Dr. Ann Cavoukian

Date published: 7/4/2019
Follow Ann on Twitter: @AnnCavoukian
Global Privacy & Security by Design Centre
Website: https://www.gpsbydesigncentre.com

Steve:   Good afternoon. Today our guest is Dr. Ann Cavoukian. Ann’s the executive director of The Global Privacy By Design Center and is also a senior fellow of the Ted Rogers Leadership Center at Ryerson University. She’s the former three-term privacy commissioner for the Canadian province of Ontario in Canada. During her time there, she created the Privacy By Design framework, a framework that seeks to proactively embed privacy into the design specifications of information technologies, networked infrastructure, and business practices. She’s received numerous awards for her significant contributions to the world of digital privacy, including the top 25 women of influence, power 50 by Canadian Business Magazine, and recently top 10 women in data security and privacy. Needless to say, a lover of privacy and freedom.

Without any further ado, it’s really my pleasure to be able to sit down with you for a conversation on this important topic. So, welcome to the Nonconformist Innovation Podcast.

Ann:      Thank you very much for inviting me.

Steve:   Listeners of the podcast may have heard of you or heard about Privacy By Design. And so, before jumping into this conversation about Privacy By Design or PBD for short, can you tell us a little bit about your background? What were the insights that led you to develop this framework that would eventually become a global standard that we now know as Privacy By Design?

Ann:      It’s interesting. When I was first appointed commissioner, so I should tell you my background. I’m not a lawyer. I’m actually a psychologist. I studied psychology and law in graduate school. When I was appointed as privacy commissioner, of course my staff consisted primarily of lawyers who of course believe in regulatory compliance, which is always after the fact. After the privacy infraction or data breach has taken place, you get in and you investigate, and then you apply an appropriate remedy. All of that is very valuable, but I wanted a model of prevention. I wanted something up front to prevent the privacy harms from arising, much like a medical model of prevention. So, I came up with Privacy By Design over three nights at my kitchen table. It was all about embedding privacy into our operations, baking it into the code, bake it into the data architecture, make it an essential part of your policies, so that you could ideally avoid creating privacy harms.

That was the background, and this was a relatively foreign concept, at that time anyway, in terms of legal community. But I, over time, explained that in my view that was a preferable approach. Of course, we need regulatory compliance after the fact, but we would have fewer cases to deal with ideally, if we could prevent the privacy harms. I was delighted, in 2010, I should just tell you. In 2010, so once a year there’s an international privacy commissioners and data protection authorities conference usually in Europe. In 2010, it was in Jerusalem. At the end of a three or four day session, we have a half day of a closed session just for commissioners. We’re allowed to introduce resolutions that the entire assembly of commissioners and data protection authorities vote on. I introduced a resolution that Privacy By Design should be created as an international standard in an effort to avoid the harms from arising.

What I was amazed at was it was unanimously passed. Everyone agreed to this. After, I spoke to a number of the commissioners. Afterwards I realized that we all understood that we were only seeing the tip of the iceberg of privacy harms. In this day and age of massive ubiquitous computing, massive online connectivity, social media bounding, we all realized that the majority of the harms, the base of the iceberg was avoiding our detection. We are only seeing the tip. That was unacceptable to all the commissioners. We thought if we complemented regulatory compliance with Privacy By Design proactively upfront, that we would have much better chance of addressing the majority of the harms, which right now are remaining largely unknown, unchallenged, unregulated. That’s how Privacy By Design started. Since then, it’s been translated into 40 languages all around the world.

Steve:   That’s incredible. The way I like to think of this as we look at Privacy By Design through the lens of innovation. I love that you did it over a period of three days sitting at your kitchen table. Some of these ideas just come at random times and you have to tease out wonderful ideas. You don’t have scratch pads or notebooks sitting in your shower or wherever good ideas happen to come. Sometimes, I have to take a nap if I forget something, so I hope it comes back to me, but I think back to something that everyone also can easily understand. For example, Elvis Presley didn’t set out to disrupt jazz music. He set out to create rock and roll and a product that came from his soul.

