In Conversation With The Commissioner
Attention Data Protection Professionals Who Want To Take Their Career To The Next Level
You're about to discover the secrets to staying on the right side of the regulator without the pain of living in constant fear of the regulator ever again!
Hi, my name is Jamal Ahmed and I'd like to invite you to listen to this special episode of the #1 ranked Data Privacy podcast.
In this episode, you'll discover the answers every Data Protection Professional needs to know, including:
- should data subjects have to pay to exercise their rights
- clarity on the consent conundrum
- the regulators' sole focus
- the value of the Privacy Pros Academy community
- secrets to enhancing your career prospects
and so much more...
So if you're serious about wanting to take your career to the next level, without staying stuck in the same place, listen now to this special episode that will show you exactly how to stay on the right side of the regulator.
Ready to become a World Class Privacy Expert? Book your call to join the World's Leading Privacy Program
Daniel Patterson is the Commissioner at the Data Protection Office at Qatar Financial Centre Authority.
He has spent 17 years in the financial services and insurance industries and 12 years specializing in risk management.
He achieved his CIPP/E and CIPM, and he has a degree in management and law from the Dublin Institute of Technology.
Listen Now...
Follow Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/
Connect with Daniel on LinkedIn: https://www.linkedin.com/in/dandpatterson/
Check out QFC: https://www.qfc.qa/en
Subscribe to the Privacy Pros Academy YouTube Channel: https://www.youtube.com/c/PrivacyPros
Transcript
Are you ready to know what you don't know about Privacy Pros? Then you're in the right place.
Intro:Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts. The podcast to launch progress and excel your career as a Privacy Pro.
Intro:Hear about the latest news and developments in the world of privacy.
Intro:Discover fascinating insights from leading global Privacy
Jamal:Professionals and hear real stories and top tips from the people who've been where you want to get to.
Intro:We're an official IAPP training partner.
Intro:We've trained people in over 137 countries and counting.
Intro:So whether you're thinking about starting a career in data privacy or you are an experienced professional, this is the podcast for you.
Jamilla:Hi everyone, and welcome to the Privacy Pros Academy podcast. My name is Jamilla, and I'm a data privacy analyst at Kazient Privacy Experts. With me today is my co-host, Jamal Ahmed, who is a Fellow of Information Privacy and CEO at Kazient Privacy Experts. Jamal is an established and comprehensively qualified privacy professional with a demonstrable track record solving enterprise-wide data privacy and data security challenges for SMEs through complex global organizations. He is a revered global privacy thought leader, world-class trainer, and published author for publications such as Thomson Reuters, the Independent, Euro News, as well as numerous industry publications. Welcome, Jamal.
Jamal:Good afternoon, Jamilla. How are you today?
Jamilla:I'm good, thank you. How are you?
Jamal:I'm all right. I don't know if I should be happy, if I should be excited, or if I should be scared, because speaking to us all the way from Doha in Qatar is actually the regulator.
Jamilla:Our very first regulator.
Jamal:Woohoo.
Jamilla:You should be excited and scared.
Jamal:Yeah. I mean, usually when I speak with regulators, it's because I'm representing a client who might be in a little bit of trouble. But every time I've spoken to our next guest here, it's always been pleasantries and super friendly. And I think that's exactly the kind of relationship everybody should have with regulators, to be able to give them a call and ask them for advice and ask them for guidance. So why don't you tell us who our fantastic guest for this episode is?
Jamilla:Yes. So today on the podcast, we have Daniel Patterson, he is the Commissioner at the Data Protection Office at Qatar Financial Centre Authority. He has spent 17 years in the financial services and insurance industries and 12 years specializing in risk management. He achieved his CIPP/E and CIPM, and he has a degree in management and law from the Dublin Institute of Technology. Welcome, Daniel.
Daniel:Great to be here. Thanks so much for having me.
Jamilla:You're welcome. As you can tell, we're very excited to speak with you today. Our ice breaker question: who is your celebrity lookalike?
Daniel:Oh, wow. I would say I don't even know his name. Do you know the movie Independence Day? And the first one, the guy who plays the president?
Jamilla:I’ll have a Google whilst we're doing
Daniel:Yeah, I get a lot of you look like so and so from the movies. I get a lot of you look like certain Irish celebrities who are middle-aged and folding and a little overweight. So I'm not sure whether it's a compliment or just an observation.
Jamilla:You're currently working in Qatar. What is the landscape of data privacy like in the Middle East and also in the area that you're working in? Is it as hot a topic as it is over here?
