Today Anthony was joined by Tamzin Evershed to discuss Privacy in The New World. Tamzin is the VP, Chief Privacy Officer at American Express Global Business Travel.

Highlights:

  • Tamzin talks about the increasing convergence of the Ciso & Chief Privacy Officer role
  • How the ‘fast-forward’ button has been pressed on digital transformation
  • Tells us what she would be investing in if she was a CEO
  • Explains what a ‘Zoom shirt’ is!

Transcript

Anthony: [00:00:01] Hello, my name is Anthony Brown, and I’m very pleased to bring you another episode of our Privacy and Data Talks podcast, where we’re bringing you insight, ideas and opinion from many of the world’s leading privacy and data thought leaders. Today, I’m very, very pleased to welcome Tamsin Evershed, who is let me get this right, the vice president and chief privacy officer for American Express. Global Business Travel.  Tamsin is a very experienced lawyer, who has held senior positions in boutique and large international law firms, global technology companies, software businesses, and has extensive data protection and privacy experience.  Tamsin welcome to the show. It’s great to have you on board. How are you?

Tamsin: [00:00:50] Very well, thank you. Lovely to be here.

Speaker1: [00:00:53] Good. Good. So can you I mean, just give us a brief overview of your your current role and the work that you’re doing at American Express Global Business Travel.

Speaker2: [00:01:05] Yeah, absolutely. So American Express Global Business Travel as the name might give away. We are a travel management company, so we were a business to business travel agency. We also do meetings, events all around the world. We operate in 140 countries and we’re 50 percent owned by American Express. So we have a lot of brand value that we have to carry. We have to deliver well. So my role is is a very big role. As you can imagine, we have a privacy program that is based on binding corporate rules. So the way we operate is everywhere in the world. No matter where you are, your data will be handled in accordance with EU principles and then we tack on whatever local requirements there might be. We are also very acquisitive. So I spend a lot of my time converting the privacy programs of other companies when they come on board. So often they are in far flung places where the idea of EU principles is something new to them. So that takes up a lot of my work. And I think on a day to day basis, really, I’m probably I’d say I’m a bit of a builder. I have to operationalize those paper policies that we all got into place by 25th May 2018.

Speaker2: [00:02:27] And that really means rolling up my sleeves, architecting processes that people can really engage with at work. And my biggest joy, in fact, is bringing people together so that we have a process where it was seamlessly where people interact with it, where it’s frictionless almost. And I think another part of my role really is engaging the clients. I think that’s one of the things that I really enjoy doing, talking to my peers in other companies, telling them about our program, reassuring them on how we’re treating things so that they can trust us with their data. And naturally, I also have to be a bit of a fixer sometimes. So I’ve developed a very acute sense of looking at a problem very quickly, working out where the problem is, fixing it as quickly as possible. But I work with a very lean team. I have to work in a Matrix organization. I have to recruit people from all areas of my business to get what I need to do done. And I think on my 360 has some anonymous feedback that my efforts, that collaboration between departments were in fact heroic. And sometimes they do feel heroic but there isn’t a dull moment, I would say.

Speaker1: [00:03:46] Well, I could imagine and having known you for quite a while now Tamsin I know that sprinkled in all of that is an amazing sense of humour and lashings of fun as well, that you try to bring to your world. And no doubt your job as well is when the chips are down and things are difficult that’s obviously something we all meet and not least over the last few weeks as well. And actually on that note I remember that we had we had a zoo meeting a couple of weeks ago and I was in situ where I am now and anyone who’s watched any of these videos so far will realize that I got a different background today. And in fact, just as a note, this picture here have been created by my daughter, Amelie, who really wanted me to have it within one of the videos. But anyway, you and I were talking a couple of weeks ago and I was back in situ. I mean, one of our offices here and I think you commented at the time that you hadn’t seen anyone in the office for a while. So that was a surprise. And I think interestingly as well, we continue to have a chat about some of the zoom sort of habits and behaviors that people have developed ove that we found very amusing. I think, for example. Well, the first one is the Zoom shirt as you coined it i.e. pyjamas, pyjama bottoms with a zoom shirt over the top, or in some cases, perhaps I’ve seen people wearing full pyjamas with a proper shirt over the top. So don’t ask me, please, to reveal if I’ve got suit trousers on or not. Now, with this shirt so I’m you know, maybe I’m wearing a zoom shirt myself, but I won’t confirm either way. And also the sort of interesting behavior that we seem to have developed, which is waving goodbye on the zoom So, you know, at the end

Speaker2: [00:05:41] I’ve worked out what we’re doing there. There’s that  uncomfortable moment with being very English, there’s  that uncomfortable moment when you say goodbye, and then you have to find the button to turn off the meeting so there’s that moment where we are waving to each other.

