What It Takes To Succeed As A Privacy Pro

Intro: 00:01

Are you ready to know what you don't know about Privacy Pros? Then you're in the right place.

Intro: 00:06

Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts. The podcast to launch progress and explore sell your career as a privacy pro.

Intro: 00:17

Hear about the latest news and developments in the world of privacy.

Intro: 00:22

Discover fascinating insights from leading global privacy.

Intro: 00:25

Professionals, and hear real stories and top tips from the people who've been where you want to get to.

Intro: 00:32

We're an official IAPP training partner.

Intro: 00:36

We've trained people in over 137 countries and counting.

Intro: 00:41

So whether you're thinking about starting a career in data privacy or you are an experienced professional, this is the podcast for you.

Jamal: 00:57

Good morning, good afternoon, and good evening, everyone. Welcome to another episode of the Privacy Pros podcast. I'm your host today, Jamal Ahmed, and today I've got an amazing guest, Lydia Knab. Lydia Knab is the Global Data Privacy Officer at Sanofi Genzyme. Prior to this she was the DPO at BCGE, a bank in Geneva. She has an LLM in life science law and bioethics from the University of Geneva and her CIPPE from the IAPP. Welcome to the podcast, Lydia. How are you today?

Lydia: 01:32

I am good, thank you. Thank you for having me.

Jamal: 01:34

It's an absolute pleasure to have you on the show. Now, we always start off with an icebreaker and the question we have for you today and you can thank Jamila for this later on, she says she wants to really know, Lydia, what's your favourite sandwich and why?

Lydia: 01:46

I would go with cheese and tomato because quick tomatoe you get some veggies in there and some protein. So that seems like a good kind of mix of things.

Jamal: 01:54

Yeah, it seems like a very logical decision. Thank you for sharing. All right, so Lydia first question for you. Why privacy? What about privacy really drew you and fascinated you?

Lydia: 02:05

First of all, I think it's something that is important for everybody, but I'm not sure everybody understands it yet. My personal journey, I have to go back a little bit in my family history with this. I'm sorry. I'll try to be very quick. So family fled communist Hungary in the 70’s because their lives were in danger during that time under the communist regime, there was a lot of surveillance and people were not really free to speak, not even to think what they wanted. And I get this perception in my family that we are sometimes controlled or under surveillance, and we should not be if we don't want to. We should be able to keep our private lives to ourselves. We should have no one spying on us, if I might say. And coming from a family that has basically risked their lives and lives of, well, my mother and my uncle who were ten years old and I think 13 years old at the time, fleeing at night, leaving a country while risking your life just to be able to live in freedom. I think that was an important factor in whatever choice I made professionally. I was influenced by my grandfather who was a pastor, and for us, it's important to be of service of some kind. Now, you might ask how privacy is being of service. I think it is something that becomes increasingly important when we live in a society where we lose control over our data. And I think that as a privacy professional, we need to raise awareness. But I feel that that shouldn't stop at our work. It should also continue in our private lives, in our activities. And personally, I like to post a lot of content on LinkedIn that is usable or interesting to everybody in their daily lives. So that's basically my family story. And I think it's important to conceive privacy as a topic that is of interest and important to all of us. And what concerns me currently is that I do not see the level of awareness that I would like to see. I often hear all of it that's none of my business or why should I be interested in this? I have nothing to hide. My family history comes back here. Well, maybe you don't, but maybe you do. But even if you don't, do you still want everything you say post, be out there and never be able to retrieve it again if you change your mind, et cetera? Yeah, that's how I kind of see privacy as something that is to be protected for various reasons. And I think everyone should think this is important. And that's what I try to raise awareness for when I do my LinkedIn posts.

Jamal: 04:23

Thank you so much for sharing that, Lydia. And it's really interesting. You gave us almost like a paradigm shift. So most people that I speak to, most people that I work with in the context of what we do, is based in European countries, based in multinational organizations, is based in a democratic society where we actually take some of those rights that we have to privacy, some of those fundamental rights and freedoms that we enjoy under the United Nations Declaration of Human Rights almost as granted. And to hear the experience from your family members where they have to flee and risk their own lives because they wanted to enjoy that same right and freedom that we take for granted, it's really fascinating. So thank you so much for sharing that. Now, you mentioned the LinkedIn post and what inspires you to do that? And you recently shared an article from a company called Lush who are closing down all of their social media sites. Do you think this is a trend we're likely to see in the future with other large privacy companies amid growing privacy concerns?

Lydia: 05:15

I think the last line in my post was, maybe it's time to build more privacy friendly social media. So the current state of social media, especially Facebook Meta, is maybe not ideal, and I would think that this company, that there will be a trend towards this. But social media is still an important part of what every company does in their marketing strategy everywhere. Even if companies go away from it for a while, some go back after a while. I think Lush has been toying with the idea for a while and then they went back, then they didn't leave. I'm curious to see what happens now with that. I'm not aware of any other company that has currently really said no to social media. But then social media in itself is not the issue. But the issue is the way social media is practiced currently, you know where your data is being collected for whatever purpose, sold to third parties for a purpose that is not just your innocent sharing of pictures of your family or some thoughts that you might have. And that is where I think maybe other companies will do this. I currently am not seeing it. I think it would be a good message to send though, because then maybe some social media companies might think their strategy through and then maybe might see, hey, I'm losing all this ad revenue, or people are not interested in my business proposal anymore, so I might want to change it. And that's actually my hope here, that more companies do it. Maybe social media companies will change their way of working, but the question is, will they really do it? I don't know, but I think there is a trend there. But I'm very curious to see what happens.

