In Conversation With Eduardo Ustaran
World Renowned Privacy Lawyer With Over 25 Years Of Experience Shares The Secrets To His Success!
Attention Data Privacy Professionals who want to take their career to the next level
Hi, my name is Jamal Ahmed and I'd like to invite you to listen to this special episode of the #1 ranked Data Privacy podcast.
In this episode we're joined by Eduardo Ustaran, Global co-head of the Hogan Lovells Privacy and Cybersecurity practice to talk about his illustrious career. Find out about his 'accidental' start in Data Privacy, the key privacy challenges every Privacy Pro must be aware of, plus a Q&A with the Privacy Pros community!
Discover:
- The future of Data Privacy and how Privacy Pros can keep up with emerging technologies
- How to approach updates to Standard Contractual Clauses for International Data Transfers
- Why Data Protection should be a concern for everyone
- What it takes to sustain a thriving career in Data Privacy
- What the industry is missing and how to stand out
You can't afford to miss this episode!
Global co-head of the Hogan Lovells Privacy and Cybersecurity practice Eduardo Ustaran is widely recognized as one of the world's leading privacy and data protection lawyers and thought leaders.
With over 25 years of experience, Eduardo advises multinationals and governments around the world on the adoption of privacy and cybersecurity strategies and policies. Eduardo has been involved in the development of the EU data protection framework and was listed by Politico as the most prepared individual in its 'GDPR power matrix'.
Based in London, Eduardo leads a dedicated team advising on all aspects of data protection law – from strategic issues related to the latest technological developments such as artificial intelligence and connected devices to the implementation of global privacy compliance programs and mechanisms to legitimize international data flows.
Eduardo is the author of The Future of Privacy (DataGuidance, 2013), a ground-breaking book where he anticipates the key elements that organizations and privacy professionals will need to tackle to comply with the regulatory framework of the future.
Eduardo is co-founder and editor of Data Protection Leader, a member of the panel of experts of DataGuidance, and a former member of the Board of Directors of the IAPP. Eduardo is executive editor of European Data Protection Law and Practice (IAPP, 2018), and co-author of Data Protection: A Practical Guide to UK and EU Law (OUP, 2018), Beyond Data Protection (Springer, 2013), E-Privacy and Online Data Protection (Tottel Publishing, 2007) and of the Law Society’s Data Protection Handbook (2004). Eduardo has lectured at the University of Cambridge on data protection as part of its Masters of Bioscience Enterprise, and regularly speaks at international conferences.
Follow Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/
Connect with Eduardo on LinkedIn: https://www.linkedin.com/in/eduardoustaran/
Subscribe to the Privacy Pros Academy YouTube Channel: https://www.youtube.com/c/PrivacyPros
Transcript
Are you ready to know what you don't know about Privacy Pros? Then you're in the right place.
Intro:Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts. The podcast to launch, progress and excel your career as a privacy pro.
Intro:Hear about the latest news and developments in the world of privacy.
Intro:Discover fascinating insights from leading global privacy professionals, and hear real stories and top tips from the people who have been where you want to get to.
Intro:We're an official IAPP training partner.
Intro:We've trained people in over 137 countries and counting.
Intro:So whether you're thinking about starting a career in data privacy or you are an experienced professional, this is the podcast for you.
Jamilla:Hi everyone and welcome to the Privacy Pros Academy podcast. My name is Jamilla, and I'm a data privacy analyst at Kazient Privacy Experts. I'm primarily responsible for conducting research on current and upcoming legislation as well as any key developments and decisions by supervisory authorities. With me today as my co-host is Jamal Ahmed, Fellow of Information Privacy and CEO, Kazient Privacy Experts. Jamal is an astute and influential privacy consultant, strategist, board adviser and Fellow of Information Privacy. He is a charismatic leader, progressive thinker and innovator in the privacy sector who directs complex global privacy programs. Considered by his peers and clients to be one of the UK's pre-eminent privacy experts, he has the credibility and gravitas to engender confidence. He is a sought-after commentator, contributing to the BBC, ITV News, Euro News Talk Radio, the Independent and The Guardian, amongst others. The Privacy Pros podcast reaches an audience in 72 countries and is ranked the number one privacy podcast in the world and one of the top three GDPR podcasts. Jamal strives to be a great leader, listener, and coach. He has grown a talented, high performing team who protect the privacy of a billion plus data subjects and are international experts in data privacy, GDPR and cybersecurity. Jamal and his team are driven by the principles of simplifying and demystifying privacy, removing complexities, and educating clients to forge a privacy by design culture that enables clients to build their internal privacy capability and capacity. He works with global clients across multiple sectors and jurisdictions, partnering with boards and C suite, debates constructively, challenges rigorously, questions intelligently and advises pragmatically alongside exceptional experience and qualifications. He adds value by providing pertinent insights, bringing alternative perspectives, and triggering healthy debates. Hi Jamal.
