In this Volunteer Spotlight, The Privacy Advisor caught up with Medtronic Senior Manager of Privacy Risk Assessments Elena Ames. She leads a team that devised and maintains Medtronic's global data protection and privacy risk assessment program, which supports the company's innovation and regulatory compliance.
Ames previously dealt with compliance, risk and privacy in senior management roles at Land O'Lakes and Deluxe Corporation. She has expertise in compliance efforts for various regulatory frameworks, including current focuses on the U.S. Health Insurance Portability and Accountability Act, Canada's Personal Information Protection and Electronic Documents Act and the EU General Data Protection Regulation.
Here, Ames discusses her approach to aspects of regulatory compliance and her thoughts on current global privacy issues.
The Privacy Advisor: In what capacity have you volunteered with the IAPP?
Ames: I’ve been a co-chair of the Twin Cities KnowledgeNet for the last three years. The most rewarding experience I’ve had during my tenure has been serving our local community of more than 400 professionals, which has allowed us to connect more deeply and to encourage and witness the growth in our careers. I knew that this community was very friendly, but I didn’t anticipate just how supportive and engaged these people are!
The Privacy Advisor: What drew you to a career in privacy?
Ames: To be honest, it was almost a complete accident. I had been working in retail compliance in Arkansas for about nine years when a privacy leader in Minnesota took a chance on me and hired me into a newly created privacy role. Once I learned more about what the role entailed, the entire concept of “privacy” really hit home as a personal matter because of my family history. My grandfather grew up in the Soviet Union and, at one point, became an “enemy of the state.” He was sent to labor camps in Kazakhstan, where he was under constant surveillance and subject to random searches, interrogations and travel restrictions. I feel that, in some small way, my advocacy for good privacy practices helps me to reverse some of the damage that happened to people like my grandfather and prevent such things from occurring again.
The Privacy Advisor: In your view, what is the key aspect to a successful privacy program, and why is it so important?
Ames: My answer is probably a bit different than most privacy professionals. For me, a successful privacy program is not about conforming our operations to some set of “privacy principles.” It is about helping a business to meet its objectives by using data in an ethical way. Privacy laws exist not to stop businesses from being successful, but to help them succeed by gaining the trust of individuals.
The Privacy Advisor: When you’re tasked with interpreting a new privacy regulation for your company, what aspect of the law do you address first and why?
Ames: My first higher degree was in linguistics and my first job was as a translator/interpreter. When I interpret a new privacy regulation, I mentally return to the times in which my primary goal was to help two parties communicate effectively and efficiently. In that way, I became a link in their mutual success. Likewise, I now see that laws are constantly evolving, and these changes have significant business impacts. Using a risk-based approach enables a company to be faster and to engage in change management with significantly less pain. This approach will also help to quickly identify the best place to place boundaries around impacted operations, assess the extent of the impact, and help the relevant stakeholders develop a solid plan to achieve their business objectives. The most important part of being a privacy professional is coming to the realization that we are not applying privacy principles in a vacuum. We must engineer solutions that generate value in a responsible way.
The Privacy Advisor: What privacy-related topic do you emphasize most in discussions on risk management?
Ames: The topic that has been coming up most frequently of late is the valuation of data. As we are all aware, data elements have different values and, depending upon how they are used, different levels of risk. This means that context is critical. You can’t simply identify the data element and then assume that the risk analysis is complete.
The Privacy Advisor: What was the most challenging situation you’ve faced in your privacy career, and how did you overcome it?
Ames: Achieving business buy-in with respect to privacy-by-design principles has been challenging, but it is possible to overcome. First, the implementation of privacy-by-design principles must begin with change management. Second, those principles must be translated into actual requirements so that the business can understand and implement them in their solutions. Third, as a privacy professional, I am accountable for this and therefore must be prepared to prove that privacy by design is, in fact, embedded into the business. Because of that, it is critical for me to set up privacy “gates.”
The Privacy Advisor: What is the greatest privacy challenge that no one is talking about?
Ames: In my mind, the greatest challenge that is going undiscussed is how we move privacy from a “privacy person” concern to a “business person” concern. In other words, how do we get business people to own privacy in such a way that they become active privacy advocates? As a privacy professional, my role is to decode all that complexity, to bring definition to all those gray areas and to create or supply my business with appropriate tools and solutions so that they make sensible decisions regarding privacy risks. In short, as a privacy professional, I want to keep my focus on comprehensive initiatives and on the removal of obstacles so that businesses can meet their objectives while using data in an ethical and compliant way.