Jose: 00:00

The certifications are very good to establish yourself in the privacy community, but the certifications plus the knowledge of how to apply all that you learn. That's where I think it's the game changer for privacy professionals.

Intro: 00:16

Are you ready to know what you don't know about privacy pros? Then you're in the right place.

Intro: 00:21

Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts, the podcast to launch progress and excel your career as a privacy pro.

Intro: 00:32

Hear about the latest news and developments in the world of privacy.

Intro: 00:37

Discover fascinating insights from leading global privacy.

Intro: 00:40

Professionals and hear real stories and top tips from the people who've been where you want to get to.

Intro: 00:47

We're an official IAPP training partner.

Intro: 00:51

We've trained people in over 137 countries and counting.

Intro: 00:56

So whether you're thinking about starting a career in data privacy or you are an experienced professional, this is the podcast for you.

Jamilla: 01:10

Hey, everyone, and welcome to the Kazient Privacy Pros Academy podcast. My name is Jamilla, and I'm a data privacy analyst at Kazient Privacy experts. I'm primarily responsible for conducting research on current and upcoming legislation as well as any key developments. With me today as my co-host is Kazient’s CEO, Jamal Ahmed. Jamal Ahmed is a Fellow of Information Privacy and CEO at Kazient Experts. He is a leading global privacy professional, world class trainer, and lead mentor at the Privacy Pros Academy. Welcome, Jamal.

Jamal: 01:41

Hi, Jamilla, how are you today?

Jamilla: 01:42

I'm good, thank you. How are you?

Jamal: 01:44

I'm fantastic. I'm looking really forward to speaking to Jose.

Jamilla: 01:49

Yes. Our guest today is Jose Belo. Jose is a legal professional and data protection officer specializing in data protection and privacy. Jose is currently head of data privacy at Valuer.ai, and he has worked in privacy and data protection in various countries, including the UK, Luxembourg, and Portugal, specializing in compliance and data protection officer roles in the financial and technology sectors. Jose is a former Cochair of the IAPP Lisboa (Portugal) and Luxembourg chapter, and we're delighted to have you here today, Jose. Thank you for joining us.

Jose: 02:23

Thank you for the invitation. Pleasure to be speaking with both of you.

Jamilla: 02:27

Thank you.

Jamal: 02:27

Wow, that is a lot of credibility and authority there. Jose, it's such an honour to have you. Thank you for making the time to speak with us.

Jose: 02:35

Thank you, Jamal for the invitation. Really looking forward to our talk. We've known each other for a while, so it's going to be a pleasure talking to you.

Jamal: 02:41

Yeah, it's always a pleasure talking to you, Jose.

Jamilla: 02:44

So with our podcast, as everyone knows, we start off with an icebreaker question. And Jose, I know you've got an interest in AI, so to come up with this question, I actually asked my Amazon Alexa for an ice breaker question, and this is what she came up with. She said the best ice breaker question is, what is your favourite emoji.

Jose: 03:08

Alexa, you put me on the spot. I don't actually like emojis.

Jamal: 03:13

Why don't you like emojis, Jose?

Jose: 03:15

I don't know. I never use them to be completely honest. I don't know why. Maybe I'm too old. I don't know. It just didn't happen. Smiley face, I think the two dots and the parentheses is the most I'll go. So Alexa. Sorry, I'm not a millennial. It's a good icebreaker question. It really sets the tone as to how old I am.

Jamal: 03:38

All right, fair enough. So what I'm going to do when I interact with you in the community, Jose, I'm going to start using loads of emojis now.

Jose: 03:46

Please do.

Jamilla: 03:47

My favourite one is the eye rolling emoji. I feel like I've been using that a lot this year.

Jose: 03:54

After that question, that's the one I would use for Alexa.

Jamilla: 03:58

Luckily, I've got the microphone button switched off on her. Otherwise she'd be listening in, but she's not on at the moment. Yeah, there we go. I learned that from you, Jamal. I didn't know that she could do that. She could be turned off. But there we go. So our first question for you, Jose, is what sparked your interest in data privacy?