Daniel: updated regulations now since:
Jamal:What do you think is driving this forward Daniel? Where is this appetite coming from?
Daniel:I think this digital economy is definitely becoming more in the forefront. I think focus on fintech and regtech as possible FDI for the QFC is a really big driver as well. We're seeing how much data is worth. I think we want to talk globally about how much data is worth. It certainly doesn't hurt that the big fines are hitting Facebook, they're hitting the big firms, British Airways, the Marriott. I think the focus on data and data privacy and how that is being used globally is filtering down now to the region. And we know that we have to be balanced between protecting the rights of the individuals but also still being able to promote business in the right way.
Jamal:Would you say it's more a business risk? They just want to avoid that reputational damage. They want to avoid those excessive fines and being in the news for the wrong reasons or it's more about inspiring the trust and confidence of the users and the consumers?
Daniel:That's a really good question. I would be very much on the business enabler. It's a way to grow your business by handling data in the right way, understanding where your data is, your data flows, what the data you have, what permissions you have to use it. You can monetize that. That can be a great benefit to the firm. It can be a great benefit to the data subject themselves and the customers of these firms. I think it's too easy to focus on the negative and the fines and they are there to be persuasive, they are there to be dissuasive. But the principles with the data protection regulations, much as it is with other financial services regulations, like AML example, if you do it right, it's a real business enabler and build trust, but also there's opportunities within it itself to make a lot of money. So I'm very much on the it's positive for the business, not just about avoiding financial oversight.
Jamal: ever issued three fines since:
Daniel:I think there's a lot of caution that needs to be taken in relation to the challenges that the regulators face in the work that they're trying to achieve. I think when you look at regulators like the ICO or even the Data Protection Commission in Ireland who are trying to oversee every single firm in the country. Not just financial services but everything. And then you throw in all the emerging tech, AI, machine learning, intelligent things, smart cities, you have Facebook, Google, LinkedIn all situated in Ireland. And being able to put the resources into the right place. To spend the right amount of time, to do the right amount of analysis. I think we'd expect too much too soon. I think of some of these regulators and they will ramp up and they will start delivering more fines and directions and orders against firms. But I do think that it's a new law, a lot of it hasn't been tested in the courts and I think that's a cautionary tale in terms of how they're approaching some of their oversight. So I would always be cautious to go. Just because they haven't done a huge amount of fines doesn't mean they're not in the background doing an awful lot of work to drive the right compliance of the right outcomes, but also they're trying to drive the right behaviours as well for everyone across all the firms across the country. And I think that's a huge challenge even with an office as big as the ICO's.
Jamal:Thank you. Thank you for sharing, that's quite insightful. You're right, there has to be a balance between what we want to see as privacy professionals, people who are looking out for the individuals' data, and also what's actually possible from an organizational point of view. Given that this is so new, given that it hasn't been tested, sure, they're actually trying to tread quite carefully. On that note, you've had a chance to read through the proposals that were issued by the Department for Culture, Media and Sport in the UK here and they've proposed some really radical changes to European Data Protection law and it seems to be the opposite of what other states and what other jurisdictions are doing, which is trying to meet the GDPR. The UK seems to be more watering down the GDPR, moving away from it and offering less protection to citizens in the UK. What are your thoughts on that?
Daniel:You're going to get my regulatory type of response to this one. You have to look at all the laws that affect data and affect businesses and not just one in particular. And I think you can look at something like the changes they're proposing to the UK GDPR and go well, it's a watering down just of that legislation and it may very well be, but you have to look at it in light of other legislation that's in place and other regulatory frameworks that they have. It's also a cautionary tale that the GDPR is one way of doing data privacy. It is not the only way, it is definitely not perfect in its own right. I think there would be a lot of critics of the GDPR in terms of how some of the clauses are written and some of the requirements within it. So whether or not we hold the GDPR up to be this gold standard and this perfect instrument of data protection regulation, or whether we go well, balancing protection rights and freedoms of individuals and promoting business. It's a fine line and the ICO, in their response, obviously, to that consultation, is cautioning certain things to be careful as they start making these changes to the regulations, and everything has to be looked at in its entirety. So I think you can look at it and go, well, yeah, they're taking away some of the key elements or suggesting they take away some of the key elements that are in there as protections, or trying to look at it from more holistic viewpoints in terms of how do you sustainably grow business at the same time as protecting those rights and freedoms. And I think that's the fine line they're trying to walk. And until we see actually updated regulation, it's hard to know where that's going to land post consultation.