Jamal:Hey Jamilla. Good afternoon. How's it going?
Jamilla:Very hot. How are you?
Jamal:I am also extremely hot. But you know what’s hotter? Our guest for today. He is the hottest thing in data privacy. Please tell us more about our guest.
Jamilla:Yes, we're very excited to welcome our guest, Eduardo Ustaran, who is the global co-head of the Hogan Lovells privacy and cybersecurity practice. He is widely recognized as one of the world's leading privacy and data protection lawyers and thought leaders with over 25 years of experience. Eduardo advises multinationals and governments around the world on the adoption of privacy and cybersecurity strategies and policies. Eduardo has been involved in the development of the EU Data Protection Framework and was listed by Politico as the most prepared individual in its GDPR power matrix. Based in London, Eduardo leads a dedicated team advising on all aspects of data protection law from strategic issues related to the latest technological developments, such as artificial intelligence and connected devices, to the implementation of global privacy compliance programs and mechanisms to legitimize international data flows. Eduardo is the author of The Future of Privacy, a ground-breaking book where he anticipates the key elements that organizations and privacy professionals will need to tackle to comply with the regulatory framework of the future. Eduardo is cofounder and editor of Data Protection Leader, a member of the Panel of Experts of DataGuidance, and a former member of the Board of Directors of the IAPP. Eduardo is executive director of European Data Protection Law and Practice and co-author of Data Protection: A Practical Guide to UK and EU Law, Beyond Data Protection, E-Privacy and Online Data Protection, and the Law Society's Data Protection Handbook. Eduardo has lectured at the University of Cambridge on data protection as part of its Masters of Bioscience Enterprise, and regularly speaks at international conferences. Wow, what a bio. Welcome, Eduardo.
Eduardo:Thank you very much. I should add that now I'm speaking of this podcast, so I'll add that to the bio, I think.
Jamilla:Please do. That would be amazing. Okay. I ask an icebreaker question, always very random and nothing to do with data privacy, and it's something that I was talking to one of my friends about this week, so I thought I would use it. If you could domesticate any animal and have it as a pet, what would you have?
Eduardo:Wow, that's not a question I was expecting. I have cats, right? Yeah. I don't know if cats count as domesticated. I don't think my cats count as domestic. And if I could domesticate my cat so that we could do, like, high fives and things like that and then put that on Twitter or something, that would be a good call, because I see that sometimes and I wish my cats did that, but they're just quite lazy to be honest.
Jamilla:What about you, Jamal? If you could domesticate any animal?
Jamal:If I could domesticate any animal, I'd probably get an elephant.
Jamilla:What would you do with the elephant? Like, ride it to work.
Jamal:I’d have so much fun. And can you imagine how much stuff the elephant can remember? I'd love to talk to the elephant. I would never have to remember anything in my head. Just ask my elephant.
Jamilla:That would be good. Ride the elephant instead of going on the tube. I think we know which would win. I would have a giraffe because I'm quite short, so I could reach things in the cupboard, or the giraffe could for me. I think every time I ask one of these questions, Jamal looks at me like I'm getting weirder and weirder every time we do a podcast. But it's a good way to get to know our guests. We're going to go into the privacy questions now. Eduardo, tell us a little bit about yourself growing up and how you got into data privacy.
Eduardo:Well, I probably have to go back quite a bit. The real reason why I got into this is because I was a paralegal in a law firm many years ago and there wasn't anyone in that law firm that knew anything about data protection, because it was the mid-nineties and data protection didn't quite exist in the real world. And a client at the time asked a question and someone said, well, let's ask the new guy, the paralegal, see if we can find the answer. And somehow, I managed to find the answer to that question. I was an instant expert in data protection in the entire law firm. So yeah, I think got any better going forward. But that's how I started.
Jamal:And the rest is history.
Eduardo:The rest is history. Yeah. I'm still trying to figure out whether the answer was correct at the time, but I hope it was.
Jamilla:What made you stay in data privacy? You said you have 25 years of experience. What made you stay in data privacy and not jump ship?