Rock was different, not better than jazz. I guess you’ve already hinted at how in your heart and in your mind things had to be done differently, proactively from the design schematic through to implementation. Now, how people trade their privacy and their control in a surveillance capitalism world that we live in today, I think it is becoming a more urgent thing that A, businesses need to really rethink and become more aware of. Citizens also need to become better aware of their loss of control of their own information and how that can affect them.

Ann:      Agreed. Agreed. I wanted people to embrace privacy, to view it as a positive, not something that was going to stifle creativity and innovation, but the exact opposite. I tell both companies and businesses, governments, privacy breeds innovation and creativity. It breeds prosperity, because it allows you, you know what are the essentials of Privacy By Design is getting rid of the dated zero sum model of either/or win lose.

You can only have one interest versus another. That drove me crazy. I want you to do both. I want a positive sum, two positive gains at the same time. When you present it in that manner to both business and government, then they embrace it, because it’s not that anyone’s opposed to privacy. They just viewed it in the past as something that would stifle creativity and innovation. I told them it would do the exact opposite.

Steve:   Yeah, I love that. To really help reshape the way people think about it. There’s always this fallacy of a false dichotomy, right? You have to either choose A or B, but in business we see this all the time. That business leaders get their cake and they eat it too. I think we just need to reframe this. You made some really provocative comments on a Webinar last October that I appreciated. I smile every time I hear it. I quote, “Privacy is a business issue, not an issue of regulatory compliance.”

Ann:      Yes.

Steve:   “A proactive prevention of data breaches is a far better ethical use of private data.” So, since regulations usually kick in after the fact, how are companies making a business case for proactively preventing data breaches with Privacy By Design using this, you know, you can have your cake and eat it too mindset?

Ann:      Yeah, and that’s very much it. I used to say that even when I was privacy commissioner, that true privacy is a business issue not an issue of regulatory compliance. Because, I know businesses will do a far better job at protecting privacy if they think there’s going to be positive gains for them out of it. And I said, “Of course, if you do Privacy By Design, you will gain a competitive advantage.” Because, and I always told them, if you do Privacy By Design, don’t keep it to yourself. Shout it from the rooftops. Tell your customers the lengths you’re going to to protect their privacy and how much you respect them. This will breed loyalty. It attracts new opportunity. You keep the customers you have and you attract new ones. When you present it that way, it becomes a business case that this is good for business. You’re going to gain a competitive advantage, because you see people care very deeply about their privacy.

In the last two years, all of the public opinion polls have come in at the 90 percentile Pew Internet Research, etc. 90% of those surveyed, very concerned about their privacy. 92% very concerned about loss of control over their personal information. When you present this way and you tell businesses, “If you do Privacy By Design, you’re going to build trust.” Right now, there’s such a trust deficit. If you develop a trusted business relationship with your customers, they are going to be far more likely to say yes later on when you go back to them and seek their positive consent for a secondary use for the data they collected from you.

Now, I’ve heard back from companies, they always say yes, because that trust has been built. What they don’t want the company to do is share the information externally with third parties unknown, but within the company with whom they’ve developed that trusted business relationship, everything is on. That’s where they gain the competitive advantage. They benefit from embedding privacy into their operations along with their business offerings.

Steve:   Can you think of an example of looking at the economics, Facebook was recently fined $114 million in Europe for violations of privacy and that’s just in Europe, but if they’re making billions of dollars in revenue from selling information on the back end, that’s not much more than a slap on the hand. Of course, the crew at Facebook is going to see more value in how they use that data that they’re collecting. But, putting Facebook aside, do you have some examples in terms of where that loyalty, fostering that consumer loyalty and trust is economically more valuable than abuse of their privacy?

