Editor's Note: The Privacy Advisor features occasional stories on privacy pros and their work in the field. This month, The Privacy Advisor caught up with Ron De Jesus of Deloitte to talk travel, regulations and whether privacy is important to him when he's off the clock.
Ron De Jesus, CIPP/US, CIPP/C, CIPP/E, CIPP/IT is a manager with Deloitte’s privacy and data protection group. He has been providing privacy expertise to clients for more than eight years, through privacy program and environment assessments, privacy training and helping organizations understand their obligations under global privacy laws. He’s a graduate of the University of Toronto and most recently worked at American Express as director of privacy for its global network services business unit. The Privacy Advisor caught up with De Jesus to learn more about his life as a privacy professional.
The Privacy Advisor: How did you get into privacy?
De Jesus: When I was in university, I worked part-time for a consulting firm, kind of like an internship. That consulting firm specialized in the implementation of healthcare systems, and I was actually in school and doing a biology major, so I thought it was a good fit. I was actually planning on going to medical school, but I really started to enjoy the consulting life—traveling and meeting with different clients every couple of months, and I think that’s where I developed my consulting soft skills. Interestingly enough, the wife of the owner of this consulting firm owned her own consulting firm that specifically focused on health information privacy, so I actually jumped ship when I graduated and joined her firm because I was more interested in policy development and the effects of laws on organizations and also in how systems process and protect personal information. Ever since then, I’ve just really had an interest in the various types of privacy and data protection laws out there, whether healthcare-specific or technology-specific or whatnot; cookie laws, for example. I should have been a lawyer, to be honest with you.
The Privacy Advisor:Tell us more about your start at this small boutique firm?
De Jesus: It was based in Toronto. It specialized in health information privacy from a Canadian perspective, so I worked with a lot of Canadian laws including PIPEDA, Ontario’s HIPAA and the PIPAs of British Columbia and Alberta. Like I said, I started with that firm right out of university and pretty much fell into privacy. I didn’t grow up thinking I’d be a privacy professional at all, and I don’t think anyone really does. I was with them for about three or four years, and that’s when I really developed an appetite for assessing organizations against specific privacy laws and privacy requirements. I joined Deloitte in 2008 because I wanted exposure to American privacy law and also to get an opportunity to work with EU data protection laws, which I think are the ones that have the most history and which pretty much form the basis of most of the recent and emerging privacy laws. Deloitte provided me and still provides me with those experiences and opportunities.
The Privacy Advisor: Where do your main interests lie when it comes to the field of privacy?
De Jesus: I’ve done a lot of work in Europe, mainly in London, and a few other European countries. Those were really fun places becausewe actually had chances to interact with data protection agencies and to witness the nuances between the EU countries first hand. I once had a project in Florence, Italy, and it was interesting to observe the differences between what Italians consider “private” information versus what Americans do. For example, it’s not uncommon to see a photo, marital status and age on an Italian’s resume, and if you’re in the fashion industry (as this client was), for example, requesting and providing these details is pretty run of the mill—no matter what industry, really. Whereas if an employer asked for those details in New York, regardless of the industry, it would be like a lawsuit waiting to happen not only because of a so-called invasion of “privacy,” but also because of possible sexist and racist undertones. So it was just cool to observe cultural differences with respect to what’s considered “personal information” and what specific cultures define and value as “private.” That said, I think in terms of my interest level, it’s really with European data protection issues because I think Europeans have a more evolved understanding of privacy, and obviously their laws provide the basis for, and in some cases inspired, a lot of the laws that we see today globally. They’re also the laws that are giving a lot of American companies constant headaches, like the Googles and the Facebooks, which I find really fascinating. And I usually side with the regulators if I’m being honest.
The Privacy Advisor: Anything you don’t like about what you do?
I have the pleasure of working with and learning from a lot of great professionals and a lot of experts in the field, but what I don’t like from an industry perspective is that there aren’t a lot of younger people that are interested in the profession, at least from what I’ve seen at conferences and just in general. I think we, as an industry, need a fresher perspective on privacy. For example, some current EU directives don’t seem to be evolving with the times. Take the cookie law for instance—its requirements are somewhat nonsensical and antiquated from a technology perspective and may already be out of date in the next few years. So I think privacy, as an industry, and I’m not an ageist at all, but I think we need an injection of younger people and we need to get them interested, because they may be able to help regulators develop laws that are more relevant to the technology and that will be more relevant to their own and to future generations. That being said, you don’t see a lot of the Gen Y-ers caring enough about privacy to begin with, but that’s a whole other story.
The Privacy Advisor: How do you explain to people what you do?
De Jesus: Yeah, that’s a tough one. I mean, I’ve worked on my elevator speech. I’m a privacy consultant, but what does that really mean? I think it’s kind of the same dilemma for everyone that’s in consulting in general; when I try to explain to people that I’m basically assessing how companies use and collect and process personal information and ensuring companies comply with privacy requirements, it’s still tough sometimes for people to “get it.” But at the same time, I think it just goes with the territory. What really is privacy? Whenever I mention I’m a privacy consultant, people always get this awkward look on their face or think I’m this secret agent that does something really private.
The Privacy Advisor: Are you big on privacy in real life? Or are you an open book?
If you want to comment on this post, you need to login.