Data privacy is not just a compliance checkbox. It is a trust mechanism that increasingly determines whether customers want to do business with you at all. Adam Smith, Director of Cyber Governance, Risk, Compliance, and Privacy Operations at Nu Skin Enterprises, has spent over five years building privacy programs and embedding them alongside security across business domains. A certified CIPM and CIPP/E professional, he shares practical approaches to data governance, regulatory compliance, and building a privacy-first culture through recognition and cross-functional collaboration.
You can read the complete transcript of the episode here >
How should organizations prepare for phishing and social engineering attacks?
Adam emphasizes that preparation starts with training, but the format matters as much as the content:
- Keep training short: Embed it into the workday so employees actually engage with it rather than running it in the background while doing other work.
- Run simulated phishing campaigns: These reveal where the organization stands and what types of attacks need more awareness training.
- Maintain easy reporting channels: Outlook add-ons, Teams channels, or dedicated processes that make reporting a suspected phish frictionless.
- Build SSO awareness: If employees know which vendors have SSO enabled, they can immediately recognize that a password reset email from that vendor is suspicious.
The cultural element is critical: employees must feel safe reporting mistakes without getting their hands slapped. When security and privacy teams position themselves as partners rather than enforcers, people are far more likely to report suspicious activity early. This partnership approach mirrors how shifting security culture from friction to flow works in practice.
How should organizations respond during and after a security incident?
Adam outlines core principles that apply regardless of industry or data type:
- Have a documented Incident Response Plan: Without one, people panic and make rash decisions that introduce more liability. With the Uber case establishing personal executive accountability for cybersecurity preparedness, this is no longer optional.
- Assemble an Incident Response Team immediately: Know exactly who to bring together when an attack is confirmed.
- Prioritize transparency: Data subjects need to know about potential harm quickly. Whether through a public-facing site or email communication, the organization must communicate what happened and what it means for affected individuals.
The trust dimension is increasingly important. Organizations are now judged not on whether they experience incidents (everyone does) but on how transparently and quickly they respond. Planning to fail gracefully, with encryption, tokenization, and blast radius limitation, demonstrates to customers that you took their protection seriously before the attack occurred.
What metrics and practices prevent data loss?
Data loss prevention starts with knowing what you have and where it lives:
- Personal data inventory: Know what data you collect, the business purposes for it, the legal justifications, and the jurisdictions of your data subjects.
- Data flow maps: Understand how data moves through the organization so teams know how crown jewels are used and should be used.
- Asset inventory partnership: Work with infrastructure and operations teams who likely already maintain asset inventories. Translate those assets into data classifications.
- Blast radius planning: Segment and encrypt sensitive data so that if an attacker gains access, lateral movement is limited and exfiltrated data is unusable.
The key insight: if you think cyber attacks will never happen, you are setting yourself up for failure. Planning for how you will fail, limiting damage and demonstrating preparedness, builds more trust than claiming invulnerability. This connects to broader database activity monitoring and data protection strategies.
How should organizations navigate GDPR, CCPA, and other privacy regulations?
Getting started with compliance frameworks is complex, but Adam recommends a principled approach:
- Start with inventories: Your personal data inventory and process register determine which regulations apply. If you know where your data subjects are, you know your obligations.
- Classify data types: Health data triggers HIPAA. Special categories trigger additional GDPR obligations. Financial data triggers different requirements. Classification drives compliance scope.
- Use free resources first: The GDPR EU website, European Data Protection Board publications, and state attorney general guidance provide substantial starting material at no cost.
- Consider consultants: They can teach you to fish rather than giving you a fish. A consultant accelerates the initial program setup and helps you understand staffing needs.
- Buy versus build: Third-party tools for data inventories, subject rights, cookie compliance, and training often outperform internal builds and reduce technical debt.
Regardless of specific regulations, universal principles apply: purpose limitation, data minimization, transparency with data subjects, appropriate legal basis, and sound retention policies. These principles underlie every jurisdictional law.
How do you break down data silos through governance?
Data silos form because people do not know what they do not know. Adam’s approach to breaking them down:
- Cataloging: Document what exists in schemas and tables so that teams across the organization can discover available data without going out of band.
- Technical metadata logging: Track data lineage from ingest through the entire lifecycle to understand where data flows and where governance policies should apply.
- Embed privacy in workflows: When a data scientist wants to build predictive models, privacy should be involved to ensure proper consents are in place and data minimization is applied. Without this, well-intentioned employees introduce risk unknowingly.
- Governance policies along the lifecycle: Access controls, retention enforcement, and purging at appropriate timelines prevent data from accumulating beyond its useful life.
The practical example is telling: a data scientist trying to predict repeat customers might grab an entire table when they only need four data elements, and the organization may not have consents for that processing. Without visibility and governance mechanisms, adding value to the organization simultaneously introduces risk to it.
How do you build a privacy-first culture through recognition?
Culture starts from the top but sustains through recognition at every level:
- Foundation in values: Security and privacy must be embedded in mission statements, vision, values, and strategy. If they are not foundational, they will not trickle through the organization.
- Champions and advocates programs: Cross-functional groups (guilds, chapters) where engineers, product owners, finance analysts, and HR can collaborate on privacy and security questions.
- Dedicated communication channels: Teams or Slack channels where anyone can raise concerns like “I noticed this vendor is not using OAuth” or “I think I’m using too much data for this project.”
- Recognition programs: This is the differentiator most organizations miss. Recognize people for their privacy and security contributions through:
- Shout-outs to their managers
- Laptop stickers, lanyards, or pins
- Inclusion in performance evaluations and bonus criteria
- Public call-outs in team meetings
When recognition ties back to evaluations and compensation, people are genuinely motivated to participate in security and privacy programs rather than treating them as overhead. This approach to building cybersecurity teams and culture scales across organizations of any size.
