Episode 92

Published on: 17th Oct 2023

5 Secrets To Build A Privacy First Culture And Prevent Data Breaches

Are you worried about data breaches? We've got the episode for you.

In this episode, serial author and leading privacy professional Judith Ratcliffe gives you key steps to demonstrate your value and save your organisations millions in potential fines.

We discuss:

  • Proactive strategies to shield against data breaches.
  • Immediate steps to mitigate potential fines and punitive actions.
  • Expert tactics to solidify your indispensable role, presenting data protection as a strategic goldmine for cost-saving.

In this episode, you'll discover the magic of building a thriving workplace community, why personal branding will make your job easier, and how to unlock opportunities to amplify your influence through powerful networking techniques.

Judith is a leading privacy professional, and a serial author who has been championing individual rights and helping organisations and government departments to get privacy and data protection right for over a decade.

She's also worked in financial crime prevention and she was a hospital radio broadcaster for seven years. So I'm sure you'll share some tips on how to get this podcast even better. Her first privacy and data protection book, Privacy and Data Protection in Your Pocket, Personal Data Breaches is out now.

And earlier this year, the Law Society of Scotland journal published her opinion piece on why we need the UK government to commit to providing services through offline channels.

If you're ready to transform your career and become the go-to GDPR expert, get your copy of 'The Easy Peasy Guide to GDPR' here: https://www.bestgdprbook.com/

Follow Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/

Follow Judith on LinkedIn: https://www.linkedin.com/in/judith-r-6659452b/


Transcript
Judith:

The Competition and Markets Authority in the UK has teeth and likes to use them. Stop making up excuses to keep personal data that you don't genuinely need. I've seen really daft excuses. Destroy data within reasonable time periods. There's going to be a lot more action taken on the consumer protection front because of infringements of privacy rights.

Intro:

Are you ready to know what you don't know about Privacy Pros? Then you're in the right place. Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts. The podcast to launch, progress and excel your career as a Privacy Pro. Hear about the latest news and developments in the world of Privacy. Discover fascinating insights from leading global privacy professionals. And hear real stories and top tips from the people who've been where you want to get to. We've trained people in over 137 countries and counting. So, whether you're thinking about starting a career in data privacy, or you're an experienced professional, this is the podcast for you.

Jamal:

Welcome to another episode of the Privacy Pros podcast. And we've got a very exciting episode today. I'm your host, Jamal Ahmed, Author of the international best selling, The Easy Peasy Guide to the GDPR. And today our guest is Judith Ratcliffe. She is a leading privacy professional, and a serial author who has been championing individual rights and helping organizations and government departments to get privacy and data protection right for over a decade. She's also worked in financial crime prevention and she was a hospital radio broadcaster for seven years. Her first privacy and data protection book, Privacy and Data Protection in Your Pocket, Personal Data Breaches is out now. And earlier this year, the Law Society of Scotland journal published her opinion piece on why we need the UK government to commit to providing services through offline channels.

Jamal:

So Judith, with the increasing prevalence of data breaches and cyber attacks, what advice would you give to privacy pros and businesses to enhance their cyber security and data protection efforts?

Judith:

That is such a great question. I think my take is that they aren't actually increasingly prevalent from my perspective. They're just hitting the headlines more and reporters are getting increasingly interested. So we're hearing about them more. My top tip number one is stop collecting data that you don't genuinely need. I know I say this a lot, but it's quite an important one. And also destroy data within reasonable time periods. Stop the excuses for ongoing retention after those time periods end and stop making up excuses to keep personal data that you don't genuinely need. And when right to erasure requests come in, 99.9 percent of the time you should arguably just be destroying that data, but I've seen really daft excuses. One organization, and I posted on LinkedIn about this, actually told me that they were going to potentially give my information out to journalists as part of freedom of information request responses.

