Cisco Systems’ Michelle Dennedy speaks to the financial impacts and sales slowdowns that can result from being unprepared for data privacy regulations such as GDPR.
As the world’s largest networking company, with a product suite that includes wireless and mobility, security and surveillance, data centers, video collaboration, Internet of Things, VoIP and remote connectivity, a nearly immeasurable amount of data flows through technologies that carry the imprimatur of Cisco.
With the EU’s General Data Protection Regulation enforcement date fast approaching, we talked with Michelle Dennedy, vice president and chief privacy officer at Cisco, who carries the responsibility of ensuring that this global powerhouse is compliant with data protection and privacy regulations. She provided us with her perspectives on the risks of poor data privacy management, the need for privacy maturity, and the increasing monetization of data.
ANSWERS: With such a significant employee base (roughly 73,000 people), how do you ensure data privacy compliance is baked into Cisco’s employee culture?
MICHELLE DENNEDY: I think our organization is probably indicative of a lot of large companies; we are a moving city of data and we’re global.
The way I look at the strategy around privacy compliance and its execution is to identify the common culture we want to show our internal and external people. Getting under the skin of our daily purpose is the number one thing in getting the culture right for data protection and privacy. You have to know what data supports your core culture and mission, and why you are coming to work every day.
We continually ask, “What is our mission as a company? Who are our customers? What do they care about?” Cisco is in every industry, every government and every place. Information tells a story about every individual on the planet, and we’re the networking people.
We are an IT provider and a network communication connection provider. It’s all about what I call privacy engineering, and we build that fabric into our development communities.
ANSWERS: Do you think data privacy compliance is more and more becoming a topic of discussion among boards and executives (i.e. data privacy is no longer just something for the IT, Legal or Compliance departments to solve for)?
DENNEDY: For 20 years, all we’ve been doing is thinking about data—how to do it better, how to make it better for the business, and how to make it ethical and safe.
I’ve been saying for a very long time that when it comes to data privacy, while it is about human rights, you also want to follow the money. There are really big penalties now, and the people who typically only think about money need to see data privacy as a competitive advantage somehow.
How do you make that happen? Sometimes it’s an external pressure of a really, really huge penalty. Beyond the monetary penalties, the signal that governments are sending is that companies have had decades to get this right and haven’t done so. Now, the penalties (and GDPR in particular) are of the same level of things like product or food safety problems, violations of antitrust law, or collusion and fraud. The level of damage is commensurate with what the politicians have decided is a public requirement.
ANSWERS: What do you see as the biggest data privacy risk that is receiving inadequate consideration?
DENNEDY: The biggest mistake that some are making is procrastination. It’s not too late to start, but I think there are many who are underestimating the complexity of the requirement and how systemic a sea change this is, once you start looking at data as an asset.
Another mistake is treating a new law, from any jurisdiction, as if it is a one-and-done event like Y2K. I hear people already saying, “I can’t wait till May 26, and we’re done with GDPR.” I’m cautioning them all. Listen, this is a sea change. It’s similar to how there will never be a time when we don’t look at things like food safety, like air traffic control, like all these other really important protective devices. You’re seeing that reflected in other nations around the world that are stepping up their games and raising their level of data scrutiny.
ANSWERS: Shifting gears, Cisco’s 2018 Privacy Maturity Benchmark Study states that “… privacy-mature organizations are experiencing shorter delays in their sales cycle due to customer data privacy issues.” What specific kinds of data privacy issues cause sales delays, and how can privacy maturity offset those delays and shorten the sales cycle?
DENNEDY: When you think about what privacy maturity is, you can look at a number of different frameworks. For instance, there are the Generally Accepted Privacy Principles, which mirror the OECD principles and fair practice principles. These all have very similar high-level requirements across every piece of regulation and regulatory framework. We tried to map data along the same type of parameters as security, with a zero-to-five scale: a zero rating is if privacy issues are handled ad hoc, “whack-a-mole” style; a rating of five is what we call optimized in both security and privacy: everyone’s trained, everyone knows exactly what to do, every process runs perfectly.
The idea for this study came from a past life when I was practicing as an attorney in the privacy space. I would get a call from one of our sales reps who would say, “I’m doing a deal with Giantco International Company.” I’d say, “Okay, great. What are you selling?” The response would be, “We’re not really sure of everything that we’re selling. We just want you to say yes to everything.” So that’s the first delay to fix: “Do you know what you’re selling, and what kind of a data footprint the sale involves?”
If they haven’t trained and you haven’t been thinking about data or done privacy impact stuff, you can imagine a slowdown. Next, imagine the sales reps in this scenario come back and say, “Here’s what we’re selling,” and then they ask your company to take on unlimited liability as the data controller. If your response is, “What’s a controller? Where are we selling again? Does this apply?” you’ve got another slowdown stemming from inadequate knowledge of the laws.
Then who gets to decide, “I’ll take that risk”? As you can imagine, anyone such as a sales rep who’s directly funded every three months to get something done is probably going to “accept the risk.” Except that now our data is systemic. One salesperson “accepting the risk” is taking on a whole lot of risk and compliance issues for the entire entity. People under pressure at the end of the quarter may cut corners; totally good, kind, ethical people but they don’t really understand the risks, and then they take a risk that can come back years later and you’ve got massive liability. Another slowdown: determining who’s in charge of saying yes to the risks.
You can see all of these add up. When the deals become routine, when you know what you’re doing, when you know what you’re selling and when you’re looking at data through that lens, significant risk is taken off the table and you’re actually transacting for things that matter to your customers again.
ANSWERS: In working with customers, what is your overall sense on their preparedness for GDPR (specifically) and on applying adequate data privacy protections (in general)?
DENNEDY: It’s a mix. I think there are some companies that realize that financial controls are data controls, and data controls are financial controls. They really just have to exercise a bit of a new muscle.
And there are some that understand that they will be first in line as over-the-top type companies or implicated in every regulatory tour of duty. I don’t know whether they are prepared or not because the world is a tricky place. I will say they put a lot of effort into it.
Then, there are other people who still just haven’t got it. They are still saying, “I’m this kind of company. What’s the real risk they’re going to come and get me?” First of all, the “they” is your customer, and the “they” is your employee. And yes, there are regulators involved here but you may even be looking down the barrel of criminal penalties in many places. There are no criminal penalties under GDPR, or personal liability for data protection officers under GDPR, but the European member states are certainly allowed to have those types of requirements in their laws if they want to. We are seeing laws like that coming out in places like Japan, Hong Kong and other places. We’re going to continue to see that movement until people understand this.
If you think data is not important, you just have to simply look up a tiny bit from your area of work and say, “This is not new because we’ve wanted to connect with humans since we were able to crawl out of caves.” Our ability and our expectations to do so and the way we do commerce, and education, and connect with our families are all dependent upon getting this right. So once you start looking at it from that angle you can see this is never going away. It’s money. This is our new currency. This is how we’re going to spend our time and weigh the value of our interaction with each other.
For additional content concerning the use of personal data in the digital age, be sure to explore the rest of our multimedia series: A new dawn for data privacy and transparency.