Ann:      Yes. If I could just add one comment about Facebook, they’re facing very severe fines in the United States from the FTC, the Federal Trade Commission. I’ve heard in the range of 3 to $5 billion US for violations of consent decrees and other things. I would not think that Facebook has taken this lightly anymore. Their share price has dropped significantly, their stock. This is a very serious issue. Other companies, for example, there used to be early on a company called Bionym. What they did is they are in the business of biometrics, using biometrics for a variety of purposes. But, they led with embedding privacy into the design of their operations. Because, biometrics, your facial image, fingerprints, etc., this is very sensitive information. And so, this is something they’ve taken very seriously. It then gains the trust of their customers. Trust is absolutely fundamental and right now there’s very little trust in Facebook, very little trust with Google as well.

These companies are facing the repercussions of not having a privacy model, that is adhered to at all. That’s one of the problems with massive centralized databases of information. The Googles and Facebooks have this honeypot of personal information on millions of people. It’s under their control and they use it in whatever way they want. That’s the problem. This information should be under the control of the data subjects, the individuals to whom the data relate. I think you’re going to see a return to that. I know you’ve certainly heard that Facebook is now going on the far other side of protecting privacy and building it in. They’re singing a very different song book.

If they walk the talk, that’s great, but that’s why we always have to look under the hood. Making sure that whatever is being said about privacy is actually being followed through.

Steve:   Yeah. I don’t know if you caught it, but there’s now a new lawsuit that alleges Amazon’s Alexa violates laws by recording children’s voices without consent.

Ann:      Yes, yes.

Steve:   It’s not acceptable to have these lax privacy policies and simply ask forgiveness after the abuse has already occurred.

Ann:      Yes. I totally agree. I mean, and the Alexas, I always tell people, if you have to have an Alexa in your house, turn it off. If you are having sensitive personal confident conversations with your spouse or your children or whatever it picks up your recordings and then it can be communicated elsewhere. You have to be very protective of privacy, especially within your home. It’s the last bastion of privacy.

Steve:   Yeah. There’s also the conspiracy theory, and this just happened to me and my wife the other day, we were driving to the grocery store and we saw a billboard that advertised Arnold Palmer spiked lemonade tea. I said, “Hmm, that sounds interesting. Why don’t we try that?” Now, yesterday she’s seeing advertisements on her Twitter feed for guess what? Arnold Palmer spiked iced tea. We haven’t even searched things online. These microphones are always suspicious of picking up.

Ann:      Always on.

Steve:   On that same webinar that I mentioned earlier, there was a question that came from the audience that I want to spend a couple of minutes diving into with you a little bit more. The question was isn’t privacy dead? And you came right out with an answer that just had me. I loved it. You said, “The hell with that. Privacy is growing.” What progress report card do you give on the global adoption of Privacy By Design since 2010? When you mentioned earlier the regulators at the International Conference of Data Protection Authorities and Privacy Commissioners passed this resolution that you mentioned. What are some of your proudest moments with the role that Privacy By Design has been playing in preserving citizens’ privacy and freedoms?

Ann:      Of course, I was delighted when last year when the new law in the European Union came into effect, the General Data Protection Regulation, the GDPR. They’ve included my Privacy By Design framework in the GDPR as data protection by design and also privacy as the default, which is the second of seven foundational principles of Privacy By Design is also included in the GDPR. This is huge, because it raises the bar on privacy dramatically. What privacy as the default says is that you don’t have to go and search for the opt out box seeking negative consent. They don’t have to go and search for it and try to opt out of having your information used for some other intentions. Purposes that you never agreed to. No one does that. It takes hours to search through all the legalese in the terms of service and the privacy policy to find that box.

It’s crazy. Life is short. No one does that, but it doesn’t mean that people don’t care deeply about privacy. As I said, privacy is at an all-time high in terms of concern and concern for lack of control. Privacy as the default flips that on its head and it says you don’t have to ask for privacy, we give it to you automatically. We are only permitted to use your information for the primary purpose of the data collection. That’s the only way we can use it. If down the road we want to use it for a secondary use that may arise, we have to come back to you and seek your positive consent. That builds trust like nothing else. People love it. That’s where privacy as a benefit to business comes in, because it builds that trust and customers are willing to share more information with the company with whom they have a trusted business relationship.

