Episode 42

Published on: 6th Sep 2022

How To Overcome Challenges Every DPO Faces

Leading Data Privacy Professional Spills the Secrets on How To Overcome Challenges And Guarantee A Successful Career in Data Privacy

The world of data privacy is constantly changing, and it can be hard to keep up. From staying up-to-date on the latest regulations to ensuring that your organisation's data is properly protected, DPOs have a lot to contend with. In this value-packed episode, James Robson shares the secrets to his success! He discusses his journey into data privacy, working in different sectors and the unique challenges data protection officers face in non-corporate organisations.

Hi, my name is Jamal Ahmed and I'd like to invite you to listen to this special episode of the #1 ranked Data Privacy podcast.

In this episode, you'll discover:

  • How to find your niche and excel in Data Privacy
  • How finding a mentor can transform your career overnight
  • Practical tips on how to succeed as a DPO wherever you work!

Discover why you can enjoy a rewarding career in Data Privacy regardless of your background, and so much more...

Ready to become a World Class Privacy Expert? Book your call to join the World's Leading Privacy Program

James Robson is a Data Protection Officer at The Evidence Quarter, which is home to a number of organisations, including Reform, What Works for Children’s Social Care and Neighbourly Lab.

James has 10+ years infosec and data governance experience including privacy/security information management system design for multiple large multi-national organisations. His qualifications include IAPP CIPP/E, CIPT, IBITGQ EU GDPR P, and ISO 27001 Lead Implementer and he proudly considers himself a data protection nerd. Before joining The EQ, James was a senior consultant for Evalian Limited working on multiple data governance and security projects at any one time being Data Protection Officer for a number of companies concurrently. Before Evalian he was a Data Governance & IT Security Specialist for the largest global psychometric testing firm SHL Group Ltd.


Follow Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/

Connect with James on LinkedIn: https://www.linkedin.com/in/-james-robson/

Subscribe to the Privacy Pros Academy YouTube Channel: https://www.youtube.com/c/PrivacyPros

Transcript
Intro:

Are you ready to know what you don't know about Privacy Pros? Then you're in the right place.

Intro:

Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts. The podcast to launch, progress and excel in your career as a privacy pro.

Intro:

Hear about the latest news and developments in the world of privacy.

Intro:

Discover fascinating insights from leading global privacy

Intro:

Professionals, and hear real stories and top tips from the people who have been where you want to get to.

Intro:

We're an official IAPP training partner.

Intro:

We've trained people in over 137 countries and counting.

Intro:

So whether you're thinking about starting a career in data privacy or you are an experienced professional, this is the podcast for you.

Jamilla:

Hi, everyone, and welcome to the Privacy Pros Academy podcast. My name is Jamilla, and I'm a data privacy analyst at Kazient Privacy Experts. I'm primarily responsible for conducting research on current and upcoming legislation as well as any key developments and decisions by supervisory authorities. With me today as my co-host is Jamal Ahmed, Fellow of Information Privacy and CEO at Kazient Privacy Experts. Jamal is an established and comprehensively qualified privacy professional with a demonstrable track record solving enterprise-wide data privacy and data security challenges for SMEs through complex global organisations. To date, he has provided privacy and GDPR compliance solutions to organisations across six continents and in 30 jurisdictions, helping to safeguard the personal data of over a billion data subjects worldwide. Hi, Jamal.

Jamal:

Hi, Jamilla. How's it going?

Jamilla:

I'm good, how are you?

Jamal:

Hungry? Yeah, hungry. So, for those of you listening, we're recording this during the month of Ramadan, which in the Islamic calendar is the month of fasting, which means from sunrise to sunset, there is no food, there is no water, there is no marriage relations, and we have to abstain from all of those things. And right now it's British summertime, so we're going for about what is it, about 14 hours a day?

Jamilla:

Ish. I don't know, the hours have all kind of...

Jamal:

But this year is easier than it was last year because we are at the beginning of summertime rather than in the middle of it. So it's getting easier and easier every year. But it still takes quite a toll, doesn't it?

James:

So impressive.

Jamal:

James Robson is very impressed. Before we dive right into it, tell us a little bit more about James.

Jamilla:

CIPT, IBITGQEU, GDPRP, and ISO:

James:

Thank you so much. It sounds so nice, it being read back. It's almost a bit nerve-wracking hearing it. Is that my career? Is that how I sound? Thank you so much for that.