Judith:

I was like, you can't do that. That's blatantly unlawful. And there are actually provisions in the Freedom of Information Act that say, if you're going to do somebody else some damage, you don't provide the information. And there's a clause in there that says, you can say, we can neither confirm nor deny that we've got this information if it's going to cause someone else some harm. And that's in the Freedom of Information Act itself. There are some really badly flimsy excuses out there. Another really flimsy one people always like is that, ooh, you might at some point in the future sue us. So we've got the exercise or defence of legal claims excuse. And again, I'm just like, no. If it's not I have said I am going to sue you, or if you aren't about to sue me because you think I've done something bad, then really, you have no reasonable excuse for keeping that data. Obviously, you've got to look at all the facts in front of you, so this is not, in any way, shape or form, advice, and I wouldn't dream of providing advice unless I had all the facts of the case in front of me, but point of principle: look at it, is it within the reasonable contemplation of your organization? And if it isn't, arguably you shouldn't be keeping it for the legal exercise of claims or defensive claims excuse.

Judith:

If you do use my top tip number one, which is stop collecting data you don't genuinely need and also destroy data when you arguably should, then you'll have far less that can be breached in the first instance and will also, again, arguably save yourself expensive storage costs because it's getting more and more expensive. It's rent-a-cloud sometimes, or so it seems to me at the moment, in terms of they start off with one price and then it's okay, well the more data you want to store with us, the more you have to pay. So top tip number two, also very important, look to your internal personal data breaches. So these are far more than just the cyber ones. Stop your teams from doing things like taking the data and using it for whatever they feel like because they think they can. Check for consent for purposes that people wouldn't ordinarily expect and that's your employees not expecting it but also your customers and your patients not expecting it as well and always avoid the clanger which is oh we put it in the privacy notice so people expect it. Yes? No, that's not what reasonably expected means. Certainly not in my understanding. So let me give an example because I know it's a bit up in the air if you don't have concrete examples, but reasonable expectations. So when I open a bank account, my reasonable expectations are for my money to be kept by the bank so I can make savings, so I can store it up for however long and then maybe spend it on something or maybe pay my mortgage off or whatever it happens to be. But I want to pay things in, I want to pay things out, and I also expect that anti money laundering checks will happen on me, on the data that I provide.

Judith:

We know that happens and we accept that it happens because that protects us and it protects the bank. Fine, no problems with that. But things that I would not consider reasonable expectations, even if you've stuck them in your privacy notice to try to justify them, is you selling or renting my personal data to anybody else at all, you sharing my personal data for other organization's business purposes, with perhaps a minor exception in terms of the tax authorities, because they actually have a legal, reasonable excuse for doing it. But in terms of, let's say your processor wants to sell or rent my data to somebody else, I'm not okay with that. I wouldn't reasonably expect it. And I wouldn't reasonably expect your processor either to say, Oh, we've got this machine learning model. We want to run your data or Judith's data through it so that we can teach it what Judith does with her bank transactions, to check and see if other people's transactions are also valid. I wouldn't reasonably expect you to do that with my data, even if you're a bank. I wouldn't expect you to let other people do that with my data either. A real clanger is the credit reference agencies at the moment and data brokers. There are often clauses that I've seen in privacy notices that say, oh you now have to go to the credit reference agency's website or their privacy notices to see what they will be using your data for. And PS, you agree to this because you have to allow us to do a credit reference check on you and therefore, you have to allow the credit reference agency to access the data because they're the ones that we use to do this check, but therefore you're also signing up to whatever they want to use your data for.

Judith:

No, I am not. And you shouldn't be putting that in your privacy notice. And I'm definitely not consenting to that. Again, I don't expect credit reference agencies or data brokers to sell or rent my data to other people. If you've got my data for a credit reference check, all I'm expecting you to do is the credit reference check, hand my data back to the bank or to the counter terrorist agency or whoever it happens to be, and then I want you to destroy my data. I don't want you keeping it, and I certainly don't want you passing it on to anybody else. So that's the kind of where the reasonable expectations come in. So that's a couple of simple examples that hopefully make a bit of sense. But check out my book on personal data breaches out now it's called Privacy and Data Protection in Your Pocket, personal data breaches. There are lots of hints and tips in there about what personal data breaches look like, even the lesser spotted ones. There's also a handy guide to how to handle and mitigate some personal data breaches.