If I can add just one more comment. I should tell you it’s taken 20 years to get Privacy By Design into the GDPR, but it was well worth it. Patience and persistence. That’s what I always say, you have to do that. But, every morning I tweet the stories of the day from 5:30 and 6:00 AM my time, because a lot of them come from Europe and out east. I want to convey all these stories to the public. Invariably, I get at least one response that says what you referred to earlier, “Lady, privacy is dead. Get over it.” And I say, “You get over. What do you mean privacy?” It’s got a second life. It’s growing like never before. People are so dismissive of things and so shortsighted and that’s what we have to correct.

Steve:   Yes. I think every great idea and movement needs a positive… some might be dismissive and say you’re a cheerleader, but you’ve contributed so much with this framework. Now, one year into the GDPR, are you seeing that organizations have a backlog in terms of their ability to address and be compliant with these new regulations or aligned with them? What noticeable effect are you seeing in terms of organizations that have embraced this? Rome wasn’t built in a day, right? Is there still a lot of work to do? There has to be a learning curve to this.

Ann:      Right. Of course. All of this takes time. All of this takes time. But, I know that the regulators in the EU have been inundated with complaints under the GDPR, massive number of complaints. They have a lot to deal with and obviously limited resources. We have to be realistic in terms of our expectations. But, the fines are just beginning to come out and they’re significant fines. I think you’re going to see more and more in that in the next six months. You will see far more. Of course, the regulators are taking this very seriously.

I think once the actual results start emanating in a large way, people are going to be very, very pleased. They’re going to see the GDPR in effect. As I said, these things take time. You have to investigate and apply the regulation properly. But, I don’t think we’re going to be disappointed at all. One of the benefits of the GDPR is that countries all around the world are trying to mirror it in some respect, so that they can achieve essential equivalence with the GDPR. That is raising the bar for privacy and data protection all around the world. Countries are strengthening their privacy.

Steve:   Absolutely. Here in the US, we’ll soon see regulations like the California Consumer Privacy Act of 2018 enforceable beginning January 1, 2020. Among other things, this new law, the residents of California will be able to know what personal information is being collected about them, if their personal information is sold, and the right to opt out of the sale, etc. Do you think based on what you’ve been hearing about this new privacy act, is it doing enough to really push organizations to fundamentally adopt Privacy By Design and mirror what’s happening with the GDPR?

Ann:      Yeah, it’s a wonderful start. You have to start somewhere and having in data portability, access to your data is absolutely fundamental. It makes such a difference that you can access your data and say no. Opting out of the sale of your information to third parties, that you don’t want them to have your information. All of these measures are very, very significant. I don’t want anyone to minimize it. Transparency associated with people. I always tell companies and governments, you may have custody and control over someone’s data, but it doesn’t belong to you. It belongs to the data subject. It’s their data. So, give them access of course to their data.

What I’ve heard back from companies is that they benefit enormously from giving access to the data to the data subjects, because they’ve told me, actually, it’s increased the accuracy of our data holdings dramatically. Because, companies and governments will have massive amounts of data on hundreds of classes of individuals. They won’t know if information that they possessed about someone is correct or not, if there’s any mistakes. The data subjects know that. When they access their information, they alert the company and say, “No, no, this is mistaken. Here’s the correct information.” That benefits companies enormously in terms of the accuracy of their holdings in terms of data. I think we’re making great gains.

Steve:   Looking forward, you know, I guess you might think of this either as self-regulation, trying to get ahead of the curve, when organizations are trying to be proactive. There’s this idea that privacy and security are somehow one and the same. The state of security can be very subjective and varied depending on who’s implementing it, what depth security is implemented, etc. With Privacy By Design, you’ve set some very specific objectives for how policies can be implemented.

