Sarah: 00:00

Know that you need a mentor. So sometimes it's not easy for some people where, you know, sometimes you have new people to the field, but they are not that young. And so they have the feeling that they, if the mentor is younger than them, it would be complicated. But then at the end of the day, they realize that it's not about like, you know, being, uh, taught something or whatever. It's really, uh, you know, working and in hand to achieve their own purpose. Having like a coach, you, someone who knows because not they know better, it's just that they know more because they've been in their this, uh, very, uh, at the same place at before. That's it.

Intro: 00:35

Are you ready to know what you don't know about Privacy Pros?

Intro: 00:38

Then you are in the right place.

Intro: 00:40

Welcome to the Privacy Pros Academy podcast by Kazient Privacy experts, the podcast to launch progress and excel your career as a privacy pro.

Intro: 00:51

Hear about the latest news and develop in the world of privacy,

Intro: 00:56

Discover fascinating insights from leading global privacy professionals

Intro: 01:01

And hear real stories and top tips from the people who've been where you want to get to.

Intro: 01:07

We are an official IAPP training partner.

Intro: 01:09

We've trained people in over 137 countries and counting.

Intro: 01:15

So whether you're thinking about starting a career in data privacy, or you are an experienced professional,

Intro: 01:21

This is the podcast for you.

Jamilla: 01:30

Hi everyone, and welcome to the Kazient Privacy Pros Academy podcast. My name is Jamilla and I'm a data privacy analyst at Kazient Privacy Experts. I'm primarily responsible for conducting research on current and upcoming legislation as well as any key developments. With me today as my co-host is Kazient CEO. Jamal Ahmed is a Fellow of Information Privacy and CEO of Kazient Privacy Experts. He is a leading global privacy professional, world-class trainer and lead mentor at the Privacy Pros Academy. Welcome Jamal.

Jamal: 01:58

Hi, Jamilla, how are you? I'm good, thank you. How are you? I'm so excited for two reasons. Number one. Thanks to all of the great work that you and the rest of the team have been doing we've just been named as the top three best GDPR podcast for 2021 by Threat Technology. And the reason I'm so pleased about that, it actually looked at the data from four other different, um, sources. And based on that, they've said we're top three. And given that we've only been going since February, and this is I think where we're still under 20 episodes, I'm so delighted with that. And of course we have an amazing guest. We have Sarah joining us today. Why don't you tell us a little bit more about our guest?

Jamilla: 02:35

We're very excited to introduce. Sarah, who is our guest today, Sarah Taieb is the Data Protection Officer at UGI International, a law graduate. Sarah was the Global Data Protection Officer at Ipsen Group and a Senior Associate at Hogan Lovells. Sarah is also the creator of the group Mentoring in the Data Privacy Field, which has over 350 members, and she's also the Vice Director of the French branch of the EADPP, the European Association for Data Protection Professionals. Wow, what an interesting bio. Thank you for joining us,

Sarah: 03:05

Hi. Thanks for inviting me, it’s a pleasure.

Jamilla: 03:07

We're looking forward to getting to know a bit more about you and your career, but first off, as we always do on this podcast is the icebreaker question. So what is the best piece of advice you've ever been given?

Sarah: 03:15

Oh, wow. That's a good question. Let's say follow your dreams. Go ahead and you'll succeed.

Jamilla: 03:23

That is a great piece of advice.

Sarah: 03:28

And I think it applies to all of us privacy or not privacy people.

Jamilla: 03:30

Definitely. I think whether you're in the sector or not, I think follow your dreams is a great piece of advice.

Sarah: 03:36

As privacy people, we have lots of dreams, obviously, with all going, all going on.

Jamal: 03:39

Absolutely. You need to stay steadfast and committed to your dreams. Otherwise, if you give up, you are never going to realize your dreams because nothing good is easy. Jamila, what's the best piece of advice you've ever been given?

Jamilla: 03:51

My mom told me to always moisturize my neck. Okay. Because that’s what ages first. Really? Yeah. And there's a picture of my mom up here, which is why I looked and I was like, Oh, she did tell me that.

Sarah: 04:02

You know what, my mom told me the same, but I don't do it.

Jamilla: 04:05

I always forget, but there you go.

Jamal: 04:07

You see, the best piece of advice I think I've ever been given, and I'm not sure how appropriate this is for our Privacy Pros Academy. They said to me, it's better to apologize than ask for permission.

Sarah: 04:17

And that’s a good one.

Jamal: 04:19

Yeah it gets me in a lot of trouble, but um, yeah, but it does help to make things happen in any case.

Jamilla: 04:24

I have heard that one before. It’s an interesting one.

Jamal: 04:26

Awesome.

Jamilla: 04:26

Right. Let's get to know more about you, Sarah. So what first sparked your interest in data privacy?