Judith:

Understand they are far more than just events and incidents and failing to follow your cyber security policies. And you need proper personal data breaches management and mitigation and avoidance in place. Not just incident management. And if a personal data breach has become an incident, from my perspective, it's already gone far too far. But yeah, check out my book, it's available from Waterstones, Wileys, and all good bookshops, but also you can walk into a store and independent bookshops and WHSmiths and all those. So yeah, does that help?

Jamal:

That was great tips. And what I'm reading through what you're saying there is essentially just do what you're supposed to do anyway, data minimization, that's one of the principles that we're meant to apply. So just make sure you're only collecting the data that you need. If you don't collect extra data, then you have no chances of breaching it. You can't breach what you don't have. And also storage limitation. If you're collecting data for the purpose, once that purpose is fulfilled, then you no longer need to hold on to it. Okay, there might be a vague chance that somebody somewhere might actually come back and sue you after 10 years, but that's not a reasonable expectation. And this is one of the challenges that I have when I'm working with clients a lot of time because somebody like legal counsel come and say, well under the statute of limitations, then they have about 10 years.

Jamal:

So we're going to keep it for 11 years just in case they come back. So I say, okay, how many customers? Let's say it's an employee situation. That's an HR situation. They're keeping this for 11 years after they leave us. That's okay. How many staff do you lose every year? What's your churn? And they'll be like, oh, okay, maybe let's say 200. Okay. Let's say out of the 200, over the last 10 years, how many of those have made a claim? Maybe we've had about seven claims. Okay. So you're saying out of a thousand people over the last five years at a big organization, only seven of them have made a claim. And out of those seven, how many of them made a claim after five years? Oh, none of them. How many of them made a claim after three years? Oh, none of them. So why are you keeping all of this extra data on thousands of people for anything beyond three years when there's no evidence and nothing to suggest you need it? Because if there is a breach and you have to pay per cost of these records, how much is that going to cost and how much is it actually costing you to store this stuff to begin with?

Jamal:

It doesn't make any sense. The price of that, why don't you actually go and get insurance policy to protect you against that? If in the unlikely event, someone does come that you've transferred that risk away. Doesn't that make more sense? Ah, yeah. I never thought about it like that. So it's just using common sense, Judith. And I like your no-nonsense, common-sense pragmatic approach. And for anyone who's listening, make sure you go and grab a copy of Judith's book. You can go and get it online from Waterstones or Wiley's or wherever you like getting your books, or you can get it online. Or you can go into the store and get it as well. Next thing I want to ask you, is looking to the future, what trends or developments do you predict or foresee in privacy and how can we get prepared to stay ahead of the curve?

Judith:

Again, there's so many great questions. And the thing is I like having a crystal ball. Do you remember Mystic Meg that used to be on the national lottery? I get to play Mystic Meg for the day, so I foresee three things. I foresee more than three things but three things came to the top of my mind when I thought about this question and so regulators seem to be starting to sit up and realize that competition and consumer protection laws are often broken when privacy and data protection laws are broken as well.

Judith:

So I think there's going to be a lot more action taken on the consumer protection front because of infringements of privacy rights. So not just the data protection ones, but those wider rights as well, like the informed choices thing. Businesses would do well to take note of this and to avoid a double whammy on infringements and also possible fines and other action. If you respect privacy first and foremost, and you can therefore also avoid the potential pitfalls in the competition and consumer protection arena as well. And also be aware the Competition and Markets Authority in the UK has teeth and likes to use them. So take note. The second thing is, and I know I go on about this a little bit, so you'll have to forgive me for that, but I foresee all privacy professionals understanding what privacy is wider than data protection alone. Because it's important and it matters, and because individuals also understanding their rights and asking for them to be respected and upheld wherever they are, and a change to the European Convention on Human Rights and the Human Rights Act 1998 to properly reflect that all organizations, commercial ones, charities as well, are on the hook for respecting people's rights, including before they're harmed, as much as governments are. I think that is very much on the cards as people become more and more aware of the rights they have. And I also think that more action before people are harmed is long overdue to be taken, and I think it's going to start to be demanded. And I think the law will move to reflect that as well.

Jamal:

Very interesting predictions.