There’s this idea of privacy enhancing technologies or PETs should look like emphasizing proactive leadership, systematic methods, and with privacy being a default setting at the design level, etc. I’ve mentioned this a lot. I don’t think we have, I think we have actually a lot of great technology today, but what is missing is this intention of leadership to actually have this privacy friendly way of using the technology, that is more considerate of the wellbeing of the consumers and of the users of the technology rather than profiting.

I understand businesses have a need to have a profit, but when it hurts the consumers at this level to such a degree. Let me put it this way. Privacy seems to favor the rights and freedoms of individuals, whereas security is meant to protect the organization. Am I far off in that assessment?

Ann:      You’re not far off, but I view it as you’re right. The term privacy subsumes a much broader set of protections than security alone, but in this day and age of daily hacks and cybersecurity attacks. If you don’t have a strong foundation of privacy from end to end with full life cycle protection, you’re not going to have any privacy at all. You need a solid foundation of security from end to end.

I view them as complementary, not one versus the other. You need to build upon the foundation of security to get strong privacy, but you have to have both. That’s how I see it always as a positive sum, multiple gains in multiple areas. Two positive gains as opposed to privacy versus security. You need both. It’s a myth that you don’t need strong security to have strong privacy. We can have both. That’s always my advice is to ensure that both are strongly represented in your operations.

Steve:   As we’re hitting on the salient points of Privacy By Design, there’s one that hasn’t been mentioned so far regarding visibility and transparency. That the users have control, but they know how their information is being used. One interesting dilemma that I see is like Facebook’s acquisition of WhatsApp. There was a commitment made early on that they would not integrate those into the same platform. Now, there they are. For the obvious reasons, because it gives them more access to data that they can use for, you know, we know what purposes that they’re using that data for. But, users have no visibility into how that information is being used.

Ann:      I always object to that. I think users must have visibility, transparency associated with data collected about themselves. It applies to them and they should have a right of access to it. As much as the Facebooks or companies that are collecting this information. That’s one of the big problems with centralized databases full of this information that the individual, the data subject rarely has any control over and giving them access to their own data transparency, visibility. Very, very important.

Steve:   You talked about centralized databases. If privacy is about personal control, then, how do organizations have a vested interest in giving personal control to its users? Decentralized technologies that are becoming more popular today like blockchain, combined with identity verification services appear to be growing in applications and their usefulness, because of the growing demand for user privacy and control over one’s information. Is this a positive trend? Do you think this is going to eventually affect this utopian vision I guess? Or is it definitely a positive direction?

Ann:      No, I think it’s a very positive direction. I urge people to go the route of decentralization, because when you have decentralized information linked to the individual, the data subject, they are in control of that. You can have your information stored in a secure enclave in the cloud over which you have control. You can choose who you wish to share it with and disclose it to. You may recall that last year, Tim Berners-Lee, the creator of the World Wide Web, he went public and he said, “I’m horrified at what I’ve created in the world wide web. It’s a centralized model which promotes tracking and surveillance of people’s activities, retaining control in the companies that retain it.”

And he said, “I’m walking away from the web and I’m creating a decentralized model.” I believe he calls it Solid. So that has led to such a significant movement of people going to decentralized areas. Like you mentioned the blockchain, which is peer-to-peer, you have control over the data in this public ledger with the peers you’re dealing with. There isn’t a centralized pot of data that someone else is controlling. Increasingly, in order to preserve and retain control, the decentralized model has far greater benefits to individuals, than the centralized, I call them honey pots of data.

Steve:   Yeah, without a doubt. I was delighted to see Berners-Lee come up with this movement. There’s quite a lot of companies already. Even Microsoft has made a lot of great progress in decentralized identity in blockchain and distributed ledgers and so forth. It will be interesting to see how this evolves. I think there’s definitely going to be challenges in terms of adoption, because you’ll see these billboards of access. But, getting near a ubiquitous deployment of decentralized identifiers is going to be time consuming.

It will definitely take a lot of time.

Ann:      Agreed.