Jose: 04:18

oin back then, talking around: 2000

Jamal: 06:00

Great. When you first came across the GDPR, what was your initial thoughts?

Jose: 06:05

I thought, how did 27 countries agree to this? Because with 95 46, it wasn't easy. Every single piece of legislation from each country was very different. So that was one of the main reasons for the GDPR to come along, just to try and put European values on privacy in one regulation. Because it was not only tough for businesses to deal with 27 countries and their 27 data protection laws, but also what I thought, if those laws were so different, and privacy is such a cultural thing, it's very difficult for regulation to be able to compress 27 different concepts of privacy. The concept of privacy is something that I deeply care about, but the cultural concept is something I deeply care about because privacy isn't the same for all the countries in the world. So for 27 countries to come into an agreement on what privacy and data protection means was something that confounded me. I was really happy to see that they came to that agreement. To be completely honest, I don't really think that they understand how deep the GDPR would go. I don't think us privacy professionals understood but now that we understand it, it seems like a small miracle that the GDPR happened when it happened.

Jamal: 07:19

the proposed proposals around: 2015

Jose: 07:44

ess. So for this to happen in: 2016

Jamal: 08:58

Absolutely. Continents like Africa, we've got the NDPR in Nigeria, and there are so many different pieces of legislation in draft stages all over the world. And I believe US is now talking about federal data privacy. Interesting times for privacy all over the world. Jose, you spent three years as a cochair of the International Association of Privacy Professionals in Portugal, Luxembourg. Can you tell us a little bit more about that and the IAPP for anyone who might not be familiar with?

Jose: 09:28

know the theory, but back in: 2016

Jamilla: 11:21

So is that what you'd advise people that wanting to go into state of privacy and wanting to take the CIPPE exam, would you advise them to go through the Privacy Pros academy rather than just studying for the exam by themselves with a book?

Jose: 11:34

Yes, because the exam has its own tricks and it's almost like you have to understand the way that the questions are posed. You have to understand what they mean. You only learn by someone that has already done the exam. You can only learn the theories there. The concepts are there. You can study them by yourself. But how they all intertwined, that's a different matter. How the GDPR intertwined, how one sector, one section connects with the other, you can only get that through a seasoned professional. So, yeah, that's something that I always recommend people that ask me about taking the CIPPE, what should I do? Go studying with someone that knows, that is an accredited professional. That's the best way to go on it. But it's not an easy exam to pass. How many times? I said it three times already. It was a tough one. That was one tough example. One very tough exam.

Jamal: 12:27

The way I describe it, Jose, it's a humbling experience.

Jose: 12:32

Very humbling. I've talked to partners in law firms that failed the exam on the first try. It's not that they don't know. They know. It's just the way that everything is connected, that you can only get through education with professionals that know how to deliver it.

Jamal: 12:45

Absolutely. And I think one of the things a lot of individuals struggling with is, yes, sometimes they've actually picked up the book. They've managed to teach themselves how to pass the exam. But the problem is, the reason everyone sits the exam is not to get a certificate. It's to increase your prospects of a career, increase your prospects of a financially rewarding, meaningful, challenging career. And one of the things they struggle with is the confidence in the theory, like, they’ve passed the exam, they've got the CIPPE, but they don't actually know what that means in practice. They have no confidence when they're speaking to hiring managers. They can't convey that confidence, and they can't get someone else to believe in the fact that they actually have this benchmark of knowledge. And the only time that comes is when we have students and we put them to the actual official IAPP training and give them the master classes. The confidence that these guys have compared to people who just learned how to pass the exam is the difference between getting hired and not getting anywhere at all. It really does pay off.

