Tharishni: 00:00

As someone who is not tech savvy whatsoever, it was actually just taking apart a concept and then simplifying it for yourself and for others as well. I'd like to think that sometimes I'm able to act as a technology translator.

Intro: 00:17

Are you ready to know what you don't know about Privacy Pros? Then you're in the right place.

Intro: 00:22

Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts, the podcast to launch progress and excel your career as a privacy pro.

Intro: 00:33

Hear about the latest news and developments in the world of privacy.

Intro: 00:38

Discover fascinating insights from leading global privacy.

Intro: 00:41

Professionals and hear real stories and top tips from the people who've been where you want to get to.

Intro: 00:48

We're an official IAPP training partner.

Intro: 00:52

We've trained people in over 137 countries and counting.

Intro: 00:57

So whether you're thinking about starting a career in data privacy or you are an experienced professional, this is the podcast for you.

Intro: 01:13

Hi everyone, and welcome to the Privacy Pros Academy podcast. My name is Jamilla, and I'm a data privacy analyst at Kazient Privacy Experts. I'm primarily responsible for conducting research on current and upcoming legislation as well as any key developments and decisions by supervisory authorities. With me today is my co-host is Jamal Ahmed, who is a Fellow of Information Privacy and CEO at Kazient Privacy Experts. Jamal is an established and comprehensively qualified privacy professional with a demonstrable track record solving enterprise-wide data privacy and data security challenges for SMEs through complex global organizations. He is a Certified Information Privacy Manager, Certified Information Privacy Professional, Certified EU GDPR practitioner, Master NLP practitioner, Prince II practitioner and he holds a Bachelor of Arts in business with law. He is a revered global privacy thought leader, world-class trainer and published author for publications such as Thompson Writers, the Independent, Euro News, as well as numerous industry publications. He makes regular appearances in the media, on television, radio and in print, and has been dubbed the King of GDPR by the BBC. To date, he has provided privacy and GDPR compliance solutions to organizations across six continents and in over 30 jurisdictions, helping to safeguard the personal data of over a billion data subjects worldwide. Welcome, Jamal.

Jamal: 02:24

Hi, Jamilla. How are you?

Jamilla: 02:26

I'm all right. How are you?

Jamal: 02:27

Yes, super happy today. The weather is great. We've got a fantastic guest, so I'm delighted.

Jamilla: 02:33

Cool I'm happy I'm just seeing clouds outside my window, oh, well. So let's introduce our guest. We're very excited to have her here. Our guest is Tharishni Arumugam a privacy nerd who has worked in the privacy field for almost 10 years, beginning as a lawyer in Kuala Lumpur, Malaysia during the early days of the enforcement of the Malaysian Personal Data Protection Act. She left private legal practice to join Aon as it’s APAC Privacy lead, spending 4.5 years building a privacy team and practice in APAC that spanned the exciting and constantly evolving landscape of privacy and data protection laws in Asia-Pacific. She is now based in London, United Kingdom and is part of Aon’s global privacy operations team, where her focus has been on the operational and governance portion of privacy compliance, as well as being the privacy advisory lead for Aon’s global data analytics and innovation services. She has written internationally published articles on privacy, and has been a speaker at various privacy conferences, including the IAPP Global Privacy Summit, RSA-APJ and the Boston Bar Cybersecurity conference. In her free time, Tharishni’s goal is to better understand UK jargon after being locked up in a pandemic shortly after arriving, being able to deadlift 100 Kilos and finally get one successful unassisted pull up.Amazing.

Jamal: 03:49

Yay. Progress over perfection, right?

Tharishni: 03:53

Thanks Jamilla, for the introduction and hi, Jamal. Thanks for having me on the podcast.

Jamilla: 03:57

We're delighted to have you here. We always start off with an icebreaker question. If you could choose one famous person from history to have on your team during a zombie apocalypse, who would it be?

Tharishni: 04:07

Arnold Schwarzenegger. Like 100%. That man at his age is still an absolute physical beast of a person.

Jamilla: 04:17

That's true.

Tharishni: 04:18

He's still alive. He's not historical, but he's somewhat historical, like the Arnold Schwarzenegger of the movies versus the Senator versus I would have him on my zombie apocalypse team.

Jamilla: 04:30

I think I might have to agree. Jamal who would you have?

Jamal: 04:33

I was going to say I would have the A Team, but it says one person. I don't know. Maybe Christopher Columbus.

Jamilla: 04:39

Why would he help you during the zombie apocalypse?

Jamal: 04:42

He knows how to navigate.

Tharishni: 04:44

Wasn't he trying to find America and then find India and then found America?

Jamal: 04:48

Well, that's what I mean. He gets lost by accident, right. On his way to India, he found America. Imagine what else he's going to discover during a zombie apocalypse.

Tharishni: 04:56

Right, that's true.

