Data privacy

Thinking about privacy by design and data minimization

Brian Clayton of Conduent shares his thoughts on what companies can do to manage data privacy in the face of GDPR.

Today, nearly every company relies on some form of digital processes and analytics to thrive – the more information the better to understand and serve customers. But more and more companies are grappling with the realization that a healthy balance of privacy and transparency is essential.

We recently had a conversation with Brian Clayton, associate general counsel and chief privacy officer at Conduent. As the person driving privacy policy and implementation at the world’s largest provider of diversified business services with leading capabilities in digital interactions, automation and analytics, Clayton is at the heart of the issues around privacy and transparency for both Conduent and its clients worldwide.

ANSWERS: How do you see the situation playing out between regulators who are requesting greater access to data with the need for corporations and financial institutions to protect client privacy?

BRIAN CLAYTON: I think what you see is a real dichotomy, right? You’ve got the regulators wanting to see, know, and access more. Then you have the corporations pushing back, saying no, we want to protect our customer data and our internal data.

I think that’s a good thing. I think you end up with better regulations. If you take financial institutions as an example: suspicious activity reporting came about sometime in the 90’s to prevent fraud and terrorism. At first, I think you had corporations and financial institutions saying we don’t want to have to do this. Regulators said it’s for the greater good, do it. Now it’s become second nature. Over the last 15-20 years, it got ironed out; got a little more cost effective to do because more people are doing it. It’s just become the norm. It’s a good dichotomy. I think it ends up providing for better regulations.

ANSWERS: Do you think we can effectively reconcile national privacy regulations with international requirements?

CLAYTON: The short answer is, yes, you can do it. But it can be complex, right? Oftentimes you get involved with conflicts of law provisions. I think the key is managing and ensuring an informed decision, and that you document your decision.

An example would be, with GDPR coming out, the right to be forgotten. Let’s say you’ve got Bob, who works for your European-based company (which also has European employees). Bob is in Europe providing services and then quits. Maybe Bob was in the pension plan and was providing consulting services. Bob calls up and says, “I want to be forgotten.” GDPR provides for the right to be forgotten. You’ve got to think, in the U.S. he’s in my pension plan, so I can’t take him out of that. I need to leave him in there.

For an audit trail, for the billing and work that he’s been doing, you need to keep his information so when you send your customers a bill, you can say, “Yes, it was Bob, and we charged $25.00 an hour for Bob’s work.” That’s how it is. GDPR allows you to keep data if you have a legitimate purpose. But it makes you think about, “Do I really need all that information about Bob if he wants to be forgotten?”

Maybe not, maybe you can anonymize some of it, maybe you can delete it. Maybe you don’t even care about his name. You just need to know it was an employee, a full-time employee who was at level three or whatever, and he billed at $25.00 an hour. It will make you make an informed decision and document it.

The way I think privacy is going, one of the key concepts you hear a lot about (and this is primarily GDPR) is really privacy by design and data minimization. Think about what you’re doing. All too often when you hear about people doing processes, they’re getting a spreadsheet. Maybe the spreadsheet has a name, address, social security number, date of birth and salary. You have to think to yourself, “Does the person doing that work really need to see all of that information or do they just need to know it’s a person, and that person worked five hours?”

Brian Clayton, associate general counsel and chief privacy officer at Conduent

ANSWERS: How are you advising your clients to evolve their data privacy policies given new regulations like GDPR?

CLAYTON: I think the best way to do it is with a gap analysis. When I talk about GDPR, I tell people that privacy is not new. There was a directive which came out some time in the 90’s. GDPR is the first major rewrite in about 20 years. So you should have some type of privacy plans in place already, right?

So you’ve got a privacy policy which complies with existing laws of privacy. Now let’s take those and do a gap analysis: Here’s what you have today, here’s what you need for GDPR. That gap is going to show varying degrees. It might show you haven’t even thought about a concept because it wasn’t really something that you had to do before. For example, perhaps you need to do a privacy impact assessment (PIA) and look into how your breach notification or breach process works, for things that go bump in the night; you have to have a process to triage that.