Jamal: 06:41

Actually, I'm also very curious about this as well. And I haven't come across any other company who's taken such a strong position. They haven't just said, hey, we aren't happy with one platform. They said, we're coming off all social media platforms pretty much overnight. And that's a very brave decision. I want to see how it pans out for them. Because if it pans out well, then I think it would encourage other companies to take a similar stance. And if enough companies take that stance, I think they will force and drive that change. At the same time. It reminds me a little bit what we saw a few months ago with the whole Facebook and Apple war.

Lydia: 07:17

Oh, my God.

Jamal: 07:18

The war they have with privacy there. Facebook was saying, Apple, by bringing in the security settings, you are killing small businesses. And Apple are saying, well, everybody has the right to privacy. How do you feel about that, Lydia? Where do you stand on that?

Lydia: 07:31

What I find interesting here is that private companies are basically deciding on who does what. If you just take a step back as an ethicist, I say, wow, I'm not even judging any company here. I'm just thinking, wow, those companies have gotten so powerful that they can basically dictate what people do. And it's not even in the frame of legislation anymore. It's a certain company uses something that they have decided, like Twitter now will ban not ban doxxing entirely, but they will ban pictures that have published without consent. And then you wonder, but wait a second. Okay, that sounds good, but based on what exactly are these companies doing? And I would not exactly say that Apple is a privacy friendly company. It seemed to me more like a war of the giants and like a marketing strategy for everybody who thinks now that Apple is, oh yeah, everything is super private and Apple respects privacy 100%, No. Yes, they ask in Apple stores, they ask app developers to be privacy compliant. But that doesn't mean that Apple themselves do not collect data. People always tend to forget that. To sum it up, one needs to be a little bit critical and private, there's also I don't even know what it's called, privacy washing. And that is also a real thing, actually, from what I have seen in the past, companies that were so privacy friendly, but then I'm tempted to say yes, show me how. And then it says back peddling a little bit.

Jamal: 08:48

Yeah. First of all, I want to really thank you for talking and bringing something to light that I feel very strongly about. And I've said publicly in a number of places, companies like Apple, companies like Amazon, they're really smart. They know that data privacy is a big issue right now. They're taking up advertising space, saying how much they value their privacy. But when you look at their practices and when you look at what they're actually doing, the reality might be a little bit different from the perception that we get from the advertising and marketing efforts.

Lydia: 09:16

I 100% agree. Especially you mentioned my favourite company, Amazon. Don't even get me started. I think they would need a separate podcast. You should do a special company special about certain of these companies and have experts come and say what they think. Honestly, because there's so much to say and so much to be criticized.

Jamal: 09:34

That's a great idea. Maybe we can do a webinar on something like that.

Lydia: 09:38

Yeah, I'm personally very much interested in dark patterns, generally speaking of Amazon, some of the things we need to stay on top of as privacy professionals as well.

Jamal: 09:47

You mentioned dark patterns there. And for anyone who's listening that doesn't know what dark patterns are, can you just explain that a little bit more.

Lydia: 09:55

With the limited understanding I have pretty much everything, but I will try to explain. Dark pattern, for example, the classic one, I've just seen it the other day. It's basically something that is, I would say, the technical set up or the setup of a website or an app that doesn't really let you do what you want to do. You are being forced in a certain direction. I can give one example. For Amazon, they tick automatically, unbox for refills. It is here in the US all the time that when you buy a product, they basically have already decided that you are going to subscribe to a subscription service for that product and that you get it, I don't know, every month maybe. But sometimes you just want to buy the product once, so you need to unpick a box. And some people are just careless, they just tick it. And then all of a sudden you get monthly shipments of something they don't want to have monthly. And it's a little bit deceptive. I would sum it up as deceptive practices. What do you think of this definition, deceptive practices to push the consumer in a certain direction.

Jamal: 10:46

I think subconsciously getting or leading the consumer to behaviour that favours the company is probably a good way of claiming it. And I recently came across a dark pattern when I was trying to sign into my Facebook account. When you're trying to sign in, it says, hey, do you want to accept these cookies? And if you say, no, I don't want to, or if you try to restrict the settings, the screen just stays there. And it's almost like I think you have to click it three times for the screen to move away.

Lydia: 11:11

Really?

Jamal: 11:12

Yeah. And I tried this from a different device, and I noticed that on the other one, if you clicked yes straight away, you were allowed to go in. So that was a very dark pattern from Facebook or Meta. And so we see these kind of things all the time, even by the use of colour. There was a link in post I saw somebody did where they had two options and the contrast in the text between the option that would be detrimental to the company you could hardly read what it says because it blended in, whereas the other one was really bright, loss of contrast and really encouraging you to go and say yes.

Lydia: 11:43

I'm not sure if this exists, but I'm pretty sure there is such a thing as a dark pattern engineer that must exist. I'm sure they have those.

Jamal: 11:49

From your ethics point of view, what can we say about that pattern?

Lydia: 11:54

Ethics is supposed to be neutral. It's supposed to look at or that's at least my perception of ethics. It's supposed to look at something factually. Not what I think, but what several very smart people in the past have built certain framework. If you position yourself on the side of the company that would get more revenue through dark patterns and has to pay employees in the US. They pay health care for their employees. Yes, I guess it's for them, it is justified. But for me, as a consumer who has completely different needs and desires, it doesn't seem very right that my inability to detect that dark pattern is used against me, basically, and to force me to do something I might not want to do. I think generally, again, perspective question on whose perspective am I? Am I talking from the company's perspective. I might have legitimate interests here, or they seem legitimate to me as a consumer. I really don't see it. To me, the middle ground is important. How can I maximize the good for everybody? Yeah, this is one of the moral philosophers, I don't remember which I should really know this, but maximizing the amount of good available for everybody, and in this case, I think it's not maximized it's really heavily on the side or the advantage heavily on the side of the company. And I think that simply there should be no pre check box or they should maybe highlight that, be careful you’ll subscribe here to something that you might not want. But obviously then there would be no dark pattern anymore. I think to sum it up, the tech up is in such a strong position that it feels just because of that unbalanced, and which could lead me to the conclusion that it's probably unethical because I have a tech giant and then I have a consumer who is not always a privacy IT or other professional who might be able to detect this. And just because of this imbalance of power, I would say that it's problematic to the least, if that makes sense.