Jose: 13:38

The CIPPE certifies that you understand the GDPR and its complexities. The CIPM certifies that you understand what a privacy program is. Also, the compliance. A very different matter is to join both to practical experience and how you can relate those two certifications into doing what you need to do in a compliance job. It's not an easy thing to do. You were talking about the master class. I think they're very important because that's where you connect the theory that you've learned with the CIPPE and the CIPM towards the practice, the experience that you're going to need going into a company and doing compliance or becoming a DPO. The certifications are very good to establish yourself in the privacy community. But the certifications plus the knowledge of how to apply all that you learn. That's where I think it's the game changer for privacy profession.

Jamal: 14:29

Absolutely.

Jamilla: 14:29

So, Jose, what would you say has been the proudest moment of your career so far?

Jose: 14:34

Founding the Luxembourg chapter, that was a special moment for me. I went to Luxembourg and as usual, I go and search for the IAPP Knowledge Net chapter there. When I arrived in Luxembourg, that was the first thing I did. To my surprise, there was none. I emailed the IAPP and said, look, we need a chapter over here. And they just said, well, why don't you start it? And I said, fine, I will. And it was a very interesting experience to start the chapter. Luxembourg is a hub of technology, finance and start-ups, especially fintech start-ups has major players like Amazon and PayPal there. So the chapter made sense to the IAPP. Made sense gladly to be established as soon as possible. And it was a very interesting experience because I understood I had been cochair in Portugal. But to start a chapter from scratch, that's something that was a very interesting experience, because it took us one year just to do all the networking, all the presentations of what the IAPP stands for, how policy neutral it is. And we talk to regulators, we talked to law firms, we talked to banks, and everyone became very interested with IAPP. And I'm very happy to see the chapter move on without me now, as I finished my tenure as co-chair, and I'm very glad to see it prosper. So, yeah, I'm proud of that one.

Jamal: 15:54

Yes. That's a great legacy you've created and leaving behind as well Jose, congratulations. Thank you.

Jose: 15:59

It wasn't just my legacy, it was also my co chair's legacy. Johann and Philip, they were there. I just arrived in Luxembourg. I knew how chapters worked because of Portugal, but they were the ones that connected chapter with the privacy community because they've been there. They were privacy professionals before. They still are, of course. They were the ones that connected all the dots. So it was a very interesting idea with me connecting with the IAPP and then with the local communities. And it's been working well, and I'm very happy with it. Very happy.

Jamilla: 16:29

Were there any differences between the IAPP that you set up in Luxembourg to the one that you're part of in Portugal?

Jose: 16:35

Yes, so in Portugal, we didn't have that many CIPPE’s. When I started as a co-chair, the chapter had been started five years or six years before that, but with the GDPR, there was an explosion of CIPPE’s in Portugal. We caught up when I started in my ten tenure as co-chair, I was lucky to see the chapter also explode. We had almost 500 hundred, six hundred in one event. That was rare before. It wasn't unheard of, but it was rare. The interest in privacy grew a lot in Portugal during that time. Portugal was also shifting towards digitalization. We are a frontier country of Europe. We're closer to America than to the other part of well, if you count Azores. I'm right, Azores are an island in the middle of the Atlantic. Privacy was starting to become a sector, an industry in Portugal. Luxembourg already had privacy established everywhere. Compliance was something that was very important because of all the regulations that not only the privacy regulations like the GDPR, but also the financial regulations on compliance, AML, KYC, etc. And so it was more established than in Portugal, but it still was a lot of networking that had to be done before we came. We had to do all the networking in Luxembourg because the IAPP just started and we had to push out the name of the IAPP and what it stands for.

Jamilla: 17:52

So we spoke a little bit about GDPR and its inception, and the EU now have proposed a new legal framework for AI. So what are your thoughts on that?