Jamal:Thank you. Thank you for sharing that. It's such a diplomatic answer, but you have so much value at the same time. That's a skill I'm going to have to ask you to mentor me on one day. Daniel, you speak so well.
Daniel:To be honest with you, for me, you can look at something and it looks a certain way and it may very well be that way, but you don't really know what else is going on in the background that's around it. And we need to just give the benefit of the doubt to the professionals and the very big brains that are there trying to do the right thing. I don't think anybody in the UK wants to throw the data subjects under the bus, so to say. I think they're trying to walk a fine line. That's always difficult. Certainly I see that in my own work as well as we try to walk the line between promoting business at the same time as protecting people.
Jamal:Jamilla, I've got a question for you, actually. One of the proposals is that you should now have to pay to exercise your right to privacy.
Jamilla:Why should I have to pay for it? Why should I have to pay? Because companies are getting money from when I disclose information online. So why do I then have to pay to find out things like what information they have about me? They can sell my information for advertising purposes, for example. I've agreed to that and then I want to find out more about it. Either do a subject access request, why do I need to pay for that if the company's already making money off my personal data?
Jamal:That's a very good question. It's something that we're going to have to put to the new commissioner, I guess. Why should we have to pay to exercise our rights?
Daniel:In our updated regulations, we are stipulating quite clearly you don't have to pay. It should exactly be a free service. I think that right to know what a company has about you, what information they hold on you and how they process it is a very important right. The transparency rights and the rights of access in particular, I think are fundamental, and charging for those, you have to be cautious. You have to remember, under the old regulations, pre GDPR, charging was always in place. And I can tell you from being a DPO that it didn't affect the number of access requests that we got. We still got them, they still flow through the door and we still did all the work to respond to them. So I'm not sure it's a huge, big blocker if the price is right, and I think our regulations will stipulate this, that it being free is really important.
Jamilla:But then, as we've gone through GDPR, privacy has been more in the public eye. We're more digital, especially with COVID. Surely that means that if you're charging for privacy, then privacy becomes more of a privilege for the rich rather than a right for everyone. Because if it's charging 50 quid for a subject access request, if you are someone who can just about afford to put food on the table for your kids and just about afford rising costs that are happening in the UK, subject access request and privacy is going to go down the bottom of your list. But if you can afford that,
Daniel:That’s a really good observation, and I think that's 100% correct. I think that if you charge somebody, if you have a lot of money, it's not an issue. If you have very little money, it's a big issue. And I think that's why we in particular don't want to have a charging mechanism within our regulations, because you don't want to disenfranchise certain individuals from making those requests simply because there's a cost involved. And that's the same for any of the rights across the board, is that the second you put a barrier in between, you'd lose a certain amount of people at that barrier point. And that's what we're trying to avoid.
Jamilla:Seems almost quite American charging for privacy, because a lot of what other countries see as a right, for example, in the UK, healthcare is a right. In America, they charge for it. I could envisage America going that way and charging for privacy.
Daniel:Really what I want to see the flipside is when the day the subjects are charging the firms for our data.
Jamal:On that note, we've got some fantastic guests coming up who actually talk about how to monetize your data. We'll save that for another episode. What's really interesting here, Daniel, is you're actually promoting the rights and freedoms of the individual. And when it comes to actually processing personal data, we've got a couple of different lawful bases. So at one end we have consent, which is giving ultimate rights and ultimate choice and freedom to the individual. And at the other end we might have things like legitimate interest or necessary for a contract. The legal basis of consent is often misquoted. Can you properly define it for us and give us some examples?
Daniel:I think you're right. I think the word consent is used for agree as opposed to actually the regulatory definition of consent, which is an unambiguous indication of agreement to a set of processing that is specific, it's clear, it's well articulated, that you know exactly what you're signing up for. I think quite often people go, well, you consented. It's like, well no, I signed a contract, that's not consent. That's contract; it's very different, it's a different legal concept. The use of consent gets bandied about a lot where I think firms don't often know what they should be using, what the right legal basis is. And that is something that we spend a lot of time with our firms on. We are trying to educate them on where the boundaries between contracts, consent and legitimate interest might lie.