Jamal: 04:58

What about you, Jamilla?

Jamilla: 04:59

I thought of the Rock because he’s got a lot of muscles to be able to punch zombies in the face.

Jamal: 05:08

Can you smell what the Rock is cooking.

Jamilla: 05:11

Or maybe someone who worked on the first ever spaceship so I could just get on a rocket and fly to the moon and live there.

Jamal: 05:20

Good luck with that one.

Jamilla: 05:23

All right, let's get down to the data privacy questions. Tharishni, what first sparked your interest in data privacy?

Tharishni: 05:30

It’s funny how I ended up doing privacy. I was in the legal firm, kind of going through the different options that I had. I did litigation, I did tax, and then they were like, oh, we just need someone junior to help out doing personal data protection there. And as I started doing the work, because I had to, I realized that I actually liked it. It was just so much more practical than any other legal field that I had been involved in. It was more fluid. You could see sort of how it impacts individual lives, and then the more you get into it, the more you see, like, oh, every single part of how business runs would need to understand how privacy works, and then just keeps getting more and more enhanced, more and more touch points. And that's really sort of how I got involved in privacy. It was, you know, ten years ago was almost like the right time. I would describe myself as like one of the privacy babies. I haven't really done too much in my career before privacy, so these ten years have mostly been about privacy. A lot of practitioners, you'll see, probably had a career in something else before they ended up in privacy. And I think quite confidently say, I've only ever known privacy as my bread and butter.

Jamal: 06:36

Wow, ten years. That's amazing.

Tharishni: 06:38

Thank you. I hope I don't look it. That's not the whole point though.

Jamilla: 06:45

So you're a trained lawyer or you studied law. Did you ever think of going into other aspects of law?

Tharishni: 06:50

Absolutely. I think, first of all, if you told me ten years or twelve years ago in law school you're going to be a grownup doing privacy law, I would go like, what is privacy law? There's no such thing, especially not in where I'm from. It’s still not taught in universities. It's still not considered to be too much of a career option. I used to be a debater. I used to travel the world representing my university. I used to teach debating. So the natural sort of progression would have been that I would go to court as a lawyer. And I did do a couple of months of that and start my training, but I didn't like the fact that it was super heavy on procedural aspects. There's a lot of court procedure that you need to go to before you could ever speak about an issue in court, especially in the kind of law firm that I was in, where I had to gather years and seniority before you could actually speak on behalf of a large client in court. So that's sort of what I thought I was going to be. I thought it was going to be Allie McBeal. That shows you my age, going to court in a nice suit. But I used to do that and just hate it. Like waking up super early to get to court at a certain time and making sure that you file the correct paper it's at the right time, and you could lose a case because you haven't filed it correctly. So that sort of thing kind of drives me a little bit crazy. I knew it wasn't for me as much as I did enjoy the other aspects of that.

Jamal: 08:08

That's super interesting. My brother is actually aspiring to become a barrister and he's interested in all that stuff, and right now he's going for the procedural stuff. I hope it's not as heavy on the admin side in UK practice as it is in Malaysia. But what I'm really interested in when you say you hated this part of your job, but then you started on privacy because they needed somebody, and then you fell in love with it. What was it about privacy in particular that you was like, you know what, I want to do this for the next ten years?

Tharishni: 08:36

I sort of thought, look, is there anything else I would like to do with my law degree? And I didn't think there was anything else that I wanted to put my toe in. Like, I did figure, like, IP tax was intense, lots of math, lots of lawyers will tell you they go to law school so that they could avoid doing math. So that's sort of where I am. But the privacy specifically, I think it was the fact that it was quite new at the point there was a lot of body or work that was still being developed. There's a lot of opportunity in the field, and I think that's still the case ten years later. In fact, I think it's just growing more and more in terms of opportunity and respect for the field. And it was this ability to create a niche in a way that really speaks to people's daily lives. When you pitch to clients, or at that point, or you're giving talks and training people, it's so easy to see the human aspect in privacy, as opposed to a lot of other fields of law that isn't like human rights law, for example. So I'll caveat that, let's say criminal law, not everyone thinks they're going to be a criminal, so you can't really talk to them on that side. But from a privacy perspective, everyone, especially in the age of Internet, can see how their data is being used, can see how this impacts their daily lives. It's so easy to connect with people in privacy law as opposed to any other field.

Jamal: 09:57

Awesome. Thank you very much for sharing.

Jamilla: 09:59

In your bio, we spoke a little bit about you were a lawyer in Malaysia during the early days of the enforcement of the Malaysian Personal Data Protection Act. And you also said that privacy isn't really a thing, maybe in Malaysia, and it's not taught in law schools, I guess. So what is the current kind of landscape?

