By Carly Huth, CIPP/IT

Gamelah Palagonia, CIPP/US, CIPP/G, CIPP/IT, CIPM, is the founder of Privacy Professionals and has been in the insurance industry for more than 30 years. Recently, she sat down for a fun Q&A on her career and how she became the first of her kind: “the first generation of insurance brokers who are privacy professionals.”

Carly Huth: Tell me a little bit about your background?

Gamelah Palagonia: My background is in insurance and risk management, with a focus on technology, digital risk and media. So it was kind of a natural segue for me to get into privacy. But in the insurance brokerage industry, there were no privacy specialists. As I got deeper and deeper into the risk management side, I recognized that there was this big hole in the insurance industry.

Huth: That’s something I hear a lot, given that privacy is still an emerging field. How did you become educated on privacy?

Palagonia: The IAPP helped me fill that void so I could become educated on privacy and the risks surrounding privacy. I decided to be the first of my kind, the first generation of insurance brokers who are privacy professionals.

Huth: How has this increased awareness of privacy issues affected your work in the insurance industry?

Palagonia: I developed a business model that includes risk assessments, privacy training, incident-response planning and all the great things I was taught by the IAPP and how to integrate that into the insurance program. It’s unique because insurance offered today includes coverage for regulatory actions, notice to affected individuals in the event of a breach, credit monitoring and credit restoration. It just seemed to me it was working backwards. Purchasing insurance to cover risks you hadn’t addressed is not a best practice. So I did the reverse. Insurance is a great way to transfer financial risk, but the first steps are privacy risk assessments, training your employees and planning for breaches by developing incident response plans, and then your insurance policy works more effectively.

Huth: How are you spreading the news about the changing ways to address privacy risk in the insurance industry?

Palagonia: What’s difficult is that most people don’t understand privacy in general, never mind privacy risk management and the insurance that’s available for it. So it is a challenge.

Huth: Given this challenge, when you work with a new client, what are some of your first steps?

Palagonia: Now that we have so many news reports every day of data breaches and regulatory actions, it’s getting a little bit easier. Yes, we sell insurance, but the first step is to focus on the risk. Whether it is healthcare, technology, retail, media, we try to educate first. The challenge is educating them about the risk, because it isn’t tangible. If your building is on fire, you see the risk. But if your data is compromised, you may not see it, but believe me, your building is still on fire.

Huth: I agree. What can an organization do to start addressing this risk?

Palagonia: We want to help businesses impact organizational culture, which starts with executive buy-in and commitment to build privacy into the culture. Communicating privacy guidelines and expectations from the C-suite down is essential. To have a real impact on privacy risk, you have to start with your employees; if they don’t understand the risk, it doesn’t matter if the business does. Behavior is hard to change. It’s the biggest challenge. We all must take part in protecting the information. At first, all the news reports of data breaches were helping, but now people are blurring it out.

Huth: I’ve heard some people call it “notification fatigue.” What resources do you suggest to combat it?

Palagonia: I love the IAPP; it has great, fun tools and interesting ways to illustrate risk. For someone new to the privacy field, definitely get certified in privacy with the IAPP. It helps to round out your knowledge. Certification is probably the most important thing a person can do right now, as well as remaining up-to-date, because the laws keep changing.

Huth: As a fellow IAPP member who is certified, that’s good to hear! But resources are only one important component of a privacy program. Are there some best practices you’ve gathered during your career as a privacy professional?

Palagonia: Insurance is great to provide the financial resource to respond to data breaches, but in line with the IAPP model, you have to first identify where your information assets are and understand the risk. Once you identify, you have to determine what laws apply, whether it be protected health information, personally identifiable information, trade secrets or corporate confidential information. Corporate confidential information is still an exposed area struggling to gain traction because privacy laws don’t apply to it. However, once it is breached, it can have a huge financial impact on the bottom line.  

Huth: That’s great advice. Starting a privacy program may seem daunting for any organization but especially for an organization with limited means.

Palagonia: We are sponsoring a pro bono project, starting with the IAPP Privacy in a Suitcase initiative. In May, we will begin offering nonprofit organizations free broad-based privacy training and discounts on compliance-based training. We think this will help a lot as, often, nonprofits don’t have the resources to put into privacy protection but they still have the same risks as larger organizations. We hope to help them get the resources they need.

Huth: Pro bono work is absolutely fundamental. Before you go, I can’t resist asking you one more question. Can you respond to something that a lot of commentators are claiming: Is privacy dead?

Palagonia: I disagree 100 percent. They may feel privacy protections are dead because of some recent reports in the media. But people like me, and the IAPP, can help to dispel that myth. Privacy is our right to claim; it is up to us.

Carly L. Huth, CIPP/IT, is a privacy counsel for The Coca-Cola Company (TCCC), where she focuses on protecting both consumer and employee data. Prior to joining TCCC, Huth was an insider-threat researcher in the CERT Program at Carnegie Mellon University, where her research focused on the intersections of privacy and technology. Huth has been the lead author on several academic articles published in such leading journals as Computer Law and Security Review. She also has international experience, having worked with the Intellectual Property Team in the United Nations Conference on Trade and Development. Huth is a licensed patent attorney.

