance type work. And then at my couple of companies ago, large natural gas and electric utility, headquartered here in Houston. Privacy was something new at the time. And so naturally, they kind of came to the information governance space and said, Is there anybody here who wants to help us stand up a program? You know, develop principles and do road shows, and do all this kind of stuff? And I said, Sure, I’ll do it. And that was my formal introduction into privacy. And I never looked back. And since then, I’ve been able to work with some great people. And now I’m here at here at Carnival.

Jodi Daniels  5:50  

Basically, a typical privacy story, you were kind of asked to do something you said yes. And voila, here you are. And it comes from a variety of, of different parts in a organization, which I find really interesting.

Eduardo Ortiz  6:04  

Yep. And I love it, I’m so glad that I raised my hand for that opportunity. Because, believe it or not, the challenges that learning privacy, you know, it’s called out of me so many challenges that allowed me to use a lot of the skills that I learned, you know, in school, or that just kind of a little more naturally. So it’s been a great a great way to apply, you know, this, you know, kind of a liberal arts degree to something that is sometimes more technical.

Jodi Daniels  6:40  

Well, we recently went on a cruise, it was wonderful. It was to Alaska, it was beautiful. I miss it a lot. And it was amazing. And, of course, because we’re thinking of privacy and security all the time, on our experience, we were mindful of all the places that we were giving data. Now, at the same time, maybe not everyone is taking their cruise with that lens, can you share? What kind of compliance do companies in the cruise industry need to think about that maybe customers don’t realize?

Eduardo Ortiz  7:15  

Yeah, sure, there’s a number. So I’ll kind of just point out some of the, the highlights, you know, cruise companies operate in a highly highly regulated environment. And, you know, they must comply with an array of international, national, local laws, regulations. So it’s, it’s beyond, you know, just a business, onshore, right. And so, some of the types are maritime laws, you know, cruise lines, they need to, you know, adhere to various sort of international safety, and life at sea laws. And so you essentially become, when you, when you start to think about it, you know, effectively, a cruise ship is just kind of a traveling sort of business, right? That, that crosses over several different jurisdictional areas, and, and at any given time, needs to be prepared to respond, you know, compliantly, to a lot of those challenges. So it’s kind of, it’s kind of hard, you know, because those those laws regulate, you know, aspects of our operations, the construction, the equipment, you know, the crew working conditions, then you have environmental compliance, right, which is a really, really big one, we, we pertaining to, you know, discharge of waste, sewage, that is, you know, all of that waste that gets generated on ships has to go somewhere, you know, there’s a lot of hazardous materials, we have a huge focus on preserving and protecting marine life. And, and, you know, we have a bunch of environmental protection plans in place to help us do that. There’s all types of health and safety things. And then of course, there’s, there’s privacy, right. And so, you know, given the global nature of, of cruising, there’s just various, almost all the laws, you know, that all the privacy and data protection laws you can think of apply to us. And so, it makes it especially challenging, because we have to, you know, we have to prepare to respond to, you know, to all of those challenges. 
So, those are just some there’s, there’s a and there’s a lot of customer touch points, you know, on a cruise ship that impacts privacy that you might not think about.

Jodi Daniels  9:42  

Can you share a little bit about what some of those are? Maybe provide a couple examples.

Eduardo Ortiz  9:48  

Yeah, sure. Um, you know, in some, are you so there’s a, you say you’ve been on a cruise. There’s areas where you can play games like casinos and things like that, right. And, and you as part of interacting with those experiences, you exchange a lot of your your, sometimes your personal information in your personal financial information, we have health and medical facilities and practitioners on cruise ships that are there to serve people with, you know, disabilities or people who encounter safety incidents, things like that. So there’s a lot of passenger engagement touch points, there’s, you know, some cool apps that you can use to, that you can download on your phone to enhance your experience. And depending on you know, where you are on the ship, you may, you know, be guided to enjoy, you know, this show or this, this, you know, fun event. And so it’s, it’s, there’s WiFi on the ships, it’s a really connected experience. And, and so you know, our app, some of our apps are in the App Store, and, and you can go and read the privacy policies around some of those things. But those are just some examples that I think people don’t necessarily think about, you know, when they’re when they’re boarding when they’re boarding a ship.

Jodi Daniels  11:14  

I think it’s always helpful to have examples. So thank you for sharing. They’re very fresh in my mind, because we were just on the ship a month ago. To me, it’s

Eduardo Ortiz  11:24  

what were some of the Yeah, what were some of the things that you encountered on the ship that that kind of stuck out to you from a privacy perspective? Start,

Justin Daniels  11:34  

the cruise card that you have that allows you to pay for stuff on the ship would be one, the app, which allows you to chat with your kids, you know, with Jodi and how that data is treated once you leave the cruise ship? And what can be done with that data?