Here’s a potential situation. Under GDPR you’ve got a 72-hour notice, whereas in the United States under HIPAA, you’ve got a 60-day window. So you’ve got something in place but you’ve got to drastically change it. Then you’ve other areas where you’ve nothing in place, and you need to implement them. Once you have a gap analysis, you just fill in the gaps and get it done before May 25.

ANSWERS: Do the regulations impact clients in some sectors more than others or some departments of a business more than other departments?

CLAYTON: Yes, absolutely so. Corporations dealing with consumers and a lot of especially sensitive consumer information such as religious affiliation, sexual orientation, and those types of things are especially impacted by regulations. By collecting those types of data, you are far more impacted than those industries that are not selling directly to consumers. There’s still going to be an impact but certainly not as much.

In terms of business departments, certainly the IT department is impacted. In years past, privacy was conflated with the IT department and I think that happens to some extent now. Maybe operations and certain industries and offerings are affected less than IT or HR departments, but every department is affected to some extent.

ANSWERS: With 90,000 employees in 31 countries, Conduent has to deal with data privacy issues in a big way while also helping its clients navigate these issues. How are you training your employees to handle data privacy issues appropriately?

CLAYTON: We do this in a bunch of ways, but primarily through training programs. We offer an online training module on HIPAA; we have an annual ethics training, and an annual business code of conduct training. Those things all touch on privacy. For GDPR, we’re creating a new training module. Online training is a great way for a large corporation to track who took it, when they took it, did they pass it, and were they actually there clicking through, so it’s a good way to monitor and certify employee compliance.

The key is to get people to think about privacy and know that when they get up from their desks they need to have clean desks. When they get up from their computers, they need to lock their computers. All those little things are a critical part of their training.

ANSWERS: What one data privacy issue jumps out as the one that most concerns you for the company? For your clients?

CLAYTON: For me personally, I’d say the answer is the same for our company and our clients: it’s hackers. Hackers are a scary, scary thought – somebody who gets in behind your system. I was at a privacy seminar about a year and a half ago. One of the panelists had mentioned that the average time a hacker can spend in your system without detection is something like 99 days on average. Data theft is another huge concern.

ANSWERS: How do you think GDPR will affect commerce in Europe?

CLAYTON: I think some of the positive impacts are that people will feel freer to share information because of better insight into what is being done with that information. You’re going to have knowing and affirmative acceptance of consumers and individuals when corporations process their data. So, if companies have that, presumably, consumers will be more comfortable sharing data. The legitimization of the company is being able to do data analytics, things that drive advertising, what you see when you’re online, things like that. They are being done in the background now, really without consent in some instances. So I think that’s some of the positive stuff. People who are fearful of Big Brother will still be fearful of Big Brother, but at least they’ll know what Big Brother is doing.

There are definitely going to be some unintentional negative consequences as well. The right to be forgotten, for example, with some of the large online consumers. I can call up and say, “Erase all of my data.” It sounds easy, but it’s hard to actually do. They’ve got back-ups, maybe you called and they shared it with five other affiliates. Or, maybe you’re part of a rewards program. Erasure can be challenging in some instances. Data portability can be challenging in some instances. It can be done, but the negative to that is there’s a cost impact and ultimately the consumers are going to absorb that cost. In addition, it might cause certain things to slow down.

ANSWERS: Do you think GDPR will impact the types of consumer information being collected, perhaps in order to avoid privacy concerns, regulations and penalties?

CLAYTON: I think it will, and I think that’s one of the intended consequences of the regulation. Again, it’s the concept of privacy by design and privacy by default. To use an example, I sign on to an online business to buy books and give them my birthday. The intent when they originally set that up was, we’re going to send Brian a coupon every year on his birthday so he’ll come back and buy stuff. But maybe they never did it, yet they’ve got that data in there.

So they say, “Hey look, we’ve got this data, and it’s Brian’s date of birth. Do we really need it? We’re not doing anything with it, so let’s delete it.” That’s what it’s designed to do. “Let’s stop collecting it. Not because we don’t want to be subject to the regulations, although that’s probably the case, too. But because we’re not doing anything with it, we don’t need it.” That’s one of the things regulations are designed to do – data minimization. People just collect and collect and collect and store and store and store.

Learn more

For additional content concerning the use of personal data in the digital age, be sure to explore the rest of our multimedia series: A new dawn for data privacy and transparency.