Jose: 18:02

First of all, I think the success of the AI regulation is dependent on the success of the GDPR. GDPR has its struggles, as we talked about, it has been a very positive influence not only in Europe but also around the world. But it does have its struggles. It's bottlenecks. Those bottlenecks need to be addressed quickly, and I think that EDPB and the DPA’s are aware of those bottlenecks and are trying to solve them because from what we understand, AI regulation is going to be done by the DPA’s. So if they cannot enforce properly the GDPR, it's going to be very difficult for them to enforce the GDPR plus the AI regulation. So I think that we still have time until the AI regulation is approved, the powers that the DPAs have all over Europe, so that when a regulation is passed and enforced that the DPA can then start working with the GDPR and the AI regulation. I do think that there are many contact points between both of them. There should be because it's data processing, it's just a different kind of data processing. But I do think that it warrants a separate regulation. There's been a lot of talk about other types of technologies that may need a separate regulation to leave blockchain. But I do think that Europe has taken a very brave step forward in regulating AI so early, because there's a lot of that we don't know about AI. It’s the beginning of a journey that has been becoming more and more solid all over Europe. And I do think that AI is the future. And I'm very happy that Europe has made this benchmark on regulating AI with European values, which I think is important.

Jamal: 19:40

Yes, absolutely. The GDPR came in and it really transformed how personal data is viewed, not just in Europe, but across the world. And I think picking up the artificial intelligence is the next big thing and trying to get an early grip and a handle on that and regulate it. I think it's definitely the way forward. I'm actually very impressed that they managed to bring these guidelines in or have this at this stage so early and so quickly. Given how long it took data privacy to come into a unified regulation where all 27 member countries are happy with it, have you seen any gaps or any concerns that you might have with the AI proposals?

Jose: 20:21

The most important one, I think, would be the ones that impact data subjects the most. We can talk about facial recognition, for instance. It's a hot topic. It's a topic that impacts the fundamental rights to privacy and data protection. It’s used towards law enforcement, for instance, it’s something that needs to be addressed. It is addressed in the regulation. I don't know if it's going to do well during the negotiation process because a lot of countries do rely already on facial recognition and it's widespread all over Europe. There's this balance that needs to be attained, achieved between security and our privacy. That trade-off is a very difficult one. We are not living in easy times. I do think it's interesting that facial recognition has been rendered almost difficult to use with all the masks that everyone is using. So I don't know how they are going to go about it. This need for masks continues throughout the years. I do think that facial recognition is something that needs to be addressed. It's something that concerns me because we do push for privacy and data protection all over Europe. But we also know that there is processing that is almost in a black box that we don't know anything about. I remember the city of Caen was introduced municipality TV system where they would detect the first step was to detect if you have a mask or not. That was the way that they set it up. The scale of it was interesting because they were going checking your emotions. Why the city of Caen wants to know how you feel is interesting. If you're feeling sad that they send you chocolates, fine by me. I wouldn't mind that either. But we always think of the nefarious act of checking your emotions and it's human emotions so it's privacy. Yes, it's privacy. Data protection. Yes, it's data protection. But it's also something that it's not something that we're used to like analysing your emotions. What happens if you don't get it right? Everyone is different, we’re at the early stages in facial recognition. But I do think the facial recognition is something that it's addressed in the regulation. They are thinking of banning it. I don't think that that's going to go through in the end because a lot of countries have already established a lot of CCTVs with AI systems collecting emotions.

Jamal: 22:43

Yes. When I last looked at it, I think what they've proposed now is they're going to ban the real time usage of it. So what that means is you could probably rewind 30 seconds and start using it. But it's just that live real time using they are trying to ban against. What's interesting for me, Jose, is the UK we're no longer part of the European Union but as you say the idea is that the supervisory authorities are going to be enforcing this and if the UK does adopt similar regulations or buy to this. What that means for the adequacy decision and how that is going to interplay with everything else I think it's something very interesting times for privacy professionals working between London or UK and Europe going forward.

Jose: 23:25

artner saying that I think by: 2025

Jamal: 25:15

Absolutely.