Jodi Daniels  11:51  

Those would be the big two because they were getting on the ship. Well,

Justin Daniels  11:55  

yeah, that’s right getting on the ship, right, authenticating your identity

Jodi Daniels  11:59  

sent and then all the embarkation and disembarkation information, there was a lot there.

Justin Daniels  12:07  

That’s true, how they identify you to get off the ship back on the ship. And then even backing up from the cruise line is just the difference of going through US Customs versus Canadian customs and the pictures they want the information they would want. And then you get into children that are on the cruise. It’s just really an interrelated web of challenges that a cruise company has to face. Not to mention all the other laws and things that you talked about. So that was our experience of what we thought was interesting.

Jodi Daniels  12:36  

But we’re nerdy. And it does come to towel animals, which are the best things ever. So and they’re really hard to try and do I took a class on it. It’s very hard to do. Okay, but we’re gonna come back to privacy now. So,

Justin Daniels  12:50  

Eduardo, one of the things that you had talked about was, is that just about every single privacy law from different countries apply, because you’re an international company, you set sail all over the place all across the globe. And so how do you begin to manage privacy and security when a cruise might have people from the EU, the US, China and all over the place? And you’ve got to figure out how to manage all these laws and do it in some coherent fashion?

Eduardo Ortiz  13:18  

That’s a tough challenge. Yeah, yeah, it really is a tough challenge, you know, our approach, you know, one approach that we’ve, you know, found, you know, successful in that we think demonstrates, you know, us going beyond compliance is really just, you know, take taking the most sort of restrictive approach that we can, right, and really just adhering to those to those laws that, you know, that place, sort of the heaviest challenges on us to from a compliance perspective, and then and then do our, you know, do our best to exceed, you know, complying with those laws. And so, that’s, that’s one of the ways that we’ve found is better for us, you know, we’re constantly monitoring, you know, the patchwork of the US State privacy laws and other laws globally, that are continuing to come online, we’re constantly monitoring those to look at, you know, the areas already for which we have coverage, and kind of just really honing in and focusing our operational efforts and our programmatic efforts on on the delta. Right, and just looking at, okay, you know, we do a lot of these things already, you know, XYZ new law has come online, and, and these are, you know, some of the different challenges, you know, brought about because of that law. So let’s focus on those rather than, you know, all of the things that that we already do. So, we we so that’s one one way another way is we we communicate regularly, you know, across our country jurisdictions, we tried to set a global, you know, standard and, and, you know, leave it up to our individual brand, privacy SMEs to develop their own sets of procedures and processes and standards that align, you know, with, with the global approach, because it, it really supports sort of that, you know, some of the cultural and societal kind of uniquenesses that align with people’s privacy, you know, expectations and preferences in different parts of the world, because they’re not the same, right.
And so, there, there’s a degree of autonomy there across our brands. But we really all roll up into this, this higher standard that that is very restricted from a privacy standpoint,

Jodi Daniels  15:56  

One of the questions I’m always asked is, where should privacy sit in the organization? And in our pre show, you gave a little bit of a hint of how you all organize that? I think, because you have such a global nature, that’s really interesting to people, can you share? How is the team structured to be able to address all these different laws?

Eduardo Ortiz  16:17  

Yeah, so so were, you know, at a different at a different company privacy sat directly under legal and legal was its own, you know, organizational function, even outside of compliance, right. And so was, so was ethics, but here at Carnival, you know, we all all of the functions I just mentioned, sit under this larger global ethics and compliance organization. Right. And so, and that is really because it supports, you know, our, our vision for privacy, and some of the other functions that sit under that organization, such that we are the people that should be, you know, doing the monitoring, and, and, and checking, if you will, that the different, you know, stakeholders are, that their processes and data transactions align with the guidance that we’ve set out. Right. And so, that’s, that’s how it’s structured right now. Right? It’s it sits under global ethics and compliance. And that really is because we want, we want an inherent focus on on monitoring the business, developing controls, you know, monitoring and testing frameworks to understand where there’s opportunity for improvement, where there may be areas to prevent and detect risk. But that’s really our function is offering, you know, providing that that guidance and that subject matter expertise not actually doing doing the work, if you will.

Jodi Daniels  18:03  

A follow up question is some organizations have kind of a central approach. And then they do some of that work. Some have that hub and spoke kind of that champion idea where there might be a central team. And then there’s other privacy SMEs or advocates through the organization, how does it work for you all, for example, if you have your and let’s just use corporate as an example, you have a corporate team. And let’s say the marketing team wants to do something new and interesting. Does your team work with directly with that marketing team? Or is there also a privacy person? Or even part of a person in marketing? Who’s responsible for privacy?