Sarah: 04:34

I had some classes at the university, but it was not like a passion at that time. And uh, I have to say I came to privacy by total accident. It became a passion, but it was an accident. I'll be quick, but I'll tell you the story behind it. I debated between being an M&A lawyer or an IP lawyer, but not a privacy lawyer because at the time it was not very trendy to be a privacy lawyer, and it almost did not exist back in 2007 when I started. And so I did the training at Freshfields in the corporate team, and I realized I hated corporate. I love the people in the firm, but I hated corporate. The choice was made, so I wanted to be an IP lawyer, and so I decided to pursue an IP certificate at the University of Richmond where I was studying, and then I look around for training in IP because then my dream was about to come true, and so I had an interview and I was hired Lovells at the time, which became Hogan Lovells, but there was a misunderstanding. So I thought I was going to be in the IP team while I was in the IPMT team, but in the MT section of the IPMT team. So I was supposed to do IP and I did technology which included data protection, but out of nowhere because I wanted to do IP. And so by accident I learned about privacy from scratch and it was like love at first sight from the very first day. I was like, I love it. This is my dream. I love it. You know, life is great, full of surprises and nice accidents. So that's how I came to privacy, and I worked with great people at Hogan Lovells and taught me everything I know today.

Jamal: 06:07

Did you get to work with Eduardo?

Sarah: 06:09

Eduardo Ustaran is the best.

Jamal: 06:12

Amazing. There you go. We shared a client in common with Eduardo for one of our real estate portfolios, which was amazing. And working with him is definitely an experience.

Sarah: 06:20

Oh, yeah, yeah, yeah. He knows.

Jamal: 06:22

All right. My next question for you is, you said it was love at first sight, but what was about privacy that really got your attention and made you fall in love with it?

Sarah: 06:30

It's different when you're in a law firm and when you're in house, obviously. So as a lawyer, it was so challenging and exciting to be a lawyer in privacy because you would work for the, in the finance industry, in the healthcare industry, in the insurance industry and everything. You could work for social media, everything. In the same day, you could have so many questions from different people. It was like every day was different. And I actually, uh, remember the sentence that my manager was telling me almost every day, like ready for new adventures, and every day was a new adventure. Every day was so different. From so many clients, so many questions and challenges. So that's what I really, really like. And as an in-house lawyer as, as a DPO, I think it, the passion is different. I think what I really like as Privacy Pro is talking the same thing and in the same day you can talk to the CEO, do a training to the marketing team, and also talk to supervisory authority on so many topics, do a DPIA and handle an incident. They can be full of surprises, bad and good, and you have so many things to do at the same time, so it never stops. We have so many news coming in, like UK adequacy as you know, new privacy regulation. Too much going on that it's never ending, it's a passion. I mean, how can you not be passionate about it? I mean, people internally don't understand me , but obviously I think it's obvious that it can only be a passion. I love it.

Jamal: 07:50

Thank you. I love your answer and your passion definitely is coming through there. Very clear for everyone to hear. My question for you, you just tapped on it there and this wasn't one of the questions Jamilla had planned, by the way. So you mentioned UK adequacy. What do you make of the news yesterday where they've asked for it to be reviewed? What are your thoughts on that?

Sarah: 08:06

I was a mess. I was like, No, no, no. You can’t do that. Don't do that. I'm a very optimistic person, but here I'm losing it. I'm losing my optimism. I'm like, yeah, I, I think it's almost over, but let's keep this little lights and let's see if we can have some better news. But I think we are almost lost here, and we will need to do so many nice SEC’s and supplementary measures that we, we could live without. Now we have so much to do on this side. I think it's a very, very bad news for Privacy Pros.

Jamal: 08:38

I think it'll keep us very busy.

Sarah: 08:39

Sure. When you're outside, when you're inside, you’re always so busy. I mean, we are all busy, but internally we were hoping for better news. Yes.

Jamal: 08:47

Okay. If the UK is deemed not to have an adequate level of protection given how the Data Protection Laws, UK Data Protection Act almost mirrors and matches the GDPR. What do you think that means for other countries who are already deemed as adequate, but we know the review hasn't taken place after four years as it should have done. What do you think that means for them?

Sarah: 09:07

Officially, it doesn't mean anything to them. They're adequate and so they are part of a separate mechanism. We don't touch them. They are our friends. We love them and we transferred all of our data to them freely and we sigh of relief. Like at least that's what we are supposed to do. But then your question is very interesting because then if the UK is not adequate, who is adequate? I mean there were our best friends a couple of weeks ago, they were like the same, were on the same level and now all of a sudden, they are like an enemy. So that's very hypocritical to say that if the UK is not adequate, then who is monitoring if the others are still adequate, then the UK is, it'll be different because we have this surveillance legislation that we may not have in all of the other legislation in the adequate countries. But I haven't heard about such knowing in a way, I mean, knowing for the European Commission as surveillance legislation in the other countries, I think that this piece that we are,

Jamal: 09:59

I don't know if I agree with you on that Sarah. I mean, I know you are the lawyer, but when it comes to a country, let's just say Israel, and we're talking about surveillance, surveillance practices that Israel has, it's a lot more intrusive than what we have in the UK.