Judith:

Again, individuals staying ahead of the curve get to know a bit about the technology. There's a very good report about algorithmic harms, and it's how algorithmic harms can affect you as a consumer. And it's by the Competition and Markets Authority. It was from January 2021. It's a very good report and it's written in the speech that you and I use to talk to each other. It's not written in legal speak. Read Jamal's book. Read GDPR Made Easy Peasy. Read my book on personal data breaches, they are also not written in legal speak. Read as much as you can around the subject and get to know stuff is probably the best way as an individual that you can protect yourself and then start taking action. Polite and respectful action, obviously.

Jamal:

Yes, always polite, respectful action. We want to win situations. We don't do any favors by belittling someone. Now, Judith, you've got to have a very accomplished career thus far. And I'm always in awe of what you're doing next. What are some tips that you can give to the person who's listening right now and how they can really enhance their career?

Judith:

I think I'll echo something that you always say to people, Jamal, which is you don't need to be a lawyer to be a privacy professional. But one thing you do need to do, whether you're a lawyer or not, I have studied law, granted, but I'm not a lawyer. But you do need to be able to understand the law, including the case law, and you need to be prepared to go out and read the law and read the case law, and to be able to tell people what it means. So you need to be able to understand the law properly because the regulators sometimes get it wrong when they give out their guidance. And also always remember that while it is very helpful 99.9 percent of the time, guidance is not the law and doesn't replace the law. So if you just rely on the guidance, you might actually cause yourself and your organization a serious problem later down the line when some bright spark pops up with yeah, but that's not what the law says and that's not how it should be interpreted. And somebody else goes, actually, yeah, they're right. So don't leave yourself open to that. Always get to know the law yourself. Have the guidance as a backup. Always bear in mind what the regulators are looking at and what their key focuses are, particularly because you can then say to people like I've often said hey, cookies are low hanging fruit.

Judith:

Let's sort those out as a priority. But also you want to get to know the wider law. I've harped on and on about wider privacy laws, get to know that because you'll see the wider harms, it will open your eyes to things that are otherwise missing, it'll open your eyes to why people are so annoyed or upset when you say, no, I'm not destroying that data. Have a wider look at things like the Josephine Hamilton and others post office case. I noted a lot of privacy aspects within that case. Have a look at that case yourselves. Have a look at the article I've written on it. See what you think. Start putting that critical thinking hat on. Because critical thinking, and again this is something that I know you've picked up on Jamal, critical thinking is so crucial for privacy and data protection work. You've got to be prepared to look at a system, a process, a policy, anything else, and say there's something wrong with that.

Judith:

We need to change it and we need to change it now, and this is why. If you're struggling with critical thinking, a very easy thing to do, if you have access, you should be able to have access to it either on BBC iPlayer, but there may also be some clips on YouTube. Have a look at a series called Judge John Deed. Have a look at the main character, the title character in that series. What he says when he is in that courtroom and how he dissects the cases and looks at them and makes his judgments. And that's what you need to do as a privacy professional in my view, because you need to make those value judgments and you need to be prepared to call it if it's wrong, support it if it's right, and also be able to explain why in wider terms. That's why I also say don't just look at privacy law, look at medical law, look at the Montgomery v Lanarkshire Health Board case. That's very important in relation to informed consent and bodily autonomy. Look at things like the competition and consumer protection aspects, dark patterns. Look at the Federal Trade Commission workshop. I'm sure it's still up there on dark patterns. That's very informative, very useful.

Judith:

And complaints resolution is my number three, and that means you say yes to the complainant 99.9 percent of the time. I know that might sound a little bit contrary to what you are taught, but it's about stopping the constant we can deny your right to erasure request and starting to say yeah, we accept, we shouldn't have taken the data, or we shouldn't have used it, so we're going to destroy it instead of finding any reason to keep it. Putting things right does not mean you are accepting liability or that your company is accepting liability. It doesn't mean that at all. It means you're putting things right. It means something has gone wrong. It doesn't matter if you messed up or the complainant misread the terms and conditions, we don't care what's gone on before. We're putting things right now. And if you're putting things right now, it also actually means that you don't have to worry about that much feared litigation, that much feared legal complaint that may come off the back of this later on. Because if you put things right, or do your utmost to put things right, and you can prove that, and it gets as far as a court of law, in the worst case scenario, you say to the court, yeah, we messed up. We accept we messed up, or you the court are now telling us we messed up, but look how we bent over backwards to put things right, and look how we were reasonable, and we said, yeah, we're gonna do this, and this. We've destroyed the data, we've corrected the data, we've told our processors to get rid of it. This is what we did and we put it all right. And at that point, you have effectively, as far as I'm concerned, mitigated what may then come out of any court proceedings.

Judith:

And you can nip those in the bud. What you've got to understand is, most people don't have the money to take you to court. They don't. They don't have the money. They don't want to stress themselves out for years on end because it can take years to get stuff resolved in a court of law, even if it's something only basic. You've also got the fact that reputationally people can't afford to take organizations to court and that also applies to employees. Most of the time, even if they've left on a bad footing with you, your employee just wants to stop, restart and move on in their next job and they can't afford to have a sword hanging over them going, Oh yeah, but all this is potentially going to come out in public, whether they believe they're right or wrong. They're not going to necessarily want to have that discussion in a public place because they can still be viewed badly, even if they've done the right thing. That's why whistleblowers are always stuck between a rock and a hard place when it comes down to it. So those things are all reasons why handle the complaints better and you will save yourself so much, so many problems. And if you want a soundbite from that, take away this, it's the human skills and our humanity that are of paramount importance to maintain and practice, especially in an evolving digital landscape.

Jamal:

Powerful. I love that. Some amazing tips there, Judith. Thank you very much. I have one final question for you. The question is... What is one challenge that you kept coming across earlier in your career? And how did you finally overcome it?

Judith:

That's an interesting question as well. So we'll return to the beginning and it wraps it up a little bit by coming full circle. So I told you about my legal research project. A few years later, I did some financial crime prevention work. Yes, I've done that too. And during that time I found a way to stop over requesting data that we already had for know your customer checks. So what I did was I had a look and I found in our systems, there were particular systems we had, and we had exactly the same data that we were then going back to our customers again for, and we didn't need to, because we already had it in the systems, they were systems that we were legally allowed to use and it was expected we'd use it, but nobody knew they were there. I was working the night shift at the time, so the day shift knew about these systems, were happily using them and clearing off cases. My team didn't have a clue. And we were making life harder for ourselves and potentially annoying people by sending out letters that didn't need to be sent out. So that was one thing.

But also, I worked out that we had a lot of non customers on the system, and what I mean by non customers is, so you know how you have application forms sometimes, and people fill them in, but they only partly fill them in, because at the last minute or halfway through, they actually think, actually, no, I can get this service better somewhere else, or cheaper somewhere else, or actually, I don't have time to sort this out today, so I need to come back and do it at some other point in time, but they leave you with the partly filled in application form, which is also why, as an individual, I say, take it home with you, don't leave it there, but when people do leave it with you, and it's not filled in properly, you need to be destroying it and shredding it, not putting it into the computer, or if it's on a website, you need to have a way if somebody leaves the website partly through filling a form in, the form disintegrates, it doesn't keep the data.

Judith:

So we had all this data that should never have been in our systems in the first place, because they weren't for our customers. They were for nobody who was doing business with us. And so under the Data Protection Act 1998, as was, because the GDPR hadn't yet come in, we were doing things wrong under that. And of course my team had a headache because they were trying to find matches to people who weren't there. They were in an impossible situation. And when you've got efficiency and quality targets, it hurts. When you get case after case of but I can't even find this person on our system, how on earth am I supposed to check them against, whatever it is we check them against, but that's also where I learned, and this is something that I'm sharing with you because it's an important lesson learned.

Judith:

It's where this is how you can show organizations that you, as the privacy professional, as the data protection officer, as the data protection team member, add value. Because, if you get protecting privacy, including data protection, included in every system, every policy, every process, and if you're pointing those things out and saying, that doesn't look right, let's use that system instead of sending out another know your customer checks because we've already got this data. Unless of course somebody's changed address and all that kind of stuff. As Jamal said, you should use common sense. But it's also about, if you've got people on your system who shouldn't be there, get rid of the data. But if you do that every single time, you can stop complaints before they even start.