Speaker1: [00:05:56] The left hand is doing one thing and the right hand is doing the other kind of thing. But we must maintain that we looked like ducks on top of the water and everything’s just going swimmingly. So. So anyway, As we know Tamsin so much has changed in such a short period over the last few weeks.   And people have listened to these podcasts so far will know that I’m not one for dwelling on what’s gone on over the last few weeks as we’re all trying to look forward and bring some joy and positivity to the world. But obviously, as we know that the world of work and home life, the lines between them have become very blurry, as we just mentioned there as well, with the zoom calls, etc etc.  How do you see the world panning out now for the privacy professionals sort of moving forward? And I guess you can attribute this to your own experiences as well.

Speaker2: [00:06:51] Well, I would say you can’t play down some of the difficulties people have gone through recently. We’ve all had to go through situations perhaps where people have small children and they’ve got to work while they’ve got small children around, I’m getting very used to seeing my colleague’s children on zoom because they seem to participate in meetings and people have dealt with difficulties with food shortages and things like that. But on the positive side, this is a brilliant time for the privacy professional. Absolutely. And I think it’s more the kind of privacy professional who can bring flexibility. You can adapt to this new world and you can properly risk manage. Then this is the time for you. And I think what I’ve been seeing definitely out there is a lot of organizations are now removing steps to process it in their bureaucracy. So you you have situations where perhaps they’ve got people on furlough so they haven’t got as many people to do the admin or you’ve got situations where they’re trying to avoid face to face contact. But that’s totally transforming the way people are using data. And I think that we’re going to see that those unblockings will remain. I think a lot of us have actually appreciated them. And also I think there are lots of organizations have been very risk averse to the digital age. They’ve played it safe and now they’ve actually been forced to get out there onto the Internet to have online interfaces with people. And I think they’ve probably been very happily surprised at how beneficial they’ve been. They’ve actually made things easier. They’ve saved money. Their clients actually quite like that. So I think those things will continue. And if I was investing money at the moment, I would be investing in online authentication products because we all know there is inherent risk in dealing in the Internet. Do we know who we’re dealing with? But actually, we are going to go down this route. So I think Covid has actually speeded up the digital transformation. And as a privacy person, we obviously have a key role to play in that.

Speaker1: [00:09:10] Yeah, absolutely. And there’s no doubt the fast forward button has been pressed for all types of businesses, all sizes of businesses. And I think there’s a recognition at the very highest levels of businesses that if you don’t, you don’t adapt and you’ve not adapted quickly you’re going to get left behind, you know, ultimately. So so, I mean, obviously, that’s really interesting Tamsin.  What have you been seeing, have you been seeing any specific sort of examples of this in your own life or work?

Speaker2: [00:09:39] Yeah, well, I just recently, for example, had to interact with the land registry. And they have a process whereby you have to identify yourself and they give you a form which you can download from the Internet, but they give you a form. You have to take that form to a solicitor with two passport photos, the solicitor then verifies who you are on the passport photos just as if you were getting an actual passport. And then you have to send all of that by registered post to the lodging solicitor with an original piece of ID.

Speaker1: [00:10:20] So sorry to interrupt, but this sounds like it’s 1992.

Speaker2: [00:10:25] It does, but this is the world and government organizations at the moment. But Covid has swept that all the way. Covid has meant that they’ve taken away that step. So I was able to do that without having to go to a photo booth to get the photos without then having to go to a solicitor, without then having to queue up at a post office. I could even get the postage downloaded for recorded delivery from the Internet. And if I’d been really clever, I’d have got one of the kids to go to the postbox. I mean that and I know it’s a temporary measure, but I think these things are going to continue to happen. And I think the driver at the moment might be Covid. But as time goes on, organizations are going to realise, hang on a minute, this actually has a commercial benefit. And I think for us as privacy professionals, our employers are going to look squarely to us and there won’t be any room for box ticking. We all know there’s a risk of fraud here. We all know that with online ID that’s going to lead to processing of personal data, that that really opens up situations where people can lose control of their data. So our employers will be looking to us to be flexible, to be risk managers, to be able to look at these situations and do the right data protection impact assessments, to give the right level of transparency. And I think that puts us right in the driving seat. It allows us to really demonstrate our commercial value. And I think we’ve always known we had commercial value. Sometimes it’s been very hard for us to to get that over to our employers. And I did note actually a piece of news that the Competition and Markets Authority, the information commissioner’s office and Ofcom are actually getting together to cooperate more fully in a forum. And I think that’s a clear message. They’re anticipating this trend too, that there’ll be so much more digital activity going on. And so a new world for us.