Jamal: 13:43

Yeah, no, that absolutely does make sense. And thank you very much for sharing and breaking that down in a way that even I can understand. Okay, so you said you're a generalist and you have so many different interests, and I can see from your LinkedIn post that you actually have so many interests, which is really fascinating. And I can see by all of the number of books behind you that you definitely are very keen and interested in so many different topics. I want to ask you about artificial intelligence, and I want to ask you this specific question. Can artificial intelligence and privacy exist peacefully together?

Lydia: 14:14

I think so. First of all, we're just at the beginning of creating AI legislation framework. There is, to my knowledge, many drafts circulating, many drafts circulating currently. And of course you can have privacy friendly AI, but the people who build it need to be made aware of what privacy friendly AI looks like. It cannot just be about amassing the maximum amount of data and well, there was also, I think, the Clearview decision or the intent to fine by the ICO that I saw just yesterday. I didn't have the time to look into it any deeper. But I think it is interesting that we are at a stage where we do not really have very clear legislation, let's say everywhere. It's not clear to everybody. Maybe we should say that not everybody understands what AI even is. We do not even seem to have a clear definition on AI. Yet we're seeing an intent to fine, which I find really interesting from an authority. But then I would have to ask, what are the frameworks? And currently, I don't feel that there is a clear framework, so there's a lot of grey areas. But I think that the path for consolidating privacy with AI is pretty clear. You make AI transparent so people understand what data sets were used to train the AI, how data are being used in general, if individuals have consented, et cetera, this is absolutely possible. But privacy professionals are generally not the ones creating the algorithms and building the AI. And I think it requires a lot of company cross functional but generally multidisciplinary approach to make sure that not just privacy, but basic ethical principles are built into the AI. It's totally possible. Of course, the question is just which framework are we adopting? Who has validated that framework? What will the future legislation looks like? All these are questions that have not been fully answered. I know that there are so many papers that have been written as an ethicist. I'm interested in how we build ethics into AI. Some researchers are building ethical principles into AI bio principles that they draw from bioethics. For example, they suggest that we use the principle of nonmaleficience, autonomy, justice, and principles like that that we know from bioethics that they propose to build into AI. Now, all that's very nice, but is it really done in reality? And that's where I think things become a little bit more difficult.

Jamal: 16:31

What advice would you have for organizations that are working on bringing in artificial intelligence as part of their processing activities?

Lydia: 16:38

Now, I would say that, first of all, thorough due diligence is a good idea. First of all, ask maybe the company, is this really AI? Is it not just an algorithm? That's exactly what a human being could do as well. Whereas the kind of learning component, is this really AI? That's maybe the first thing. I feel it's being thrown around a lot, especially in the marketing and commercial world where there is a lot of I'm sorry, I had to say, but there's a lot of FOMO. Everybody hears about it, so everybody wants to get jump on board, and we feel we're missing out if we don't have AI, maybe a thorough due diligence process can't hurt in this case. Also, ask your providers a lot of questions, see if they're willing to answer set questions, because sometimes they say, oh, no proprietary information, I can't answer this, but there should be a minimum of transparency. And if there is not this minimum of transparency, I would be very cautious. And also, authorities in the US. For example, are looking into AI. I feel there will be also much more legislation, and we need to prepare for that a little bit as well. We cannot absolutely not assume that we can do whatever we want in AI, and there will also be more privacy, relevant surveillance going on, and more awareness around. You cannot just use all the data you want. You need to ask for consent. You can't just do whatever you want when you train your AI. And I think a lot will revolve around that. And I'm also pretty sure that we will see more AI vendors maybe getting into some legal troubles. There have been some already that I have seen. So I think this is something that will be continued. And the only reason or the only way to avoid as a company to work with another AI company in this case that might have huge issues as well is to do proper due diligence. And not just In God we Trust, everything else we check. So that's what I hear from my cybersecurity colleagues, and I think they are very right about this.

Jamal: 18:23

I love that in God We Trust and everything else we check. Your top advice or your top piece of information that you have for businesses thinking about using AI for any of the business processes is due diligence. First of all, figure out is it actually AI or is it just an algorithm that marketing as AI? Where is the actual learning coming from for it to be considered artificial intelligence? And then also ask questions to see how willing they are to be transparent about what it is that they're actually doing. And if they're not willing to be transparent at all, maybe have another thing. I start thinking and asking some of those key questions because you could find that potentially you end up in trouble later down the line. And that's something that you probably avoid to make sure that you keep your reputation intact and also you're not wasting resources fighting court cases.

Lydia: 19:07

Yeah. And also maybe deciding on the cost is also something. Is it really worth it? I have seen several cases where some AI solution was proposed for a lot, a lot of money. And sometimes it was not even clear what the AI was supposed to do. And in which case you kind of okay, but you need to kind of explain how you don't need to explain every detail of your algorithm, but you know, just the kind of the thinking process and all that. And I think that's absolutely not impossible. I don't know. Would you agree with this?

Jamal: 19:36

Every single decision that people make, especially if it's a business decision and you're responsible for and you're accountable to other people, and you're spending other people's money, your shareholders money, that money that could be better used for something else, you have to be accountable. And if you are going to spend that on any kind of solution or invested in any kind of education, whatever it is, there needs to be a clear case for a good management decision. What is your return on investment as a result of this? Not, hey, we're scared that we've heard all of our competitors are using AI. So this company that says the AI, let's just pay them a lot of money and see what they can do for us. No, there should be a very good accountability of how well this is a good management decision. That's my position on any investment decision.