Judith:

You can save teams all the time, the costs and loss of morale that happens when they're handling those complaints. And you can also stop your teams having a headache and help them keep the resources, the time, and also the company money that's being used on handling things for your actual customers. So keeping the efficiency, the time, the resources, and the quality for the things that you're expected to use them for, which also saves money and saves profits by not spending the money in the first instance. So that's how privacy and data protection can actually help you turn a profit by making all those savings on the basics.

Jamal:

Wow. That's some valuable gems there. So essentially what I'm taking away from that is look at the bigger picture. Be aware of everything that's going on. Get curious and be inquisitive. Is there a better way of doing this? Why do we have this? Can this information already be residing somewhere? Or do we have to go out and recollect it? And then just take those findings and follow up with them and see if we can improve efficiencies. Because if we can, then that means that the resources the business is spending can actually be better spent on serving better. Rather than wasted stuff on resources or on knowledge or on information that you already have and then everyone can actually get along and feel better about the work they're doing rather than going around like headless chickens trying to do stuff that doesn't make sense. Trying to check customers that aren't actually customers.

Judith:

Yeah, exactly. So exactly. And it's the same with all of these expensive AI and algorithm things, and people like to jump on bandwagons. And the problem with all of those things, and even with the cloud, to a certain extent, you're just letting data and personal data breaches and complaints pile up, when you didn't need to let them in the door. Because what you were doing originally was or should have been absolutely fine. So there's an element of the, should we do this as well and challenging the new stuff coming in and being that skeptic. Obviously, you're not going to say no to absolutely everything and you're going to give your reasons why as part of your advice and you're always going to leave it up to the business to decide because you don't make decisions for them.

Judith:

And you always step back from that and say okay this is my advice. Ultimately, it's up to you, but bear in mind that if you do this, this might happen and that might happen. So it's all about things like that. And being aware also that outsourced providers can bring in a lot more risks than they take away from you. Because you don't get to pass the risk to them and that also is something that a lot of people initially forgot because they thought aha I can outsource all of this risk to you and you have to deal with that and we don't and I think people got a rather nasty surprise at the end of the day when they discovered that actually it's not necessarily the case, and little hands come out for more and more money sometimes for compliance costs that are already paid for under the contract because you're actually paying those outsourced providers for a compliance service. So don't forget that either. If you're paying for a compliance service, don't pay them more for costs on top for extra compliance stuff.

Jamal:

Great advice. Great tips. It's been an absolutely valuable value packed episode. There's so many key takeaways and I would love everyone that's listening to share their takeaways. Thank Judith, let her know. Let me know what was your favourite point that stood out and what your key takeaways are from this. And how you actually go and implement some of the key actionable steps that Judith has been highlighting throughout this episode. Now Judith before we finish up, we always let the guest ask me a question. And so I’m going to extend that courtesy to you as well. What would you like to ask me?

Judith:

I'm so glad that you've let me ask this question because I've been thinking about this for a little while. So Jamal, I think we need three things from you. We need your top three tips for privacy pros and how they can really make a difference in their organizations every day when they're working with privacy data protection. And how they can make a difference to their customers, but also to as the organization, but also to individuals as well.

Jamal:

Wow. Top three for how they can make a difference. So the first top tip I have is build a community around you, right? Build a supportive community, build a powerful community around you, because sometimes privacy professionals can find themselves a little bit isolated. Other times they become part of a wider team and everyone just knows that you're that person that sits in the corner and they don't really understand what you do. But the moment you start building community, you start engaging other people and talking to them about what they're doing, paying interest, then you can understand what they're doing and then explain how privacy interacts or intersects with what they're doing. Find out what their goals are and see how you can support those goals through your privacy work.