Steve:   Okay. So, shifting gears, I was really interested to see… With Privacy By Design companies can actually opt to present their solutions to become certified. Deloitte in Canada has an assessment and certification program that they’ve collaborated on with Ryerson University. There are some US based companies involved in that, like Michael Chertoff and the Chertoff Group, being on your board, etc. Cisco is leading the charge for US national privacy law. Tim Cook and Apple are also very supportive. Talk to us, what recipes for success would you give to US based tech companies and large enterprises for…is certification really an important and valuable milestone in terms of their progress with Privacy By Design?

Ann:      Yeah. What certification does is it shows independent bodies that you’re doing the real thing in terms of Privacy By Design as opposed to just saying it. We’ve now partnered with KPMG who is doing the certifications. It builds such trust. I tell companies that have been certified for Privacy By Design, don’t be quiet about it. Shout it from the rooftops. Tell your customers the lengths you’re going to protect their privacy. How much respect you have for them. They love it and it builds such trust and loyalty.

One of our major telcos here in Canada called Telus, they’ve obtained multiple certifications for various products and services. I applaud them for that. Their motto is customers first, privacy first. I applaud them and I tell them, tell the world what you’re doing to protect your customer’s privacy. It builds such loyalty and attracts new customers. It’s a real, you gain a competitive advantage.

I urge people to do that. Also in the context of the GDPR, a lot of countries like Canada and the US we don’t have privacy laws that are essentially equivalent to the GDPR in Canada. We used to until now. Our law is no longer sufficient. Our federal privacy commissioner is trying to get it upgraded. But, in the meantime, if companies do Privacy By Design and get certified, they present this to the GDPR and say, “Look, we’re doing everything we can to comply with Privacy By Design to comply with the GDPR absence of law. That is essentially equivalent. We’ve gotten certified for Privacy By Design to show you in good faith.”

Because, for a certification, all you need to do is follow the seven foundational principles of Privacy By Design, you don’t need a law. It enables them to move forward and show the GDPR how much they’re doing. The EU has approved my certification on Privacy By Design. It’s now acceptable. More and more companies are engaged in doing this.

Steve:   Can you walk us through the certification process? Is this something that you just do once or do you do on an annual basis?

Ann:      What happens is once you become certified, you have it for three years. Every year, you simply have to report back to us that nothing has changed dramatically in terms of what we certified you for initially. People come to me to get certified with our consent, I send them to KPMG. KPMG then goes to the company involved and looks under the hood so to speak, does an assessment and audit of their practices to ensure that they’re following the seven foundational principles. Every year for three years, so the following two years, they just need to report back to us that there haven’t been any fundamental changes to what they were certified for in terms of KPMG’s assessment.

And then, after three years they will be required to get certified again, because after three years things may have changed and new operations, etc.

Steve:   With the three-year renewal, sometimes these can be looked upon as not being as valuable if you just have to self-audit and self-assess that nothing has changed. Is there a lot of confidence in that self-assessment?

Ann:      I think there is. We’ve had great luck with this, because people know how seriously we take the assessment. We take them through all the protocols on what they have to do and they make corrections if it’s not strong enough, etc. The companies that come to us to get certified, they really mean business. They want to do a great job and assure their customers they’re doing the most they can to protect their privacy and their data. So, it hasn’t been a concern. Some companies that have come back on the second or third year, they’ll indicate to us where there have been changes and then we can go and just audit that particular aspect of it. So, it has not proved to be a problem at all.

Steve:   Do all sized companies need to be thinking about this? Or any particular sectors where it’s especially relevant? What is the target company that should most be thinking about this certification?

Ann:      Companies that are in play and are sizeable in nature, etc. As I said, we certified for products and/or services, not an entire company, because a lot of variety of activities take place. Those companies, I encourage to select the one or two products or services that would benefit the most from Privacy By Design certification. And then, they can decide if they want to expand it.

For companies that are just starting out, I encourage them to do it at the beginning, because it’s much easier to embed privacy into the design of your operations right from the beginning. It’s much less cumbersome and then it just continues after that. There’s a variety of different companies that can benefit from this. I encourage all of them to take a look at it.