Lydia: 20:18

But I think that as someone who is well versed in privacy. I would say you would agree that it's also about documentation and you need to be able to kind of document your business decision to some extent or you need to be able to say that yeah we went through this due diligence process and we have considered all this and this is a big part of my job as well. We need to document what we do and we need to be able to say yeah we decided this because of XYZ in this case. We decided that. I think that for any acquisition and business decision, it's kind of important to understand why the decision was made. Or I'd like to think so, maybe it's not to everybody, but to me it's rather important.

Jamal: 20:52

Yeah, I completely agree. It is very important. Now, Lydia, I just want to touch on your past a little bit. One of the things that really inspired me about something you've achieved is you are actually the first email head of privacy across any bank in Switzerland. Tell us a bit more about that.

Lydia: 21:08

I was nominated because I had operational experience. I had been with the bank for a while already and at the time it was felt that they needed someone with operational experience, just an external lawyer who would come in, but also someone who maybe knows the company, which I think is helpful. It is not mandatory because if you don't know a company, then you can also maybe come in with a completely fresh point of view, which I can also see as an advantage. But in my case it was a desire to have someone well, who knows a little bit about the law, who knows processes well, who is not just interested in the legal side, but also a little bit in the ethical side. And I was lucky enough to be at the right place at the right place at the right time, which I think is always key to anything that happens to you being at the right place at the right time, because so many incredibly talented people are not always lucky enough to be at the right place at the right time and I was. So I got the job and it all started. It was a challenging position because the privacy program had not been entirely built yet. There was a lot of work to do around that. It was very interesting because I knew the bank well and I was all of a sudden in a very different position from the position that had been my previous position. So I kind of had a completely different point of view and that's when I discovered privacy, actually. So they were open enough to trust someone who did not necessarily have privacy experience, per se, if you work in a bank, I have to be very strict with rules of confidentiality, especially in Switzerland. The banking secret is a very important aspect of the relationship with the client and therefore I would say any employee, especially in a bank, is very considerate of privacy confidentiality in general. And if you know the law well, you can read a privacy law, you understand what it's about. And I also went to a lot of trainings so actually it was my personal wish to get specifically trained in data governance. So I got a training. Specifically, IT/ data governance I went to classes with It security professionals for the same degree and that was actually very interesting and that was something that helped me a lot in my job because you're not born nor necessarily how to do a data mapping, what questions to ask a cyber security professional. And also in order to be taken more seriously, I felt the need to get into more technical knowledge to acquire a more technical knowledge which I coming from a legal ethical background did obviously not have. I'm very open about this, but I do not like it when lawyers or people with a legal background are not a lawyer, are all considered as tech illiterate. Maybe we don't have a degree in computer science, but some of us are really interested and also willing to learn. Some of us have also understood that if you don't do that, you will not be taken seriously by your colleagues who are more technical experts. And that was something that maybe I would say as a woman I was often the only woman in a room with many men, which I was kind of used to, but then I was all of a sudden in a position where I had to talk about policies, where I had to say, okay, we're going to implement this now. We need to implement this. That was not always so easy, I will admit that, especially in the very particular world of banking, which is, I'm sorry to say this, but very male dominated still. And we had a female head of compliance and a female head of risk management, which is also quite unique, but I guess we were all nominated by the same person who trusted female employees. So we had several strong female characters in there, but it's still a pretty male dominated world. And I felt the need personally to be particularly or to make myself as competent as possible in more technical areas because I didn't want to be seen as a person who knows nothing about this. I had cybersecurity colleagues on the other side of a corridor. I was with the compliance department and I had to cross the corridor. Sometimes people saw me running down the corridor asking my colleagues something and they knew, oh, there is something going on. And it was often the case there was something going on and it's also about building relationships.

Lydia: 25:04

But I guess it's not because of my gender. It's because I was in a position that I did not have a lot of experience with, where I had to learn a lot and I had to prove myself. And this is, I guess, male or female, everybody has to do this. You know, you come in with a certain healthy degree of humility, which I think is really important, and then you start to learn and you ask questions. You don't come in and impose your point of view when you're not really in a position to have a super precise point of view because you don't have that much experience. So, yeah, it taught me a lot of humility. I would say. I tried to be very mindful of that. I started at the very bottom. I was an assistant a long time ago. So I started really at the bottom of the hierarchy and worked my way up. But because I was very lucky also, I think I don't believe that hard work alone gets us where we want to be. It's also about a lot about luck and building relationships. And some people tend to forget that they were at the right place at the right time, and someone equally talented might not have been, so luck is important, and it was for me as well.

Jamal: 26:07

Thank you very much for sharing insight, a very quick, deep dive into how you got to where you are. And I can tell you’re very humble and very modest, instead of explaining how hard you have to work and what you had to do to prove that, you said luck favoured me. So thank you very much for your humility and your modesty. You touched on a few things I want to explore a little bit further. Lydia, one of the things you spoke about was about your desire to invest in your own learning and education. One of the things you said is you actually went and trained with professionals. You went and trained with mentors and experts. Why is it important to go and train with experts and mentors rather than just trying to read a book and self-study on your own?

Lydia: 26:49

I would say you can do both. But I believe that experience from mentors and other professionals is absolutely invaluable. I think we all need it, and this is where it comes to humility. If I take a book, I kind of take the position that I myself able to teach myself everything. And I do not believe that. I believe that we need to learn from other people also that you have one topic, and if you ask five privacy professionals, you will probably get five different answers. You know the old saying, two lawyers, three opinions, and this is maybe the same for privacy professionals. And I have the impression that even if you disagree, sometimes you can still learn something. I tend to look up to people who are more experienced than I am, I'm currently being asked by people to mentor them and I'm always very flattered because I say, wow, how can you ask me? But yeah, now I do have several years of experience but I still have a lot to learn. My hope is that this is a lifelong process because an eye opener was for me Carol Dweck's book about mindset. I don't know if you have read it. It's an incredible book that I recommend for everybody.