Jamal:

That's the most important thing I would say, is we need that community, because without that community you won't have a clue what's going on. You're always going to be trying to catch up with yourself, and you'll always be left out of the bigger picture, and then you'll end up trying to do firefighting. And what we want to do instead is to have people come to you, know that they can come and ask you questions. If they're concerned about something, if they double check something, they know where to go. And the more conversation you start having and the more you start talking about privacy, whether it's through formal or informal channels, the more the culture is going to change. And that's exactly what we want to affect, is we want that cultural change. We want people to start thinking, oh, should I even be collecting this data? Oh, should I shred this or should I just leave it on my desk? And if we can just get people to start thinking the right way, then everything else becomes much easier because now they are open to your messaging. They actually want to hear from you. They want to share things with you. And that's a much more effective and an efficient and more rewarding environment to work from than it is just to be there by yourself, get your stuff done, tick the box, go home, come back, do the same thing every day, and then try and get people to complete their training, or try and deliver trainings, and you see the eyes gloss over.

Jamal:

So that's the first thing I would say is build a powerful community, and that's going to happen by having formal and informal conversations whenever you get the opportunity. One of the first things I do whenever I take on a project for a client is I will make sure that the first four weeks I have lunch with somebody different. I know sometimes it's a little bit more difficult in this remote work environment that we have, but there's nothing stopping you from getting the organizational chart, figuring out who the heads of department are, who the key stakeholders are and having that in your mind. So then you can get to know the people you're working with, find out what they're interested in, find out what their hobbies are, find out what they do outside of work and build those personal relationships.

Jamal:

Because at the end of the day, nobody's going to remember what you said to them, but they will always remember how you made them feel. And if you can make them feel good about what they're doing, if you can make them feel understood, and if you can make them feel confident that they can come to you, then they're never going to forget that. And they're always going to be very open with you, making your work much easier, and also making it easier for you to achieve what you're trying to achieve, which is to uphold that trust that customers, clients, patients, shareholders, whoever it is, give to you when they give your organization the personal information. So that's my number one tip: always surround yourself in a powerful community. Number two is treat people's information the way you would want your information to be treated. That's what we want to foster in the people around us. Forget what the law says. Forget what the principles are.

Jamal:

Let's start off with the basics and just say, hey, am I handling this the way I would expect someone else to handle my information? If the answer is no, then think about what it is that you need to do to bring you up to that standard where you'd be happy with it. If the answer is yes, great. Now think, how can I even enhance this to go above and beyond? And my third tip is you need to be constantly branding yourself internally and externally. So one of the things that I realized is when I go and work with clients, sometimes they will already know who I am because of the personal brand I've created on social media platforms like LinkedIn. So it makes my job easier because they already have a level of respect for me, they already have a level of knowledge for me, and they look forward to having those interactions with me. Whereas when I go somewhere and no one's ever heard of me, first I have to break the ice. Then I have to get them to know who I am. Then I have to show them, yes, even though I'm not a lawyer, I am a credit board. But you don't know nothing about our organization. Just a consultant who's walked through the door. You just started the other day. What do you know? You have to overcome those things. But if you have a strong personal brand, both outside and inside the organization, then that really helps.

Jamal:

So building a brand outside the organization, that's where things like podcasts, LinkedIn, conferences, webinars. Volunteer for these opportunities, and I know it's very scary to be speaking in public to begin with, but guess what? You get better and better as time goes. It's one of those things where you need to practice, and there's all of these coaching and skills and mentors available. So I have lots of different mentors for lots of different things and I recommend everyone find an area that you want to upskill in. And if you really want to enhance your career and you want to climb that ladder, then the soft skills will matter more than the technical skills, the higher up the ladder you climb. So start investing in developing those skills now rather than later, because otherwise you'll find yourself in a position where you're always getting passed for promotion and you have no idea why. And the biggest reason people at the top get passed over promotion is because lack of personal branding. No one in the business knows who you are. And secondly, you don't have the soft skills that we need at the leadership tables. So that's the key thing. I would say if you're looking to really climb up that ladder, invest in your soft skills. Make sure you have a visibility of your branding both internally and externally.