Jamilla:

No problem. We'll get into more questions about your career shortly, but we always like to start off with an Icebreaker question on this. And for some reason earlier I was in a Wikipedia rabbit hole and I was reading about the fourth plinth in Trafalgar Square. So I was wondering, what would you like to have on the fourth plinth? For those people who don't know, we've got four plinths in Trafalgar Square in London and the fourth one has often been empty and different artists have been commissioned to put artwork on there. So what would you have on that?

Jamal:

Hold on, hold on. Before James answers right, we need to add a bit of context. What's on the first, second or third plinths right now?

Jamilla:

Well, I didn't think you were going to ask me because I can't remember. Some old people I've never heard of. Charles James Napier and Major General Sir Henry Havelock. Those are on two of them, so I'm not sure who they are, but I'm sure they were great. But anyway, James, what would you have on the fourth one?

James:

That's a huge challenge, actually. I was around Nelson's Column recently and it did have a cherry on top of a plastic bit of cream with a drone on the edge of it. And it's meant to depict the size that drones will become and the possibility of AI actually being a real problem with the fact that drones can be so small and so damaging to people. So it was a massive message. I'm not too sure if I could have a message as strong as that in any way. I mean, I'm a qualified yoga teacher, so maybe somebody doing yoga or directing the yoga class from the plinth and having everybody on their mats all over the area. I think that would be something that I think would be good to have there.

Jamal:

Yeah, that'll be pretty amazing for London. Wake up every morning, rise, go to Trafalgar Square, and there will be James Robson on the fourth plinth doing yoga classes.

James:

I didn't necessarily say it would be me. I don't think I'd be up for that.

Jamal:

If you do it, I'll be there, I promise.

James:

Okay, awesome.

Jamilla:

Moving on to more careery questions, if that's the word, how did you get into data protection, James, and data privacy?

James:

point. We're talking kind of:

Jamal:

fect, where it was announced,:

James:

Yeah, I agree. It's getting faster with the recent release of the Data Governance Act, and you've got the Markets Act and the other, what, three or four acts are coming out in the EU, and then the potential updates and changes within the UK with a paper that's come out. So it's kind of fascinating times of how it's kind of embedded in developing and we've got a new commissioner and just trying to keep up with all this stuff is just phenomenal. The thing that really excited me about kind of being an early adopter GDPR consultant was the fact that you end up sort of having to know everything about that business that you're talking with. It's not just the business itself, it's every department of that business. It's every a name and email. We all kind of know it, but every part of the business will process personal data, so you've got to understand it and then make sure you don't miss something. So you're not giving kind of bad advice, wrong advice, misunderstood advice, just asking questions about every different part of every organization. I bounce between everything from I work heavily for Sports Direct, that there are actually a phenomenal organization on the inside. There for sure, right through to the smallest sorts of organizations, like one-man bands and recruitment agencies and dating agencies. One of the interesting ones, it was actually a gay male dating fetish website. They had some data protection challenges. I probably don't want to mention what they were, but they were one of the early adopters of GDPR and just want to get themselves sorted so they were on board. And it's a great experience with that bunch as well. So it's so diverse and it touches everywhere. And somebody recently in the place where I work was saying to me, it seems like you can just go from sector to sector, you can just kind of diversify learning the sector, be a specialist and jump to another one. And I'm like, yeah, absolutely. 
It's fascinating that the scope and the ability that an individual has as a privacy professional, you don't get locked into maybe retail or maybe SaaS service or something else like that. You can literally jump from one to the next to next to next. And that is what has really kept me so motivated in the career. I recommend anyone to jump into it really.

Jamal:

Definitely. I think that's one of the things we enjoy most about having such a diverse range of clients on the consulting side of our business is one moment we're working with tech SaaS companies, the next minute we're working with healthcare, next we're going into someone with financial services. And the great thing is all of the skills are transferable, all the qualities are transferable, but you learn things that are different. Let's say the healthcare sector is doing something one way and the financial services sector would never have thought about that. But because of that broad range of experience, you can now bring innovation to make even more pragmatic solutions that actually work for the business. And everyone loves you a lot for it. One of the things you mentioned, James, a moment ago there was about really getting to know the business, and one of the things I say to my mentees on the accelerator program is by the time we've done the data mapping, by the time we've done a record of processing activities, if you don't know how to do the job of every single person there with anything they do with personal data, you haven't done your job properly.