Speaker1: [00:12:40] Indeed. And I think obviously everything you’ve described, you know, we’re all aware of it. I guess, you know, everyone and even in a general sort of population who may not be, you know, completely au fait with privacy, is that there’s a growing risk of cyber fraud out there, its exploded over the last few weeks as well. All fraud, but cyber fraud is is here to stay, unfortunately.

Speaker2: [00:13:05] Yeah. I kind of think that people doing all the phishing attacks, they’re in lockdown, too. So they’ve got more time on their hands. Yeah, yeah, definitely. We’ve seen a surge of increase of these kind of attacks. One thing I would say to all my colleagues out there is if you can do a Zoom tabletop exercise to work out how you would respond to this kind of activity. Absolutely. Do it. We did a face to face on actually before covid became an issue within American Express business travel. And it was really telling. You will spot all the holes in your procedures and also you will probably have an opportunity to go to your CEO with a scenario where you’ve got a ransomware situation or what have you, and you will find out what their view is about. Things like do we bring in the police? Do we pay it, that kind of thing. And I think that steer in that tabletop exercise is essential. Also, the fact, you know, if you’re going to have your colleagues from America phoning you in the middle of the night are you always ready for that call, have you got anything ready that you would actually respond at 2:00 in the morning And another thing I’ve noticed, because obviously I see all my colleagues on LinkedIn is titles are changing.

Speaker2: [00:14:27] And I spotted this a while back. I think we’re seeing a convergence of information security expertise with privacy. I think traditionally the CSO sat in one corner of the business, the privacy. The chief privacy officer sat in another corner. They had to collaborate, but actually that wasn’t helpful having them in those two pillars. So what I’m saying with my with my peers is information security is coming into those titles. So I think the way of the future for anyone coming up and even for people in my position is we’ve got to hone those skills and I think it does make sense to have your information security activity reporting into someone who’s got a good legal knowledge of what those requirements might be. They may well, they’re very unlikely to be technical experts, but they need to be literate in I.T. and I think that’s a good way forward.

Speaker1: [00:15:24] Yeah, I totally agree with that Tamsin, we are seeing that Tamsin speaking to our clients and the individuals in our own network, I think increasingly the lines will become more blurred. And like you say, I mean, everyone who’s involved, you know, within the various teams are each one of them is going to have to acquire new skills over the course of time so they can speak the same language as each other, really, and ultimately be as watertight as they can. There’s too much at stake for these organizations. I think now covid the threat is passing. We’re all concerned, obviously, as we know about a second wave. But let’s not dwell on that. Let’s try and be positive here. We had a chat a couple of weeks ago. We were kind of musing about the new world where we’re working in. And we were trying to predict a little bit about how we see things moving forward. And I think we both agree that it’s been an interesting working week say, for example, you know, things continue in the same vein as they are at the moment and have been i.e.  People working at home all the time we thought it was  quite interesting over the course of time to see if Friday, which has historically been a day that people would maybe choose to work from home at the end of a busy week and catch up on their admin etc., will actually become the day that everyone prefers to go into the office because actually they may socialize with each other at the end of the week after a week when they’ve been stuck at home or doing remote calls etc etc. They need that touchy feely sort of thing with that team. They need to go out and have that social aspect. What’s your view on that?

Speaker2: [00:17:09] Well, absolutely. I totally agree with that. I mean, I think the zoom shirt is here to stay very much. What I hear from people, from my colleagues is how much they have appreciated not having to do that. The time that they’ve spent with their families, just the  lack of the pressure of having to go into an office. And I’m sure there are lots of employers who are now thinking, oh, my goodness, the world didn’t fall apart when everybody worked at home. Why are we paying for this expensive real estate? We could actually continue in this vein. And I think a lot will probably do that. And I think from my point of view as well, using these technologies, I deal with people all around the world and I’ve seen more on video conferencing of those people than I ever did when we all worked in offices. So I think we’re definitely carrying on there. And I would anticipate actually it’ll be great for Amex business travel because we run meetings and events and I can imagine that there’ll be a workforce predominantly working from home. Yes, they might choose to go into a smaller space and gather in groups on a Friday to socialize, we’re all human beings here. But I also think companies will want to have that quarterly bino where everybody goes somewhere and people work on issues in the business together.

