Episode 30

Published on:

14th Jun 2022

How To Avoid The Biggest Privacy Mistake

Leading Privacy Expert with over 30 years of experience reveals the biggest privacy mistake companies don't realise they're making!

Hi, my name is Jamal Ahmed and I'd like to invite you to listen to this special episode of the #1 ranked Data Privacy podcast.

This episode will help you to:

  • Enhance your prospects of getting hired
  • Understand the challenges of state-by-state US privacy legislation
  • Discover what could be costing your company high cyber insurance fees!

Find out about Dan's experience testifying in front of the Senate and much more.

Dan Clarke has 30 years of experience combining technology with media, retail and business leadership.

He has held executive leadership roles at Intel, he is an experienced data privacy advisor, and is a 9-time CEO. Dan has deep expertise in the privacy landscape and speaks frequently at public venues on the topic. He is also actively involved in Arizona, Texas, and federal privacy legislation.

Follow Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/

Connect with Dan on LinkedIn: https://www.linkedin.com/in/danclarke/

Get Exclusive Insights, Secret Expert Tips & Actionable Resources For A Thriving Privacy Career That We Only Share With Email Subscribers

https://newsletter.privacypros.academy/sign-up

Subscribe to the Privacy Pros Academy YouTube Channel

► https://www.youtube.com/c/PrivacyPros

Join the Privacy Pros Academy Private Facebook Group for:

  • Free LIVE Training
  • Free Easy Peasy Data Privacy Guides
  • Data Protection Updates and so much more

Apply to join here whilst it's still free: https://www.facebook.com/groups/privacypro

Transcript
Intro:

Are you ready to know what you don't know about Privacy Pros? Then you're in the right place.

Welcome to the Privacy Pros Academy Podcast by Kazient Privacy Experts. The podcast to launch, progress and excel your career as a Privacy Pro.

Hear about the latest news and developments in the world of Privacy.

Discover fascinating insights from Leading Global Privacy Professionals and hear real stories and top tips from the people who have been where you want to get to.

We're an official IAPP training partner.

We've trained people in over 137 countries and counting.

So whether you're thinking about starting a career in data privacy or you are an experienced professional, this is the podcast for you.

Jamilla:

Hi everyone and welcome to the Privacy Pros Academy podcast. My name is Jamilla, and I'm a data privacy analyst at Kazient Privacy Experts. I'm primarily responsible for conducting research on current and upcoming legislation as well as any key developments and decisions by supervisory authorities. With me today is my co-host, Jamal Ahmed, who is a Fellow of Information Privacy and CEO of Kazient Privacy Experts. He is an established and comprehensively qualified privacy professional with a demonstrable track record solving enterprise-wide data privacy and data security challenges for SMEs through to complex global organizations. He is a Certified Information Privacy Manager, Certified Information Privacy Professional, Certified EU GDPR Practitioner, Master NLP Practitioner, PRINCE2 Practitioner, and he holds a Bachelor of Arts in Business with Law. To date he has provided privacy and GDPR compliance solutions to organizations across six continents and in over 30 jurisdictions, helping to safeguard the personal data of over a billion data subjects worldwide. I wish I could do all that in one big, long breath. Hi, Jamal.

Dan:

Welcome.

Jamal:

Hi Jamilla, how are you today?

Jamilla:

I'm good, thank you. How are you?

Jamal:

I'm excited. We've got an amazing guest on today's episode, and he is joining us all the way from the other side of the pond. Today we have Dan Clarke. Jamilla, tell us more about Dan Clarke.

Jamilla:

Dan Clarke has 30 years of experience combining technology with media, retail and business leadership. He has held executive leadership roles at Intel, he is an experienced data privacy advisor, and is a 9-time CEO. Dan has deep expertise in the privacy landscape and speaks frequently at public venues on the topic. He is also actively involved in Arizona, Texas, and federal privacy legislation. Welcome, Dan. Thank you for joining us.

Dan:

Thank you so much for having me. I'm so excited to chat with you guys today.

Jamal:

Wow, that is some resume, Dan. Nine times CEO.

Dan:

Yeah, a few of them have been pretty successful. I've got a couple I've sold to Google, one I sold directly when I merged with them and then they bought the result. I have one I took public, and then I've got a couple of just spectacular failures, too, that just, like, absolutely crashed and burned. So I've got a mixture in there.

Jamilla:

I'm sure the successful ones outweigh the ones that were less successful.