James:

There's a lot of truth in that and it kind of leads me nicely into sort of what I do now because the one place, the one sector that I didn't quite understand when I was a consultant was probably the research sector and how that all works. And that is like was totally left field to the more corporate more, the normal GDPR stuff where legitimate interest and consent for marketing and all that kind of stuff. But before I came to the Evidence Quarter, I did a big gig consultancy for a large pharmaceutical research organization and that really started to open my eyes into the potential of that as a sector and real diversification of knowledge throughout all sectors. Because research, if you really think about it, is embedded into everything we do as well. If you've got maybe a salesforce platform within any organization, you're pulling out analytics and you're crunching that data to make some business decisions and BI, and then you've got kind of Microsoft Power BI and SQL databases and all these kinds of stuff and really what they do and they're doing research on that data. So how do you make that compliant and is that okay? And most organizations usually rely on the legitimate interest of data controller to be able to improve their organization internally. Now what's curious about kind of research organizations is while there's a massive interoperability of that data because it's required within each research project and you will be sharing data between each organization and you could be anything from two organizations to ten organizations working collaboratively to produce a bit of research. So I've kind of gone a little bit into what I do there, but it was almost like the last bastion of sectoral knowledge and I'm like, you know what, I want to see what that was all about.

Jamal:

Definitely. So you mentioned the Evidence Quarter and that's where you're currently working, which is home to lots of organizations which do great work for communities. What are some of the challenges with non-corporate organizations when it comes to data protection?

James:

Yes, it's a good question. Let me tell you a little bit about the Evidence Quarter then. Essentially there's something called the What Works Network. The What Works Network is basically a network of research organizations that are funded by central government, different governmental departments. The largest organization I work for under the Evidence Quarter umbrella is called What Works for Children's Social Care. And they are directly funded from the Department for Education, of course, for research into children's social care services, which believe it or not, before three years ago hadn't had any more than about three randomized controlled trials on, well, what is the government spending? Is it effective and is it actually improving the lives of the children that we're putting money into local government schemes and practices and charities, is it actually effective? So what What Works for Children's Social Care does is use that money to then do research on those interventions. Interventions like if we're taking a disadvantaged child to the zoo once a week for the next five weeks, it's a fairly bad example. But for spending that money to do that, does that have a significant improvement to their lives and do them?

Jamal:

What is the impact of that resource or that investment into the child?

James:

Yeah, exactly right, it's exactly that, yeah, for sure. And so if you start to extrapolate out and go, okay, well, how do we do that research? How do we collect that data? That's where the data protection bits and bobs kind of start to feed into that because you may have interviews like one to one or one to many. There are kind of group sessions where focus groups, for example, observations. So you may be there and maybe recording something that's going on and then reviewing that data. So of course you've got video footage as well. And you've got to think about the ethics as well, which is quite important, especially if you're having interviews. And ethics in research is based on something called the Helsinki Principle, which kind of stems from right about the Second World War, where if you are doing research on human subjects, then you need to gather consent. Lots of research organizations say, oh, well, it's a consent for the research then that is obviously consent for data protection practices. But unfortunately, that's kind of a bit of a misnomer because informed consent for research is not the same as lawful consent as a lawful basis in the GDPR. So you've got that to kind of contend with and then you've got multiple collaborators. So, I'm consistently working with multiple controllers. Maybe some of those are joint controllers and some of those will be independent controllers. You’ve got the likes of maybe a local authority that is running this intervention, doing this great thing. And then you've got the research organizations collaboratively working to extract the data. Is it effective? Let’s interview people, staff, families, children, and then also get the administrative data around all of this stuff. And not just administrative data, it's also the metadata that they'll possibly collect to then put this whole research package and research report together. So you've got all these little nuances of joint controllership. I haven't come across that very often. 
And then the fact that What Works for Children’s Social Care is funded by the Department of Education, we're then able to use public task as the lawful basis. Now, I didn't come across that very often in my consultancy days at all. And then you've got the whole implementation of data sharing agreements as well, where you have the ICO code of conduct for data sharing of agreements. And maybe there's a number of conversations to convince people that you don't necessarily need to share data between organizations to have to have or be party to a data sharing agreement. It's a shared use, it's a collaboration. And so that's the who, what, when, where, why and how of the data protection within the whole project that you're collaborating on. There's numerous challenges there. So you've got lawful basis, you've got joint controllership and you've got consent. All of these kind of thrown into the mix and then there's plenty of conversations and it took a while to get them to understand that that's what those challenges were because you kind of walk in and assume that there's a really mature practice in the sector. And I found it wasn't necessarily as mature as I thought. Some organizations did it great, some organizations didn't do it so great. That's kind of what I found in consultancy anyway.