Eduardo:Apart from the fact that it felt nice to be the person that knew at least something about data protection, what really, really happened was that this was happening in the mid-nineties and nineteen ninety-five. The EU had just passed the directive and what was a very innocent question by a client became a series of questions by different clients of the problem. So someone had to learn the area. And I thought that not having actually studied data protection law in university, and I went to university in Spain, I went to university in the UK years and years of the studies. And then my life suddenly was about something that I had never studied at university. But it was fascinating because it had to do with the use of personal information. And I thought, oh, that's kind of cool. And as the law evolved and the questions became more relevant, then it's electronic challenge only grew. So that's how I got into it.
Jamilla:With all your experience, are you able to predict a future in data privacy or is it no?
Eduardo:Everyone can predict the future. The question is who will get it right? The thing is, there are two things that I guess two or three things that you need to bear in mind in dealing with the future of data protection and privacy. One is that technology is constantly, constantly, constantly changing and testing the boundaries of what we can do with information and how we can disseminate information and so on. Technological developments, the ones that we can even think about today, will be part of the driving force. Then you also need to take into account that data and information is so valuable that when you look at data protection law, you need to take into account the fact that data is part of what rules the world. So it's not a theoretical science. It's not something that you can say, well, we're talking of fundamental rights. So that trumps everything in the real world. It doesn't. You need to be able to see the bigger picture. So I think the value of data and how that evolves is also another factor, and then the fact that all of this is happening at a global scale. So if you put all of that together, what I think will happen is that the law itself and the work that we do will have to adapt to the technology that is changing, and we'll have to take into account what is happening throughout the world. So it's only going to become more difficult, I guess. So I think we're going to have to keep learning.
Jamilla:You said you started your journey of data privacy in the 90s. Were you able to see where data protection was going in terms of the GDPR coming into effect?
Eduardo:Well, it would be really cool if I could say yes, of course I did. Partly in answer to your question of why I got into it, because I thought that, again, the mid 90s or late 90s, that was the beginning of the Internet as we know the Internet beyond the pure academic world. And what I could see was happening was that, as I was saying, the data and the use of information was becoming so pervasive that the rules and the laws that govern the use of that information were going to become more and more important. So that's why I did think that there was a future. And at the time, I guess even my parents were saying, are you sure you want to dedicate yourself to this area? Why don't you do litigation? Why don't you do corporate or something a little bit more meaningful? And I thought, no, but there's a real future in data protection. It's just that not many people know about it. But to an extent, I did think that this would become as big as it has become, although it was more of a gut feeling than real knowledge.
Jamal:I remember when I first looked at the first version of the GDPR as it came out, and I remember looking at it, I was like, there is no way this would ever see the day of light. There is no way big businesses will allow this. I'm sure they'll lobby it and water it down. What was your reaction when you first saw the draft legislation?
Eduardo:I seem to remember, wow, this is ambitious. I thought that was a real complex framework, all put together with lots of different styles. And sometimes I compare the GDPR to a cathedral or to a gothic cathedral that maybe would be even more appropriate, something like all these different styles and all these different concepts put together to make something really big and really spectacular. So it was a bit like that from a legal perspective, that you have rights and principles and prescriptive rules next to very woolly rules and big enforcement powers and bigger geographical outreach. So all of that mixed together. I thought, well, this is going to take a lot of work to even digest on this.
Jamilla:We've had a lot of questions in for you, from our colleagues, from people from our Privacy Pros Academy. I'm going to start with one of them which came in from our colleague Ananya. She wants to know about your textbook writing and what went into writing it and how did you go about writing your textbook. You've got a lot of publications that I read out in your bio, and this probably will help me as a PhD student, how do you go about writing something like a textbook?
Jamal:What we're talking about is this one here. The European Data Protection Law and Practice. And it’s actually the official textbook that the IAPP, the International Association of Privacy Professionals, uses for people to prepare for the exam to demonstrate that they are an expert on European data protection, and they have the foundational understanding to go and help clients and really make this happen. And one of the things that's really fascinating and the reason why I feel a bit star struck is this book that we have here. It's what we rely on to help all of our students that come and mentees that come from the academy. But it's not just the people that come to the academy. There are thousands of people all around the world reading these textbooks, studying these textbooks and really going on to have careers in data protection. And it's Eduardo that we all have to thank for putting this together. Because I remember when I went and did my CIPP/E exam, we didn't have this. There was like a handout, which was some stuff that Bird and Bird had put together, and a couple of booklets and leaflets that the IAPP threw in our direction and that was it. And now you have this amazing book that's really well put together, really well structured. It breaks it all down and Eduardo, you changed the world for so many privacy professionals. So I’m really keen to hear about your thought process behind the book, and then I want to ask you a little bit more about the actual sections that you put together as well.