Jamal: 27:53

It's really interesting that you're speaking about Caroline Dweck and I prefer to call it Mind State because I realize it's fluid. Right at the Privacy Pros Academy we have a signature twelve week accelerator program and on that program we take people through five pillars and the five pillars are Mind State. That's the first one. So we always start off before we go into any privacy training, before we go into anything else. We always start with the mindset and say, look, before we start this journey of transformation we need to make sure that we go and we have the right mindset. If we have the growth mindset we understand the value of, we understand that anything is possible and we're much better to be able to understand and achieve our goals and I have some background in neuro linguistic programming and life coaching and hypnotherapy. So we bring all of that in as part of the first pillar. The first pillar is really about laying strong foundations and getting the right mindset to achieve that excellence and to achieve the success that they want to have by the time they complete the program. The second pillar is all about subject matter expertise and this is where we take a deep dive into all of the different elements of European data protection also we become a real expert by the time they leave. And then the third pillar we have it's all about getting that credibility. And one of the things that I'm going to ask you to speak about a bit more is about the credibility that an IAPP certification brings. So we put them through the official IAPP training and help them to ace the certification so they get the credibility. We've got the Mind State, that's the first pillar. The second place about the subject matter expertise. The third pillar is about credibility. The fourth pillar, and again, you're a really good advocate of this, is about getting that practical experience, really being able to walk the walk and not just talk the talk. And that's the fourth part is where we prepare them. We teach them how to do records of processing activities with the data mapping company, how to respond to subject access requests, how to do data protection impact assessments, how to write privacy notices that are actually clear and that makes sense that people can actually understand. So we take them through that as the fourth pillar. And the final pillar is all about personal branding. A little bit like what we're doing now on the podcast and what we do about LinkedIn and why it's so important to really understand the value of your personal brand and why your reputation should really precede you and how that can open up so many more opportunities for you and be a magnet to attract all of those amazing opportunities. That's the kind of cold program that we take people from. We will take them through all five of those pillars and by the time they're done they have transformed into an elite world class privacy program and we've got some great people in the Signal community that you can actually reach out to and follow their stories as well. And it's really inspiring the transformation that people make when they have the right mindset and take themselves through this twelve-week journey.

Lydia: 30:22

I think that's really great because your approach is very holistic, and I think that is maybe missing from trainings that I myself have seen. It's very subject matter oriented. I would say it's less oriented on the holistic approach of just maybe also soft skills. What you're saying sounds also like you put a certain emphasis on soft skills because they are very much needed. I know many people have great fantastic subject matter expertise and that's also why I was nominated in my job in the bank in Switzerland is that soft skills are needed when you work with a lot of different functions, which is what privacy professionals have to do all the time. We have to work with IT colleagues, we have to work with IT very broadly speaking, because there are so many different areas of expertise. It can be cybersecurity; it can be website programming and you basically get to do everything from training people about privacy by design processes when they develop websites to going over cybersecurity policies or incident response mechanisms. And for that you need to be able to convey the right message and just knowing your stuff is not always enough. You also need to also be open to criticism and willing to be challenged. The mindset that we just discussed, I think that's also part of your mindset that at some point you might be able to admit, or you have to be able to admit without crumbling completely that you might be wrong or that someone else knows better than you do. And that's why I like your approach because it's holistic. I think it's very important to have that kind of approach and to make people feel confident about what they do. Because if I'm not so sure then I might have a very good knowledge about what I'm doing but I might not be able to convey it in the right way. And I think that's also important. Just a question, do you do some kind of situation training kind of if you're facing a particularly difficult, let's say, cybersecurity colleague or something? Because that's I think something that every privacy professional should be in a position in to kind of see wow, these people really don't care about privacy. I'm not saying the cybersecurity people, because they do, but some people really don't care or they don't know or they don't understand. And that's when you say okay, I will explain it to you. But still while sounding humble and not because the other person doesn't share your point of view and they might be a smarter than you are, how do you see that kind of role play? I think that's important actually.

Jamal: 32:42

So there's two things that I do to address that as part of the actual signature program. One of them is we have a whole session on communication and the art of communication and how things like your tonality, your body language, your micro expressions, all of those things can really make a difference. Looking out and listening for visual auditory cues about what someone's preferred representational system is. So is it somebody who thinks more in pictures, in sounds or they're more in their feelings or they're all about making sense? So we teach them how to look out for these things so you can speak to your colleagues and your stakeholders in a language that they understand and the language that they resonate with most. So that's one of the things we teach. The other thing I teach is about I have 23 principles which I based my practice on and which is my outlook on things. And one of the situations you describe there is where you're having a challenging conversation with another colleague. So one of the principles that I teach is everyone is doing the best they can with the knowledge and resources available to them. And if we always go in with that mindset and we always go in with that assumption, then it doesn't matter what anyone says or does, we know they're doing the best they can. It's now up to us as elite world class privacy professionals to empower them with the knowledge and resources to get them to a different level of understanding where we can actually protect and meet the objectives of the business or whatever the project is.