Sarah: 10:10

Yeah. When the adequacy decision was given, they had this in mind. They knew about it and they took the decision. I'm not saying it's good or bad, but I'm saying that that was part of the analysis. Here in the UK when they make the analysis, they decide that it's not that great, so maybe they have double standard whatever that I'm not going into that at all, and I have no idea how they handled that. But here, that's a key point and so, maybe they should go back to all the adequacy decision they made and look into that. But I wouldn't advise doing it because I don't want to have even more work. But I think, I think right now we have enough on our plates, so let's stick to the UK and then maybe later, like in 10 years , let's do something different. But we have enough with, uh, with the US and the UK right now.

Jamal: 10:52

All right. Cool. And now that I've got you on call, there was a discussion I was having in one of the, uh, study groups. I think it was actually in our Privacy Pros Academy on. With somebody quite new to privacy and they were studying for the exams and they were quoting word for word some of the actual texts from the GDPR. And one of the things they said is, adequacy decision needs to be reviewed after four years, so it's only valid for four years. And if it's not reviewed after four years, that country's deemed as no longer adequate. I said if that's the case, I would eat my hat and since they were a lawyer, they wasn't taking me very seriously. What would you say as lawyer to that same challenge?

Sarah: 11:26

Making sure that the adequacy decision is still accurate. I mean, it's still valid.

Jamal: 11:30

It’s still valid even though it hasn't reviewed after four years. The fact that it's still valid and we can safely send, uh, data over there without fear of enforcement action.

Sarah: 11:37

You know, at the end of the day, what counts is whether they're on the list of the European Commission yet, you need to. They are the lawyer side. I mean the legal side of things and the practical side of things. We need to be practical where if we're looking into little things of what’s not totally consistent, et cetera, then it would become a nightmare. They are listed, let's pretend everything's fine. again, you know, if we are bored, why not? Let's sign a petition saying, let's review all the adequacy decisions. But I think, again, we have enough on our plates. But yeah, no, no, But again, it’s true. Strictly speaking, I totally agree. The adequacy decision should be reviewed. Otherwise we come into a situation of the privacy shield, why wasn’t the privacy shield an issue? In addition to all other issues about national legislation in the US. It's also because there was no monitoring and we didn't have enough reviews. So that's one of the issues that was raised. So indeed that's an issue. But maybe the European Commission has enough as well, enough of their plate as well.

Jamal: 12:36

As well. I'm sure they do. I love what you said there about taking a pragmatic approach, and that's one of the things that we focus on through the Privacy Pros Academy. We need to be pragmatic. We want to go out there and we want to solve, We want to be enablers for business, but we don't want to sit there and nit-pick at every little thing and say, You can't do this, or you can't do that. We are there as enablers. And a lot of people ask the question about data privacy. Do you see as a sword or a shield, um, when it comes to data privacy, Sarah, how do you see it? Do you see as a sword or a shield?

Sarah: 13:03

I think you need to be both. I think you need to show, at least when you're a DPO internally, you need to be a partner for sure. Every time for example, last time I was reviewing an email prepared by my trainee, and she was more the lawyer style, like, you need to do this, you need to do that. I'm like, no, no, we, it's a, we. We are partners. We are colleagues. They’re our internet clients, but at the end of the day, we are colleagues. We are in part of the same group, so we are not telling them what to do. We're telling them how we will do it together. I never say no to anyone, not because I'm too nice, just because there's no, no, there's how we will do it? How we will find ways to do things because otherwise I'm just here because we need a DPO. We are required to have a DPO, that's not the point. The point is to make sure that what we're doing is compliant. That's it. But that we help the business achieve their objectives. Someone will be the one helping you achieve your goals. But then you need to explain the rules. And so in a way, we are here to explain the rules. People need to know to be trained with all the legal aspects, and then you help them conduct their business with legal aspects in mind.

Jamal: 14:05

That's amazing, Sarah. It sounds like, uh, you've been to the Privacy Pros Academy. That's the exact same approach that we put forward, and there's too many people, especially on platforms like LinkedIn saying, you can’t do this, or you can't do that. It's not about whether you can and can't do that. It's how do we do this? How do we do this while safeguarding those fundamental rights and freedoms to the individual? And how do we achieve compliance and protect our clients or our businesses and make sure we protect them from enforcement action, from reputational damage and make sure that we inspiring and cultivating trust and confidence amongst our stakeholders at the same time.

Sarah: 14:38

Exactly, and if I can add something, it's, there are two key words as well to add is the risk analysis and the balance. You need to balance the interest, which is the principle of course in the GDPR balancing test and also the risk analysis you may take. This is not what we do because we have quite the conservative companion. We don't take too much risk, but you may do a risk analysis saying, we don't want to be compliant on this aspect because it's so important to our business model that we decide not to be compliant, but we keep our position and we can argue why our position is okay. It's not perfect, but it's okay. I mean, it's not necessarily what I do in this company, but this is what I had advised in the past as a lawyer or in my previous company. You need to always do this risk analysis. It's not black or white.

Jamal: 15:21

I completely agree with you, and depending on which organization you're working with and which industry, the risk appetite is going to differ from one place to another. So there is no one size fits all. It’s whatever is in the best interest of whoever you're representing at that time, I guess. So thank you for sharing that.