Speaker2: [00:18:37] They socialize together and people really get stuff done maybe on a quarterly basis. So I think that will be a seismic change. Actually, that’s coming our way for the privacy team. You know, that change of focus. I think we’re used to the idea that people homework , but it’s always been the exception. And now I think it’s time if we haven’t already done it, to dust off that homeworking policy because that homeworking policy was probably devised for one or two people in a particular circumstance. And I think when we reviewed ours what was surprising to me actually was we were probably very well covered on the IT side because, of course, we’re in charge of that. What we weren’t so up on and needed to think about was are we going to provide people with a shredder? And we have a policy that when you homework, you can get certain items on the company and you can order from a catalogue. Well, we need to add a shredder to that. Are We really focusing enough on the idea that you should lock your office door and you should be careful as careful with those bits of paper as you are when you’re in the office. And I think that’s a new thing.

Speaker2: [00:19:52] And also, we’ve talked a lot about zoom but everyone has got their different video conferencing choice. Yeah, so, um, I think we’re going to have to focus as privacy professionals a lot more on it than we did because it was almost a sideline. And so, for example, there’s monitoring that goes on Zoom and  all these video conferencing things. I mean, there are certain features on some of the days where when you’re not paying attention and you’re multitasking and the person who’s running the video can see, of course, with the cameras on a lot more. Now, that doesn’t happen so often. That’s one of the benefits of mass adoption of it. But that’s a form of monitoring. And you’ve got to get that past workers councils, you’ve got to consider. Have we adequately communicated that to our employees? There’s also recording, you know, something should be popping up to tell people they’re being recorded. Otherwise you could have lots of problems there. Um, and I think another point here about video conferencing, I don’t know if you’ve noticed when you go to conferences, often some of the privacy vendors, they will give you a little sticky to put on your video camera. And I would say in this new world, privacy professionals, it’s really important that we’re visible. Our job is to influence behaviours, as it always has been, and it always will be.

Speaker2: [00:21:22] And there’s something if you think about executive presence, the clue there is in presence. And unless you turn that camera on in the new world you will not be present in that. So I will say that it’s almost a reversal there on the expectation throw this __________________________away privacy professionals. This is an important thing. And naturally, we have concerns about security. I mean, everyone has heard about the issues with Zoom where they had an add in to the functionality that was sending information to  Facebook. And that caused a kerfuffle. And and we had to do a lot of work there. And there were concerns about people who aren’t meant to be there coming in. And my view on that is having gone through all of this and having signed on a number of these things, is they have all got something, but it’s our job to work closely with information security and really back them sort them out and have the answers there so that when your German workers council, for example, comes to you and says, we are really worried, this has come out in the papers, is this right? You’ve got it all done. It’s it’s keeping everybody reassured about the new world and it’s all working the way it should do. Yeah.

Speaker1: [00:22:41] Yeah. Well, I think ultimately Tamsin as you quite rightly said, I think the privacy professionals will need to be increasingly visible and much like yourself as well for joining me on this today and giving something back to the community. And this is what this padcast is all about, actually trying to, you know, give some insights and opinions and some stories, you know, to contemporary’s and other people, you know, within the community. So I think everything you said today has been very insightful. And I really hope that people take something very interesting away from it, from somebody who is sat right in the center of this new world of privacy. I think perhaps the conversation for another day. But something that we were talking about safety at home or the way people are going to be handling, you know, delicate or sensitive data working from home. I just wonder as well where the land is going to lie over the course of time in terms of employers looking at KPIs, how they’re going to measure what their employees are doing at home.

Speaker1: [00:23:52] I know some businesses. I’ve spoken to individuals, where their companies insist that they have their webcam on from X to X to prove that they are working. I mean, it’s incredible, isn’t it, when you hear that sort of stuff? I just wonder how that will develop. And companies are going to no doubt be working on KPIs to to look at what their employees are doing. And then there’ll be other privacy challenges with that. But we keep these padcasts short and sweet. And certainly this has been one. Tamsin, I’m really, really grateful. It’s always great fun talking to you, and I hope all of our listeners and viewers have enjoyed it. So thank you so much. We will catch up again, I’m sure, for another one in the future. But that was Tamsin Evershed bringing to us her thoughts on privacy in the new world. And shall we do the wave Tamsin? Oh, yes lets do the wave. Yeah, I’m going to get my right arm. Got the hand on the mouse to click this off. And thank you so much. I’ll see you soon. I see some good bye bye.

 

 

Don’t miss an episode!
Subscribe to our mailing list and we’ll send you an alert when the next episode is available