Jamal:That's really interesting because one of the biggest challenges that I face when I'm working with my clients is a lot of the time the consent will be hidden in clauses. It might be at the bottom of a footnote, and they think they have consent. The challenge is that consent isn't always valid. And as you just described, for that consent to be valid, it needs to be clear, it needs to be specific, and there needs to be some kind of an affirmative action, and any consent that's blanket consent isn't actually in line with what the regulations intended and therefore it's unlikely to hold up under scrutiny and therefore that processing all becomes illegal. And we saw a fine recently issued by the Italian Garante against a university for processing based on what they thought was consent, but that consent wasn't considered valid. So you raise an excellent point and a timely point and it's great to see that you are actually taking steps to educate data controllers and businesses within your region and your jurisdiction. I wish every jurisdiction had somebody like you at the head of the centre. It would make this space so much easier for people to understand what they need to do. It would avoid some of the challenges that we have where people often have their rights violated by businesses, not because businesses don't care, but because they don't actually understand and they don't get it. On the note of the ICO, this is actually one area where I think they do add a lot of valuable input. A little bit like the BBC, we're giving balance here. They do provide some great guidance and great advice on the website and it is clear and it is quite concise and it is actually quite useful. Especially for some of the smaller businesses that can't necessarily afford to go out to established consultants. There's enough information there for them to have a really good go at it. How important is it for a regulator to give clear guidance?
Daniel:It's incredibly important. We don't have the luxury of the way the financial services regulators just issue the rules and they leave it completely up to the firms to make their own assessments. I think it's very important that we take time to explain to our data subjects, to our member firms in particular, who are very diverse. They can be everything from consultancy firms to law firms who are very sophisticated down to small little start-up fintechs who are focusing on the technology and they don't really understand maybe some of the regulation that comes into play, that we give them a message that's meaningful to them about one of the key things they need to focus on and then it becomes a layered approach. It's a bit like a privacy notice. You start dropping the things they need to look at on day one and then you start building that up and you try and build into their consciousness and their psyche this idea of privacy by design and default, where they are thinking privacy from the very start, and if you can get that right, everything else kind of flows very, very easily from there.
Jamilla:What can DPOs do to stay on the right side of the regulator?
Daniel:I think the very first thing when I was a commercial DPO was to go and actually sit down with them and explain what the client model that we were operating within the firm looked like, what the challenges we were facing were and where we were trying to take it. Did that in previous roles and it worked really effectively, both in Ireland and Lithuania in particular. And I think this idea that regulators are unapproachable and a little bit scary is actually probably not fair. I think that I was very impressed by the regulators I sat down with and discussed our plans with as being open minded, thoughtful, would take on board our challenges and how we are trying to address them. I think if you do that as a DPO, kind of honest to an extent and try and be forthright and forthcoming with regulators, they will go right, we understand where you're coming from, we understand what you're trying to do. You're trying to do the right thing by the regulations. We will certainly work with you to achieve that. That's certainly one of the key things for a DPO. I think the second one is definitely get to know your board. I think you need to know your board of directors, you need to know your senior management team because they need to trust you. They need to trust that when you drop that, you need to stop this activity now. They need to know that you wouldn't say that unless it was really important and the firm was definitely up for that.
Jamal:Totally echo and agree and resonate with everything you said. One of the things that really helps me, I find, which is a little bit different to some of my peers maybe, is that whenever there is a need to get some advice or some guidance or there is an investigation or some kind of concern from the regulators, the first thing I do is I would pick up the phone and I will arrange a meeting to speak with the regulator or speak with the person, the case handler, the person leading the investigation, and just have a nice chat and just understand what they're looking for and give them a little bit more explanation. Nine times out of ten, every time I've done that and every time we take that approach, it actually is resolved very peacefully and in a very cooperative way, rather than in a very standoffish way. Compared to when I've come across stories or where I've had to go and pick stuff up, where stuff's come in, a legal counsel or a legal firm has been appointed and they've sent very legally strong, robust letters to the regulator as they do, kind of trying to show, look, we've got might or we're going to throw the book, and all this jargon and all this legal spiel, and that often ends up in not such a great place. Just having that human approach, just being able to go and have a chat with the regulators. Oftentimes you can actually resolve a lot of challenges without having to escalate any further.
Daniel:I fully agree and I think you have to remember the regulators are human beings as well. Our focus is solely on compliance. It is solely on are you doing the right thing, are you following the regulations? Are you protecting the data of your data subject? Is that what you're trying to achieve? I think we're realistic in that things go wrong. We're realistic that compliance costs money and there are challenges, there are decisions that have to be made by firms. And what we want to know is the firms are considering those constraints of trying to make the right decisions. And if they're upfront and honest and having that dialogue, you know that when things don't go quite right, it's not the end of the world that they will try and correct it. It doesn't necessarily mean that it's not going to result in a financial sanction or a direction or an order or some other type of consequence. It just means that it's probably less likely as bad as it would be perceived to be hidden or perceived to be not really cared about.