Sarah: 15:33

Exactly. And even within a new different company you can have a team who could have a bigger risk appetite than another one, for example.

Jamilla: 15:40

Found that discussion very interesting. I was just sitting listening to you both. Your passion really comes through in, in everything that you say, Sarah, but what is it that you love most about working as a DPO?

Sarah: 15:50

It may seem too nice, but it's really helping others in a way, As I was saying, I, I have the feeling that I help at my level, the business to do things properly in a compliant manner, but still do what they were supposed to do, what they wanted to do. Sometimes they are surprised that you're sure we can do it. I'm like, yes, why not? But we will do it the right way, but we will do it. And I think it's really accompanying the business, making sure they understand the rules and making sure that that we work together hand in hand. So what I really like and also all the challenges that it entails, all the communication skills that you need. It's so fun to be a DPO because you need so many skills. So then, you can’t be a master of all of them, but you can at least try and, for example, going from the law firm to being in the house, I saw the different skills you need. You don't need the same skills when you're a lawyer and when you're an in house DPO, it's totally different. And in house you need many, many skills. You need to communicate differently to the different people, of course you will not communicate in the same manner to the leadership team and to the HR team, depending on the levels, depending on the topics, on the projects, you will need to communicate differently. You need to communicate very regularly and try to be fun. Sometimes try to be more serious to carry, sometimes with the fear of sanctions. Every day you need to change yourself, your approach, you need to adapt to the projects you are presented. You need to adapt to the people. You need to adapt if you talk to the authority, if you talk to your colleagues. It's always evolving, always new stuff, always different positions to take and analysis and risk to take and so it lots of fun.

Jamilla: 17:25

And the first thing you mentioned was about helping people and how passionate you are about that. And that kind of ties into your passion around mentoring. So why is it important for someone to have a mentor in the data privacy industry?

Sarah: 17:38

So this group came because I am, uh, part of the IAPP mailing list. And so people ask questions, you can answer or not. And yeah, there are so many questions, like maybe 10 every day. There was someone who was asking for mentor. It was saying, Okay, I am a US lawyer. I don't remember HIS profile, but it was, I'm very new to the field and would anyone accept to be a mentor for me? And I was like, Yeah, why not? I'm a US lawyer as well and I love helping people, advance their career. Why not? I can be your mentor. And then I saw like 10 to 20 messages of people saying, can you be my mentor as well? Can you be my mentor? I'm like, okay, so I have a job, but what I can do is maybe create a group, since there’s so much demand for it. So I will create a group. And I know many, many great people in the field, so I can add them, so mentors, mentees, and then we can make connections and people can find a new mentor to their needs. So this is how it started and I think it works quite well. It requires some work, so sometimes it doesn't really move. I don't do much on it. And sometimes I can find some more time for it, try to really fit the needs of specific people who really want to move forward in their career. So, if someone is really like, based in this specific country and wants to be a privacy consultant, I will put them in touch with privacy consultant with more senior in their own country, so maybe one day they can meet face to face and uh, try to make a one-to-one connections. I think it's, it's very nice. It's another way to help people and this privacy world full of great people.

Jamal: 19:06

Absolutely. And I think this whole mentoring aspect is what really, drove me to create the Privacy Pros Academy because I could see that most people, they're just one good mentor away from success, and success is so much closer than they think. But the mistake a lot of people often make, they spend a lot of time energy wasting it and trying to figure it out themselves when all they need is one mentor who's been there, done that, knows the path and can point them in the right direction and offer them that support when they need it. I think that's where some of the mentees that we have at the Privacy Pros Academy do really well because they've identified I need a mentor. They're saying, look, I know what you've achieved. I can see, and I just want to follow that proven formula to get from where I am, to get to where I need to be. So I share your values when it comes to mentoring there as well. That's what got us in touch with each other, So I'm really delighted.

Sarah: 19:53

I think you need some humility to acknowledge that you need a mentor. So sometimes it's not easy for some people who are new people to the field, but they are not that young. And so they have the feeling that if the mentor is younger than them, it would be complicated. But then at the end of the day, they realize that it's not about being taught. It's really working hand in hand to achieve their own purpose. Having a coach, someone who knows because not they know better, it's just that they know more because they've been in this very same place before. So it's really about helping people and there's no like hierarchy.

Jamal: 20:25

Coming back to Jamilla's first question, what's the best piece of advice you've ever been given? And I remember when I was at Kingston University in one of the extracurricular sessions, there was a great speaker who came in and he said, A lot of people say you learn from mistakes and yes, you can learn from mistakes and you learn when you fail, but it's expensive. It takes time and it takes a lot of energy. You don't have to make the mistakes yourself to learn from them. Someone can leverage from other people's mistakes, and I think that's where mentoring really comes in. I've made the mistakes along the way. You don't need to make those same mistakes. I can help you to avoid those mistakes. And I remember at one point, I went through so many different groups on Facebook. You have groups on LinkedIn, you have groups on WhatsApp. And I went to so many different groups saying, hey, I want to be the best privacy professional that I want to be. Where can I go to get some inspiration? Where can I go to find some knowledge? Where can I go to find the right people? And the thing that really frustrated me, Sarah, there were so many groups there with people with the wrong mindset. All they wanted to do was to learn how to read a book. Sometimes they didn't want to read the book, they just wanted to buy some exams and go and learn how to pass an exam. And I was like, this is not what I stand for at all. I want to know what I do. I want to be a person of value. I want to bring value to the table. I'm passionate about this. I want to go out and make a difference. I don't want to learn how to pass an exam so I can get a well-paid job. There's plenty of other ways of doing that. I want to be the best privacy professional I can, and because of the lack in what was already out there. It's really what drove me and my team to create the Privacy Pros Academy, the network that we have on Facebook, the network we have on LinkedIn, and of course this podcast as well. So thank you very much for highlighting the value of mentoring.