Dan:

You tend to learn the most from the ones that aren't successful. I think actually the first one I did was a spin-out of Intel. I'm an ex-Intel executive, and in a lot of ways, that one was almost too easy. I remember thinking, because we had $100 million of venture investment from Intel and some big players, I remember thinking that this just isn't that hard. I don't know what people are always complaining about. We had the backing of Intel, and we took one of their divisions and pushed it out. And it turns out the second time was a lot harder than the first time.

Jamilla:

I can imagine. Right, icebreaker questions are what we always start off with. What is your favourite smell?

Dan:

It has to be bacon. That's kind of funny because I'm mostly a vegan, but there's just nothing like the smell of bacon in the morning.

Jamal:

What do you mean you're mostly a vegan?

Dan:

Yes. My girlfriend and I are triathletes. We do the Ironman competitions. And what we find is that you need lots of vegetables in your life in order to keep a healthy diet. Nutrition is a big part of extreme endurance sports. We're not religiously vegan, but we do, like, a mostly vegan diet where we mix in mostly seafood. But occasionally I do have bacon, and there's something magical about that in the morning.

Jamilla:

What's your favourite smell, Jamal?

Jamal:

I love the smell of freshly baked bread.

Jamilla:

Good one.

Dan:

Jamilla, what about you?

Jamilla:

I like the smell of petrol. Petrol station gasoline. That's the correct word in America, isn't it?

Jamal:

Dan, why are you so passionate about privacy?

Dan:

sident. Inner Edge is about a:

Jamal:

Yeah, absolutely. And I don't have a legal background either, so I'm more on the operational side. And I think that really helps us to be more pragmatic with our solutions. And now it makes sense why you've been involved with all of the different states and why you're so passionate about bringing in some kind of federal legislation for the states, because of the experience that you've had. But before we get to that, I have a really important question for you. So the software that you've created, it really helps businesses with mapping their data. Why is it so important for businesses to be able to map their data?

Dan:

That's an interesting question, and it wasn't the initial focus of our platform. Initially our platform was focused more on DSAR fulfilment, the automation of that, connecting to systems, and being able to collect the information, automate verification and validation, things like that. Especially for larger clients, which are the core of our customer base, that was their biggest concern and our biggest advantage. But over time, what we've seen is the data map has become more and more important. What highlighted that the most for me was we had one of our customers that experienced an incident, a breach, if you will; it was actually more of an incident than a breach. But when you get to a point where you have an incident, that data map becomes central to your ability to respond. It helps you understand in the forensic analysis phase where the data originated, what systems it went to, and then in the response phase, you end up needing it a lot more than I ever would have suspected, or at least more than I had suspected you would need it. In fact, we ended up needing the data map to actually create the responses, because only a portion of the information had been exposed. And so if you have somebody's, let's say you have somebody's, and I'll just make this up, but let's say you have their driver's license number, and that was released along with their name, that would certainly constitute a breach or an exposure. But you don't actually know where they live, or their email address; that was never exposed. So from the data map, you can actually reconstruct and say, okay, this is probably where the data was collected. Here are the systems where it's stored. But you actually have to go get additional information from your own systems in order to notify them. You have to take their driver's license number and look it up and come up with their email address, for example, in order to just be able to notify them. It was way more important than I would have given it credit for.
So getting that data map right, really making sure it's comprehensive and kept up to date, because it's constantly changing as people add fields and delete fields, and they add vendors and remove vendors, this is central, I believe, to not only privacy, but governance at any company.

Jamal:

Yeah, I completely agree with you. And as a privacy professional, when I'm out with clients, one of the most frustrating things is when they have data maps, when they've invested a lot of time, a lot of money, a lot of resources on data maps, but they're not accurate and they're not up to date, and it's like, okay, there's no point having it. What's the point in having a map that doesn't actually lead you to where you need to get to? Imagine you have to go on a really long journey from one state to another state on the other side of the US. You know the kind of direction you want to go in, you know where you want to get to, but on the map that you've been given, all those roads don't exist. They're all blocked or they've been built over. It makes it so difficult. And when you have an up-to-date and accurate data map that tells you where all the data is stored, where it's come from, all the different systems, where it's being shared, who all the other vendors are, what the different software is that you're using to run some of your different operations, it makes our job, it makes the life of privacy professionals and governance, risk and compliance professionals so much easier. And it helps us to make sure that we can really identify those risks, respond to any incident, and also make sure that we're delivering the right solutions based on an accurate picture of what's happening with personal data within the organization.