Jamal:I think one of the things is there are certain situations which will have to ultimately, unfortunately result in a sanction or some kind of enforcement action. But all of these steps, all of these open communications could actually be mitigating factors that you take into consideration when making that decision of what that's going to look like at the end.
Daniel:Definitely. And I think that's the case for pretty much most good regulators, will always go honesty and openness, being frank about what's going on and what occurred goes a long way to smoothing the waters.
Jamilla:What made you want to switch sides and become a regulator?
Daniel:I'm not sure it was ever really a conscious decision to go from a poacher to gamekeeper. I think when I had the opportunity to move over to Qatar, it was such a great opportunity with a lot of work to be done. Having the opportunity to shape what data privacy regulation means for the QFC was such a great opportunity, I jumped at it. But before that I was always a commercial DPO. So I was always walking that line between compliance and cost and effectiveness for the firm, I come with a lot of experience on how you would implement some of these protocols and these regulations within a firm, so I know what to look for as a regulator, which helps. It was never something that was in forefront of my mind to become a regulator. It just worked out fantastically well.
Jamal:Amazing, glad to hear that. And before you became a regulator, you had a very impressive career as a data privacy professional. What are some of your top tips for our listeners who are also aspiring to become elite, world class privacy professionals? How can they make sure that they are continuously improving and being the best they can? And how can they also be head hunted for amazing opportunities, similar to how you have been head hunted?
Daniel:I wanted to be in privacy once I was in compliance and risk, so I always knew that this was a growing area and a very interesting area. And for me, the crossover between operational risk and privacy was really intriguing for me. If you've worked in financial services and risk management at all, you would know that operational risk is kind of seen as the little brother to compliance, whereas I see operational risk as the big brother for everything that's not financial risk. Privacy is all about how we do it, how you operationalize that within your organization, how you talk about it, how you prioritize it, and it can be embedded into your risk management systems very very easily. And that's compliance. But then there's the whole other side, which is how do you make it an opportunity for your business? And I think a lot of risk management programs start about loss avoidance. If you're lucky and working with them long enough, you start getting into positive outcomes at the other end. I think my advice for anybody trying to be in privacy is look at it from a regulatory point of view as a how to be compliant, look at it from a business point of view, how can it be beneficial to your business, both from the use of the data and from that trust element, with your regulators, with your customers, with your suppliers, with your board of directors. I think if you come to it with that attitude, that this is a growth opportunity for your business and it's an opportunity to make some money, I think you get a lot more focus within your organization and that always helps.
Jamal:So you're talking about having the right kind of mental attitude and the right approach. And that's really interesting. It's because one of the things we teach on our signature twelve-week Privacy Pros Accelerator program is all about having that mindset. We have a whole module just on communicating with different stakeholders and communicating with the regulators and the need to take a specific approach as well. How important is it for individuals to constantly upskill, invest in themselves and get world class certifications to be recognized as credible privacy professionals?
Daniel:Very important. But I do think to have something like, whether it's the IAPP CIPP/E and CIPM, or whether it's a certified DPO from an Irish university like I have as well, I think they're very beneficial. I think somebody looking at you on paper, they need to see and have confidence that you understand the topic, can do the job. I think continual education is probably the biggest element in this. I think having the qualification is great, you've done it and it sits over there in the corner, but it's connecting with industry peers, it's being on different forums, it's listening to podcasts like this. It is always kind of keeping up with what is going on that becomes the most important thing, because a development can happen overnight. It can be a judgment from the European Court of Justice flips a view on the DPO, for example, on its head, and some of the firms are trying to figure out what that means for them. So you need to kind of always be continually educating yourself, and not necessarily formally, but through other programmes, is key.
Jamal:Thank you for sharing that. This is one of the things that we actually try to promote through the podcast and through the great work that we do at the Privacy Pros Academy is how important it is to have that clarity of what is actually going on in the landscape. What are the latest changes, developments, having the confidence to identify the challenges, propose the right solutions, and then having the credibility to back all of that up. So when you are engaging with stakeholders, when you are giving suggestions, when you are communicating your solutions, people actually have the credibility to buy into what you're saying. They have complete trust in what you're saying because they know that you are a clear, confident and credible privacy professional.