Jamal:

Yeah, I stopped assuming it's going to be a mature framework to find anywhere, in any sector. Out of all the sectors, I think probably financial services sector is probably in better shape than most of the others. I think that's because they're so heavily regulated with all the other stuff going on that they have the resources and reputation is very important to them. That's probably the most important thing to financial institutions is their reputation. So they do take these kind of things very seriously. But what you're describing there, the quagmire of all the different challenges you have to navigate on a daily basis. It sounds fascinating and just trying to piece those conversations and explain those things to some of the stakeholders from the different organizations who might not be privacy educated has its own challenges, as I've been discovering and I've continued to discover. So you must really need lots of great people with all of your ten years plus experience, how important has it been to develop your communication skills, to really thrive in your role like you do now?

James:

I think it's paramount. I couldn't have gotten where I am without a level of diplomacy because one of the challenges here that I have to be very careful about is working with kind of doctors and professors and research analysts and all these kinds of highly respected individuals. And in these organizations they may have put together a set of data protection or GDPR policies and they set things up in a way they understand really nicely websites and other codes of conduct. And you realize when you read this stuff that it's good, there's just something not quite right. And you have to keep on digging and ask more questions until you unpack the onion and realize for the untrained eye it looks okay, but for the trained eye, actually there are some significant challenges to overcome that. And then you've got to meet these people and then very diplomatically, almost tell them that it looks great. And I understand how you got there. In fact, the reality of the fact is it's XYZ rather than ABC that you've put together there. The people skills have been incredibly important. I mean, the sense of humility that you have to come into these conversations because people do get aggressive, they spend a lot of time, they are expecting a bit of a fight maybe, because why do I need to speak to your data protection officer? I've spent kind of six months working on this and building this thing up. You don't want to go in, in any way or shape or form trying to offend anyone and tell them they're wrong. It is one of those huge areas where it can be a bit of a minefield. And people do come in aggressively and confrontationally and sometimes trying to be difficult, trying to catch you out. And the ecosystem of working with other Data Protection managers and DPOs and I guess untrained data protection professionals is that they are trying to catch you out. They're looking at the policy and the clauses and they're trying to say this bit or that bit or this bit. 
Yeah, we want to change this wording because it doesn't make sense. And they're really quite confrontational and they may not even realize that you're the one that's written this. You're in this call with them and trying to go through these bits and bobs again respectfully, carefully, and that interpersonal skills and being very polite and often something I use in yoga when somebody's asking me about certain poses like a downward dog. Am I doing this correctly? I always go in with what's positive first and then what can be improved. I usually try and double up on things as well. So it's two things that are fairly positive and really respectfully saying I can understand the interpretation, could be this way, but then backing up with information. So that whole survival mechanism that we're talking about at the beginning that you kind of build, it's not just survival, it's a backbone, but it's also kind of empathy and humility for what you're trying to do and trying to achieve to get the best outcome, but also the knowledge base. Because if somebody is asking you about something that is incredibly complex and technical, especially, let's take the comparison between ethical informed consent and GDPR consent. When somebody is like adamant, no consent is what we're going to use because that's how we want research part and trying to explain to somebody you have to back up with information and say there is a new ICO code of conduct on data protection research that confirms that should a research participant withdraw their consent during the research trial, then in that analysis you have to stop using the data, so you could be in the middle of it and you've crunched all these numbers and all this data. But then you have to stop, remove it, go back, and it just falls apart very quickly. So it's not a great mechanism. But what I'm trying to say is you have to back it up with knowledge. 
And the amount of reading that you have to do I think now is really increased dramatically because people are getting savvy and they are getting smarter and they are getting more technical with the legal language. And you have individuals that are not the privacy, professionally trained people, but they're dealing with you and they're always saying, well our legal counsel, this is the comment from my legal counsel. I'm like with the greatest of respect, I want to speak to legal counsel or I want to speak to the DPO because then I can have that kind of mutual conversation. So yeah, all that stuff.

