RadarFirst Blog

Scaling a Privacy Program for the Future

In a special executive session of The Privacy Collective, Greg Sikes, Vice President of Product at RadarFirst, talks with Ron Whitworth, Chief Privacy Officer of Truist, one of America’s largest new banks, about what it takes to prioritize and scale a privacy program for the future.

Whitworth discussed the rapidly changing privacy regulatory environment and offered his perspectives on how teams can improve business processes and make faster decisions through digital transformation. You can catch the on-demand discussion here.

The merger between SunTrust and BB&T has made Truist the sixth-largest bank in the country. As the manager of Truist’s privacy and technology compliance programs, Whitworth discusses the importance of prioritizing privacy and incident management during a merger.

In our discussion, Whitworth advocates for putting clients – and their privacy – first while being creative and proactive to make the entire organization successful, stating “Approach privacy, not as a compliance exercise, but as a business enabler and facilitator. We are here to enable the business, we’re here to do it the right way.”

7 Key Questions to Ask of Your Privacy Team

What was helpful during the merger was that both companies had similar philosophies around privacy and putting clients first. For Truist, developing and scaling a new privacy program began by taking both companies’ philosophies and magnifying them. Whitworth offers key questions organizations can ask of their privacy teams, whether or not they are going through a merger:

  1. What is our objective, what are we trying to accomplish?
  2. How does privacy play into our mission and how do our core values play into that?
  3. How are we organized?
  4. How do we think about challenges?
  5. How are we getting work done?
  6. What is my team responsible for?
  7. How does our privacy program align with our purpose, mission, and values?

The Journey: Two Trains Running on Similar Tracks

Whitworth walks through the merger journey and outlines how Truist has built privacy into its products and services. When combining businesses, Whitworth says he was fortunate to have a blank slate to incorporate the best from SunTrust and BB&T.

Their thinking: “If the best of the two is not good enough, or if it’s not going to be appropriate for Truist, let’s do something different, let’s do it a third way.” Whitworth refers to the process as “two trains running similar tracks,” with two sets of privacy compliance processes, two sets of incident response processes – all while the landscape is changing.

One of the biggest challenges Whitworth faced is what we all face – the world doesn’t stop. Throughout the merger, Whitworth says they were additionally managing day-to-day operations and privacy risks.

Scaling Privacy Programs for the Future

For continued success in scaling privacy teams, the privacy program in an organization needs to be up-leveled and cross-functional, giving privacy leadership access to areas such as compliance, incident management, legal, technology, marketing, and the data office.

For example, Truist's first-line data privacy delivery and operations team sits in enterprise data, because for Truist, it’s all about knowing where your data is, using it, restricting it, etc.

“Being flexible and nimble, and reacting to the world around boils down to digital transformation and embracing automation, including building processes that help make us more efficient,” comments Sikes.

According to Whitworth, “We need to make sure we’re very closely attuned to the regulatory environment and the laws that are proposed, laws that are changing right before our eyes, but at the end of the day, trying to build for that future so that we can easily react.”

7 Best Practices to Up-level Privacy in Your Organization

How do you keep the executive team and the board aware of the progress that you’re making with privacy initiatives? Whitworth outlines these seven best practices:

  1. Get invited to risk committee or strategic meetings.
  2. Involve the executive team in your privacy initiatives and projects.
  3. Be upfront with what you’re trying to accomplish.
  4. Approach privacy, not as a compliance exercise, but as a business enabler and facilitator.
  5. Be proactive.
  6. Make sure that the business understands that they own privacy too: their business, their clients.
  7. Establish a constant line of communication. You want to be able to bounce things back and forth. You want them coming to you for advice and guidance and just making it known that the privacy program is here to support them and to enable them.

“Privacy has evolved into something a lot more dynamic. I’m excited to see so many people jumping into the privacy profession. I think we’re all collectively going to make a huge difference in our businesses. It’s really an exciting time for everybody,” states Whitworth.

For more insight from industry professionals on issues around privacy security, incident management, privacy regulations, and digital transformation strategies, check out The Privacy Collective, RadarFirst’s resource that brings together the privacy community to connect and share.

Join the Conversation

Every month privacy professionals come together to share ideas and network at The Privacy Collective. Join for free today to attend upcoming events and gain access to our on-demand library of previous sessions.