Dan:

Yeah, I completely agree. I'll tell you one other place where we've seen it rise in importance is related to cyber insurance. I did a webinar the other day with one of the cyber experts from Marsh McLennan, and he talked about the difficulty, the premium increase for clients for cyber insurance. We've seen across the board an average of about a 40% increase in cyber insurance rates for companies. But he pointed out that that doesn't even tell the whole story, because 20% of companies can't get a renewal, and if you do get a renewal, it's going up by 40%. His point, which I think resonated with me, is the data map is often the first thing that they look at, and they look at it for exactly the reason that you talked about. Is it really up to date? Is it really comprehensive? Or is this something you kind of created as an exercise and threw in a drawer? Because it needs to be a living and moving document, because your data is constantly evolving and constantly changing. But he was saying that this was probably one of the biggest elements that a company could contribute to decreasing the cost of their cyber insurance: having a really robust data map that's really part of your operations. But it can't be an exercise that you do once. The data map has to be something that you're constantly looking at and constantly updating. It has to be sort of part of the culture of the company that you're keeping that up to date, and the uses and the policies around it have to be current. But the data map is so much more important than I would have ever given it credit for in the past.

Jamal:

Yeah, absolutely. I couldn't agree more. And I don't think we can actually overemphasize how important and how critical it is to have a really good and really detailed data map. So you've been involved in legislation across different states all the way from Arizona to Texas, and informally Florida and Colorado too. What are some of the biggest challenges that you face and how are you tackling them?

Dan:

Well, I think for us, we're an automated platform, so our customers expect a very high degree of automation in responding to any type of request, do not sell or delete or whatever it might be. So we have to really understand the legislation and how it applies and try to resolve any of the grey areas in it, because there are so many grey areas within privacy legislation. Just a quick example is in California law, it says you can't charge a consumer for requests up to twice per year. What does that mean? That it's every six months? Or can they make two requests five minutes apart from each other? Exactly how do you interpret that? And so we've had to put all these switches in our platform where we have a default that says twice per year is twice in a twelve calendar month period. But you can interpret it differently, and you can change the slider if you want to. We've ended up with hundreds of these options within our platform that have really evolved organically. So we have to stay very, very on top of the legislation, certainly around the United States, but all around the world, to understand exactly how it's interpreted. And it's unfortunate that we have this patchwork of laws. In the EU, you have GDPR, which is very consistent. The UK now is kind of making some noise that they may modify that a little bit themselves, interpret it a little bit differently, but at least you really have essentially one jurisdiction there that you can pay attention to. In the US, we now have California that's active with the current law. We've got the new law in California coming online in January of '23, the CPRA. Now you've got Virginia and Colorado, and then you've got at least four states with pending legislation: Ohio, Massachusetts, Minnesota and New York. Unfortunately, they are all different, they all have nuances.
And what I always try to tell the legislative bodies in my own testimony is it'd just be better if you can copy someone else's law and just try to make it easier for all the businesses. And are they perfect? No, of course they're not perfect. Could they be improved on? I'm sure they could be, but gosh, it's a big burden for companies to have to keep track of all this stuff and all the differences and nuances. And unfortunately we constantly see change in this. Virginia in particular introduced a brand new thing that, if you took the entire list of features from around the entire world and added them all together like we have in our platform, didn't exist: it's the right to appeal. And Colorado followed that and added the right to appeal in their law. But Virginia said, if you're denied a request, if you make a do not sell or delete or any type of access request, and it's denied for any reason, you have to provide a right to appeal. And in the nuances, it essentially said, or the interpretation is, that right to appeal has to be a different pathway than what you're getting. You can't take the same person and appeal to them with the same process. So now you have to have a completely different workflow. Best practice might even be outside the company to look at any appeals. This is completely new and completely different. It actually was a relatively heavy lift for us to add this to our platform, which we've done. But you think about this: for most companies, if you don't have an automated platform, you don't have an automated approach. I think it's a big burden just to keep up with these things and these changes. I wish we could get a federal law here that would unify this, but unfortunately, I don't see a lot of hope for that, at least not in the short term.

Jamilla:

Why don't you see a lot of hope for it? Do you not think the businesses will start lobbying the government and say, look, this is difficult for us. We've got consumers?

Dan:

When I was asked to testify by the Senate Committee, I was so excited. First of all, I've never done anything like that before, so it was really cool personally.

Jamilla:

For some listeners who aren't in the US, could you maybe give a background on what it means to testify before a Senate Committee? Is it like being in court?