Eduardo Ortiz  18:44  

Yeah, the the former. So I would say that, so I think maybe that’s more of the hub and spoke kind of thing. So if marketing wanted to do something, then we would work with that team directly to, you know, help them understand the do’s and don’ts of their ad tech, for example, right? And we would provide standards that supplement the policy to support, you know, the work that they want to do, right, and we would be the ones that, that really provide that guidance to say, you know, you can and can’t do these things. But we would like right, you know, I think that as time if, as, as our roles, you know, across the industry just become more technical by way of just evolution and all these things. We would like to have sort of these champions sit within each function, who’s, you know, who have some kind of formal slash informal privacy responsibility, such that they’re the go to person to work one on one with us, and we kind of do I mean, we kind of do have that, like if I were to work with, you know, the marketing team today, there’s a core set of people that I already know I would probably be working with, right? But but it’s not us doing the work, it’s us providing the guidance, and then letting them go and do the work. And then we will, we’ll come back around and have a conversation and say, Okay, let’s see how you did. Thank you for sharing. Yep. So

Justin Daniels  20:25  

Kind of speaking on that topic. You know, every time I’ve been on a cruise ship, they’re always trying to come up with new ways for people to have fun and can engage and have a great experience. So that three weeks later, like we are, we’re still wistful that we would be back on the cruise ship. And so, you know, what I wanted to ask was, can you talk a little bit about how and when privacy and security kind of engaged for offering new services, like maybe when you first introduced a chat app, so people could use that on the ship, because Wi-Fi in international waters can be kind of spotty, or some other example of a new service and how privacy and security can impact how that service is not only designed, developed, but also deployed?

Eduardo Ortiz  21:14  

Yeah, yeah, I can talk sort of just generally about, you know, some of the some of the types of services. So you mentioned, when you when you onboarded, that they gave you sort of a spin card, right? You mentioned also that, you know, you can download an app, stuff like that, right, we have similar, right, we have similar products and services that can enhance the customer experience. And so, you know, we’ve worked with teams that say to us, hey, we want to, we want to create this app that a user can download. And that will basically track them, you know, throughout their cruise journey, to help them, you know, get the best experience by pointing out, you know, things on the itinerary that they’ve already, you know, indicated as interesting to them, you know, and so, for us, you can imagine that, that’s, that’s, that’s risky, right, for all for all kinds of reasons. And so we work very closely helping the engineering teams, and legal teams, you know, talk and talk to each other and understand each other to say, Okay, let’s really, you know, sit down and assess sort of the, the impact to people’s privacy that, you know, the type of service like this would have, and a lot of times we find that, you know, the engineering teams, either are, you know, should maybe, should maybe come to us earlier, because what they want to do is really more involved in than they maybe initially thought it to be, or they’re just not really thinking through a lot of the privacy implications that that come along with, you know, an example like that, right. But but we do have, we do have fun services like that, that you can, you know, interact with, you know, through your, through your mobile devices and, and kind of carry with you, you know, carry on you as a person on your person throughout your cruise experience. But it comes with just, it comes with a really a process that really requires a lot of vetting to ensure that we’re upholding people’s people’s safety.

Justin Daniels  23:42  

And I guess what’s interesting about that story, Eduardo is like, when we were on the ship, there are people from Europe, there are people from China, Japan. And so when you’re thinking about releasing that app, and the engineers come to you, I bet you they’re not only not thinking about privacy, but it’s not just oh, US privacy laws, because you’re in international waters. But on top of that, you’ve got to figure out how to roll this out for residents of all these different countries whose laws

Eduardo Ortiz  24:11  

are different. Yeah, no, no, you’re right. And so we make sure that, you know, anyone engaging, you know, with those types of products and services, you know, is providing, you know, sort of their, their, their own, you know, actionable informed consent, right, we don’t we don’t allow anyone to engage with those services without allowing them to, you know, to opt into doing so, right. And then, if we, if we are at any point change, you know, what, what the purpose of those services is, we again, we go through another round of making sure that we have, you know, consent from our users to engage in that kind of activity? And so it really is it, I would say that the impact we’ve seen, really is sort of a flow down impact that I would say maybe is realized in an uptick of people wanting to exercise their rights, right? So a lot of times, we’ll see, you know, people go have these cruise experiences, and then almost immediately after the cruise experience, right, they want to say, hey, delete my data, right? Or, you know, and, and a lot of times, we have to explain to them, Hey, you know, because of different, not just privacy laws, but maritime laws, and, you know, different international laws that we’re subjected to, we can’t just do that, you know, five days after you cruise with us, right, we have to, legally, we are complied to, you know, from an audit perspective, from, you know, just regulatory perspective, we’re required to keep on to some, some data for some amount of time. But that’s what those are, some of the challenges that I would, I would say, is people are more informed, definitely, and more aware of the rights that they have over their personal information.
And so, you know, there is a challenge with deploying products and services that must meet, you know, the sort of this, this kind of, like you said, very diverse population of users from a privacy law perspective, but we take a very restrictive approach, we make sure we’re transparent, we make sure we have their consent, and then we sort of handle that on the back end, when people want to start exercising their rights, and, you know, taking, taking control of their personal information.