Jamal:

I completely resonate with what you're saying there, James. And one thing I just remembered, as you were saying, you made me smile. So actually there's two things. Number one is you're talking about when you put together documents and people kind of review and want changes. Recently I finished up with a client who read through every single word, dissected every single word in the policies and all the standards. I was like, wow, it wasn't just a gist of it. They wanted to go through every single word by word and say, why have we used this word? Why can't we use that word? Sometimes what we have to remind ourselves is that we're there to serve the client. If that's what the client wants and it gives them the result that they're paying us to do, then great. Sometimes the client wants something, but it's not serving them or the organization. And we have to respectfully remind them, hey, I'm here to serve, but these are my objectives. And this is taking us away from the objective. And one of the things we teach in the Privacy Pros academy, so the academy, we have this twelve week accelerator program, and on the accelerator program there's five pillars that we focus on. And one of the first pillars is all about mindset. And all of these communication stuff comes into the pillar of the mindset. And I teach them a number of assumptions of an empowered privacy professional. And one of the assumptions we always teach them is everyone is doing the best they can with the knowledge and resources available to them. So if someone's coming up with something completely incorrect and non-factual, or they believe something that's not actually true to be true, then we always assume they're doing the best they can with the knowledge and resources available to them. And it's up to us, as well as privacy pros, to respectfully give them more knowledge that shifts their position. 
And the best way to do that is always by starting off, by establishing the baseline, establishing the framework. Remind them what you're here to do. Remind them you're here to support them with their objectives, with their goals. And that I find whenever we do that, it makes for a much more cooperative engagement with the clients. It's those ones that get you the hampers from Harrods to say thank you when you've done the job well done. At the same time, I've experienced where the client has previously gone to a Magic Circle Law Firm, had their documents revised, had them redrafted, paid £800 an hour for consultations. And I've seen the stuff and it's not worth the paper it's written on and having to explain that they're like, well, who are you? Yes, you might have all of these privacy qualifications and stuff, but I've gone to Magic Circle Law Firm who have done this. So then you have to respectfully show them this is what's required, this is what's happening, this is what best practice looks like. And these are the changes we need to make. We can keep things the way they are. But then the reason you've asked us to come and look at this is because things aren't right, and you want to get to a stage where you are compliant, where you're actually going to be on compliance and earning cultivating trust and inspiring confidence. If that's what we want to do here, then this is not going to be the thing that the ICO comes and is very pleased with.

James:

ch is that's why I got my ISO:

Jamal:

James, you mentioned a couple of the IAPP certifications, and I know you hold the CIPP/E. You've also said you've attained the CIPT, Certified Information Privacy Technologist. One of the things that we're actually known for at the Privacy Pros Academy is our award-winning IAPP certification mentoring programs, and we offer the CIPP/E, the CIPM, and the CIPT. Now, it's true, isn't it? Anyone can actually go and just read the book and go and pass the exam, but that's not really going to help you in the market. Employers, hiring managers, consultants, they're not looking for people who have a piece of paper. It's great you have a piece of paper, you get a quote for the CV. But the moment they start asking you questions, the moment you start going to consultancies, the moment you start working, they want to know you have the practical application of stuff. How important is it to work with a mentor to really get the theoretical understanding of how to apply the theory in practice for a thriving career in data privacy?

James:

You're talking to a guy who didn't get a mentor and had to kind of face the dark side of K2 to get to the top of it. So I'd say I would love that and it would have been incredibly helpful to shadow someone. So I was the first day data protection consultant in an organization called Cyber Crowd, and when that seemed to pick up, we were able to bring aboard another chap and he was able to shadow me and then be mentored by myself and also the CEO. I think the mistake most people make if they don't have that kind of mentorship is to go into maybe a consultancy conversation and think they're talking about the data. It's not about the data. My first question is, forget what you think this is going to be about. What do you do? Just tell me what you do. I'll figure out where the data is flowing in there. That bit is easy because it's always second. And the more challenging consultancy gigs that I had, and even conversations where I am now is where people are trying to feed me what they think is the right information. We do this, we do this, we do this. The more they do that, they're fairly convinced they know what you want, but actually they usually don't really know what they should give you. Therefore they give you a lot of the wrong information.

Jamal:

I find a lot of the times when they do that, it's because there's been a consultant, let's say a bad consultant, that's been in before you. And they sat there with the laptop and they've probably gone through a form on some kind of software application and just asked them the questions and got them to fill out and do their work for them. And I say only bad consultants go there, pull up a laptop platform and try and populate that form. Without trying to understand, what do you say you actually do? Why are you doing these things and how long have you been doing it that way? Are you following anything specific? Why are we doing that? Get curious, get to really understand why are they doing what they're doing? Does it actually make sense? When was the last time they reviewed the way they're doing things? And what you often find is people just especially for the more established and the longer running businesses, they've just been used to doing things a certain way and no one's actually looked at it. GDPR has come in, we have to think about data minimisation and all of these things, and we're just collecting all this information because that's the way we've always done things. It's nice to have. The last consultant that came, he just asked us to answer questions, we fill out the form and he said everything is good, right? So how do you overcome what someone's done, damage someone's done previously? And I go always back to those assumptions of empowered leadership and embedding communication. Communication is so important. It's about building that rapport and then being able to pave space and then the people towards the right outcome, which is a win for their business, which is a win for them as an individual and a win for you, knowing that you've got the satisfaction that you've done a job well done with them.