Dan:

It's like court. It's a smaller group. It's a group of senators; there's a specific committee that has oversight for Commerce, essentially, in the US, and they had a specific subgroup, so I think there were five or six Senators, and they're kind of lined up in a panel. It's a very formal setting. I had never done it before, so I had to go to a training class to learn the formal protocol. And interestingly, you're required to dress formally. And I, like, never wear a tie and never wear a suit. And you're actually required to do that unless you have some sort of exemption or something. So I had to dress up for this. And it's a very formal affair. They actually make you feel very comfortable when you get there, because I'm not a lobbyist, and so I wasn't trying to further any type of political view. They have kind of rules around that too, but you get to talk to them; you answer their questions for what they're trying to probe around privacy legislation. And it was my relationship with the FTC that enabled this. I'm friends with Jon Leibowitz, the former chairman of the FTC, so I got a lot of coaching and stuff from them, but when you actually go in and talk to them, I was so excited about this because I thought, finally we're going to get some movement, we're going to get a federal law. And what I found was there were these deep divisions between the political parties. As soon as you got anywhere below the very top layer of do you want a federal privacy law? Yes, we do. Everybody is, yes. And then it's like, what should that look like? And you've got deep divisions about, is it pre-emptive or is it a floor, does it include a private right of action? And then who's the enforcement body related to this? And so you ended up with really deep, deep divisions underneath the fundamental desire, and I got a little dissuaded by that, thinking that we didn't have a lot of chance. I do think we have a new opportunity for some federal action, though, by the FTC itself.
And the Federal Trade Commission in the US, if you're not familiar, has pretty broad rulemaking authority under what's called Magnuson-Moss. And Magnuson-Moss is a law that allows them to create rules for things like minors and many other practices without new legislation. So as long as it's within their purview of authority, and they have the authority to regulate privacy in the US, but there are no laws specific to it. So I think we've seen just in the last few months, the new chairman of the FTC has expressed an interest in potentially using the Magnuson-Moss rulemaking to create privacy regulation. So finally, I'm seeing maybe at least a glimmer of hope that we'll see this in the US.

Jamal:

Yeah, that sounds super interesting, and we're going to be following that really closely. We have a lot of clients based in the US, and we have a lot of businesses both in the UK and Europe who rely on lots of US-based businesses to really help them to deliver a lot of their data processing operations. And it's interesting you talk about the FTC, because historically it was actually the FTC that was in charge of overseeing the Safe Harbour certification and also the Privacy Shield as well. So it actually makes total sense. And we are quite familiar with the powers that they are supposed to have. But one of the challenges that we found, and one of the challenges that's been found in the courts, is when it came to enforcement, there were some major concerns there. So now that the new FTC chair is looking to bring in new rules that you can apply across the board, across all the states, from this Magnuson-Moss rulemaking that you talk about, how challenging is it going to be to actually be able to enforce that, and do they have the resources available to be able to do that?

Dan:

Yeah, I don't think they have the resources available to do it. In fact, in the initial testimony where she talked about the enforcement of privacy legislation, they talked about the need for a significant new budget for this. What happens, though, to counteract that, is you end up where the fines themselves for this can actually not only at least counteract the budget requirement, but can actually be essentially a revenue stream for governments. We've seen that in Europe, right? We've seen a couple of the more active groups that actually are sort of posting a profit for privacy, and they've mentioned that here. But the FTC, I think they have the authority to do this if they go through the proper rulemaking authority. What I think you are alluding to is recently, I think they may have overstepped their legal bounds in the enforcement of consumer-related advocacy. I don't think that applies in privacy necessarily. If they go through the Magnuson-Moss rulemaking, I think they will have the authority for enforcement. They have enforcement authority essentially today. It's a little bit weak because they don't have a set of rules around it that they can point to. But I think they probably do have pretty good authority; they just don't have the resources to do it. So you're going to have to get some type of action in order to enable this for them. Even if they go through Magnuson-Moss, they're going to have to get funding from the legislative body to make sure that they have the resources to go after enforcement. But I think that's a much lower bar than getting an actual law in place, a GDPR-like law in the US. I think there's just way too much counter-lobbying. You ask, aren't companies going to lobby and say, hey, we really want something unified? I've seen not only companies lobbying; the state of Arizona actually sent an official, they actually passed, it's not a law technically, it's a legislative action.
So there was a legislative action passed that went to the federal government that basically said, please pass a federal privacy law. So this is the attempt by the state of Arizona to lobby the federal lawmakers and say, please pass a federal law. But still it's not working. And there's so much counter-lobbying by some of the largest, most successful companies that really don't want, in particular, they don't want a private right of action. They don't want certain elements in the laws.