Eduardo:Thank you. Well, the IAPP European Data Protection Book, I shouldn't really take credit for writing it because it's not like I wrote the whole book. I'm the editor. That means that the book is written by a number of contributors. I have written, obviously a couple of chapters of that book, and I edit the whole thing. But I think the one thing I want to emphasize is this is a team effort. It's not just me writing the whole book, but the way we approach this book, the third edition, by the way, is about to come out and I don't know if many people know that, or maybe I shouldn't be announcing it before the IAPP does, but there you go, the original edition, the first edition, which of course predates the GDPR. When we started thinking about it within the IAPP, and I was at the time involved in the real genesis of this book, we thought, let's try to summarize data protection, European Data Protection Law in the most practical possible way. This is not a textbook for students so much, or it’s a book for professionals. And when I volunteered and I volunteered my team to write the book, I actually said, we're going to write this book as we would write legal advice to a client, as we will write a memo. So try to be really practical, very precise, of course. And I think it's important when you write about law to be as precise and comprehensive and clear, obviously, as possible, but at the same time, in a very practical way, that brings down the concept to a level that everybody can understand. And you were asking me about why I write so much. I think in our profession, or at least as a lawyer, it is important to look at the law and interpret it in a way that then you make it accessible to people. Something that happens a lot in our area and I'm sure you've seen this before, is that a law gets passed, for example, like the GDPR? And everybody says, okay, we have to look, where is the guidance? Where's the guidance? Why aren't the regulators providing guidance? 
Where's the EDPB providing guidance? And I'm thinking, but we don't necessarily need that kind of, the law is already there. It's just that you need to read the law. But it's just difficult sometimes to read the law because you need to understand the policy, objectives behind it and the real scope of the law and all that. So I think by writing about a law or a case or anything to do with this area, you really have to think it through and then try to put it in a way that people understand it. And I think that's part of our job and that's why I enjoy it as well.
Jamal:Yeah, putting it together for taking the initiative to really say, I want to leave this. But when you read the 99 articles of the GDPR, especially someone like me, who doesn't have a legal background, it doesn't really make sense. Like, what do we do from a practical point of view? How do we implement that and how do you operationalize it? It's when you read sections like here, when you've got the actual Internet technology and communications and direct marketing, and the bit that you wrote, chapter 18 about outsourcing and chapter twelve, international data transfers, it's a whole mess. So having this really makes it clear, for privacy professionals and for myself, really, exactly how we should go about thinking about this stuff, what the law is actually trying to get us to do, and then operationalize and implement that to really help businesses to adopt those honest and compliant practices. And on behalf of every single person who has ever picked up this book, whether it's the first edition or the third edition, I really want to say thank you for putting this together. You've really helped us to make a career out of data protection and really enjoy and really thrive and we owe so much to this book. And I really can’t thank you and the rest of the team enough for that.
Eduardo:Thank you. I'm going to extend your thanks to the whole team behind that book because it was a team effort. But the issue with all laws, but I guess even more so with data protection law, because it's so, in a sense, business critical and so relevant to everyone's life, is that you need to make sure that the law that exists translates into practical actions. Because otherwise the reality is that if you have a law that doesn't have a practical application that is not even viable as a law, then you have a completely useless law. But if you have a law that you can understand and you can put it into practice, then you can achieve two things. First, you're more likely to be able to comply with it and that's already a benefit. But even more important than that, you are able to run a business or whatever you are doing with data, in this case in a way that you know you will be able to do it and that it will be viable and that will be in line with the policy around issues like the use of personal information, the direction of that policy is going. And I think it's really important to have that long term viability, if you want, when you do something. So I think when we wrote this book, our aim was always, let's try to ensure that we just bring this into palpable real content that people understand, that people then can put into practice and say, if I do this, I get it right, if I don't do that, I will not get it right. So I think that's a little bit the thinking behind how we have approached this problem.
Jamal:Thank you for sharing this. It's actually quite fascinating. I could sit here listening to you talking about it all day. Your chapter on international data transfers and our friend Max Schrems has kept us all very busy on that. What do you think the future is in relation to adequacy for the UK with the reforms?