Tharishni: 10:14

The thing about laws is especially enforcement of laws is quite political. And in Malaysia, what has happened, unfortunately, in the last, say, two or three years, has been a political turmoil. And we keep changing governments, keep changing people in charge. And so to build upon what's needed to be done from a privacy regulated perspective, there's a lot that needs to be done. They need to understand, what do we want to enforce? What are our values? How do we want to go about enforcing this? How do we make sure that the data we collect is secure? So these are things and building blocks that a mature regulator would have that has thought about, this is what we want to focus about. But that's not unfortunately, the focus in Malaysia politically in the last few years. So that's sort of where we are. But there are privacy practitioners growing in the country, especially because they look at the fact that there's still work to be done, there's still compliance to be done from a client perspective, especially when you're a multinational company. The effects of the GDPR extraterritorially is also a big driver in pushing the growth of privacy professionals outside of the EU. It's growing, but I think unless the regulator makes a more concentrated effort about being serious about this, I doubt that's going to happen. So that there's a bigger push for companies because some companies will take the position that, guess what? I don't really process EU personal data, and I don't think I'll get into trouble for this. Like, what is the risk call for not being in compliance? Turns out there's never really been much of a fine besides the data breach sort of stuff. So that's unfortunately, there's that situation where I'm from right now in terms of being a privacy professional.

Jamilla: 11:53

Where do you see the future of data privacy going in that part of the world?

Tharishni: 11:56

That would depend on where we go politically in Malaysia, which right now it's an absolute mess. I don't know where the future of my country is at right now, let alone like, privacy at all. I think one of the things that we have tried at Aon is there is a privacy council in Asia, in Kuala Lumpur that handles Asia Pacific matters. And so training people up that way and saying, just because you're based in Malaysia doesn't mean that you can't upscale to look at the rest of the region, I think that would be sort of the best way to do it. I think it's more of a private sector driven effort because you've got the talent there. It's just a matter of utilizing that and giving people opportunities. So we've also started having a secondee from a law firm, a junior lawyer that's helping out with Asia Pacific matters as she's upskilling herself in getting these sort of roles and responsibilities.

Jamal: 12:45

That's really positive. And I guess there are benefits to businesses to take privacy quite seriously. As we can see that privacy has been more important now to the individual than it has ever been at any time in the past in history. If we just look back earlier this year when WhatsApp decided to talk about their new update and how they want to share some metadata with Facebook, all over the world people are going crazy. Hey, what's WhatsApp doing with my data? I mean, I had my mother's friends calling me and say, should we stop using WhatsApp? Can they see my messages? What's happening? And these people, they wouldn't even know how to spell data privacy. So it's fascinating how data privacy is on everyone's mind. And what's really interesting is all over the world the press is actually publishing stories on data breaches, on privacy matters, and privacy seems to be more important. We see massive tech companies like Apple, they're not advertising their features, they're not advertising value for money, they're advertising how much they value your privacy. And so for businesses to take privacy seriously, even if there is no fear of enforcement, it’s actually steps in the right direction. What do you think about that?

Tharishni: 13:48

I think that's definitely the case. Like Apple's been a great shining example of privacy being a differentiator in the market and people understanding how you process their personal data. What are you going to use it for? I like to use the cool to creepy continuum because until people think it's creepy, they will think oh, you use my personal data in a cool way, I have no issues. But when there's a scope creep and it becomes like a very creepy thing and we know now that's like the use of cookies for targeting people, you have a conversation and then suddenly you get an ad to go to Mallorca. I say Mallorca because I'm dreaming of a warmer place. But you've made a really good point about that. And even if you're not a B2C company, as a B2B company, which is mostly what Aon does, there's a lot of trust that needs to be engendered between companies when you're passing data on as well. So it becomes a differentiator sometimes. Obviously, if you're a B2C, but as a B2B, it becomes an even bigger differentiator if you know where your data is. Because as a vendor you would need to provide this information. You would need to convince your clients that you are the best option for them to send their personal data, for them to be able to use your platforms and services and not have to deal with the data breach. That's sort of the big business differentiator. And we've seen that at Aon, if you're super prepared in terms of how you respond to client queries or how you go out to market in a B2B circumstance, that is a huge thing. Because guess what? The lawyers and the privacy professionals do influence decision making, especially in the last few years.

Jamal: 15:24

Absolutely. In terms of the actual culture of privacy, I want to ask you about that because you've been fortunate enough to travel all over the world and you've worked in Malaysia, you've worked in Singapore, and now you've been in the UK the last few years albeit in confinement because of the pandemic. But how have you seen the attitudes are different in privacy in different parts of the world. And I'm talking about cultural privacy.