Jamal:

It makes sense. And of course, every jurisdiction, every state, every territory has their own challenges. Now, as an American, and given the fact that you've actually been in the UK, and given the story that you shared about your dating experience, when you see that your peers, or when you see that other people in Europe, have privacy recognized as a basic human right, and given how passionate Americans are about enforcing and allowing everyone to have those basic human rights, how does that make you feel as an American, to see that America doesn't actually recognize your right to privacy as a human right, and at best, it's seen as a consumer right?

Dan:

It's offensive, frankly, that it hasn't been recognized as a critical right here in the United States. It's even worse when you look around the globe and you see that, yes, Europe led the charge in a lot of ways, though Europe leads the charge in a lot of new rights and is a little bit more progressive in many elements that take a little bit more time to get accepted in the United States. But now we're seeing it all over the place. In Australia and New Zealand, in South America, I saw the United Arab Emirates pass a law a couple of weeks ago. China has a privacy law, a much more progressive privacy law, South Korea, Japan, and it's like, you look around and it's like almost every developed country has these fundamental rights. We're starting to feel very excluded now. And you start to wonder, why don't we have these? What is really in the way? And now we've seen with the Schrems II decision that this is very much in the way of what we used to call Safe Harbour. Privacy Shield is still active in the United States, but it's not accepted around the rest of the world. And what's at the fundamental root cause of that? We don't have a law. And I think it's going to be very difficult to actually, even with the best of intentions, which I think the negotiators in the US have, to get a replacement in the face of Schrems II. I think they're having fundamental problems replacing that because we don't have a law. Let's get a law in the United States. And unfortunately, what's happening is, absent federal action, the states are stepping up and they're filling that void with their own laws. And unfortunately, I think where we're headed, absent some action at the federal level, maybe through the FTC, but otherwise we're going to end up with this patchwork of laws. And in the US today, all of the cyber security laws around notifications and what happens when you have a breach, there's no federal law for that. And now literally every state has a state law.
And they're all unique; they all have some commonality, but not enough. And so we have this patchwork already there that at least filled the void, but it's hard to administer. Whereas if we just could get a federal law for privacy, I think it would be much better for everybody. But unfortunately, I don't think that's the direction we're headed. I think we are headed towards this patchwork. And we've got three states now. Nevada and Maine have a tiny little sliver of a privacy law, but then we've got four other states that have pending laws now. I think we went through more than 20 possible laws this year. This is just going to keep coming up and keep coming up, and you're going to end up with this patchwork in the United States, and it's just not good for business.

Jamal:

No, I completely agree. And it must be very difficult for any privacy professionals, or even any risk and compliance professionals, to try and understand what could at one point be 20, 30, 40, even 50 different sets of privacy laws, and having all the different nuances. And you described there the Virginia one where they have the right to appeal, and who knows what else they'll bring in. And it reminds me of a conversation I was having quite a bit earlier, actually, with one of my friends at Microsoft, and they were saying when the GDPR was introduced, Microsoft actually wrote a federal law and said, hey, we've done all the hard work for you, take this and just adopt it. And I was like, wow, that's absolutely crazy. But you can see there is an appetite to say that, look, everywhere around the world there is privacy law. As Americans, we should recognize this, right? And we should have one federal law so everyone is clear about what their rights are. Businesses know what they need to do, what they should be doing, so everyone can have the confidence that their privacy is protected. And from a compliance point of view, they know that their reputations are protected. And that gives the US the credibility for other jurisdictions and other legislators, like the European Union, to say, hey, we want to do business with you and we want to have free flow of data. So let's have that free flow of data and let's do business.

Dan:

Yeah. And the Microsoft law, I read that; it was kind of based around the draft Washington law. It was much shorter. It was like 70 pages long. It was clear, much clearer language. Was it the perfect law? No. The problem was it split the advocates of privacy laws. You had the really true privacy advocates that felt it didn't go far enough, no private right of action and enforcement being just at the federal level; they felt it wasn't strong enough and so they opposed it. And then you had on the other side the people actually just opposed to privacy laws, who of course were opposing it, and it was only the middle that supported it. And so you ended up where you roughly had about a third of the people in each bucket, and you only had the middle third that were supporting this draft legislation, and it was doomed to fail. And I think the problem is just as much the people on the far right as it is on the far left. You have to create some compromise. I would like to see a very strong law myself, but I don't think we're in a mode to do that. I don't think we're ready for opt-in in the US as being the core of the law, and an extensive private right of action. I think if we just take those out and create more of a middle-ground law, I think you would have broad support for that. And that's what we've seen in Virginia and in Colorado. Neither one of them has a private right of action. California has a very limited private right of action. They're basically an opt-out mentality, for the most part, opt-in only for sensitive information. I think this kind of middle ground is the place where you do get compromise. It isn't what privacy advocates really want, but it's so much better than nothing, because you do have most of the companies that use our platform, I would say really all the companies that use our platform, doing their best to comply, and they have the right intentions.
And so I think almost all of them, if you make a request for your information, they don't really look at what state you're in, and they don't deny you based on, you're in Ohio, you don't have this right. But a lot of the bad actors do. The bad actors that you'd really like to delete your data, and you'd really like to actually see what they're doing with it, the first thing they do is they say, oh, you're not in California. We don't have to do anything. And that's true. That is absolutely the way the law works. You have to be a resident of California in order for that law to apply to you. If you're in Ohio, it doesn't apply, and you don't have those rights. And in a lot of ways, the bad actors are taking advantage of that and denying requests outside of the core jurisdictions. We're just not going to get around that until we have either a patchwork of laws in every state or a federal action of some sort.