Lydia: 33:59

Yeah, I think that's a really good approach, sounds like you're a really good teacher should be more of these because not everybody is. Again, many people really have great subject matter expertise but then they're also not necessarily great at conveying that. But some people don't really know. It really depends. I prefer sometimes someone who is maybe let's say not 100 in level of knowledge about everything, maybe an 85, but then is a great communicator and communicates passion. It's so important to communicate well, especially if you are in jobs that require multidisciplinary teams and cross functional work. Subject matter expertise is not enough. I always come back to that. I'm the soft skill person. I would focus on that because also who likes to work with someone who is kind of arrogant and says I know it all. And I have a very good quote here by a German philosopher who said that a dialogue is only possible if each party can for a split second assume that the other one might be right and not them. How do you like that?

Jamal: 34:59

I really like that. That's really interesting. I’m going to write that down.

Lydia: 35:04

I’ll send it to you.

Jamal: 35:07

Post it in the community, I’m sure everyone would really benefit from that quote as well.

Lydia: 35:13

I will.

Jamal: 35:13

Next question I have, what advice would you give for anyone starting a career as a privacy professional?

Lydia: 35:19

Learn and learn. Be very mindful of the fact that you might turn into challenge, especially challenges. And I think businesses that often might not necessarily all want to invest that much in privacy. And I think we hear generally from most privacy professionals that they have to juggle a lot of different things at the same time. As I said, we touch everything from AI discussions down to research. I work in a pharma company, so there is obviously that going on for every professional in the finance world. Sometimes it becomes also very technical. I had to look into processes that I knew about, that everybody knows about, we all understand that if we make a payment online, something happens. But I really had to look into those processes the way a payment was processed or a bank transfer was processed. And as a privacy professional who does not come from a technical background, I think it's very important to train yourself about that as well, because otherwise it's going to be very difficult to have conversations. And then on the other side, people who are from a technical background, like struggle sometimes understanding legal constraints and the law, the law, I mean, every country has different laws. There is GDPR, but then in each European country there might be some specific implementation of some provision. It is sometimes scary because you have to read a lot of stuff. But again, learn, learn, learn, and get out of your comfort zone a little bit because, as I just said, well, tech people will need to get into more legal, ethical aspects, and while legal people will need to get into more technical aspects. And I went to law school, it's probably because I was not so good in math. So computer science is not really the thing for me. But I still have to understand certain concepts and I have to you know, I had to understand encryption and we actually had pretty detailed training about encryption, about the whole mathematical aspect of encryption. And one shouldn't be scared of that, I think, and many people are probably a little bit wide. First, I need to understand GDPR. Yes, but that is just the beginning. That makes sense.

Jamal: 37:34

Yeah. Thank you. That was a really valuable insight. And the key takeaway there is always be open to learning. Be willing to push yourselves out of your comfort zone and be willing to make up for your shortfalls, right. You might have particular strengths, but that means you also have particular weaknesses and be open to your weaknesses and do something about really addressing your weaknesses and turn them into opportunities for success.

Lydia: 37:58

Yeah, that's perfectly summed up.

Jamal: 38:03

Three things that we really focus on at Privacy Pros Academy is helping people to get the clarity they need so they have the confidence. And when they have the clarity and the confidence, it gives them the credibility. And also credibility comes from certifications. And we spoke about IAPP certifications, and I think before we started the recording, you're explaining how important they are, especially in the context of getting a role right now. Can you share a little bit more about why IAPP certifications are so important and why you're really working towards those?

Lydia: 38:31

I think it's to my knowledge, one of the only standards currently. That is why the IAPP is, first of all, an important and serious organization. They organize very good seminars. For me they are wealth of resource of many documents and patients. And I often consult the website for just when I need some information or I want to dig a little bit deeper into a topic. And to my knowledge, there is no other accredited or really serious training and the problem is, I think that you see everywhere, every university now or every kind of institute has kind of a training program about privacy, which is nice, but other than the IAPP, there is no really officially accredited organization or body that comes to mind. At least I'm not aware of anyone or any other body. And therefore, I think that this IAPP certification is certainly an important step. And also it gives you a minimum of but the minimum competencies you need to do this job if you are totally new. But then I know that some people go into the exam and I don't even have to study for me. As I shared with you earlier, despite having done European law, which I was very embarrassed about when I started my training, I still haven't taken the exam yet. But when I started my training, I said, oh God, all this European institution stuff that I thought would never become important when I was sitting in those, I'm sorry, extremely boring European law classes. I'm Swiss, so we didn't focus on European law. We focus on Swiss law since we are not part of the European Union. That came back to bite me years later, 15 years later, the fact that I didn't pay attention to what the European Commission does or something like that, really said, damn, I should have paid attention to all this. And I didn't. That was really challenging because some other aspects of the training program, it was super easy. I didn't even have to read the chapters. But that part, and as I understand it, it's really part of the exam. But then I told myself, okay, it is an important part of general culture just to know this, what the institutions do. And then I said, okay, then I need to read this all over again. I should not resist it. I was kind of resisting it because I said, this is boring.