James:

You're absolutely right there. You can't go into those conversations expecting the right answer, no matter what they say. There are a lot of privacy professionals now, that's the thing. And they call themselves privacy professionals and I come up against them a lot. I would have had major higher education institutions. I've gotten them to update their privacy notices and external facing policies because they just don't fit and are not right and I'm the one calling them out in the same way that I've had the privilege now to kind of dovetail into something else that I've been up to, which is creating a data archive in the Office for National Statistics and working with these governmental departments and understanding how they work and actually ending up maybe in some capacity, advising them on some updates they would do. Because what we were trying to put together never actually been done before either. So there's lots of avenues to go down there. But the amount of people that do think they understand it properly in a way that makes them compliant is getting a little scary. I think the people with the types of qualifications that you guys do give, but they just filter to the top fairly quickly and become well known. But there's still a lot of people making a lot of money out of this and it's just going to grow. It's going to get bigger and bigger and bigger because the whole interoperability of data thing is not going to stop.

Jamilla:

I think this is the longest I've ever stayed quiet on a podcast because I'm listening so intently to both of you. You briefly mentioned the Office of National Statistics and you're passionate about creating a compliant data archive in the Office of National Statistics. Could you tell us a bit more about that?

James:

Jamilla, that's flattering. So thank you so much for saying that. I kind of came into the Evidence Quarter and I guess in the first couple of months that they had this project floating about, which was within one of the organizations I work for, within the EQ, it was What Works For Children's Social Care. They wanted to put the social care research data into an archive for future use of secondary use of that data for future research. So you do the research once, that's a point in time and then you make it available for further research and other researchers to access it in this secure environment. The ONS itself has an environment called the Secure Research Service, the SRS. They only allow a certain type of access, so they have something called five safes so they have safe data, safe people, safe access. I forget the other two off the top of my head, but they really put you through the wringer. One, if you want to set up your archive, you have to jump through like numerous amounts of hoops, legally and in documentation and technically and all those kinds of things. But the whole concept behind it, of course, is, well, you don't just want this point in time data, you want to get the richness of that data to be used over a long period of time and then end up making it maybe a longitudinal sort of study. And you've got to remember that the ONS of course they have everything from census data to NHS data, Department of Education data, National Pupil Database, the ISA database, the Higher Education and Statistical Authority databases. All this kind of incredible information that researchers where I am they do get interested in running a bit of research to see if this intervention that the local authority paid for, for the kids to do something or for their families or social workers to do something. Does that have a positive impact over maybe a three-to-five-year period on academic achievement from the National Pupil Database?
So wouldn't it be great to put those two together? And so they do and they can. What I've been privileged to do is actually be part of the first charity to get data into the ONS outside of kind of a governmental institution to provide this richness of data. Like, yeah, we've done this intervention. This is the cohort; this is the group of people that we're researching upon. Was that intervention effective? And we also put up against the National Pupil Database, for example, for academic achievement. If you're doing a secondary bit of research and you want to use the data that What Works for Children's Social Care has, and you want to find that pupil from the National Pupil Database, you can use that data to do so and match it with the data that you've collected. So you've got this kind of triangle going on here. You've got the ONS with the national database, you've got our data that we've mapped via anonymized methods. It's more functional anonymisation as a methodology, so you can find that child in our data and then have an outcome for your report. But it's all still anonymized. You can never pull that data out and go like, oh, it's a little John Smith or James Smith over here that we're looking at. Although in the mechanisms they have, you're able to kind of crunch the numbers up against the same set of people. Hopefully that makes sense.

Jamal:

It sounds scary and fascinating at the same time. What were you going to say, Jamilla?

Jamilla:

No, I just think as a researcher, sometimes you get data that doesn't give you the whole picture. So being able to put that against another set of data that can give you more information and the bigger picture, I think is really useful, for sure.