Jamal:

So internally, how do we build our brand? Most companies will have something like an intranet or a newsletter that really goes out or some kind of opportunity to have informal gatherings. Start hosting lunch and learns. Start going around and talking to people. Start doing, contributing, and start seeing where else you can get involved and add value. You don't have to have a privacy focus. Lots of companies have all of these extracurricular activities. They're good opportunities to go and create bonds with people and then say, oh, by the way, I'm in the privacy department or legal department, wherever you are, and explain what you do and then find out what they do and show them how you can help them. Which loops back to what I started talking about at the beginning, is building that community of people around you so they can really understand what you're doing. You can understand what they're doing. Together, you can achieve the organizational goals. You can explain the privacy program's mission and vision, and together you can delight the customers and the people that you're there to serve.

Judith:

Such great tips, Jamal. Thank you so much. And I'm sure that anybody and everybody listening will be thinking, fantastic tips, and they will be able to use those. And it's really interesting what you said about lunch and learns because I've done a few of those myself and you're right, it gets you out there wider and it can get you across, particularly when you are working in businesses that are really very big and where you won't see everybody every day because people will be working, perhaps even internationally, across the business. You can really reach people from lunch and learns and then spread your message that bit wider, and they will take things back to their team and then come back to you to discuss even more. I want to thank you so much, Jamal, for inviting me on because it's such a pleasure to be here to actually properly be meeting you. And also, to be here, it's such an honour and a privilege. So thank you so much for that.

Jamal:

Thank you, Judith. It's my privilege to be able to host you, and thank you so much for coming and sharing all of these valuable tips with our listeners. Until next time, peace be with you.

Outro:

If you enjoyed this episode, be sure to subscribe, like and share so you're notified when a new episode is released. Remember to join the Privacy Pros Academy Facebook group where we answer your questions. Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world class Privacy Pro. Please leave us a four or five star review. And if you'd like to appear on a future episode of our podcast, or have a suggestion for a topic you'd like to hear more about, please send an email to team@kazient.co.uk. Until next time, peace be with you.

About the Podcast

Privacy Pros Podcast
Discover the Secrets from the World's Leading Privacy Professionals for a Successful Career in Data Protection
Data privacy is a hot sector in the world of business. But it can be hard to break in and have a career that thrives.

That’s where our podcast comes in! We interview leading Privacy Pros and share the secrets to success each fortnight.

We'll help guide you through the complex world of Data Privacy so that you can focus on achieving your career goals instead of worrying about compliance issues.
It's never been easier or more helpful than this! You don't have to go at it alone anymore!

It’s easy to waste a lot of time and energy learning about Data Privacy on your own, especially if you find it complex and confusing.

Founder and Co-host Jamal Ahmed, dubbed “The King of GDPR” by the BBC, interviews leading Privacy Pros and discusses topics businesses are struggling with each week and pulls back the curtain on the world of Data Privacy.

Deep dive with the world's brightest and most thought-provoking data privacy thought leaders to inspire and empower you to unleash your best to thrive as a Data Privacy Professional.

If you're ambitious, driven & highly motivated, and thinking about a career in Data Privacy, a rising Privacy Pro or an Experienced Privacy Leader this is the podcast for you.

Subscribe today so you never miss an episode or important update from your favourite Privacy Pro.

And if you ever want to learn more about how to secure a career in data privacy and then thrive, just tune into our show and we'll teach you everything there is to know!

Listen now and subscribe for free on iTunes, Spotify or Google Play Music!

Subscribe to the newsletter to get exclusive insights, secret expert tips & actionable resources for a thriving privacy career that we only share with email subscribers https://newsletter.privacypros.academy/sign-up

About your host

Jamal Ahmed FIP CIPP/E CIPM

Jamal Ahmed is CEO at Kazient Privacy Experts, whose mission is to safeguard the personal data of every woman, man and child on earth.

He is an established and comprehensively qualified Global Privacy professional, World-class Privacy trainer and published author. Jamal is a Certified Information Privacy Manager (CIPM), Certified Information Privacy Professional (CIPP/E) and Certified EU GDPR Practitioner.

He is revered as a Privacy thought leader and is the first British Muslim to be awarded the designation "Fellow of Information Privacy" by the International Association of Privacy Professionals (IAPP).