Tharishni: 15:45

So many interesting stories. So here's a juxtaposition. I know that in some European countries even the use of any privacy technology, if it's not exactly as how this country thinks it should run. They won't even use that piece of technology. We've had issues in terms of trying to get technology that's hosted out of the EU to be approved for use within the EU. The culture across Europe, especially, I say in continental Europe, is very aware of their privacy rights, sometimes a little bit too aware, where everything is an alarm bell. But then you juxtapose that with some countries in Asia, you can't lump all of Asia. So I remember going to India as part of a business trip and giving privacy training, etc. So then I leave the office, I go to a shopping mall, and I'm paying for a garment that I bought, and they're asking me for my ID number. And this is like a whole list of information before I could pay for my goods and people willingly give up that information because that's the norm. And then juxtapose that was like going to Japan, where if there's been any mistakes, any little thing, the culture is like, we have to apologize for it because we hold ourselves to whatever it is. It's the highest standard. We need to go and bow and make sure that we don't do this ever again, whether it's privacy or anything else. And there's an awareness that privacy is a big part of the culture as well, that everyone gets to have their own space, and people should understand that. Even in countries where people readily give up their personal data, I think there's more awareness now as well. And that's because you've got some of the European standards. Some companies have a global standard, and you have to give your consent, and you have to make sure that things are transparent in terms of how data is being collected. But one thing I do notice is that people tend to think that you can use the GDPR standard across the world, and there's no deviations that's the highest standard, which is actually not true, because under GDPR, you might have legitimate interests, and that's a way to legitimize the use of the personal data. But in most parts of Asia, and even in some parts of the Pacific and certain processing activities, you must get consent. So it's a consent first jurisdiction. There's no such thing as legitimate interests. So that's actually stricter, because you have to get some sort of positive affirmation from the individual. It's a real patchwork. I think it's very interesting, and I think that the standards have changed because of COVID as well. Like, everyone is indoors, they're reading more, they're online more. I think we still get requests for people in Asia trying to enforce their data subject access requests, thinking that that's applicable to them. And that's really interesting because those things don't necessarily apply to individuals who don't live in the EU.

Jamilla: 18:38

What advice would you give to someone looking to enhance their career in data privacy in ten years? I mean, in the sector you've learned a lot and picked up a few tips.

Tharishni: 18:46

I would say one is be curious. Like you can't think you know everything about privacy law because it's not about knowing the law so much as knowing data and knowing how data works. And actually this week, I had two Stephen Lawrence scholars who I spoke to about privacy law, and they had a conception that it was just about knowing the law. When with privacy law, you've got to understand how data works. I think kids these days, like, they learn how to code and they learn a little bit more about tech. But literally, I had to learn about big data, AI, machine learning all of these things were things that you have to learn yourself. Or and this is a shortcut, is speak to an expert about it. Everyone loves talking about their job. And that's what I told the Stephen Lawrence scholars that I spoke to this week as well is that don't think that you're bothering someone with a question about what they do, especially if you catch them at the right time of course is they would love to talk to you about this and be humble and go look,

Tharishni: 19:49

This might be a stupid question and you'll realize every time you say this might be a stupid question. It's not a stupid question. And it's actually a really good question that helps you understand the conceptual mechanics of whatever you're trying to understand. This is not just privacy. This is not just tech. Obviously advice that goes across the board. Because for me I work so much in data and analytics that as someone who is not tech savvy whatsoever, it was actually just taking apart a concept and then simplifying it for yourself and for others as well. I'd like to think that sometimes I'm able to act as a technology translator because you've got the tech guys who like, know it inside and out with their jargon. And then on the other side, you probably have a regulator or contract or client that you need to explain things to or someone in your team and being able to take apart these concepts, put it in a very lay man’s language and then spit that out. I think that's sort of been one of the best skills that I've been able to harness across the years in my career.

Jamal: 20:47

Absolutely. And I think that is crucial, especially if you're going to be upskilling other people, empowering other people, and training them. And one of the things that we really try to focus on, the Privacy Pros Academy, is breaking everything down and making it super simple. So not only do people really understand it in depth and breadth, but they also know how to take that and apply in their roles. I see too many people that are struggling with data privacy roles, with kind of struggling to get a job because they can't explain their data privacy knowledge to hiring managers to recruiters. Yes, and the reason is, most of the time they've picked up a book, learned how to pass an exam, and they don't really understand how to apply those concepts because they've never spent time doing these things and never spent time with a mentor or someone that can show them how it's done and explain these concepts to them. And one of the great things that we find for the mentees that come onto our IAPP certifications and the accelerator program is the penny drops for them. And they understand all of these concepts and how it makes sense not just in their life, but with their clients, in their businesses, in their future businesses. And now they understand the foundations, and they have strong foundations and strong pillars, and they can really go out and really help solve some privacy challenges.