Daniel:It's the same idea that your firm has to be trusted by its customers, by its other stakeholders. You need to be trusted by your board of directors, you need to be trusted by your senior management team. Your focus isn't only on one element, it's focused on the business and how privacy fits it within the business, which again, I think is back to your privacy by design and default. If you're thinking about it always from the ground up, it automatically starts blending into these business development opportunities and growth opportunities, and not just about compliance.
Jamal:What's really interesting is most of the time we actually talk to individuals and say how important it is to invest in themselves. But at the same time it's also important for businesses to invest in their personnel, and especially their data privacy team and the people looking after the operational risks when it comes to data privacy. As a regulator, how much more weight will you give to a business when you see they've actually invested in their staff or in their team and put them through what's known as the gold standard in data protection certifications and training?
Daniel:Very much a risk based approach as well. So when you're dealing with a larger firm, you kind of always would expect that they're at the right educational background and experience. For the smaller firms, you have to be careful because they don't necessarily have the resources or the time to be pushing all their individuals, who may have two jobs, they may have three different roles they're filling within the company, to go off and get a privacy qualification. It's kind of a funny one. It comes down to what the issue is. If you're somebody who's well educated and they haven't spotted something really obvious, it might actually be worse than if it's someone who doesn't really know what they're doing and makes a mistake. Whereas if somebody is very knowledgeable and makes a mistake, it actually looks a bit worse. I certainly wouldn't judge a firm simply on the qualification of its staff, but if they have someone whose job it is to oversee privacy, I would definitely like to see some focus on that within their educational or continual development.
Jamal:You make a very interesting point there. There are some people who have the right qualifications, but sometimes the challenge is they've often just locked themselves up in a room and they've learned how to read a book and pass the exam, compared to somebody who's actually gone and trained with a mentor, trained with an industry leader, somebody who's credible and authoritative, and they've actually discovered and understood how to operationalize all of the things they're learning rather than just passing the exam. How important is it to make sure that you go and actually train with a credible and qualified mentor that you can look up to, rather than try and pass an exam just by reading a book by locking yourself in a room?
Daniel:If you're lucky enough to be able to get a good mentor or somebody who can help guide you. Someone who can answer the phone and you can bounce ideas off and help guide and grow your education or your career is very important. I think the realities of implementing some of the say GDPR requirements are very different in real life than they are in a book. And the examples you tend to get in books tend to be very straightforward and really obvious. And it's a bit like doing a math problem when you were in school, when they would give you easy and then the ones you have to apply to is like, what? I've never even heard of these concepts before. It's ridiculous. And I think that becomes really important that you can pick up the phone to another professional and ask the question, well, look, this is what I'm thinking. Am I on the right track in how to deal with this in reality? And again, it comes back to the networks that you have, the groups that you're involved in, and if you're lucky enough to have a really good mentor, it will always push you ahead much better than anything else.
Jamal:So thank you. One of the things that I've been really passionate about, and this is based on when I was actually trying to figure things out as a privacy professional, I found that what I needed, or what would really have supported me, is having a powerful community of world class privacy professionals. People I can look up to. People that are my peers now who are experts in different jurisdictions and experts from different backgrounds. So what I've done is created the Privacy Pros community, which I have the pleasure of inviting you to, and you're now a part of it. How valuable of a resource do you think that is and can be for privacy professionals?
Daniel:Without a shadow of doubt. It's really important being able to ask a group of your peers a question and get a steer on what is the right approach, what is the right way to go. And certainly within the group, I've already seen that people will go, well, let's have a conversation about this offline you'll get an expert who will be able to give you a far more formal, guided and specific advice if needed. I think it's hard to do this on your own. If you're in a vacuum, forget about it. Get yourself connected into groups like Privacy Pros is really important.
Jamal:Thank you for sharing.
Jamilla:What was the biggest surprise or thing you weren't expecting, if anything, when you moved from being a DPO to being a regulator?
Daniel:For me, the biggest change was going from Ireland country, with a lot of rain and quite cold, to Doha, where the worst day in winter is like our best day in summer. It was quite a shock.
Jamilla:Have you tried the thing of frying an egg on the side of the street yet? I've seen that quite a lot in hot countries.
Daniel:We haven't quite done that yet, thankfully.
Jamilla:I used to have to spend my summers in Libya and we tried it once. Didn't work, but I thought it might work in Qatar.