Jamal:

Thank you. That's super insightful and fascinating to learn. And I think people who are listening to this podcast and who live in a country or who live in a jurisdiction where your basic right to privacy is recognized should actually feel very blessed and very grateful. I know I'm very grateful that I'm in the UK, and we were formerly part of the European Union, where our rights are protected, because imagine having no control over your personal data, a little bit like that dating app refusing to delete your data even though you're in a hard relationship and it's causing challenges. It can cause so many different problems in so many different ways that I don't even want to begin to start to think about. But I think that's one thing that we can take away from this: we should be grateful if we're living in a state, or if we're a subject of or protected by some kind of privacy law, where it recognizes that we have a basic right to privacy and it's safeguarding those fundamental rights and freedoms that we enjoy over our personal information. Dan, you've been a privacy professional. You've been a professional. You've got over 30 years of experience. You have nine CEOships under your belt. What I want to find out from you is, what are some of the biggest mistakes you've seen privacy professionals make?

Dan:

Well, I think the one I'm focused on right now is around the data map, where so many privacy professionals, I think they take an approach where they don't want to make waves inside of the company. They're not a profit centre, they're not part of the revenue generation, and they're trying to do their best to provide that support and provide compliance for the company without making a lot of waves, without requiring a lot of resource and support. And I think that's a mistake when it comes especially to the data map, because you have to enlist other departments in order to make this work. And I think it's a place where actually the privacy department and the head of privacy can actually kind of shine for the company, because this is something where, yeah, it's a lot of work. Yes, it requires cooperation and collaboration from many other departments. But by leading that charge and making sure it's up to date and making sure it's comprehensive. It has to include all of the pieces of data. That's another thing that we see: we see sometimes when you go through the data map, it's like, well, we looked at our structured data systems. We looked at the CRM, and we looked at our databases, because it's easy to find the data and it's easy to categorize it. Well, we didn't look at any of our unstructured systems. We didn't look at the text messages and emails, because that's really hard. We actually have a partnership with Egnyte that is very strong in unstructured data and brings to our platform and our customers the ability to span everything. But we added that partnership just recently because you have to look at everything. You have to look at Excel spreadsheets and PDFs and emails and text messages. And in addition to all of your structured repositories, you have to be very thorough in understanding where is your data. There's no exemption under any of these laws that says, I don't know where it is or you have to go it's your responsibility.
You collected that data, that personal information, and you put it somewhere. You have to know where those are. You have to be very thorough in this data map. And I do see privacy professionals are a little shy about this sometimes. And I actually think this is a place where you can raise your hand and say hey to the rest of the executives in the company. I'm adding some real value here, because we need to understand this. And why do we need to understand this? It's not just for privacy. It's also for incident response if we end up where we have to do that. But a place where I can contribute right now is in our cyber insurance and in the renewal of that policy by having a really comprehensive data map, really understanding all of the pieces and what you're doing with it. I can contribute right now in a meaningful way to reducing the cost of cyber insurance and making us all feel more comfortable if we do have an incident. And that is something that I sit on a couple of boards as well. The board is concerned about that, whether privacy has made it up to the board level discussion, maybe a little bit in many companies, but I guarantee you cyber and the ability to protect yourself from an encryption event or a leakage event or any type of a hack, that is definitely a board level conversation, and privacy professionals can make themselves really central to that response.