Tharishni: 21:54

Absolutely. I think it's got to be taking out the academic knowledge and being able to practically implement that in a way that makes sense. I think people tend to think this is a framework that I need to follow and I have to do it this way. But that's not what a privacy professional is. A privacy professional knows what needs to be done from a compliance perspective, understands the organization and what needs to be done for the organization and not just a general one size fits all. And I think that's how you get a privacy job, is that if you can talk to the hiring person going, this is what your organization looks like, this is what I think the issues are. This is the standards that I think we need to implement and here's what I bring to the table based on that. That sort of, I think, the best thing to hear when you're hiring as a privacy professional. As someone hiring, I don't need someone who can like, tell me, article whatever, an article this I actually hate when people do that, to be honest. Are you like, in compliance with article 33 of the GDPR? And I'm like, can you speak in English? And this is a lawyer saying that, I don't want you to tell me section whatever, article whatever. Tell me what is the provision? Tell me what are the essence that we're trying to comply with. Tell me what kind of framework should work. Tell me about human behaviour. And that's what I want to hear when I am interviewing someone for a privacy job. I want someone who's obviously knowledgeable to a certain extent, but anyone can go and Google like, the GDPR. I want someone who understands how to implement these things, what's important. And I think that's probably the other thing. Curious enough to see what regulator activity behaviour announcements are, because we are beholden to that. We need to know what their focus is, what they might look at. Obviously, there's going to be some areas that that's the first time they're looking at that. But a lot of things are going to be things that you've seen the regulator take notice of and has made announcements and keeping track of that and keeping track of people's sentiments around it.

Jamilla: 23:50

A lot of good advice there. And what other things do you look for then, specifically when you're hiring someone for a privacy role?

Tharishni: 23:56

I want someone who is keen on learning. I think a lot of times people come to interviews going, oh, I already know these things, and so let me help you. Sometimes that's a good approach. It's a very confident approach, I would say, but every organization, especially when it comes to how privacy and data works, it's so different, and I think I like being asked questions in an interview rather than just me asking the questions. An employment contract is both ways. You have to like what we do. You have to like what we stand for as an organization, and I've got to like what you stand for as a person and as a privacy professional. Look, I'm not big into looking at certification so much as curiosity and attitude, because the certification gets you through the door sometimes, but that knowledge might lapse. I'll put up my hand and say, I pass the CIPM, and I can't remember most of the content. I didn't even do my CIPPE because I was on the team that came up with the questions. So, like, the value of those things. I like giving people the opportunity to sell me on what you want to do here and sell me on yourself sometimes. Your experience might not be in privacy. I think some of my favourite interviews are people like that who are like, I've not done privacy before, but I've been super curious. I've been doing the work, reading up on it, having a finger on the pulse of the privacy world, and I've got certain transferable skills. Those are some of my favourite interviews, I think, when it comes to speaking to people about privacy, when you get these interviews, are they mainly people from law background to actually more around compliance background, so risk. I've also spoken to people who want to do a career change from audit, from tech. Sometimes they're not obviously, official job interviews. They're more like, can I talk to you about potentially moving into this field? I think that's always interesting. I don't see too many lawyers trying to have a change in career, and it's more people in different backgrounds.

Jamal: 25:52

I think that's definitely the trend we've seen as well. We've seen lots of risk professionals and lots of operational people focusing on primary casework and other GRC related areas, getting really curious about data privacy and saying, hey, I actually want a career in it. It's been really interesting to see how different challenges or different backgrounds people come with. But you know what the most fascinating thing is, and the thing I love most about the academy is everyone brings so much to the table already, and then. When we add privacy to that, privacy understanding of that, the applications, the actual knowledge, the regulations, the mindset, the practical experience and understanding of the know how and focus on their personal brand, they suddenly go out and they're this super valuable asset to any organization, and people just want to snap them up because they can see that they have so much to already bring. And one of the biggest misconceptions I think people have about transitioning to data privacy, sometimes they think they have to start again from the bottom. They have to take a salary cut, they have to take some other sacrifice. No, no, no, you don't. You have all of those great things. You're so valuable as it is. You're already worth x. Now you want to add all this privacy stuff to it, you should be worth X plus a little bit more.

Tharishni: 27:03

Yeah, that's interesting. It's definitely not starting from scratch. I think if it's how you sell yourself of like, here are the skills that I have honed in the years that I didn't do privacy that's applicable, and that sometimes is years of leadership and years of dealing with a business, years of getting to know a business, being part of a corporate structure. You're not someone out of university at that point, so it's definitely not that sort of starting point. And years of being able to catch up from a knowledge perspective as well. Because, you know, when you first start out, there's a big learning curve, but when you are already in the workforce for a couple of years, your years of catching up, your time of catching up, or your curve of learning is very much smaller. You don't need that much of time to jump over. But you know what's interesting, though, actually, is something that I discovered as I was trying to hire for my backfill when I left my job in Singapore was, lawyers who have lots of experience, more than ten years of experience with very little experience in privacy, but demanding like, ten year lawyer salaries. On the flip side, that does exist as well. And they're like, oh, there's a market for this now I'm going to do a little bit of work, and then I can sell myself as someone who has ten years experience. And I saw these CVs, I was like, you've done privacy for a year, and you've advised, like, a couple of clients on certain elements. You shouldn't be demanding this much of money. Like, that's just not how this works. So there's both sides. You've got people who genuinely are doing a mid career switch and are valuable, but then you also have people who are like, oh, I'm just going to tag on privacy, do a sprinkle here and there, and I can say, oh, I should be given a privacy job that's fairly senior. That's not okay. In my books, that was part of the challenge of hiring, I think, especially for senior roles in privacy. You don't have too many people that are a senior, and then you've got people passing off as, like, having the experience.