Sarah: 22:00

Thanks for the great job you're doing. That's awesome that people can rely on you to find mentors and to have some coaching behind all the experience of becoming a privacy pro. That's amazing.

Jamal: 22:10

It's truly a privilege and an honour.

Jamilla: 22:11

So would you say that someone should have a mentor no matter what stage of their career they're in, even if they're relatively experienced? Do you think there is always benefit in having a mentor?

Sarah: 22:18

Of course. There's always a benefit. It's not always easy to find a good mentor at all stages. It's easier when you just start because you can learn from anyone basically. But, of course, I myself have a mentor. I mean, I have a partner at Hogan Lovells for example. Always great to hear what they have to say. Pieces of advice as Jamal said, mistakes they made in the past are a very, very good way of learning without making the mistakes yourselves. That’s a perfect piece of, of advice, I think. And so of course at every stage you need some mentoring, but sometimes you need this degree of humility to, to accept it because sometimes you feel, but I'm a seasoned professional who can teach me anything you know, and so, but I think you can learn at all age and any stage of your career. Otherwise, it's boring. You can imagine if you have nothing to learn.

Jamal: 23:04

I think this is the thing, when you go and find people with the right mindset, you realize that actually these are the people that actually value having a mentor. And I have different mentors in different areas of my life. So for example, that when it comes to business, when it comes to my personal life, when it comes to privacy. And one of the things I find is my mentors have mentors, and those mentors have mentors as well. So it never stops. If you're someone who's committed to self-development, you're committed to being the best, there will always be a mentor. And sometimes you have to invest in yourself to give yourself the opportunity to have the best mentor for that stage of life that you're in.

Sarah: 23:38

And thanks to firms like LinkedIn, for example, you, the mentor doesn't even know they're a mentor. You know, you can follow someone who is great that you don't even know, but you, you love their past, you love the way they think, and they're practical or anything. And you can just follow what they, they say, and they can be, uh, an unofficial mentor. You know, I have some people I follow I think are great. There are many people I, I think are great in the privacy world, so they are not my mentors, but I, I really like their post. I really like their way of thinking. You, you can find ways to find people. It's not real mentors, but it's people to follow in a way that in our world now, we can follow people and they don't even know if we follow them. That can be creepy.

Jamilla: 24:18

So apart from having a mentor, what advice would you give to someone who's starting out in Data Privacy?

Sarah: 24:24

That goes back to what Jamal said It's not just about books. Of course, you need to know the GDPR if you want to practice in the EU in the privacy world, but you need to get away from your books at some point because the soft skills are very, very important, at least as an internal DPO because you need to be aware maybe it's not the case in all companies, but I think in most companies, unfortunately, privacy is still something people don't want to hear about. They must do it. They know they have to do it, but frankly, it's more of a problem than anything else. So if you don't come with a fun approach, or at least some not too horrible approach, if you're nice, if you make it something not to worry about, but something to care about something that they understand the value behind it. It's hard when you're like a standout company in a way. For example, we sell gas and electricity, in my company, it's hard to understand, okay, the value behind compliance with privacy rules. But you need to understand the value of trust, the value of a reputation that everyone understands, and everyone understand that it's good to do the right thing. That's, you know, its compliance, not just GDPR. We have many rules. It's not just one rule. People need to follow the rules, but we need to make privacy something not to annoy. It goes back to the communication skills to, I think the people new to the field need to understand that they need to, as we say, the business partner to be pragmatic, to make the matter interesting and fun. Sometimes it's not easy to make it fun. You don't talk to people who are friends sometimes, but still least your presentation needs to be something, and nice to see a subject, not too legal. So that would be my piece of advice.

Jamal: 25:56

Absolutely. So Sarah's top advice there is make it fun, make it approachable, and show how you’re actually here to help rather than hindering, getting in the way. And one thing I found, uh, Sarah, and I'm sure you'll agree with me, is when you come with that approach that you've just described, People actually start telling you the truth. When you don't come with that approach, you never discover the truth until it blows up in your face. Because oftentimes people feel like, you're here to call them out, or you're here to get them in trouble, or you're here to stop them from doing what they're doing. And unless you come with that, hey, I'm here to help. I'm approachable. Let's make this fun. You are not going to get into that. What's your experience of that?