Jamal: 40:47

And I think that's absolutely true for 99.99% of everyone. And from my experience and from the results that we see being published from the IAPP is most people actually do really badly on that element of the exam. And the body of knowledge that most people struggle with is that, because in your practice, it's not something that you need to know, it's not something that you speak to your clients about. It's not something that you speak to other areas of the business about, whereas some of the other elements is something that we have to live and breathe and practice and educate people about every day. And that's why it's understandable. I too used to find that kind of law really boring. And I'll give you a confession, which I don't think I've shared in the podcast before, is I went to the university to do a law degree. My second week, on Monday morning, I decided, you know what? This public and administrative law stuff is so boring. I changed. I quit my law degree, and I went and did a BA in business with law instead. I completely resonate with the lack of excitement that one might feel for this area, but at the same time, there are other people who actually love it. And one of the things that we try during our official CIPPE training that we deliver at the academy and we're doing this stuff is we bring meaning to it. And when you ascribe meaning to something, it really helps you to understand it on a deeper level, and it actually helps you to go and ace those exams. I'm glad to report everyone who's been through our official training actually have gone and aced the exam. Some people have done it within 48 hours of obtaining the training. Some people have taken a little bit longer, but everyone right now has aced on the first attempt, which means we must be doing something right. At the same time, one of the things that we do after the training, we take that holistic approach that I explain throughout the Privacy Pros Accelerator program and do that for everything. So even if somebody just comes out for the, let's say, the CIPT training, one of the things that we do is a guided revision. So after the training, they still have access to me, and I break down each topic, and I really give them an area to focus on so they really get it. And when they’re really just able to focus on that, they don't get overwhelmed from this whole intensive training session. They can just break things down and get the clarity and the confidence that they actually know their stuff on this. And then we have the weekly live training that's open to absolutely everyone. And the whole point is, one of the things I struggled with when I went to and did trainings is I would do the training. It was amazing for the time I was there and I would ask all the questions I could fit in the time without annoying everyone else. I really loved it. But the problem is, as soon as I started revising, as soon as I went to work and started practicing, I had 5 billion questions and there was no one there to answer them. So one of the things I offer everyone who comes and trains with us is every week I do a live session in our private Facebook group and you can tune into the live session, ask the questions, or ask them in advance and then catch up with the replays afterwards. And I found that really helps people to get the learnings they need and then to have any follow up questions answered to help them really get that clarity so they can be confident they know the stuff and then speak with credibility and authority and attract the recognition that comes with the IAPP certifications.

Lydia: 43:41

I like the fact that you assign meaning to things because it's so important. I have a teenage son and I find that some topics are difficult for him in school because he just sees it as something boring he needs to learn in school. But then when you dig into, for example, some history topics and say, well, this is really something important, and then you explain why, it all of a sudden becomes easier, I think, to learn anything. And this is also why I come back to privacy in general. I think if you assign meaning to privacy in the sense of it's just the right thing to do, it becomes much more meaningful to people. Rather than always saying just that people need to be mindful of the fines because that doesn't work. If the punitive approach or punishing people generally worked, or the threat of a punishment solved everything, there would be nobody in prison and everybody would nobody would ever commit a crime because they're so scared of punishment. But I think that's not how human beings work. If you do explain, though, in a meaningful way, why something is important and privacy is important, it works so much better for everybody. That's my personal opinion. This is why, yes, assigning meaning to everything is absolutely crucial. I think we also learn better. I think that has even been proven right, that we learn better.

Jamal: 44:59

I can tell why we get on so well because we share so many common perceptions and views on things. So it's really fascinating. The last question I have for you before you get to ask me a question is this , it’s going to be split into two questions. What is the most challenging thing about your role as a Global Data Protection Officer. And what is the thing you love most?

Lydia: 45:19

Well, I cannot get too much into detail because I'm not speaking on behalf of the company, but I can speak as a general. Generally in this type of function, the best thing is that you really get to speak with people from all over the world and what I find which is actually challenging and fascinating at the same time because yes, I have colleagues in countries, but I still need to, I feel it's necessary to keep myself updated about legislation. And privacy is an area where there's a lot of legislating and activity all around the globe currently that can be quite challenging because there's many, many different cultural approaches behind it. And you need to kind of understand the culture of the country, why they have the privacy law they have. I said jokingly the other day on LinkedIn to someone, well, show me your privacy laws, I will tell you who you are. And I think that's kind of true and I think that is very interesting, but also challenging because it's just very time consuming. But I make it my kind of duty to understand what my colleagues in the countries are going through, what is important for them. And you also have very different backgrounds, different people, it's seen in a different way and then you have all the different laws. That is super interesting but also super challenging because it's simply very time consuming. And like in every global role, how you work with other global roles that are generally big jobs and important people. I'm not so important, but other people are, other people I have to deal with. And yeah, you need to kind of find a good way to tell all these important people that hey, I'm here and what I do is kind of important as well. You can't just always talk about the fines because that's really boring and I don't think that strikes the right notes with many people. People get parking fines all the time and they know that they get parking fines, yet they park in not the right spot.

Jamal: 47:15

Yeah, absolutely. I don't think driving motivation to do the right thing by making them be scared of being punished is the right thing. I think it's more about understanding what the right thing is, why it's important and why we should really inspire confidence and cultivate that trust to be an organization that is successful moving forward. And one of our goals at the Privacy Pros Academy is to really well, our mission is to build a global community of elite world class privacy professionals that are going to empower businesses with honest privacy practices. And the reason we want to do that is the vision is to live in a world where every man, every woman, every child has the freedom to make their own choices without losing control over the rights and freedoms over their personal information and having had those choices manipulated and made for them.

Lydia: 48:00

Sounds very true and right.

Jamal: 48:05

Okay. Do you have a question for me?

Lydia: 48:08

Yes. Is there anything that would make you leave Facebook for good? Because we talked about social media earlier. I know it's a bit tricky, but.

Jamal: 48:16

Is there anything that would make me leave Facebook for good? Yeah, I think there's lots of things that would make me leave Facebook for good. Now, the only reason I use Facebook is because first of all, I recognize that they have a platform with a massive audience. And it's a fact there's a lot of people out there. And a lot of people out there actually need to understand what is going on with their privacy. And a lot of the interviews that I do with the BBC, with ITV talking about privacy issues when I post it on my profile, a lot of people who are not in the data privacy, it's really helpful for them to understand how, hang on, I didn't even know that was a thing. And they start asking more questions. So I can see as a platform to help people, to empower people, to give it more awareness. Also, because so many people use the platform, there are great privacy groups on there that are people who are professionals using it. And it's a great place to actually find like minded people and to help them. And some of the actual training sessions that we run because how interactive Facebook is. Let me give you an example. We have a group on Facebook and we used to have a group on LinkedIn. The LinkedIn group is dead, right?