Eduardo:Well, that's the question that many people are asking. I think it's not a difficult question to answer. I think that as long as the UK does not radically change its approach to data protection as a law that is there to help people and to protect what is essentially a fundamental right, then adequacy is not in danger. And I think that we don't know what's going to happen in the UK, but the direction of travel is one that doesn't suggest that the UK is going to radically change things. So I think that as I'm saying, unless things change very radically, I wouldn't worry about adequacy for the UK. And I think it should be obvious to everyone that UK Data Protection Law, despite Brexit and irrespective of what the Data Protection Bill may bring, is not going to radically depart from the European approach to data protection because it's based on the same principles, it's based on the same concept. So I think I'm relatively relaxed about this issue.
Jamal:Okay, what are your top tips for those lawyers, those privacy professionals who are actually trying to get their heads around the standard contractual clauses and the UK addendum? And then this and the update, and they're going through a lot of pain. What did you say to them to make it easy for it?
Eduardo: rnational data transfer since:
Jamal:Yeah, absolutely, that makes sense. The other big item that you also wrote about is outsourcing. And like I said, international data transfers will always happen, and businesses also outsource work and work with other vendors. Tell us a little bit more about why you chose to write that section.
Eduardo:These days, outsourcing means that it's about the partnerships we're seeing, the fact that organizations don't operate in isolation. And in the world of data, I think it should be obvious to everybody that the way in which service providers contribute to the use of data by everybody else is so fundamental that the relationship between those who, using jargon, are the controllers, those who own the data, those who have responsibility for the data, and those that are contributing to the processing, that are servicing those uses of the data, is really important. And that relationship, of course, is already contemplated in the law by the relationship between controllers and processors. But that it goes beyond what the law says because you have to ensure that as what we call processors become more and more influential and more independent in the way data is used, and more a bit like controllers, that relationship still has some sense or some function, ultimately to ensure that the data is properly protected, properly used and not abused. So that's what the outsourcing chapter is about and how that is regulated and how you go about complying with regulation in that context.
Jamal:So that brings me on to talking a little bit more about the textbook. From the CIPP/E exam point of view, what is the best way to make the most out of this resource when they're preparing for their exams and they're preparing to serve their clients, when they’re preparing to best serve their organizations?
Eduardo:Well, first you need to read it. And I think it's important to read it in a way that is kind of open minded, in the sense that Data Protection, that's not just about this book. It's in general about data protection in the sense that it's made up of so many different elements. You've got this whole idea of principles and data protection law from very early on was meant to be less prescriptive and more principle based. So there are chapters in this book that talk about the principles and about the legal grounds for processing. So those are super important concepts that are a little bit abstract in a way, in the sense that it's not super prescriptive what you need to do to comply with those principles or to find a suitable lawful ground. So then you need to approach again that bit of the law, as we are contemplating in the book, from that slightly creative perspective. Then there are other aspects of the book that are slightly more prescriptive perhaps. All the bits about accountability or data protection by design and by default or data protection assessments and obviously data security. All those things are more practical in a way and it's more about understanding not just the what, which is the first bit, but the how, and how to do a data protection impact assessment and how to rely on or how to ensure that you know how to report a personal data breach. So those are the more practical side of things. And then of course, it's really important to not forget that data protection law is about people, it's about our digital existence. And therefore, the rights of individuals are an important element of what European data protection law is all about. But again, rights are never or hardly ever absolute rights because my rights may conflict with someone else's rights. And we need to bear all of that in mind. And I think the whole area of data protection rights is also very important to understand from that perspective that is not all sort of black and white.
You need to be able to operate in a situation where you understand the importance of everyone's rights, but putting that into a practical context so as I say, different bits of the law, like different bits of the book, requires slightly different mindset if you want, but you have to approach it like that and hopefully it would make sense.
Jamal:All right, so for everyone listening, what Eduardo is saying, the man behind the book is saying when you pick up the textbook, or when you pick up the book, you have to have an open mind. You have to realize that this law is actually more principle based rather than prescriptive. And therefore you should approach the book like that. There are going to be elements that are prescriptive around the accountability side of things such as how to do the data protection impact assessment, making sure you get a standard contractual clause and all of those elements right. But fundamentally we should always remember that it comes down to people and people's rights. And even then, not every single right is absolute, bar the right to object to direct marketing. There are no absolute rights and we have to think about all of that. And we also have to remember that there is not necessarily going to be a black and white answer that they're going to find in the textbook for every single scenario. They have to be led by the principles and just be guided by that. And different sections of the book will require a different mindset to really get the most out of it. Does that sound about right?