Jodi Daniels  26:48  

Privacy industry is on fire, we have new laws coming out all the time, you have people trying to create cool new services, like we just talked about, marketing is changing as well. And I’m curious, what are some of the big kind of internal challenges that you think your team is is experiencing, which is likely very, very similar to what other teams are experiencing?

Eduardo Ortiz  27:17  

Um, you know, I would say, data, you know, data is vital to any organization, and because of that, I would, you know, say that privacy, you know, by by just connection there is also is, is vital to essential, right, is essential to an organization. So, we have lots of data, right? And we generate, and transact lots of data as part of doing our business, right. And then at some point, that data, you know, meets meets its business objective, and needs to kind of get moved on throughout its its life, right. And so, I think one of the challenges is just making sure that, as an organization, everyone understands their, their role as a data steward. And really, you know, we use just like, we use every customer touchpoint as an opportunity to inform, you know, our, our guests of our data practices, we also use, you know, a lot of our employee touch points as opportunities to remind them of their responsibilities to be to be data stewards, right? Because ultimately, that that is what helps us drive some, some projects and programs from actionable insights, but it also helps set us up beyond compliance. And so that’s, that’s a challenge, I would say data is a challenge. Another challenge is just getting the business to see that we are really, you know, here to enable, you know, a lot of the ideas and services and products that that they, you know, come up with, we’re not here to block those, we’re here to support them. But we want to do that in a way that, you know, aligns with, you know, our policies and our standards. And so, we, we try to position ourselves as partners that want to be involved early. And sometimes that’s a challenge. But the earlier we can get involved, the better, the better we are, you know, the better we’re able to support those teams in the in the the more pleasant the experience, right. And so I would say those are two big challenges. The third one is we are a global organization. Right. 
And so we’re, we literally sit in different time zones, different countries. You know, I have counterparts that I was meeting with, you know, at seven in the morning, who are, you know, across the pond getting ready to go to sleep, right. So, so sometimes we need to, you know, there’s a slim sort of burden on us to make sure that we’re, you know, over communicating and doing everything that we can do to make sure that we’re meeting regularly. And that, that we’re aligned. But but those are three big ones that that are, that may be kind of obvious, but they just they impact us as well.

Justin Daniels  30:31  

So when you’re out at a cocktail party, or hopefully soon on a cruise in the evening, what might your best privacy or security tip be for your listeners?

Eduardo Ortiz  30:44  

Yeah, I would say that if, you know, if you are a privacy, you know, professional or expert, you know, you I, I see myself as having a responsibility to help my family, friends, you know, understand, you know, the value of their information and ways that they can protect it. Right. But if you’re not a privacy person, right, I would just say that, you know, be mindful of, you know, when, and, and how much of your personal information that you’re sharing, and just kind of remember that, you know, in different parts of the world, it’s not, it’s not so normal to just pass out your email, or pass out your phone number, right. And, and some, in some places that might actually be frowned upon if somebody were to, were to ask you that right. And so the next time you’re asked for a piece of personal information, whether it’s at the doctor’s office, or your kids school, I would just, you know, I would invite you to really consider why why people are asking for that information and what you are handing over.

Jodi Daniels  31:58  

And when you are not managing privacy for a global cruise line, what do you like to do for fun?

Eduardo Ortiz  32:06  

I love to run. So I am a runner, and I love to ride motorcycles. So that is what I do for fun.

Jodi Daniels  32:17  

Privacy people like to hang out with other privacy people. And if someone listening would love to connect with you, where can we send them?

Eduardo Ortiz  32:26  

You can send them to LinkedIn, I’m on LinkedIn, that’ll be the best place to find me. I’m always open to new connections, primarily because I love to learn and listen. And so I always want to offer any support I can. But I think you know, my first my first instinct is to just listen and learn from all the very experienced people that I’m already connected with.

Jodi Daniels  32:53  

Well, we’re so excited that you shared all that you did with us today. Thank you so much again. Awesome.

Eduardo Ortiz  33:01  

Thank you. It was a pleasure.

Outro  33:06  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.