Steve:   In wrapping up here, let’s say a company is interested in starting down this path of looking at Privacy By Design in terms of their products and services. Where do they begin? Should they reach out to you and your organization? Should they reach out to one of the partners like KPMG? What is your guidance for them in terms of assessing and getting started at a professional services or assessment?

Ann:      I always encourage anyone who’s interested in Privacy By Design to contact me. I can walk them through what’s required at a very high level and answer any initial questions that they have. And then, after that, once they try to implement it, if they need any additional assistance, I’m happy to provide it. If they think they’re in a good position that they can move forward with certification, then I refer them to KPMG. KPMG will reach out to them, visit their operations, and start the process.

So, there are a number of different ways to proceed with this. There’s a lot of work we’ve done on Privacy By Design. I’ve got a paper that I put out four years ago on Privacy By Design certification, operationalizing Privacy By Design. We did this with major companies. Microsoft, Intel, HP, Oracle, IBM partnered with us to develop papers to show the public and other companies that yes you can do this. You’re going to have privacy and security, privacy and data utility, privacy and business interests. We try to show them that this is realistic. I just urge companies to leap into this.

Steve:   That’s awesome. In summary, Dr. Cavoukian believes no one should have to surrender their freedom or sacrifice their privacy in order to keep our society safe and secure. You mentioned at the beginning that you’re going to be starting a new role as executive director of the Global Privacy By Design Center. Can you give us a bird’s eye view of what the center is? How that can benefit organizations? And what we might expect to see from that in the coming months?

Ann:      You know what it is, ever since the GDPR came into effect a year ago, there’s been so much interest in Privacy By Design that people are just, I’m very fortunate, flocking to me for advice and how do we do this? Some of my colleagues said, “It’s time to go private and start a consulting firm where you can offer your consulting services across the board.” I also do a lot of public speaking, because I try to raise the bar on Privacy By Design awareness, what’s involved, that it’s not tedious at all. If you implement it early on, the rest will flow, and the benefits will arise.

So, that’s one of the reasons I decided to go out on my own and start this is I want to increase the literacy, if you will, around Privacy By Design and show people the benefits that will accrue to them, both data subjects and businesses, if they do this. So, I’m just hoping to raise the bar and get the word out as widely as I can.

Steve:   Well, I’m enthusiastic and looking forward to hearing about your updates. Wish you all the best in your new venture. Here in the US, should companies be thinking about the Chertoff Group, who’s one of your partners as their representative organization for US-based customers? Or can they reach out to your new organization as well?

Ann:      I encourage them to reach out to my organization simply because, and I have the greatest respect for Michael Chertoff. He’s amazing. He was one of the founding members on my global privacy and security by design operation. He’s wonderful. He also believes in privacy and security. They go hand in hand. But, I think the Chertoff Group does mostly security related activities, so they can certainly go to them. If you really want to focus on Privacy By Design, I would encourage you to come to my new center and we can work together.

Steve:   Wonderful. On Twitter you’re @AnnCavoukian. Is there a new website that people can find you at or an email address?

Ann:      It will be coming. If you can just stay tuned. You can still reach me on my old email, because I’m still teaching a course at Ryerson University. I’ll continue doing that. It’s an online course, but I will have word of this out and put out a notice in about two weeks’ time.

Steve:   About that time, I’ll get the information and add it to the notes of this show so people listening will be able to find you. Well, Ann, it’s been wonderful to be able to finally have this conversation with you and hearing all about all the updates and the new things you’re beginning to get started.

Ann:      Oh, it’s such a pleasure. Thank you very much for having me on. Let me remind people, privacy forms the foundation of our freedom. You cannot have free and open societies without a strong foundation of privacy. Let’s preserve privacy, not only for ourselves, for our children and grandchildren to come.

Steve:   It’s worth preserving. Thank you, Ann.

Ann:      My pleasure. Many thanks.

