Privacy Ref Blog

What you don’t know may (pleasantly) surprise you

Today I find myself in Louisville, KY performing a privacy assessment for a client. When visiting clients to perform an assessment, I meet with team members from all parts of the organization. Usually, I am accompanied by someone from the privacy office or legal team. Frequently, my escorts learn something new about the business and just as often are surprised by what they hear.

Who is accompanying me

When doing an assessment, I encounter two types of individuals from an organization’s privacy and legal teams. There are those who are very confident that their organization is following policies and procedures. They are absolutely 100% legally compliant. These individuals assure me that personal information is being properly handled and protected. They cannot see any reason why, when the Generally Accepted Privacy Principles (GAPP) maturity model is applied, the maturity level would be anything other than Optimized.

The other type, the more frequently encountered of the two, is disappointed by the lack of adoption of policies and procedures within their organization. There may not have been any notable data breaches, but that is just luck. They often feel the business units just don’t take privacy as seriously as they should.

Of course, reality is somewhere in the middle. Maybe the people sponsoring the assessment and accompanying me to meetings are posturing. They are certainly trying to set my expectations. In actuality, .

Pleasant discoveries in meetings

Walking into a room, with my escort, to discuss privacy with members of a business or operational area often finds the other attendees nervous. They picture my team and me breaking out the bright, hot lights and subjecting them to an interrogation about their departmental practices. The story they tell, naturally, must meet my escort’s expectations and how that person set mine.

By taking a conversational approach to these meetings we tend to dispel the nervousness of all of the attendees. We ask the attendees to tell us the story of their jobs, how they use personal information and how they protect it. This approach allows us to learn a lot in a very short period of time.

As the discussion progresses something surprising always comes up. Some process has been defined, some practice has been put in place, or some training activity has taken place that my escort had never heard about. I love watching the facial expressions turn from surprise to pride. At the end of the day, even those escorts who thought they were on top of everything admit they learned something new.

Employees care

The fact is that your organization’s employees do care about privacy. They have undertaken some initiatives that you have not heard about. They may be doing a better job processing and protecting personal information than you can imagine.

Every privacy team should take the time to assess how their business is performing relative to their privacy program’s expectations. Regardless of whether the assessment is done by a third party or you do it yourself, you will learn more about the business and those surprises, those hidden gems, will pop out.

    By: Bob Siegel

Bob Siegel, the founder and President of Privacy Ref, Inc., has extensive professional experience in the development and improvement of privacy policies and procedures, the definition of performance metrics to evaluate privacy maturity, and the evaluation of compliance. He utilizes a combination of alignment, adaptability, and accountability strategies to guide organizations in achieving their privacy goals. He is a Fellow of Information Privacy (FIP) and a Certified Information Privacy Professional, awarded by the International Association of Privacy Professionals, with concentrations in U.S. private-sector law (CIPP/US), U.S. public-sector law (CIPP/G), European law (CIPP/E), and Canadian law (CIPP/C). He is also a Certified Information Privacy Manager (CIPM) and Privacy Technologist (CIPT). Siegel is a member of the IAPP faculty and has served on the Certification Advisory Board for the CIPM program and the Publications Advisory Board. Siegel also writes the blog “Operational Privacy” on


Posted on April 9, 2019 by Bob Siegel