James:

And what the ONS Secure Research Service really is, it's what's known as a trusted research environment, which really feeds into the whole concept of, I guess, the advancement of privacy enhancing technologies. And there's this huge push now and the NHS within the last few months have received a 200-million-pound government grant to create a trusted research environment for the full interoperability of all NHS data. In fact, yesterday a paper came out called the Goldacre Report, which is like 112 pages of report around, well, what's the overall goal? We can actually maybe look to solve the challenges around cancer, around strokes, around all these kind of debilitating diseases by getting hold of all NHS data. I'm talking all GPs, all hospitals making it completely interoperable and also have the data scientists and data analysts use that data within these trusted research environments. As you can imagine, what's happened is you've got a lot of TREs, they're called TREs, in lots of different hospitals with lots of different sets of data that different researchers can get into and use that data. Now, what if that is totally interoperable and how do you make that compliant? What's the legislation? I mean, that's massive data sharing where we generally don't know how our NHS data currently is being used. For example, for what outcome and where is it, how is it being used? And the government is just relying on public task for public benefit and public interest as a lawful basis for non-consented data. That's what they call it. I've kind of done a bit of consultancy for an organization also doing research by using what's known as the NHS ADS data, hospital episodic statistical data, and that is in fact sold by the NHS to organizations to run analysis on our data. We're not aware of where it is, what it is, why it's being used in that way.
And then you've got the GDPR saying, well, Article 14, you've got to have a data protection notice for anything that isn't collected directly from me. Where are they and how do you ever know which one to look at? So they've got some huge challenges to overcome and I think one of the ways that it will and will be kind of a massive development in PETs, privacy enhancing technologies, is the federated analytics, federated learning, and then taking it a step further and then adding the likes of differential privacy. What I found is the ONS have begun to use a term called functional anonymization, which is a fairly new thing, especially in these data sets where it says the way you use that data means it remains anonymous. Now, arguably you could say pseudonymisation, isn't that the same thing? Because I'm not going to give you the key to reidentify. But then of course you've got to go through the motivated intruder test to see if, well, what if the key or separate data set or external data sets could allow you to reidentify, whereas functional anonymization means you can use the data that is identifiable in a way that you would never be able to reidentify through technical means. So it's not even necessarily a pseudonymization per se. It's all technically anonymized, even though at the point you are using it is not anonymized, which is very curious.

Jamal:

Now, sounds like that's something that needs further investigation to really appreciate the gravity of what you're suggesting is possible.

James:

Yeah. UKRI, something called UK research. But they're actually funding a project that I've got involved with called the DARE UK, where they're creating a blueprint around how to make data interoperable in these environments and also retain privacy and the protection of personal data. And one of the challenges they're having is, well, the legislation, how do you actually comply with GDPR with these things in these mechanisms? And I've often kind of talked about it in sessions I've had with them around, well, surely if you want people to know what's happening with the data, you've got to keep a bit of a ledger of that stuff. And what's the newest ledger technology that's popped up? You're talking decentralized ledger technologies, blockchain being an example of that, which is of course what Bitcoin is based upon. Although when you really think that a DLT, distributed ledger technology, and blockchain is just one type of DLT, you've got the opportunity to create a DLT to then be able to record what is happening with your data interoperable on an open ledger format that you would only have access to from maybe your own digital identity wallet. Then nobody would be able to reidentify you. So it's like it's way out then the technology is there and I've gotten so excited and it's all because of this ONS project. Sorry, a bit passionate.

Jamal:

No, don't apologize. We love passion. We love passion and that's what the Privacy Pros Academy is all about, is giving ambitious professionals a community to come together where they can be passionate with the right people around them. I want to ask you one more question if you can squeeze it in. This is in relation to people listening. We've had over 12,000 downloads at the point of listening. We have audiences across 82 different countries. Privacy is growing in every single country that I can think of. What advice would you give to privacy professionals to really take their career to the next level?

James:

The strength of the profession is highly respected now and it's becoming so embedded. What is the secret? Approach it with a total blank slate, open mind in every conversation you have around personal data. We kind of talk around that sort of stuff, but just read constantly and get involved with what's going on. That's the only way you can learn and pick up and keep going and you will make bad choices and be okay with that and stick your hands up and say, yeah, that was a bad choice, a bad call because of my interpretation of something. But then solve it. What's the secret sauce? It's being a problem solver. If you can solve problems, then you're in for a pretty good career. And so it's a level of creativity. If you are the maybe, the more technically minded and this is how it needs to be. It's XYZ and there is no other, maybe data protection isn't necessarily for you, whereas the more creative you are and can be and you have that little bit of flair of personality as well, then data protection probably is for you because you need that. But you also need that real inner resolve to be able to tackle conversations and questions from people that are maybe the tops of these multimillion-pound organizations that are questioning you, that are pulling you apart in front of all your colleagues and all theirs. And you've got to very respectfully defend yourself and come back. So I think that takes quite a creative mind and a speed of thinking. But it's about just be real, be yourself. You can't know everything, be honest. If you don't know something and just be empathetic, people will then respect you a bit more. But one thing I always try and do is leave people with a smile. Leave them actually a bit lifted. My interaction with James or whoever is like, yeah, I really like it because people do not remember you for what you tell them. They remember you for how you make them feel. If you make them feel good, they're going to like you.
And you kind of need to have that maybe a little bit of spark and charisma to be that point of contact where they want to get in contact with you and tell you about a breach that they've caused. It's a real problem that could take the company down if it's not solved immediately. But they've come to you within the first 10 seconds of them realizing. And I think that's the secret sauce again, it's interpersonal skills and making sure they trust you, you are respected and.