Jamal:Going back to my science lessons, I'm sure you need something else in part of that chemical equation, like oil to fry the egg. You can't fry an egg without oil, can you? Yeah. Really?
Jamilla:Yeah.
Jamal:Wow.
Daniel:First off, heat.
Jamilla:We know who does the cooking in Jamal's house.
Jamal:Clearly not me.
Daniel:The challenge was a cultural shift and realizing that Qatar isn't Ireland, there are things you need to take into account that aren't necessarily the same as back home. It was challenging, but I was very lucky that I was surrounded by great professionals, both local and expat, that were able to guide me through that journey and are still there to help guide me through that journey. I've been very lucky. I've been very lucky within the QFC itself. It's a fantastic place to work. It's a great organization. They're working to do the right thing. They're working to bring foreign investment into Qatar. It is nothing but positive, which is great.
Jamilla:That's great. How long have you been there for?
Daniel:Two and a half years. At this point on my, hopefully many, many year journey, the weather is the only real challenge. Everything else has been great.
Jamilla:And you've got the World Cup there next year, so that'll be exciting.
Daniel:And if I was a football fan, that would be even better.
Jamilla:Maybe there'll be some privacy challenges for you to tackle with the World Cup coming to Qatar.
Daniel:So I'm sure there will be considerations that we need to look at and I think there might be some great learnings that we'll get at the back of it, keeping an eye on that as we develop. It's a fantastic opportunity. I think the World Cup is going to be a huge success. Everything they've done over here is brilliant and the stadia are fantastic and the infrastructure is going to be there. It's going to be a great tournament. I really do think that, and even as a non-football fan, I will certainly be going to a few of the games. Even though Ireland won't be there, we're there to support the other teams. I don't mean this just as a regulator, but as a DPO, the performance management system of firms, bringing privacy as a key element of those performance management systems into play, have you seen a huge amount of that? And what's your view on having key performance metrics in people's objectives that lead to their bonuses and their pay increases, etc., being privacy focused?
Jamal:There are two ways of looking at it. One way of looking at it is performance related pay is great, we can see that it actually works and it motivates people in a lot of areas. The other challenge with privacy is that the privacy landscape is so fast-moving and there are changes happening all the time, and because it's so untested, it can often be unfair on DPOs and privacy professionals to tie it to some kind of related performance, because they could be fully compliant, or as close to fully compliant as they can be, one day. And then overnight something like Schrems II happens and everything changes all over again and they're suddenly non-compliant, and then if the bonus or the review is right after that and they're unfortunate, then is it fair, given the fact they've done such a great job, to now say, hang on a minute, our international data transfers to the US are questionable, so therefore you are not going to get the bonus even though you've worked so hard? And the other thing is, privacy professionals, most of the time, and everyone I've come across, certainly at this level, there isn't enough time in the day to get all of the things you want done. There is no privacy professional I've come across who says they have a spare half an hour in which they couldn't be doing anything. And given that they're under all of this pressure as it is, and when we think about corporate well being, and we think about the focus on mental health and the work life balance, and if we're trying to promote all of those things as responsible organizations, how ideal is it to tie the performance of that to the performance related bonus when they have other responsibilities? And one of the arguments is that if you just pay privacy professionals enough, so money is not an object, and you just let them get on with it, they will do a great job, they always perform.
And what we see at some of the leading firms is all the privacy professionals are rewarded very well which means they no longer have to worry about money, they don't have to make decisions based on their performance and they can go out and just deliver a great job to help those firms cultivate that trust, inspire that confidence and ultimately that will result in increased revenue for the business, increased impact for the shareholders and everybody is ultimately happy.
Daniel:That's been in place for compliance professionals for quite some time. I wasn't really getting at the privacy professional because I fully agree with everything you said. What I'm talking about is the business. So you have your head of operations, your head of IT, your head of security. So people who aren't privacy professionals, people who make decisions every day based on privacy concerns, they're developing a new product, they're administrating a new product, they're shipping information, they're doing finance in the background, they're doing analytics on the firm. What part of their performance reviews should be privacy focused, or should they be at all? And do you just leave it to the privacy professionals and then this idea that somebody else will look after that and then we don't need to worry about it?