Sarah: 26:32

So it really depends on people. So that's what you also need to adapt to people. Sometimes you don't know people before talking to them, so you need to adapt in the middle of the conversation, but you need to be yourself in a way. If it's something you really like, like privacy is your passion like for me, people will say it, it will be obvious to people that it's a topic that can be interesting and not just a legal check. Sometimes people come to see me and say, do you approve the project? I'm not here to approve anything. You are in charge of approving the DPIA. I'm here to help. I'm here to make recommendations. I'm not here to decide. I'm not the data controller. You know, in the DPIA, when they complete the form, usually they complete it as a first aid and then I do the analysis with them. Usually in the data controller section they put Sarah Taeib. I'm not a data controller. I am the DPO. I’m here to help you make things compliant. So we need to really make things clear from the beginning. Explain there are rules, of course we are going to comply with them, but let's make sure that your projects to be the one you wanted at the very beginning with some adjustments. And so, if you explain that at the very beginning that you're not here to be annoying, it works. And so if you have the fun and the passion, you're on top.

Jamal: 27:46

Yeah. Awesome.

Jamilla: 27:47

And I guess those are skills that you can't only learn in a book when you're studying for.

Sarah: 27:49

Exactly. But you know, there are different types of DPOs and you can be very successful with a different type. Everyone doesn't need to be fun and you know, we have very serious DPOs who are very good at their work. It's not an issue about the personality, it's more soft skills and listening to people, you know, you need to listen to what the project is about. You need to listen to what people do in practice every day to understand their needs, to understand why the project is so important to them, why they need their data, why the data needs to be sent to the US. Who is going to receive them, what will they do with it? But you need to really put yourself in their shoes and say, okay, if I were the finance director in the US and I'm consolidating all the data, will I want to have this data? Yes, of course I needed to do something totally relevant and totally, for me, it's totally legal, so I'm going to say it's fine if you need it. We will put rules around it, you know, we will restrict the number of people et cetera. We will put minimization in place, et cetera. But at the end of the day, you really need it. So I need to understand why you need it and what you're going to do with it. And if you don't understand the needs of your internal clients, then you're useless.

Jamal: 28:54

So much value in every single answer that you're giving here, Sarah. This is my favourite episode to date so far.

Sarah: 29:00

Oh really? That's very nice

Jamal: 29:02

Absolutely. Just I'm so happy, like you can see how much I'm grinning but you're pretty much saying all of the things that I've been trying to drum in. On that note Sarah, I've explained a little bit about the Academy to you, why do you think it would be valuable for someone who's looking to either start or enhance their career data privacy to come and join the Academy?

Sarah: 29:21

From what you told me about it and from my own research on you and your program, it seems to be very, very relevant when you start doing privacy to go through. It's a shame that I didn't know about it because I would've advertised it and I can now do it because it's a great approach. It's a holistic approach. So you have some, if I understand correctly, and you correct me if I'm wrong, you have some coaching, you have some legal aspects and the whole program of putting some into a star, someone who is new to a DPO style consultant style. So I think it's a great program. So you have all the aspects covered and so the person seems to be really accompanied in this adventure, which can seem to be like too much for one person, and then you are here to tell them it's okay. The fact that you help them with the CIPPE. It's a great value because I, I don't have it to be honest, I don't have the CIPPE, but I think nowadays because I'm an old, privacy pro, but nowadays, if you want to be a privacy pro recognized in the field, you, you don't need to have the CIPPE, but great. I think it's a great package that you offer. So you have the, the exam, you have, the, the practical aspect that you mentioned, the coaching. I think everyone should go for it.

Jamal: 30:26

We do have the holistic package. One of the questions I was actually asked, how did you come up with this whole thing? And I said, I went around, used my mistakes and everything that worked for me, and I put that into a proven formula and a strategy. We test it out with a few people and now we know there's a proven formula that works, but it all starts off with mindset. A lot of people have been told they can't do it and they've had some challenging experiences. We take away all of that negativity and we're build them up with a growth mindset. Get rid of any self-limiting decisions, any self-limiting beliefs. Get rid of anything that's holding them back that is no longer true, and would say, hey, let's go and be the person you want to. Show up as your future self from today so you can become that person by the time you transform through the academy. And it's a full transformational process. So we take them from where they are now all the way through the end where they graduate as world class privacy professionals. And as you mentioned, we take them through all of the theoretical stuff. We help them to attain the Certified Information Privacy Professional from the IAPP, so make sure that they've got some actual credentials behind everything they've been doing. The whole idea is we break down all the elements of European data protection law. So not only do they know enough to go and attain their certification, but they can actually have a conversation with me or you or any other privacy pro, be confident because they know they're competent and they're the subject matter expert. And it's only when I'm confident that they're competent and confident in each area, that we move on to the next. And I'm coupling the theory with the practical assignments. We don’t just teach what you have to do or what you need to know. How does this actually apply in a pragmatic and practical way where you're actually going and helping the business? You're enabling them to do the how and not telling them yes or no kind of thing. And then once they have the theory, they have the certification, they have the mindset. Of course they want to go out and they want to earn some money. They want to make a difference. They want to put their contribution to the world. And what they really need help with there is the personal branding. And I haven't found any Academy or Transformational Teaching program that helps them to demonstrate their best self. So we help them with the personal branding. So we have a team of career coaches who will go through their CV. We often help them rewrite their cv, we help them create a LinkedIn profile. We talk to them about LinkedIn activity. Over 80% of recruiters are on LinkedIn. For them to be able to have the best chances, they need to make sure that they're attracting those opportunities to them. So we help them with the credibility and authority, and we package webinars together. We actually help them to go and give back to society. One of the things we did recently is for the charity sector, we gave some practical advice on how to draft privacy notices if they're not fit for purpose, so they actually make a significant contribution throughout the academy as well. And it's not just about them, but it's about what you can do for others and through the program where you can see the transformation from when you have a look at their initial onboarding interview to how they're glowing and full of life and so confident in the exit interview. And you know what, that’s what makes it all, worth all of the hard work that the whole team puts behind it, is when we see them get from here, sometimes they even double their income and have the life that they truly deserve at the end of it. It's just magical. Wow.