Jamal: 28:57

suffered and struggled around: 2018

Tharishni: 29:41

Yes, I know. I've seen some of this happen. I've seen people telling me, oh, I do this, and this is what I've done for my company because I've hired this adviser. And then I go, okay, but how does it apply to your company? Like, how have you customized this? You can sometimes get cookie cutter whatever templates if you want to, but then someone inside has to make it work for the company.

Jamal: 30:05

Yeah. The most disturbing example I came across was it was for the top asset management company. They hired one of the Magic Circle firms not going to name who the firm is. They hired the Magic Circle firms to create some of their documents. And these guys had put consent wording into the contract. Right. It's part of the contract. And they were, like, standing by that. They're like, well, we paid this firm to do it, so it must be right. It's like, I can't even believe they would make such a mistake to begin with. And the fact that you're actually confident just because this firm did it even though I'm explaining to you in the most basic terms possible and showing you in black and white that it's strictly forbidden from doing that, like, where do you want to go with this? And then there was like, oh, no, what else have they got wrong? And then that's where we have to uncover a big mess.

Tharishni: 30:52

Yeah, look, I actually have seen a contract that looks like what you've just described as just negotiating contracts throughout the years with clients. And you go, why is this here? This makes no sense whatsoever. And again, it's some sort of law firm that's fairly established telling our clients that this is the correct way to do things. So, yeah, there's a lot of confidence in what people are doing, but it's not necessarily correct. And they're coming from sources that should be legitimate sources in their reputation, but that's really not the kind of quality of work that should be there. I think one of the worst ones I've had, I think one of the challenges I had when I was back in Asia was when GDPR came out and we had to negotiate GDPR contracts for some of our clients or with some of our clients because of the nature of the data flows. Oh, man, I had one account from another country for the biggest multinational in that country shouting at me, like, literally shouting at me, telling me I'm wrong and that he wanted to talk to someone from our UK offices, even though we're both in Asia, because they didn't want to believe our position on being a data controller, which we've got an extensive legal advice. It's the industry standard, dah dah dah. And he's like, no, no, no, that can't be the case. And he's not a privacy expert, he's a general counsel. And so that sort of thing was in the early days, there's a lot of confident people, and I think it was funny how it just went from zero to 100 at him, yelling at me. That was intense, I would say. I don't think that's how contract negotiations should go. I meant to calm him down in the end and explained, I think, how this was actually beneficial for him. Then he's like, calmed down and he was like, okay. And then we were friends in the end, but it was not very nice.

Jamal: 32:41

I'm smiling because it reminds me of another fascinating story. One of my clients in the past used to it's another asset management company, right? And they had this fund, and this fund on lots of shopping centres around the world for a particular bunch of shopping centres were managed by the same management group. There was a lot of discussions about who's the data controller and who's the processor, with the joint controllers, with the independent controllers in common. It took a whole year to get to a point where we'd made some traction on it. We had to do all of the mapping. We had to there was so much ridiculousness we had to do behind it. Because whenever we had a board meeting then there was like 30 of people of their company coming to the board meeting and it was like me and a couple of my colleagues from the company. About seven, eight of us. Anyway it got to a stage where they was like, okay we're going to agree to X. And then we got there to sign to agree to X. And then they decided the night before, literally, they colluded with the other providers of this same service. They're another large company. We look after the other portfolios and together they decided their joint position and they they're was like, not going to budge which was completely different to what we just agreed over the course of the last six months of negotiation to get to that point anyway. It was like, okay, we're not going to waste any more time on this. This needs to be done because we still don't have a contract and it's been some time and we need to have this signed. So we agreed, the client agreed to the contract. Three months later, they turned around and said, hey, can we have this CCTV footage with that? No. So it was their insurance company wanted the CCTV footage to fight a claim, and if they get the footage, it stops them from spending lots of money going to court and getting all of this equipment. And they was like, can we have this footage? You're like, no, you can't. You're a data processor, you follow our instructions. If you wanted to be a controller in common of this, then you could have made those decisions yourself, but now you can't. And they have so many of those incidents every week where they could really have benefited from being able to make those decisions, but from us as a data controller. We don't want to give that person or the client doesn't want to give that person’s information out. There is no legal obligation, there is no other legitimate purpose for them to do that. So the position is very clear the policy is, no, we only release CCTV images if there's a legal obligation or if you are making or exercising kind of legal claims. Seeing as you don't fit any of that outside of the policy, it's not going to happen.

