Dana Garbo has been in the privacy domain of healthcare for over twenty years. During that time, she’s seen organizations approach privacy compliance in a law-by-law manner, despite the constant evolution of technology and related digital risk, industry innovation, and implementation complexity.
At this stage in her career, Garbo no longer views that approach as sustainable or scalable for many organizations.
“It’s just not possible to promise anyone that a company can comply with every single emerging law perfectly from one day to the next, in the same way that an individual household can’t make all of their desired home renovations overnight,” she explains. “You don’t have infinite budget, infinite time, or infinite personnel. With the perfect storm of emerging privacy laws, rapidly evolving technology and related digital risk, and implementation timelines and other requirements that change, you have to find a way to standardize and harmonize your approach.”
Garbo got an opportunity to do just that at Medline Industries LP as the company’s chief privacy officer. There, she’s fortunate to be in a position to spearhead Medline’s adoption of the NIST Privacy Framework. Using this risk management tool—which is agnostic to any one law, technology, or region—makes it possible for any company to enable and embed privacy by design principles into its systems, products, and services through an authoritative yet flexible road map. This “privacy engineering” supports privacy risk management both within the organization and throughout its data processing ecosystem.
The framework reinforces privacy risk management by connecting business drivers, organizational roles and responsibilities, and privacy protection activities, according to NIST.gov.
But Garbo is doing more than just championing the NIST Privacy Framework at Medline. In her role, the chief privacy officer believes that she and her team have a duty to not only work to improve Medline’s internal privacy practices, but also “shape the future of the privacy domain” outside the company.
That’s why she and her team are active participants in the AdvaMed Data Stewardship & Privacy Working Group and the NIST Privacy Workforce Public Working Group (PWWG). The former is a working group of the AdvaMed Center for Digital Health that advocates for patient-centered data stewardship and privacy policies. In 2020, as a former cochair of that working group, Garbo shepherded AdvaMed’s first-ever US Health Data Privacy Principles through development and board approval. Garbo and her team are behind an AdvaMed working group effort to map HIPAA to the NIST Privacy Framework in 2023, in addition to the PWWG work with NIST.
The PWWG is part of NIST’s workforce advancement effort and goal to create the content of the NIST Privacy Workforce Taxonomy through development of Task, Knowledge, and Skill (TKS) Statements aligned with the NIST Privacy Framework and the National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity. The PWWG is a forum for participants from the general public—including private industry, the public sector, academia, and civil society—to work together as volunteers in a consensus-driven public process.
All of this is harmonious with Garbo’s belief in the concept of privacy by design, a concept that informs her work at Medline and her interactions with privacy working groups. Privacy by design stems from Ann Cavoukian’s seven foundational principles back in the 1990s.
“She basically said you don’t think of considering the privacy elements of a commercial transaction or a processing activity at the end,” she explains. “You inject privacy considerations into everything you do early and at every stage or gate, rather than at the eleventh hour while you’re trying to get a finished product or service commercialized and in the hands of customers. It’s about getting everybody to think about privacy rights and privacy promises at every step of the development of products or services or technology platforms that are used by organizations.”
Garbo’s advocacy for privacy by design and privacy engineering aligns with the views of the organizations with which she partners. “Embedding privacy by design into your business not only safeguards personal data and minimizes risk but also nurtures trust and unlocks value,” says Kabir Barday, founder and CEO of OneTrust. “This is what OneTrust aims to enable through our platform. Bringing this philosophy to her role as CPO at Medline, Dana shows that running a privacy-first organization means more than compliance. It’s about positioning the business to thrive and be resilient, transforming the technological, ethical, legal, and societal challenges companies are facing into opportunities to build trust.”
Garbo was selected by NIST cochairs to colead the project team creating TKS Statements for the Risk Management Strategy category, under the Govern Function of the NIST Privacy Framework.
“The need to manage risk is a reality. If we want to shut down all potential risk in our commercial operations, then we’d just be out of business. That wouldn’t be the right outcome for us or our customers and patients,” she says. “Operating in a business environment means there is always a need for nuanced decision-making based on risk management principles, which is why risk-based frameworks exist and why I’m eager to adopt the NIST Privacy Framework.”
Garbo says the tool will not only assist Medline in maturing its privacy program through a pragmatic enterprise risk management methodology, but also help develop a workforce that’s capable of managing privacy risk.