Sarah: 33:26

Wow, this is very impressive. I think the people who are part of the program are very lucky.

Jamal: 33:31

We are the lucky ones. We have the honour own privilege of helping them throughout their journey.

Sarah: 33:34

Wow. So it's a win-win situation. Perfect.

Jamal: 33:38

I want to hear more about the EADPP. Sarah, we've heard a lot about the academy, and now it's time for you to tell us about the EADPP.

Sarah: 33:46

So we just started maybe a couple of months ago to regroup. We are like maybe 12 members or so, 15 members, maybe just a French branch. But we try on the French side of things to make things move with, uh, some humility, but to at least among ourselves, make sure that we get to a common standard. So on specific topics and so my first was really to make sure that we address the most important topics nowadays, as you know, which is international transfers. When I say it's the most important topics, it's more in terms of finding a solution. In my opinion, we are so at lost on this topic, if I'm not wrong. I think it's the only topic where we have absolutely no guidance from French perspective, from CNIL. We have a silence. We don't know what they want us to do, and they have not issued anything. Normally they issue, guideline, et cetera. Here we have nothing. What we intend to do is among ourselves, plan to draft a protocol, a questionnaire and transfer impact analysis assessment, draft one that we all agree on as members, and then go to the CNIL. Try to find a way for them, not necessarily to approve what we're doing, but maybe have a working group or maybe other associations, member of associations or with CNIL or whoever wants to partner with us to make sure that we have something that approved the help of the CNIL that we can move forward with something saying it's good. Maybe it's not perfect. Maybe it's not the solution, but it's something that works because otherwise we have almost nothing. We just have the recommendation from the DPB and the recommendation needs recommendations or guidance. And it's really, really hard as a privacy pro in-house when you are DPO to advise internally, you just inform, your stakeholders about the fact that there is a big issue and you're like, we have found a solution. We don’t know yet what it is, but we found one, and then you're like in front of your computer, Okay, what, what will I do? What should I do? And there's no one size fits all solution for all transfers. We all know this. And so we need to still find a way to address this in a pragmatic manner. To me, the best solution is specific questionnaire to the vendors depending on when they host the data. So if it's in in the US, you would have more questions, obviously, and to make sure that at least it's not a perfect solution. But at least from an accountability perspective, you can show that you've done something and that what you've done makes sense. Maybe it's not perfect, but if you have an inspection or if you have questions, even from your customers, you can say, okay, this is what we're doing. So far we may do better, but so far at least we've taken some steps because we can just, wait until we have some guidance. It doesn't work this way. So we need to be the proactive and see, this is the way I found to be proactive here by asking the, the French branch of the EADPP to focus on this matter for this moment. We are working on this but we will focus on other matters later, but this one will take a certain amount of time, so step by step. But so it's a new initiative and I hope we can be successful with it.

Jamal: 36:46

Yes, thank you for sharing that with us, and if there's anything that we can do to reach out to our community and our networks to aid assistance, support, just let us know and we'll make sure we get those communications out.

Jamal: 36:56

Thank you so much for your time. I realize we're coming to the end. We've got one or two more questions. Sure. All right. Cool. I'm going ask this one, Jamilla. Have you got a favourite client story you want to share with us? And it could be something that's a little bit humorous or fun?

Sarah: 37:12

It was when I was a lawyer at Hogan Lovells, and I had a client who wanted to have a FaceTime with me at 11:00 PM and not, he was not hitting on me. It was just because, you know, he was so stressed about the, the day after he had a meeting with the leadership team, and he wanted to review everything with me. And I realized that we are so important, you know, where, you know, we have an impact on projects, not only on projects, but also on people. We reassure them, but at that time I was a lawyer but I think internally, as an in-house lawyer, you also need to be this person who makes sure that people understand that it's going to be fine. The end of the world is not going to happen. Even if you have an incident, even if you have an inspection, an inspection is not fun and, but still, you're not going to die. It's all right. This, this experience, I accepted I'm the worst because I should have refused, you know, having a FaceTime with a client at 11:00 PM this shows you are crazy really. So I am crazy and too nice. That's something I know. But you know, it shows there's no limit when you are, assisting clients on privacy matters. It doesn't seem to be like the most urgent matter in the world, but to some people in some projects it can be very important. So we are heroes in a way.

