Robert Half execs: Our focus on data security and privacy creates competitive advantage
IN BRIEF
- With the ubiquitous nature of privacy laws and the introduction of AI and its direct impact on business operations, the CPO must be aware of all processes in the business.
- As the access to and use of AI have increased, we, as an enterprise, have embraced it, with the goal of increased efficiency and better solutions for our stakeholders.
- Creating a balance between the need for the free flow of data while protecting and acknowledging the individual’s right to privacy is difficult since the two notions are often at cross-purposes.
In this VISION by Protiviti interview, Joe Emerson, Protiviti Managing Director in the Security & Privacy practice, sits down with three Robert Half executives: Chris Hoffmann, Senior Vice President & Global Privacy Officer; Emebet Chesley, Vice President of Global Privacy; and Clint Maples, Chief Information Security Officer, to discuss the future of data security and privacy. Protiviti is a wholly owned subsidiary of Menlo Park, California-based Robert Half, the world’s largest talent solutions firm specializing in connecting highly skilled job seekers with companies.
Joe Emerson: Welcome, and thanks for doing this. There’s no question that privacy and data protection will continue to be major issues for the next few years. What are your biggest challenges? Where are you focusing your efforts?
Chris Hoffmann: There are difficulties, but we also see opportunities. As a global company with offices in more than 20 countries, we recognize that privacy and data protection are important considerations for creating a competitive advantage for us by building the trust of our stakeholders, including our employees, clients, and candidates. To that end, we put a lot of emphasis on both and face challenges that touch on both.
Emebet Chesley: From a privacy perspective, I think the answer is twofold: First, the ever-increasing array of privacy laws. It feels like each day there is a new privacy law adopted or modified. Each time this happens; we must analyze the law and its impact on our business and our processes. Second, the regulatory framework is not written with the goal of facilitating business and the transfer of data. This requires businesses to adopt business processes to meet the varying regulatory frameworks. These laws are not business-friendly, so modifying your processes can have a detrimental impact on your business.
Clint Maples: Well, from a security perspective, I think it is the evolution of the threat actor. Threat actors spend all day, every day trying to find a weakness or vulnerability in your environment. One mistake or one bad click can create material, expensive, time-consuming incidents that can have negative brand and financial consequences. Our employees are our first line of defense, and one mistake is all it takes to create a potential incident.
Emerson: The role of the chief privacy officer is in flux. How do you see the CPO role evolving? What do you see as your primary role within the organization? And do you anticipate any changes of responsibilities in the future?
Hoffmann: The CPO role seems to be evolving into more of a front-line role, akin to a chief trust officer role. The CPO used to function behind the scenes, with little direct impact on the business. Now, with the ubiquitous nature of privacy laws and their impact on the business, and the introduction of AI and its direct impact on business operations, the CPO must be aware of all processes within the business. Frankly, implementing the notion of privacy and security by design requires the privacy and security roles to be at the table for all conversations regarding new or modified processes for the collection, use or storage of data, especially personally identifiable information (PII).
As a global company with offices in more than 20 countries, we recognize that privacy and data protection are important considerations for creating a competitive advantage for us by building the trust of our stakeholders, including our employees, clients, and candidates.
Emerson: Thanks. Let’s talk about AI. We're already seeing AI—the development, use, etc. — have an impact on data and privacy. Do you have any major ethical concerns that are often overlooked or not considered closely enough?
Chesley: Robert Half has been using AI for quite some time already, and we have adopted processes designed to limit our use appropriately. As the access to and use of AI have increased, we, as an enterprise, have embraced it, with the goal of increased efficiency and better solutions for our stakeholders. We also recognize the possibility for intended or unintended misuse of AI. As a result, we have created an enterprise-wide AI Steering Committee made up of senior executives, whose purpose is to monitor evolving technologies and standards relating to artificial intelligence, and to develop and maintain an artificial intelligence governance program consistent with the enterprise’s AI policy.
Emerson: Barely a week goes by without hearing about a significant breach, often from repeat offenders. Are we becoming desensitized to these breaches? And if so, what do you foresee as the biggest danger or concern of that occurring? Are boards and the C-suite taking this seriously enough?
Maples: It's a real concern that we're becoming desensitized to breaches. We see the headlines, but the impact on individual companies—beyond a temporary stock dip or reputational hit—isn't always lasting. The biggest danger of this desensitization is complacency. If breaches become “business as usual,” investment in proactive privacy and security measures may stagnate.
Are boards and the C-suite taking it seriously enough? It's a mixed bag. Some are, especially in highly regulated industries or after experiencing a major incident. Many others are still treating privacy and security as a compliance checkbox rather than a strategic imperative. We are fortunate that our CEO and board have made it very clear that protecting the security, confidentiality, and integrity of the data we collect is paramount to our business and a prerequisite to our success.
The catalyst for change? Unfortunately, it might take something more than just breaches. Think sustained regulatory fines that significantly impact the bottom line, major class-action lawsuits with hefty payouts, or a truly catastrophic breach that causes irreversible damage. Consumer pressure, expressed through boycotts or demands for greater transparency, could also be a powerful driver.
It's a real concern that we're becoming desensitized to breaches. We see the headlines, but the impact on individual companies — beyond a temporary stock dip or reputational hit — isn't always lasting. The biggest danger of this desensitization is complacency.