Jamal:That's a great question. I'll tell you why I'm smiling: it's because something like this actually came up at one of the board meetings earlier this year. They were suggesting that different areas of the business pose different risks to privacy. Some areas are performing better than others, some areas are taking it a little bit more seriously than others. So if they tie a privacy element to the budget, or to the reward, or to the pot that gets shared between that department, it might actually make them pay a little bit more attention. And there was uproar in the boardroom, nobody was open to the idea and nobody was interested in accepting that. So I think right now, in the current state of boardrooms, you become very unpopular for suggesting something like that. But as privacy programs mature, as privacy becomes the norm, as things settle down in the future, I do think that there is actually scope for some of those metrics to come in and to be tied to the performance and to actually be measured a lot more than they are now in terms of how a department or how an operational head is actually performing.
Daniel:It's funny. The circumstances of that story tell me that it's actually really important that boards are doing that, because the only reason that they wouldn't want to do it is because they can't. They are afraid of it, and if you're afraid of it, it's the right thing to do. Not that as a regulator we would mandate a board to do something like that, but it would always be a very positive indication of the seriousness of compliance if a board is taking those types of things into account when looking at the performance reviews of its CEO, head of operations, etc., the key decision makers within the organization in particular.
Jamal:Okay, let me turn this back around on you. So let's say there is an organization that has that in place, and then let's say that they have a breach or they have some kind of a challenge and you have to go in and you have to impose a sanction on them. How would that benefit the business when you're looking at them from a regulatory lens? Would you see that as a mitigating factor? How much weight would you give it? Or is it something that wouldn't actually come into the final equation?
Daniel:I think it would definitely be taken into account. I think you couldn't ignore the fact that a board was taking it seriously and was apportioning some type of privacy weighting to performance. I think it comes down to whether or not it was lip service or whether it was actually taken seriously. Whether or not the board was analyzing and checking to see if this was actually followed up, and whether or not then something like a breach or a noncompliance issue was negligent or wilful or just unfortunate. I mean, breaches happen. Nobody is out there saying that you can stop a breach from happening, it's going to happen at some point in most firms. So it's whether or not you have done everything you can to try and mitigate and prevent it. And then when it happens, we take a mortalistic view on whether or not it should even be a fine or whether it should be some other form of sanction, but certainly it would be a factor we look into. The weighting of it would depend on lots of other factors that would come into play, but certainly you wouldn't just ignore the fact that you were taking it that seriously.
Jamal:Thank you. That's actually going to be very useful for a lot of people to hear.
Daniel:It has been done in risk management and operations in particular for a decade; we were building operational risk performance metrics into key parts of the business's annual objectives and performance management reviews for quite some time. And it just makes sense that privacy suddenly becomes part of that regime as well. For key players across the business, especially in terms of operations, they tend to do a lot of the heavy lifting and processing.
Jamal:I think if you actually advocate that position through some of the webinars that you've been doing, like the recent one we attended, then I think you can really campaign for how important this can actually be. Not just how important, how effective it can actually be for the organizations when they're actually putting that kind of importance on it and they're tying reward and they're measuring this performance at that level.
Daniel:It's certainly something we will be calling out when we do our guidance documents on our new regulations. For me, privacy by design and default, this is what it means. It means that the people who are accountable, people who are making decisions, it is in their objectives, it is in how they are managed and how they are reviewed. You cannot do privacy by design and default if the key players and decision makers don't have some type of privacy objective within an organization. For me, it is again this holistic view we'll talk about, and we'll often talk about privacy by design and default as the most important factor. If you get it right, it will address a lot of the problems as you go along and present opportunities for your firm.
Jamal:That is really insightful and I'm so glad I mentioned that. I think we're going to have to bring you back for another episode just to talk about how important privacy by design and default is and how people actually can operationalize that and the kind of positive impact it can have. If you're happy for that, I'd love to have you back and we can discuss that.
Daniel:I'd definitely love to come back, it's a great forum to talk freely about these important issues.
Jamal:Thank you. Well, Daniel, it's been an absolute privilege and honour. Thank you so much for making the time to come and speak with us.
Daniel:Thank you, Jamal. Thank you, Jamilla. It's been a real pleasure and you're.
Jamilla:Looking forward to this one coming out. Thank you so much for taking the time to speak with us.
Daniel:My pleasure.
Outro:If you enjoyed this episode, be sure to subscribe, like and share so you're notified when a new episode is released.
Outro:Remember to join the Privacy Pros Academy Facebook group where we answer your questions.
Outro:Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world class privacy pro.
Outro:Please leave us a four or five star review.
Outro:And if you'd like to appear on a future episode of our podcast or have a suggestion for a topic you'd like to hear more about, please send an email to team@kazient.co.uk
Outro:Until next time. Peace be with you.