Jamal:

They feel good about interacting with you. Absolutely, 100%. I couldn't agree more with some of those points you made, James, especially the one about remembering that people don't remember what you say, they remember how you made them feel. And if you can make people feel good, it's going to make you feel great, it's going to make people feel like you're there to help them and you're adding value. They'll be more than happy to reach out to you. I think one of the reasons I really put so much energy into making our mentoring sessions, our consultancy, fun is I tell my consultant, we're not just there to get a task done, we're there to give people an experience. And the experience is how they reflect on the service that we're providing. And that's the reason why 80% of our business comes from referrals is because of the experience that we give people when they choose to work with us. So thank you for spilling my secrets, but also for sharing that with our listeners, valuable listeners across the world as well. James, it's been absolutely amazing speaking with you. I'm sure we could speak for hours and hours on end.

Jamilla:

Thank you so much. It's been a pleasure having you on our podcast.

James:

Jamal, Jamilla. Thank you. Amazing.

Outro:

If you enjoyed this episode, be sure to subscribe, like and share so you're notified when a new episode is released.

Outro:

Remember to join the Privacy Pros Academy Facebook group, where we answer your questions.

Outro:

Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world class Privacy Pro.

Outro:

Please leave us a four- or five-star review.

Outro:

And if you'd like to appear on a future episode of our podcast or have a suggestion for a topic you'd like to hear more about, please send an email to team@kaziet.co.uk.

Outro:

Until next time. Fine. Peace be with you. Bye.

About the Podcast

Privacy Pros Podcast
Discover the Secrets from the World's Leading Privacy Professionals for a Successful Career in Data Protection
Data privacy is a hot sector in the world of business. But it can be hard to break in and have a career that thrives.

That’s where our podcast comes in! We interview leading Privacy Pros and share the secrets to success each fortnight.

We'll help guide you through the complex world of Data Privacy so that you can focus on achieving your career goals instead of worrying about compliance issues.
It's never been easier or more helpful than this! You don't have to go at it alone anymore!

It’s easy to waste a lot of time and energy learning about Data Privacy on your own, especially if you find it complex and confusing.

Founder and Co-host Jamal Ahmed, dubbed “The King of GDPR” by the BBC, interviews leading Privacy Pros and discusses topics businesses are struggling with each week and pulls back the curtain on the world of Data Privacy.

Deep dive with the world's brightest and most thought-provoking data privacy thought leaders to inspire and empower you to unleash your best to thrive as a Data Privacy Professional.

If you're ambitious, driven & highly motivated, and thinking about a career in Data Privacy, a rising Privacy Pro or an Experienced Privacy Leader this is the podcast for you.

Subscribe today so you never miss an episode or important update from your favourite Privacy Pro.

And if you ever want to learn more about how to secure a career in data privacy and then thrive, just tune into our show and we'll teach you everything there is to know!

Listen now and subscribe for free on iTunes, Spotify or Google Play Music!

Subscribe to the newsletter to get exclusive insights, secret expert tips & actionable resources for a thriving privacy career that we only share with email subscribers https://newsletter.privacypros.academy/sign-up

About your host

Jamal Ahmed FIP CIPP/E CIPM

Jamal Ahmed is CEO at Kazient Privacy Experts, whose mission is to safeguard the personal data of every woman, man and child on earth.

He is an established and comprehensively qualified Global Privacy professional, World-class Privacy trainer and published author. Jamal is a Certified Information Privacy Manager (CIPM), Certified Information Privacy Professional (CIPP/E) and Certified EU GDPR Practitioner.

He is revered as a Privacy thought leader and is the first British Muslim to be awarded the designation "Fellow of Information Privacy" by the International Association of Privacy Professionals (IAPP).