Jamal: 38:26

All right. Awesome. Thank you so much for sharing that. The other question is, what is the proudest moment of your career?

Sarah: 38:32

It’s not the moment. I think I'm proud to be a, a mum of three while having a very, very nice career that I love and that I'm proud of. I think I'm proud of being part of this great community of privacy pros. It's absolutely, uh, thrilling to do a job where it, you know, you have so many aspects and many things going on. I think people don't, don't understand unless they are in, we are like a crazy world of some people who know something people don't know. Not that I'm proud. I think I'm more lucky than proud of being able to do everything, you know, having, on both personal and professional sites, being able to do it all at once because the privacy world, it's full of women, it's half half according to the IAPP. So, and I think we are a lot of working moms around there and working dads by the way. And so I think it's more being proud of that.

Jamal: 39:23

Awesome. Thank you.

Jamilla: 39:25

That's pretty nice, really inspirational I think, for people. So our, our last question is for you to ask a question to Jamal.

Sarah: 39:33

Yeah, great. Jamal so I would like to know how you came to privacy. Sorry to ask the same question you asked me. Your program is so complete that you must have gone through lots of stuff. What did you do before doing this program?

Jamal: 39:46

I was fortunate when I first graduated, one of the first roles I had was as a compliance or a business consult. And as part of that, I would advise businesses looking to start up or looking to take their business to the next level. And one of the things I had to be aware of from the compliance point of view was the data protection regulation. We had the data protection act in 1998. There was a couple of principles we had to make sure we're demonstrating things like that, and I actually loved talking about that element of it because I thought it was so important. And in fact, I actually became the best person in the whole organization when it comes to talking about data protection. So that was kind of when I first came across it. And then I went more towards the compliance and went into financial services. I got a job with the regulator and then I started reading on, on one, one occasion I was reading something about this, GDPR. I was like, there's no way companies like Microsoft and Google and some of the other companies that are not even that big is going to let this happen. This is just ridiculous. But to my surprise, it got accepted and then the two-year period came in for that to get, uh, implemented. And I was like, wow, this is going to be a massive game changer. This is going to change the world. And at that time it going through some personal circumstances where I discovered that I was about to become a father for the first time. And I speak more about this in our earlier podcasts and I'll send you links to that, but for me it was like, hang on a minute. I'm stuck in compliance right now where pretty much what I'm doing is running processes, right? Let's not pretend it's anything other than running processes. This isn't how I want to live the best of my life. This isn't what I was born to do. I actually want more than this. I want more meaning, I want more reward, I want more challenge, and I need more income if I'm going to be a father and I'm going to look after my family, I can't be partying all the time. I need to think about the future. And that's kind of what drove me towards really taking privacy career very seriously. And that's when I started out on my search. And all of the different elements that work for me and all, all of the different mistakes I've made that's what I've packaged into the Privacy Pros accelerator program, which is why you kind of get that completeness because I've taken everything that worked for me and that didn't work for me. And if you look at my background, I don't come from a privileged background or in a fortunate position. My parents were both immigrants. I grew up in the ocean estate, which, um, a lot of people I grew up with are either in prison or on drugs or in some other unfortunate places. And most people there are in manual jobs. Not many people are fortunate enough to even go to university. It was kind of the exception rather than the norm. And so when you come from that background, what I really want to do is I want to give back to the community. I want to give back to people, and I want to show people like, regardless of your background, right at the UK, uh, right now, privacy space is dominated by middle class lawyers predominantly male and I want to change that. And one thing that I did at the end of last year was I was invited to a talk about how to bring diversity into privacy. And I said, you know what? I'm actually going to do something about this. And that's when I got really serious about trying to increase diversity and inclusion into data privacy, which is why we've been working so hard from January to really go and fulfil that mission and vision with purpose.

Sarah: 42:43

Wow very nice answer. I like it. Thanks for answering my question.

Jamal: 42:48

We’ll send you links to the podcast where I answer those questions in a bit more detail so you can better listen to it in a bit more detail as well.

Jamilla: 42:55

Thank you so much for joining us today, Sarah. I found what you had to say very inspirational. Very interesting. I think I'll even listen back to some of the points you made. Thank you so much for joining us though. It's been a pleasure.

Sarah: 43:06

Thank you for inviting me. It was very fun.

Outro: 43:09

if you enjoyed this, Be sure to subscribe, like, and share so you're notified when a new episode is released.

Outro: 43:16

Remember to join the Privacy Pros Academy Facebook group where we answer your questions.

Outro: 43:21

Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world class privacy pro.

Outro: 43:28

Please leave us a four or five star review, and if

Outro: 43:31

You'd like to appear on a future episode of our podcast

Outro: 43:34

Or have a suggestion for a topic you'd like to hear more about,

Outro: 43:38

Please send an email to team@kazient.com

Outro: 43:43

Until next time, peace be with you.