Tharishni: 35:01

Yeah, exactly.

Jamal: 35:03

I mean, that's where we left it. But you can see that you have to think things through and you have to think of what's actually happening. In fact, it doesn't matter what the contract says, you have to look at what's in fact and the contract should actually reflect that.

Tharishni: 35:16

Exactly.

Jamal: 35:16

So it'd be interesting to see if any of those incidents end up in court one day and a judge tells them who the controller and the processor is.

Tharishni: 35:23

Yeah, especially because regulators and courts don't really make any determination around controller processor for the most part, and the impact of misidentifying as well. We don't really see that except in practical circumstances, as you've talked about. That's sort of, I think where it is. There's a lot of still very academic discussions, I think, around a couple of different parts in privacy that’s interesting and always keeps it fresh in this field, for sure.

Jamal: 35:53

Yeah. So I'm curious, what's your favourite privacy challenge story and how did you overcome it?

Tharishni: 36:01

It's funny because it's probably not a privacy story because I started getting involved more and more in the field of data and data governance. I think some of my favourite things is people come to me now because I understand the legal parts of data, that it becomes more and more about, hey, how about using data in this way? And about data governance? What do you think about people's roles and responsibilities around data? But I think one of my favourite fields of data right now is the field of data ethics. So just because we can, should we? That question and answering that question is something I really love doing because it's for the most part, not very regulated. It's not black and white. You can't read article 33 and make a determination on that. I enjoy being in that grey area of like, just because we can, should we do it? Being the voice of reason, being the voice of sanity and having that be implemented has been some of my favourite things. I think there's just way too many challenges. I do enjoy the occasional solving an issue where data has been compromised. It's funny, you have to have a certain personality to enjoy it. You have to enjoy managing a crisis. And I do enjoy managing a crisis. I just can't do it too often or not I'll go crazy. But it's always interesting. And I love going through a product cycle end to end to see how that works. And I think that's the difference between being a lawyer in a law firm versus being a private company. Because in a law firm, you sort of do something, you give that piece of advice and you walk away. But in house you see it end to end and if you were there long enough, it comes back five years later and you've got to like, oh, we now have a new cycle of this. Something's changed so it's quite fun to do stuff like that as well, I think, in terms of being in a company for so long.

Jamal: 37:51

Great. Thank you for sharing that. Now, one question I like to ask our guests is why do you think it's important to get a mentor?

Tharishni: 37:58

I think it's really important to get a mentor because you don't know what you don't know to put existing to it. It's an easier way to tap into experience without you going through it yourself as well. If you keep your mind open, you will hear stories and lessons and a path that you can use for yourself. Like having a mentor for me, isn't just about doing it there way, but rather taking the lessons of that and applying it to yourself. If you have a mentor, and I've been lucky to have some just unofficially throughout my career, you have the support. Sometimes things might float around in your head and you're like, am I crazy for thinking this? And having that sounding board of someone with more experience is really great. And yeah, it's always just good to have an in into the larger privacy world. I started picking up photography in the lockdown, and my partner was my mentor because that's what he's good at, that's what his actual job is. Great. And that for me, I hadn't had a mentor in a long time.

Jamal: 39:01

What are you shooting?

Tharishni: 39:03

I do a lot of film photography, strangely enough, very old school. I like using film. I guess it's in now. Again, it's super expensive, though, to like, shoot in film. But I love architecture. We love architecture where you have people setting the scene for it. So there's an a sense of nostalgia to that. And I think some of my favourite photos are the ones I took in Venice last year on film.

Jamal: 39:25

Well, I look forward to seeing those. Where can we catch those?

Tharishni: 39:27

Public Instagram for photography is tharishphotography. So @tharishphotography on Instagram.

Tharishni: 39:48

Well, people who don't know privacy think that it's crazy that I'm even on Facebook or any of these platforms, and I go, Look, I understand what's happening better than you two. So I am having a full choice and consent and understanding of what I'm doing to myself and my personal data as I'm on these platforms.

Jamilla: 40:05

Yeah, I think after the whole WhatsApp issues, I was like, should I leave? And then Jamal wasn't leaving. I was like, okay, well, then I'll keep WhatsApp.

Tharishni: 40:14

I still kept WhatsApp still not on Signal. I know I should be on Signal, but yeah, I haven't done that.

Jamal: 40:19

Yes, unfortunately, we had a lot of privacy peers who got very nervous about WhatsApp, and they decided they're going to lead the way and follow the digital migration and moved over to Signal. So we used to have a privacy process community on WhatsApp, and now it's migrated over to Signal. But I'll tell you more about that in a minute.