Lydia: 49:20

Really?

Jamal: 49:21

Yeah. Nothing happens in LinkedIn groups. And you can go to most LinkedIn groups and you'll see that they're nowhere near as active or as engaged as any of the alternate and equal groups on Facebook. So you can see that different people prefer different platforms for interacting. And having worked with individuals, having trained individuals at Facebook as part of the privacy professionals, I know just how committed the individuals that are working there are to doing the right thing and are to empowering that business, to develop honest or more honest privacy practices. So I'd rather be part of the solution than thanking people and say, you're the problem and I'm going to have nothing to do with you. And I want to drive positive change. And that starts off by making small differences. And if within the actual metaverse, whatever you want to call it, driving change, then hopefully eventually we can get to a stage where it's a platform that actually does more good, respects privacy and helps people to have those connections. Because if you look at Maslow’s hierarchy of means, you can see one of the things that people need is connection. And so many people tell me they love Facebook products, Facebook, WhatsApp, whatever it is, because it's giving them the chance to stay connected with, their family, with their friends, with their long lost colleagues, with people they went to school. So there are some great things, and there are certain parts of the hierarchy of needs that individuals need that Facebook is able to cater to and offer. It's just we need to support them, we need to encourage them, we need to guide them and continue working with the great privacy professionals they have, working there to bring them towards something we deem to be more honest, more acceptable, and more in keeping with the actual rights and freedoms that are promised to us as individuals.

Lydia: 51:02

You're kind of like a man on a mission from the inside. That's kind of what it sounds like, that it's a good recap. Yeah, I understand. Personally, I have to be very honest. I just can't, after everything that I mean, I haven't had a Facebook account in years and years and years, and I have to say I'm a rather private person also. I think it's also because of my family past that I mentioned. My whole family is like that. We really struggle with putting ourselves out there. This is why it's very therapeutic for me to do a podcast, because a LinkedIn profile is okay, but maybe culturally, just sensitivity to this specific topic, I don't know, it's just very difficult for me. I think it's a very personal thing also. But as I said earlier, I hope that we will be able to build better social media. And this is really if I was asked about my hopes for the future, I would say that that is really something very important because I think it's absolutely possible to build better and more privacy friendly social media. And I think Facebook can do it too, with all the means they have. I just suspect that they don't really, currently are not fully there yet. I hope that Mark Zuckerberg will see the light at some point, though.

Jamal: 52:14

The assumption that we have is Mark Zuckerberg is doing the best he can with the knowledge and resources available. It's up to me to take responsibility to help him and his team to have more knowledge and more resources to develop more honest privacy practices.

Lydia: 52:28

Yeah. From the inside. And I think that if you feel comfortable doing that, I think that's actually a great thing. I hope your account will not be shut down though, one day, because you say too many smart things that might endanger them.

Jamal: 52:44

If you do look through my Facebook profile, a lot of it is very professional in terms of about privacy stuff. I don't really go and post too much about my own personal life and my intimate family matters and my intimate challenges. Understand. Look, if I was standing at Oxford Street, this is what I say to my friends and family. If you were standing at Oxford Street and you had a piece of paper and you would write everything about it on a piece of paper and you'd hand it out to anyone that walks past happily, then you should put it on Facebook. If you wouldn’t want to put it on that piece of paper, then don't put it on Facebook or any other social media channel. That's the kind of stick I used to measure what I would post and what I wouldn't post about.

Lydia: 53:23

I think that's excellent advice and I think this is also where people I've heard about someone not being hired because they had unfortunately had posted something very publicly on Facebook. It was not something politically sensitive, it was just something a little bit too intimate and the person was not hired because of that, because the hiring manager thought that I don't want to hire a person like that because I need someone who respects confidentiality and other principles like that. So I think that people need to be careful on how they use social media as well, especially true for teenagers, which is a topic I need to dig into a little bit because I think there needs to be more awareness on college applications here in the US. Some stupid post, I don't know, eight, seven, eight years ago. It will never be erased, it will always be on the internet. And I think that those are pretty dangerous. I'm very much in favour of the right to be forgotten. I think that those are considerations that younger people who will one day have to look for jobs and who basically post everything and everything is visible out there, need to consider for the future. And I don't think that generation of gen, what are they younger than Generation Z? I never know. I can't keep track. I'm not sure they are aware of that and I think I see quite a danger there. This is why I think it's important to build better social media where you can actually delete stuff if you need it to be deleted, if it's endangering you or something. So, yeah, just a last thought.

Jamal: 54:49

Thank you. Maybe that's the topic we can delve into even further on a separate platform or a separate podcast one day. Lydia, thank you so much for coming on today and sharing so much valuable information. You spoke to us about why privacy is so important. You shared some very intimate information about your family history and why it resonates with you so much. We spoke about Lush and using social media and you gave some great examples and some great advice for anyone who's actually pursuing a career in data privacy and there was so much more that we covered. Thank you so much for all of the valuable information and for taking the time to share this with our listeners and I wish you all the best with your privacy career and I look forward to catching up with you in the community soon.

Lydia: 55:32

Thank you.

Outro: 55:34

If you enjoyed this episode, be sure to subscribe, like and share so you're notified when a new episode is released.

Outro: 55:42

Remember to join the Privacy Pros Academy Facebook group where we answer your questions.

Outro: 55:47

Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world class privacy pro.

Outro: 55:54

Please leave us a four- or five-star review, and if you'd like to.

Outro: 55:57

Appear on a future episode of our.

Outro: 55:59

Podcast, or have a suggestion for a topic you'd like to hear more about.

Outro: 56:04

Please send an email to team@kazient.co.uk

Outro: 56:09

Until next time, peace be with you.