Interview with Adam Mason
March 2008
Interviewee: Adam Mason, Vice President and Counsel, Corporate Responsibility System Technologies Ltd.
Subject: Can Enterprise Privacy Management be Automated? – A solution from CRSTL
Nymity: Most organizations manage privacy with policies, procedures and with employee training. Is it possible to automate privacy management?
Mason: Establishing policies and procedures and training are important first steps. Where companies fail is in not ensuring that the policies and procedures are embedded in the culture of the organization. Technology is an important tool in achieving this.
Nymity: Is the goal compliance?
Mason: The goal is broader than compliance - it’s identifying the weaknesses in the company’s controls and processes and remedying these based on best practices in the industry.
Nymity: How does CRSTL approach automating privacy management?
Mason: We have developed databases that include all legal requirements and the controls that are central to effective privacy policies. Our technology-based workflow solution ensures that the people within the organization who deal with customers on a day-to-day basis understand and apply the policies. The system also delivers the information that they need, updated in real time, so that training is reinforced and immediately available topically.
Nymity: How does a risk management approach work?
Mason: Every transaction cannot be monitored. The cost to the company and the interference with business processes would be prohibitive. We work with our clients to ensure that the risks that may have the greatest impact on the company - whether financial, regulatory or reputation - are addressed and controlled.
Nymity: Is privacy management controlled centrally?
Mason: We take a top-down approach but the application is decentralized. By that I mean that while the tone is set at the top, the policies, procedures and controls are specific to each business unit. The technology deployed allows us to focus specifically on the responsibilities of individuals within the organization who may impact the overall status of the company’s compliance.
Nymity: What types of organization are best suited to automate privacy management?
Mason: We have clients who have centralized, top-down privacy management. Other companies distribute responsibility through to all employees who have customer contact or access to personal information. The system is flexible enough to handle either approach.
Nymity: What is the business case and expected return on investment?
Mason: The business case is one of a more efficient application of controls. The CRSTL Solution provides enhanced monitoring and reporting available to senior management to gauge adherence to company policies and procedures. This translates directly into less policing and a better usage of management time. Many of our clients cut their costs associated with compliance by about 35%. The other principal benefit is the reduction of risk and interference in business processes.
Nymity: In closing, what other areas do you help organizations maintain compliance?
Mason: We have products specific to financial institutions such as banks, life insurance companies, P&C insurers and trust companies. Our Anti-Money Laundering module is receiving a great deal of attention in view of the changes that are being instituted in June 2008. We also have modules for companies listed on the North America Exchanges (TSX, NYSE and Nasdaq). We are in the process of developing a new Investment Dealers database. We also do custom development for our clients’ specific needs.