From energy efficiency enhancements and occupancy solution systems to Internet of Things and biometric solutions, and more, Johnson Controls works to enhance the sustainability and intelligence of buildings in 150 countries around the world — including major airports like London, England’s Heathrow Airport, hospital systems, university campuses, and sports and entertainment complexes.

As it is quickly becoming a “leading pure-play smart sustainable buildings enterprise,” Vice President and Chief Privacy Officer Sachin Kothari, CIPP/US, said the company is leading and differentiating itself beyond technology in the space, through its Privacy Center.

“Privacy leaders struggle because there’s so many risks out there. Everyone is thinking through that risk-based lens — how do we handle this law, this breach, or incident response. But what’s happened is because of that mindset, not many people have been able to identify that those are minimum requirements — those are the things you have to have,” he said. “But privacy, in this day and age, in any industry, is an opportunity to be a commercial differentiator. If you do it right, there’s tremendous opportunity here.”

Kothari said he saw and embraced the opportunity for Johnson Controls to take an offensive rather than defensive privacy position three years ago when he joined the company — after previously serving as the managing director of Global Privacy and Compliance at AT&T — and began growing the Privacy Center with the support of the executive leadership team. Kothari believes Johnson Controls’ Privacy Center sets a new industry standard in transparency and innovation in privacy.

With Johnson Controls’ wide variety of clients and services — including facial recognition security and automation technology to identify threat actors in public spaces, as well as tools to identify and track building occupancy and location data — privacy is a “key component” in demonstrating transparency and building the trust of customers and employees, as well as global regulators, Kothari said.

The Privacy Center outlines how Johnson Controls products and processes are developed to empower its customers within privacy and data protection laws worldwide, and how privacy by design is built into products and services. Visitors to the Privacy Center can find the company’s Global Privacy Notice, which Kothari said has been written in a streamlined way. It details how the company handles personal data, its philosophy around the importance of building privacy and data protection into its offerings and relationships, and the rights of data subjects with access to a privacy requests portal.

The key component of the Privacy Center is Data Privacy Sheets, documents publicly available on the website describing exactly how personal data is processed through specific Johnson Controls products and services, what personal information is collected, how it is processed and stored, how long it is retained and for what purposes.

“At the end of the day, we are processing data on behalf of our customers, everything from building data to individual data to public data. Anyone can say trust us, trust we are doing the right thing, have confidence in us, but being able to show how we do it is how the Privacy Center really prevails,” he said. “We show exactly how privacy by design is built in. We show the data flow diagrams and how personal information is captured. This is how we’re able to differentiate ourselves and show why you should trust us.”

Going deeper, Kothari said the Privacy Center also explains international data transfer mechanisms utilized by Johnson Controls to transfer personal data, either on behalf of the company or a customer, including binding corporate rules and standard contractual clauses in the European Union, the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules and the Privacy Recognition for Processors, and the EU-U.S. Privacy Shield, which the company continues to comply with until a replacement framework is implemented.

“The Privacy Center itself is, first of all, a communication mechanism. It speaks to our customers, our vendors, our regulators, our employees, and our investor relations — what is Johnson Controls’ stance on privacy particularly as a company that is so diversified,” he said. “Privacy becomes such an important element for companies like Johnson Controls. That’s what the Privacy Center does, it shows what privacy and privacy by design means to us, and what our mission in general is as we look at this not just from a regional stance, but as a global operator across every jurisdiction.”

In today’s world, with technologies advancing rapidly and regulations emerging and strengthening around the world, Kothari said he believes it’s important for companies to do more than talk about building trust and confidence, noting Johnson Controls’ Privacy Center is an example of a “multi-pronged approach” showing a commitment to responsible and compliant data use and privacy in a transparent way.

“You must be able to show or explain your case. If you can’t do so in a simple, clear way that encompasses ethics, that encompasses compliance, that encompasses the ability to comply with regulations around the world, then it’s going to be a challenging environment for you regardless of where you operate,” Kothari said. “The way that you do that is not only through the communication of your charter, of what you stand for, what your policies are, but also being able to show how your products, how your services, how your commercial capabilities value and show what you are saying and how you are doing it. You can’t just tell the story and not show it.”