Emerson: Looking at the international landscape of privacy regulations, they all follow a similar premise but have their own unique nuances. The General Data Protection Regulation (GDPR) often is portrayed as the beacon on the hill, though the enforcement actions from the European data protection authorities have been limited to date. Who do you think is getting it "the most right" in balancing regulation and enforcement and should the U.S. use them as the model to put comprehensive privacy regulation in place?
Chesley: I wouldn't say any one jurisdiction has it perfectly “right,” but some are doing interesting things. For example, GDPR’s emphasis on and creation of a fundamental right to privacy has created the foundation for other jurisdictions to implement similar legislation, selecting those laws that best fit their needs and concerns. Creating a balance between the need for the free flow of data while protecting and acknowledging the individual’s right to privacy is difficult since the two notions are often at cross-purposes.
The U.S. should absolutely look to these models, but it should not copy any one blindly. A successful U.S. framework needs to find a balance. It must be strong enough to protect consumer rights and drive real change, but also pragmatic enough to be workable for businesses of all sizes. Strong federal preemption, clear definitions, and reasonable enforcement mechanisms are key.
Emerson: Looking to the future—privacy's five-year plan—where do you think the U.S. will be on its journey in 2030?
Hoffmann: By 2030, I hope we will have a comprehensive federal privacy law in place in the U.S. I doubt it will be perfect, but I expect that. The patchwork of state laws with their different rules and requirements are becoming untenable, and the pressure from international partners—and the business community itself, seeking clarity—likely will force action.
Beyond legislation, I expect to see a few things: One is a greater focus on data minimization and purpose limitation. Laws will require the “collect everything” mentality to be replaced by a more thoughtful approach to data processing. Also, I see increased consumer awareness and agency. Individuals will have better tools and understanding to control their data, though whether they use them effectively is another question. Finally, I think there will be more AI-driven privacy tools, both for compliance and for individual control. Overall, a fragmented landscape will coalesce into a more uniform approach. At least that’s the hope.
Board directors and business leaders need to stay hyper-informed in a rapidly evolving landscape. There are many proposals on the table in terms of legislative initiatives, but no comprehensive federal regulation in the U.S. yet, let alone a global set of standards.
Emerson: Finally, let’s stay in 2030, by then I think we’ll be seeing significant impacts from new emerging technologies—namely, quantum, spatial and biometric computing—that could impact privacy in ways we have not even realized yet. How do you see those technologies impacting privacy?
Maples: Well, quantum, spatial and biometric computing present enormous privacy challenges. I’ll start with quantum: The most immediate threat is to encryption. Quantum computers could break many of the encryption algorithms we rely on today, rendering vast amounts of sensitive data vulnerable. We need to prioritize the development and deployment of post-quantum cryptography now.
As far as spatial computing, these technologies collect incredibly detailed data about our physical spaces, movements and even our emotional responses. The potential for surveillance and manipulation is significant. We need to establish clear rules about what data can be collected, how it can be used, and who has access to it. Consent mechanisms need to be completely rethought in this context.
When it comes to biometric computing, the widespread use of biometric data—fingerprints, facial recognition, voiceprints, etc. —creates a honeypot for attackers and raises serious concerns about bias, discrimination, and government overreach. We need strict limitations on the collection and use of biometric data, particularly by law enforcement, and strong protections against misuse.
The key with all these technologies is to get ahead of the curve. We can't wait until they're widely deployed, and the privacy risks are exposed or vulnerable. We need to be proactive in developing ethical guidelines, technical safeguards, and legal frameworks now to ensure that privacy is built in by design, not bolted on as an afterthought.
I see increased consumer awareness and agency. Individuals will have better tools and understanding to control their data, though whether they use them effectively is another question.
Emebet Chesley is vice president of global privacy at Robert Half. In her role, she leverages her strong legal background and expertise to strengthen Robert Half’s global information privacy initiatives, leading multiple teams throughout North America, South America and the Asia-Pacific region. Chesley has held multiple positions throughout her 18 years at Robert Half, most recently as senior director of the legal practice for client engagements at Protiviti, a Robert Half subsidiary.
Clint Maples is chief information security officer at Robert Half. In his role, Clint successfully identifies security risks while overseeing an information security program that protects data privacy, meets compliance requirements and ensures the protection of proprietary information. Additionally, he is President and Board Chairman of the Information Security Leadership Foundation, a community of information security executives focused on the education, mentorship and development of future security leaders.
Chris Hoffmann is a senior vice president and the global privacy officer at Robert Half. In this role, he supports Robert Half and Protiviti and is responsible for managing an international team of legal, business, privacy and security professionals, including overseeing multiple legal teams and the company’s global data privacy and IT security efforts and initiatives. Hoffmann has more than 30 years of experience, with a focus on compliance, policy, privacy, security, technology and complex commercial transactions.
Joe Emerson is a Managing Director and leader in Protiviti’s Data Protection and Privacy practice, where he works to strategize, develop and deliver complex privacy and compliance solutions for some of the world’s largest and most innovative companies. His career has included serving as an independent assessor pursuant to FTC Consent Orders, acting as a HIPAA Compliance Officer and Privacy Officer for major corporations and government agencies, managing privacy regulation readiness and performing compliance assessments.