Jamal:

Yeah. And one of the things that we are seeing, even from big companies based in the US like Apple and Amazon, is they are actually using privacy as a competitive advantage. They are using privacy to grow their businesses, to cultivate that trust and really inspire people with confidence. We can see that, although you said privacy is not really a profit making, it's more of a cost. And if there's anything else, actually, when done correctly, you see that the public people are actually more and more interested in their privacy. More and more news stories are based on privacy, and people that are subscribing to data privacy news and breaches and everything related to the privacy industry is a growing economy, and it is a booming industry, and it's a great time to get in there. So you've been CEO for nine different organizations. When you're looking to hire privacy pros, what are the kind of things that you look for? And why are recognized certifications so important?

Dan:

Yeah, I think the IAPP certifications in particular are something that is fundamentally required if you want to be in any type of privacy office in a company. It's really the one thing that we can look to that is credible and independent. I'm an engineer by training; you come out of school and you say, hey, I'm an engineer. There's no such degree that you can say, hey, I've got a degree in privacy, so you don't have that to leverage. It is a relatively new industry and a relatively new practice. So understanding what kind of experience someone has is very important. But it's often hard to actually evaluate for companies, because often you're hiring your first privacy person, or there's one privacy person, and you're hiring a second privacy person, to really understand what experience you have and what value you have. I think having those certifications is very important, and in fact, in most organizations, it's just a requirement. You absolutely have to have these certifications in order to even apply for the job in the first place. It's also something that I think as a CEO that I look to, and a little bit, it's like I'm kind of covering myself by saying that, well, hey, I hired somebody with the right certifications here. Is experience more important or certifications more important? I'm always going to lean to experience as being the most important thing. But how much can you rely on that when you're interviewing somebody? And when we're hiring somebody in this type of compliance situation that you're hiring into, you're going to be reticent to hire somebody who doesn't have a certification. They get a huge disadvantage if you don't have some type of certification. I also think that the certifications at the IAPP are quite valuable. A lot of the work that I do provides ongoing credit for anybody who has a certification.
Many of the webinars that I do, last week I taught a session on the new Colorado law, and it was an hour of in depth understanding of again, for me, it's always the operational elements. I always bring an attorney on with me. So you have the legal elements too. But I think this was a pretty valuable session to people who have these certifications in this. So I think that ongoing credit in a lot of ways that's the most important thing that you can do is have that certification and then make sure that you're doing that, fulfilling the requirement for ongoing credits, because that is very valuable information to have. And that's often what you can bring to companies, is that perspective. You might only take a few things out of that, but you might go, wait a minute, we need a right to appeal here. We don't have that today. We better start thinking about how to make that work within our own company. So, yeah, I think the certification is really almost a bare minimum requirement for most hiring, and I think most CEOs would be very reticent to hire somebody who doesn't at least have that. But it also does show experience base in a way that's credible.

Jamal:

Thank you. Thank you so much for sharing that. It's always really interesting to get the perspective from the person who is actually doing the hiring, and especially for our listeners that we have across, I think, 73 countries across the world now, for them to really understand what they can do to enhance their prospects of getting hired by fantastic companies and working under CEOs such as yourself.

Jamilla:

Thank you, Dan. We've learned a lot from you today and speaking to you. So the last question on our podcast gives you the opportunity to ask Jamal a question. So anything you'd like to ask him?

Dan:

I have a lot of things I want to ask them. Actually, being based in the UK and them obviously not being part of the EU, we've heard some noise recently that maybe they're going to take their own view on privacy. And I'm wondering, is that really in our future, where we're going to have not only a new legal jurisdiction, which I guess we have today, but one that's extremely consistent with GDPR? Do you think they're really going to kind of break off and start their own thing, or are they really just going to follow the GDPR?

Jamal:

All right, so the minister that was in charge of the department, the DC Department of Culture, Media and Sport, actually put those proposals together and they've been issued out for consultation, and privacy professionals such as myself and a lot of professionals from all over the UK, we've been really looking at this very closely, and I've actually put together a video and a very brief summary. I've condensed it down to about four pages, which I'm more than happy to share with you and for anyone else that's listening. It will include the video and also the download in the links here. You can have a really good idea of what's happening now. Some of these changes are actually quite good, and it means that it's actually going to become a little bit more practical to follow privacy legislation. So we welcome those, but some of these challenges are actually quite concerning. One of the challenges we have is they now want to charge people to exercise their right to privacy, a little bit like we had before the GDPR came in. So we think that's a backward step. They're also trying to remove the need for protection, for sending information to other countries where it's not so perfectly. And there's a number of reforms, the number of proposals that they've made that are really concerning. And one thing that we can see is the minister that actually publishes paper, very soon after it was published, he was actually sacked. So I'm hoping that is a good sign that a lot of this is going to be challenged and it's not actually going to see the light of day. We've also recently had the Commissioner who has published her views on some of these changes. And again, there's a lot of criticisms. And what I'm hearing across the board from a lot of my peers, from a lot of the lobbyists, is although there are one or two changes in here that we see as actually quite pragmatic and practical, most of these proposals need to be shredded up and they need to go back to the drawing board.
And the other thing we've seen is pressure from the European Union, pressure from Europe saying, hey, hang on a minute, guys. We've granted you adequacy, we've said you have an adequate level of protection based on the promises you made to us while we did the Brexit deal. Now that you're saying you want to move away from that, we are going to have to review the adequacy decision. And that is going to have massive implications, not just for the public, but also for a number of businesses in the United Kingdom. And we can't afford to have any more losses in this country because we've already seen, and we're already feeling the impact of leaving the European Union to begin with. Earlier this week, actually, there was reports of large organizations that are actually moving from the UK and relocating in Europe because they're worried about some of these privacy proposals and how that's going to impact their business. So as a privacy professional, I'm hopeful that the proposals will actually not see the light of day. I'm hoping that it's actually going to be just those practical ones that we see. And any changes that are made, I hope they actually benefit businesses, they benefit the great British public, and it actually doesn't impact the adequacy decision. And I want to make sure that we are open for trade for businesses all over the world.

Dan:

Yes, I think the idea of charging in particular leaped out at me as a very bad idea that really, I think, would undermine a lot of the principles of privacy around the world. So I'm glad that there's some opposition to it. And we'll certainly stay tuned.

Jamal:

Yeah, we'll definitely stay in touch. Dan, it's been an absolute pleasure and a privilege and an honour having you on our podcast. Thank you so much for giving up your time, and thank you so much for sharing such a fascinating insight into what's happening across the US and from your experience from 30 years of great service as well.

Dan:

Well, thank you so much for having me. This was a lot of fun. I enjoyed it.

Outro:

If you enjoyed this episode, be sure to subscribe, like and share so you are notified when a new episode is released.

Outro:

Remember to join the Privacy Pros Academy Facebook group, where we answer your questions.

Outro:

Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world class privacy pro.

Outro:

Please leave us a four or five star review.

Outro:

And if you'd like to appear on a future episode of our podcast, or have a suggestion for a topic you'd like to hear more about, please send an email to team@kazient.co.uk

Outro:

Until next time, peace be with you.

About the Podcast

Privacy Pros Podcast
Discover the Secrets from the World's Leading Privacy Professionals for a Successful Career in Data Protection
Data privacy is a hot sector in the world of business. But it can be hard to break in and have a career that thrives.

That’s where our podcast comes in! We interview leading Privacy Pros and share the secrets to success each fortnight.

We'll help guide you through the complex world of Data Privacy so that you can focus on achieving your career goals instead of worrying about compliance issues.
It's never been easier or more helpful than this! You don't have to go at it alone anymore!

It’s easy to waste a lot of time and energy learning about Data Privacy on your own, especially if you find it complex and confusing.

Founder and Co-host Jamal Ahmed, dubbed “The King of GDPR” by the BBC, interviews leading Privacy Pros and discusses topics businesses are struggling with each week and pulls back the curtain on the world of Data Privacy.

Deep dive with the world's brightest and most thought-provoking data privacy thought leaders to inspire and empower you to unleash your best to thrive as a Data Privacy Professional.

If you're ambitious, driven & highly motivated, and thinking about a career in Data Privacy, a rising Privacy Pro or an Experienced Privacy Leader this is the podcast for you.

Subscribe today so you never miss an episode or important update from your favourite Privacy Pro.

And if you ever want to learn more about how to secure a career in data privacy and then thrive, just tune into our show and we'll teach you everything there is to know!

Listen now and subscribe for free on iTunes, Spotify or Google Play Music!

Subscribe to the newsletter to get exclusive insights, secret expert tips & actionable resources for a thriving privacy career that we only share with email subscribers https://newsletter.privacypros.academy/sign-up

About your host

Jamal Ahmed FIP CIPP/E CIPM

Jamal Ahmed is CEO at Kazient Privacy Experts, whose mission is to safeguard the personal data of every woman, man and child on earth.

He is an established and comprehensively qualified Global Privacy professional, World-class Privacy trainer and published author. Jamal is a Certified Information Privacy Manager (CIPM), Certified Information Privacy Professional (CIPP/E) and Certified EU GDPR Practitioner.

He is revered as a Privacy thought leader and is the first British Muslim to be awarded the designation "Fellow of Information Privacy" by the International Association of Privacy Professionals (IAPP).