Privacy Ref Blog

What you don’t know may (pleasantly) surprise you

Today I find myself in Louisville, KY performing a privacy assessment for a client. When visiting clients to perform an assessment, I meet with team members from all parts of the organization. Usually, I am accompanied by someone from the privacy office or legal team. Frequently, my escorts learn something new about the business and just as often are surprised by what they hear.

Who is accompanying me

When doing an assessment, I encounter two types of individuals from an organization’s privacy and legal teams. There are those who are very confident that their organization is following policies and procedures. They are absolutely 100% legally compliant. These individuals assure me that personal information is being properly handled and protected. These individuals cannot see any reason why, when the Generally Accepted Privacy Principles (GAPP) model is applied, the maturity level will not be Optimized.

The other type, the more frequently encountered of the two, is disappointed by the lack of adoption of policies and procedures within their organization. There may not have been any notable data breaches, but that is just luck. They often feel the business units just don’t take privacy as seriously as they should.

Of course, reality is somewhere in the middle. Maybe the people sponsoring the assessment and accompanying me to meetings are posturing. They are certainly trying to set my expectations. In actuality, .

Pleasant discoveries in meetings

Walking into a room, with my escort, to discuss privacy with members of a business or operational area often finds the other attendees nervous. They picture my team and me breaking out the bright, hot lights and subjecting them to an interrogation about their departmental practices. The story they tell, naturally, must meet my escort’s expectations and how that person set mine.

By taking a conversational approach to these meetings, we tend to dispel the nervousness of all of the attendees. We ask the attendees to tell us the story of their jobs, how they use personal information and how they protect it. This approach allows us to learn a lot in a very short period of time.

As the discussion progresses, something surprising always comes up. Some process has been defined, some practice has been put in place, or some training activity has taken place that my escort never heard about. I love watching the facial expressions turn from surprise to pride. At the end of the day, even those escorts who thought they were on top of everything admit they learned something new.

Employees care

The fact is that your organization’s employees do care about privacy. They have undertaken some initiatives that you have not heard about. They may be doing a better job processing and protecting personal information than you can imagine.

Every privacy team should take the time to assess how their business is performing relative to their privacy program’s expectations. Regardless of whether the assessment is done by a third party or you do it yourself, you will learn more about the business and those surprises, those hidden gems, will pop out.

    By: Bob Siegel

    Bob Siegel, the founder and President of Privacy Ref, Inc., has extensive professional experience in the development and improvement of privacy policies and procedures, the definition of performance metrics to evaluate privacy maturity, and the evaluation of compliance. He utilizes a combination of alignment, adaptability, and accountability strategies to guide organizations in achieving their privacy goals. He is a Fellow of Information Privacy (FIP) and a Certified Information Privacy Professional, awarded from the International Association of Privacy Professionals, with concentrations in U.S. private-sector law (CIPP/US), US public sector law (CIPP/G), European law (CIPP/E), and Canadian law (CIPP/C). He is also a Certified Information Privacy Manager (CIPM) and Privacy Technologist (CIPT). Siegel is a member of the IAPP faculty, has served on the Certification Advisory Board for the CIPM program the Publications Advisory Board. Siegel also writes the blog “Operational Privacy” on


Posted on April 9, 2019 by Bob Siegel