Jamilla: 25:18

I found it interesting what you were saying about AI being able to read your emotions because I always get told off for looking like I’m mad at everyone as my kind of resting face. So if that chocolate thing comes through, that they're going to think that you're sad and send you chocolate, I'll be in luck, I'll be getting it every day. The technology won't be able to see that that's just my normal face.

Jamal: 25:38

They might be worried. You’re about to go and harm someone Jamilla.

Jose: 25:40

Or people that are happy with a frown every day. Just send them chocolates. That would be a nice use of technology. Going with emotions probably wouldn't be privacy friendly and data protection friendly as well. But at least you get chocolates. Yes, at least it's not that negative charge of the facial recognition, trying to figure out if you're going to commit a crime or something like that. It's a more positive why aren't people happy? What can we do to make their lives better? If they go with that approach, maybe our questions around the technology would not be so, but usually see that technology is being used more and more towards more nefarious goals. So why not use it to improve the happiness of the people that are not happy? Why not?

Jamilla: 26:26

Definitely. Our last question we want to give you a chance to ask Jamal a question as we've been asking you questions all this time.

Jose: 26:34

How do you see AI regulation in the UK? Do you think it's going to happen? How do you see that intertwined with the Data Protection Act and the GDPR? How is it going to work out? The second question is the real one.

Jamal: 26:48

I think it really depends on who's in government at the time. If you look at the current government, they're very antiregulation when it comes to being able to do things with people's personal data. I mean, there was even suggestions that they're going to get rid of the GDPR, so we can do whatever we like and we're going to have our own adequacy decisions with the US, so we can do lots of trade with them. Now, when it comes to artificial intelligence, one of the things that we have to think about is when you take a city like London, I think we have the highest concentration of CCTV cameras to the population anywhere in the world. If you think about that, that means that every time you step out your house. It's likely that you're going to be picked up by a camera and you can go about your day, go shopping, go and see your friends but that facial recognition, the artificial intelligence behind that can actually track what you're doing all of the time, who you're doing it with, who you're spending time with, how long you're spending time there, where you're going, places of worship you're attending. And where you're going for your medical treatments. It could collect a lot of special category and highly sensitive information. The fact that we're no longer part of the European Union, I've seen no appetite from the current government to adopt any of these things. And I see them actually thinking there's lots of benefits in being able to survey people in that way in the matters of national interest or whatever they want to call it. I'm actually quite scared, to be honest. I'm quite concerned about how this could be used to infringe people's basic human rights. And it's not just about infringing on people's human rights.

Jamal: 28:13

When you know that you're being watched all the time. It's going to be very interesting to see how people change and conform and how that affects the human psyche and what that means for future generations growing up.

Jose: 28:23

Interesting.

Jamal: 28:24

It's an exciting time, but it's also a very worrying time for me.

Jose: 28:29

So we’ll be able to do the difference. The privacy professionals. Do you think that privacy professionals are paramount in informing the public of all the dangers that could lie ahead?

Jamal: 28:38

In my experience, I come across two types of privacy professionals. There's ones that are actually passionate about privacy and what it is that we're doing and really want to think forward and make an impact in the world. And there's those privacy professionals that are just doing it for the money. So it depends which one of those you're talking about. The ones that are doing it for the money, they'll make money whatever happens, as long as someone is paying them to dot the I's and cross the T's and do whatever they need to do. Whereas the rest of us, people like me and you, Jose, I think we have to be instrumental in shaping for what this looks like. We have to be really vocal about making sure that we're standing up for people's rights, especially the most vulnerable in our society, and those that who might not even be aware of all of the things that's possible with data privacy. And what's really interesting for me is a few years ago, even when the GDPR first came into force, we would talk about data privacy, the general public or training employees and organizations, and they wouldn't be so aware of what privacy is and why it's such a big deal. Just like, oh, it's a regulation, what does that mean to me? And it's only when you start having those conversations with them, they actually realize, wow, this is quite a big deal. But now I get people asking me, do they need to leave WhatsApp, because of their privacy? So how aware people are, especially in the UK, about when it comes to their privacy now, it's a completely different space to where it was only a few years ago.

