•  Third-party assessment: Ensures that third-party   Effective data security and privacy can be a differen-
               vendors agree to protect your confidential      tiating capability that enriches personal services and
               information and have a capable cybersecurity and   experiences. But drawing the line between privacy and
               privacy program in place to do so.              convenience can be tricky. It’s essential to respect
                                                               customer privacy while delivering a convenient,
             •  Employee training: Establishes a privacy awareness   customized experience. Programs that saddle users with
               and training program to educate users on current   onerous privacy controls can make services and products
               cybersecurity threats, data-management practices,   frustratingly difficult to use.
               and good cybersecurity hygiene.
                                                               A Proactive Approach to Privacy
          Addressing Human Factors                             In a data-driven ecosystem, keeping the bad guys at
          Data privacy is an inherently personal discipline    bay will require that CRE companies proactively assume
          that should reflect the human values of tenants and   responsibility for the security and privacy of tenant and
          occupiers. That’s where Privacy by Design comes in.   occupier data. Doing so will require that they carefully
          This user-centric model emphasizes individual rights   assess and address their individual threat landscape,
          to privacy, with protection of personal data the default   attack vectors, and business processes across the
          setting for all systems and business practices. Risk is   organization. Also critical is regular employee training on
          considered at the earliest stages of development, and   data-privacy risks and responsibilities. What employees
          privacy is embedded into the very fabric of IT, business   and stakeholders don’t know can indeed hurt the business.
          processes, and culture.
                                                                         Shahryar Shaghaghi is a Principal with the
          Privacy by Design addresses data privacy as a shared           CohnReznick Advisory and national leader of its
          ethical value, much like businesses have adopted               Cybersecurity and Privacy Practice. He is a
          sustainability as a pillar of corporate responsibility.        member of the IT Risk Management faculty at
          Organizations that embrace Privacy by Design will be           Columbia University. He has successfully imple-
          better prepared to build a customer-focused business   mented some of the largest global information security and
          based on transparency, trust, and the ability to protect   privacy programs and has helped chief technology, risk, compli-
          personal data.                                       ance, audit, legal, finance, operations, security and privacy officers
                                                               achieve their goals and optimize their strategic programs.



                                                                                                                23