Tharishni: 40:38

No worries. I still have to be on WhatsApp. I can't convince my global list of friends. I'm sure we all have friends everywhere. My parents, my family, I can’t.

Jamal: 40:51

I love it.

Tharishni: 40:52

Yeah.

Jamilla: 40:52

And I can't be doing, teaching my grandparents and my dad a whole new app. I know I have enough trouble with WhatsApp already.

Tharishni: 40:59

Exactly.

Jamilla: 41:01

Tharishni is what has been your proudest moment of your career so far?

Tharishni: 41:04

I would say being invited to be a keynote speaker at the RSAAPJ by Trevor, who is the IAPP president. I think that was a big moment because got the IAPP president recognizing who you are, inviting you to be on the keynote panel, it was a big deal. It was with Hillary as well, and she was actually one of the people that I saw on stage earlier in my career. And I was like, that woman is amazing. She sounds so confident. She looks amazing. She's saying all the right things. And to be sharing the stage, like, just a few years later, that was a big deal for me.

Jamal: 41:45

I watched the video. She was sat to your right, you was on the left, and Trevor was on the far right with his beautiful book or clip or whatever he was making. Is he making notes or what is he reading from? I want to see what's inside that notebook.

Tharishni: 41:57

Yeah, he's got his thoughts in there, for sure.

Jamal: 42:00

Yeah. But no, I thought you've done an awesome job yourself. Yes, Hilary was great, but I thought you was equally great.

Tharishni: 42:06

Thank you so much. I appreciate that.

Jamilla: 42:08

For the listeners that don't know, could you explain a little bit more about the RSAAPJ?

Tharishni: 42:13

Sure. So, the RSA conference is the world's biggest gathering of security professionals, and the APJ is the Asia Pacific and Japan version of that. It’s huge.

Tharishni: 42:25

Like, even the one in Asia that's hosted in Singapore. I was shocked when I got there. I mean, I remember some of the speakers that were keynotes in the year before were celebrities. Like, actual not privacy celebrities, I think so. Bob Geldoff, one year, was the keynote speaker, and that AI robot, Sophia. Sophia the robot was, I think, the same year, she was one of the keynote speakers as well. So it's a massive deal. Honestly, it felt like the first year going there was like going to the Apple conference. They were giving speeches about stuff, and the vendor side was crazy. It was definitely the biggest conference I'd ever been to. So the first year, I spoke in, like, a small room with not a lot of people attending. And then the second year, being invited to be a keynote speaker was like, you're miced up. Or it's like these cameras, I wish they gave me a heads up that I probably should have gotten my makeup done professionally but it's fine. No one was there to look at me. But just to hear what I'm saying, which is way more important, congratulations on that.

Jamal: 43:29

Congratulations on that, it was really good to watch, and there was lots of very interesting points that I found quite fascinating to take away from that. And I know privacy it wasn't a very dedicated privacy one, but privacy and security go hand in hand, and I think increasingly, the more privacy professionals appreciate and understand security, the actual more value they can bring to the table.

Tharishni: 43:48

Absolutely. We work very closely with our security guys, and we've built that relationship, each other, trusting each other.

Jamilla: 43:57

Maybe at the next conference you'll have Alexa and Siri there.

Tharishni: 44:03

Okay, Jamal, what is the strangest question someone has asked you?

Jamilla: 44:12

I think I asked, if someone took a picture of someone with a guide dog, would that be a breach of category data?

Tharishni: 44:19

Yes.

Jamilla: 44:20

Would that be special category data?

Tharishni: 44:21

Wow, that's quite an interesting scenario, but I guess so, because it shows that someone's blind.

Jamal: 44:33

It's revealing something, isn't it?

Tharishni: 44:35

Yeah, but I'm suspicious of people whose minds go there, though. I'm always suspicious of people who go there and like, what are you thinking about in your spare time.

Jamal: 44:58

Yeah. Tharishni thank you so much for your time on this podcast. You've delivered some great value, and we look forward to catching up with you again in the near future.

Tharishni: 45:06

Thank you. Thanks for having me on the podcast, and I look forward to listening to it when it's all done.

Jamal: 45:11

Thanks.

Outro: 45:13

If you enjoyed this episode, be sure to subscribe, like and share so you're notified when a new episode is released.

Outro: 45:21

Remember to join the Privacy Pros Academy Facebook group where we answer your questions.

Outro: 45:26

Thank you so much for listening. I hope you're leading with some great things that will add value on your journey as a world class privacy pro.

Outro: 45:33

Please leave us a four or five star review.

Outro: 45:36

And if you'd like to appear on a future episode of our podcast, or.

Outro: 45:40

Have a suggestion for a topic you'd like to hear more about, please send.

Outro: 45:44

An email to team@kazient.co.uk

Outro: 45:48

Until next time, peace be with you.