Jose: 29:57

So you've seen a major change on the awareness of UK citizens regarding data protect their own data. Do you see them protect their own data more?

Jamal: 30:05

I think I've seen people go on two sides of the spectrum. Before people used to be more in the middle, now they’re on either one side where they don't actually care, they feel like they're helpless. They're collecting all this data all the time and they just like, give in and give up. Or the other ones that actually they say, hang on a minute, I'm going to start wearing a mask. I'm not going to use my smart devices, I'm not going to take them with me when I go so they don't monitor my movements using Google Maps or anything. And so you've got people coming to either side of the spectrum now and less people in the middle.

Jose: 30:34

Less people in the middle. That's what I think. Also, let's hope that they all move to the very informed side, and hopefully our work will pay off in getting more and more information to the public. That's something that I really care about. That's probably one of the reasons that I think that the IAPP and academies like yours are so important. Not only educating the privacy professionals, but also helping to educate the people that those privacy professionals would then reach. That's why I think that very solid academic and educational background is important for privacy professionals because they are thought leaders in such a complex space. More power to you and to the academy for doing a very good job on that. And thank you for that.

Jamal: 31:09

Thank you. Thank you, Jose. Thank you. I really appreciate that. Now, before I let you go, I know, Jamilla said it was the last question, but I want to sneak in one more. I want to hear your top tips for aspiring privacy pros.

Jose: 31:20

Do the IAPP certifications. That's number one, by studying through courses, not by yourself, not only because of the way that it's explained in the academies and in the training sessions, but also the networking that you do. Studying with other people is very important because everyone comes from very different backgrounds and industries. And you learn a lot faster about how data is being processed in other sectors and industries through the talks that you have with your study partners. Second, be aware of almost everything that comes out in privacy. There's a lot to read every single day. LinkedIn is a great tool to connect with privacy professionals. You get a lot of information through those networking through those networking links that you have on LinkedIn, I learned almost every single day something new about how certain DPA decided something that is probably different from the DPA of Bulgaria or the DPA Portugal or the DPA of Luxembourg. So I would say LinkedIn or connecting with privacy professionals in LinkedIn, going to KNet events from the IAPP, that's something that is really important. They usually try to bring something that is up to date and the topic that is relevant to privacy professionals in that moment. And lastly, study a lot. I don't think there's any other way to say it because it's going to be easy, because the passion will come with the process. Studying doesn't become a chore and it can be something that comes natural to you. Be aware of all the things that are related to privacy and are around privacy, like AI, machine learning, automated cars, IoT, 5G, et cetera. There's lots of ground to cover study. You can miss out on something that can be important to your work.

Jamal: 32:56

r it. There's, I think, about: 70000

Jose: 34:44

Couldn’t have said it better myself.

Jamilla: 34:46

Thank you for joining us today, Jose. It's been a pleasure speaking with you.

Jose: 34:50

Thank you, Jamilla. Thank you so much, both of you, for a very good conversation. And it also made me go back to my early days in privacy and how this all started. I'm nostalgic. Those were amazing times. So thank you so much for taking me back.

Jamilla: 35:07

Thank you. Thank you, Jamal.

Jamal: 35:08

It's been a pleasure. Jose, I look forward to catching up with you in the community.

Jose: 35:12

We will. Thank you so much.

Outro: 35:15

If you enjoyed this episode, be sure to subscribe, like and share so you're notified when a new episode is released.

Outro: 35:22

Remember to join the Privacy Pros Academy Facebook group where we answer your questions.

Outro: 35:27

Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world-class privacy pro.

Outro: 35:35

Please leave us a four- or five-star review.

Outro: 35:37

And if you'd like to appear on a future episode of our podcast or.

Outro: 35:41

Have a suggestion for a topic you'd like to hear more about, please send.

Outro: 35:45

An email to team@kazient.co.uk

Outro: 35:49

Until next time, peace be with you.