In a recent live Q&A, Tim Smith, Chief Privacy Officer at Unum Group, recommended a back-to-basics approach:
“Focus on the fundamentals of running a privacy office and incident response. Don’t get sidetracked by a lot of work that goes on in the business where there may be no direct privacy laws and regulations. Obviously, it’s important to understand what the business is doing, whether it’s with new communication modalities or big data. But it’s very easy from a privacy office perspective to get sucked into those. They’re bright shiny objects, they’re fun, they have a lot of leadership attention.
“But at the end of the day, the amount of time one spends on those can be disproportionate to whether they actually move beyond the pilot phase or how important they really are to compliance. Giving good clear guidelines and having a process to evaluate something like a communication or a texting campaign—those types of fundamentals are much more important.”
To Survive the Whirlwinds of Change, Be Prepared
As the poll results show, the majority of privacy professionals attending the live Q&A have not significantly altered their processes over the last few months. Smith said this indicates many companies are used to working with people in remote environments.
“To me, it probably reflects a more remote workforce, good policies and procedures, and obviously an incident management system that is either cloud-based and convenient for people to access from anywhere, or a non-reliance on a lot of paper and things that would really tie one to a location.”
Unum has certainly transitioned to a remote workforce well. Prior to COVID-19, about 90% of Unum’s workforce was onsite. Within a week, 99% of the company’s employees were working remotely.
Given Unum’s size, this is no small feat. A Fortune 500 company, Unum Group provides a broad portfolio of financial protection benefits and services through the workplace, and is the leading provider of disability income protection worldwide. More than 190,000 businesses in the U.S. and the U.K. offer Unum benefits.
Even a tornado that blew through Chattanooga, Tenn., where Unum is headquartered, failed to daunt remote workers—including a handful of Smith’s privacy staff. For some, the storm wiped out electricity and internet, and many employees were unable to access work materials through the VPN.
“Because of cross-training and the incident management system being cloud-based, we were easily able to pivot that work to other campuses while our employees got themselves back on their feet.”
Privacy Then and Now
While organizations seem to be moving from transition to adaptation when it comes to remote work, the shift has multiplied privacy concerns and disrupted business processes, and organizations have had to respond accordingly. Smith cited the difficulties many remote workers have with transitioning to a paperless office. Instead of printing papers onsite, employees are now digital-only.
Unum’s privacy team developed a toolkit for working from home and safer privacy practices—such as blocking home printing. Such policies are essential, particularly for heavily regulated sectors. Pre-pandemic, nearly 70% of incidents in the insurance industry involved paper, according to Radar metadata. The percentage is similar for financial services and healthcare companies.
Paper also accounts for a number of notifiable incidents in these same industries:
- Healthcare: 28%
- Insurance: 15%
- Financial services: 5%
Without proper safeguards in place, the number of paper incidents—including those requiring notification—will only increase.
The pandemic has also put regulators on high alert, and the Unum team put in “significant effort” responding to regulatory requests about COVID-19 preparedness. Speaking of preparedness, Smith and his privacy team were well-equipped to handle regulatory inquiries and other unforeseen events due to COVID-19.
He again alluded to the benefits of cross-training and enabling remote access to both a good, reliable privacy incident management system and written processes and procedures. “I can imagine it would have been tough if there were restrictions around location or access to incident management processes or documentation,” he said.
Measuring the effectiveness of your privacy program is challenging in the best of times. It’s much harder—yet more critical—now. For incident management, Smith recommended monitoring incident volumes, turnaround times, and root causes. His team has focused on analytics and reporting.
Lack of Integration Hinders Privacy Workflow
We asked our audience to tell us the most significant obstacle to an optimal workflow for their privacy team. As you can see by the results below, the lack of integration among privacy, compliance, and security tools rises to the top.
Smith said the results weren’t surprising, especially as numerous vendors race to offer solutions to evolving regulatory challenges like incident response and individual rights requests. And, he said, financial services companies are questioning whether they even need to invest in privacy tools to comply with regulations like CCPA or if they can manage it in-house with spreadsheets. He said:
“The complexity comes from the fact that there isn’t one overarching compliance tool and that privacy impacts the entire organization—anybody who touches data. So would you have a TCPA tool, an incident management tool, an individual rights tool? Optimally, you wouldn’t, but I don’t think the environment is mature enough yet for one single tool.”
Technology Is Not a Panacea for Tracking COVID-19
To help stem the spread of COVID-19, governments are deploying contact tracing apps. These apps, which alert individuals who have been near someone showing symptoms of the infection, are riddled with both technical and privacy challenges—such as how these apps collect and store data.
“Fundamentally, the question to me is can technology solve COVID? The answer is: Technology has never solved anything in and of itself—it requires human beings, too. You have to get people to use the app if it’s going to be effective. You have to get people comfortable that their information won’t be hacked, you have to get them to use it, you have to get them to be truthful about it, and the test they take and enter into the app has to be accurate, or you’ll get a lot of false positives.
“The leading apps don’t work perfectly, and they’re dependent on a number of other factors, both human and non-human, both confidence-based and non-confidence-based to make them work. While they may be helpful, I don’t think the tracking apps will ultimately work. I think we’re a long way from technology being a solution.”
Living with the Shades Down: What’s Your Privacy Comfort Level?
Returning to work raises another privacy concern for organizations: How do we adequately protect employee privacy while ensuring collective safety in the workplace?
Health screenings, including temperature checks and symptom questionnaires, could be part of the morning routine for onsite employees. The U.S. Equal Employment Opportunity Commission (EEOC) requires that these screening results be kept apart from personnel files. And if a worker has a confirmed COVID-19 diagnosis, employers should notify their employees without revealing the patient’s identity.
Despite these privacy safeguards, many employees may find containment measures highly invasive. Smith likened it to a neighbor of his who lives with the shades down:
“Privacy is all about how an individual feels. One of my neighbors keeps his shades pulled, and for the three years I’ve been living in this house I’ve never seen inside. Another neighbor doesn’t have shades. The question is: Individually, what is people’s comfort level with a corporate goal? What gets employees comfortable with going back to the office is an individual question. Layered upon that: What are corporations going to require, and are people comfortable with that?”