Eduardo:Yeah, I think that the reason black and white answer is the answer to all the questions around data protection in the sense that it's not just data protection law, it's all laws. Maybe not tax law, but law is not mathematics and therefore you need to balance things out. And data protection, particularly one of the big ingredients if you want or one of the big changes that the GDPR introduced was this idea of balancing different interests. And the risk-based approach is all about that. It's about making sure that an obligation, in a given article in the GDPR may be interpreted in slightly different ways depending on the specific case and depending on the nature of the data and depending on the use of that data and depending on how obvious it is that a given use of data is taking place, how obvious it is to the individual. Those are real life factors that affect how the law is understood and interpreted. And I know it makes it more difficult, but you could say, oh, then it's super difficult to understand. But at the same time, you could also say that common sense has a role to play here in understanding the significance and how honourable some of the obligations may or may not be.
Jamilla:Jamal, you use the textbook in the Privacy Pros Academy, and you also use the C Five formula. Can you tell us a little bit more about that, how you incorporate the textbook into the academy as well?
Jamal:The C Five formula is all about the five C's that I live by. I get my mentees to follow in the academy to guarantee success. So the first C is for clarity. We need to really understand and get clear on what is it that is required from European data protection law. What are they trying to get us to do? What are they trying to protect against? What are the harms? What are the risks? And again, clarity comes from the book. The book really helps us to get that clarity. Once you have clarity, it gives you the second C, which is confidence. Now that I know I'm clear on what this means, what I need to do, how I need to go and serve someone, I have confidence going and giving advice. I have confidence going and carrying things out. So once you have the confidence and the clarity, you become credible, right? It allows you to be credible. You can go and speak to clients. They can sense the confidence and they know that you're clear because if you are clear on something, you can explain it to somebody in a very simple way. So the stakeholders who are not really privacy professionals are not really legally educated. They just want to hit their business objectives. Now we understand why this matters and what you need to do, and then they see you as somebody competent. So the clarity and the confidence gives the credibility. And because you've now got the credibility coupled with the clarity and confidence, it gives you that confidence. And the final thing we do is wrap all of that around a powerful community of like-minded individuals who are all working towards being the best they can be to really make sure that everyone else is on board and helping them to really thrive. So you've got the five, so you've got the clarity, you've got the confidence, you've got the credibility and confidence, and finally, that powerful, supportive community.
Eduardo:I like that.
Jamilla:Eduardo, we've had some questions from some other people. We had one in from Emma Martin, who is the commissioner for Guernsey, and she wants to know how can we help to keep data protection relevant to the wider community when there are so many competing demands, pressures, challenges in everyone's lives at the moment?
Eduardo:First of all, I'm not sure I'm the most qualified to help a regulator. Pretty difficult job of making data protection relevant to the community. The way I look at this is that data protection, I think, is one of the most relevant things to everyone. And the reason why I think that is because the word data protection sounds very technical, and people don't go about the supermarket and say, oh, what do you think of data protection? Or how is your data protection today? But the reality is data is us, right? And data is us when we operate online, on the Internet, when we pay, when we use mobile phones, when we use devices, when we drive our cars, when we turn on the lights, when we turn off the lights, when we click, when we read, when we shop. That's us, right? But that's data. And therefore it's really important that the protection of data is the protection of us as individuals. And I think that is the starting point of how you make data protection relevant, because I think it's really important for all of us, everyone here, to understand that, again, data is us, and that the way in which we behave is visible. And therefore, the protection of how we behave, I think, is probably one of the most important things to all of us. So I think then you need to articulate that using Jamal’s in a clearer, more credible way. Ultimately, it's about that.
Jamilla:We've had another question, and it's from one of our mentees at the Privacy Pros Academy, Ashutosh. He would like to know what is the privacy issue that you come across most frequently at work and how do you deal with it?
Eduardo:The number one is anything to do with international data transfers. Somehow I think that is because I live in the work I do with multinationals and global companies and those types of players. Their ability to ensure that data can flow globally. Whether it's just because they want the HR data to be visible or use global vendors or cloud service providers or retail audience. All of these things that are happening. That triggers a lot of queries about international data transfers. Because what I was saying earlier, there's this tension between the protection of the data on one hand, and then the ability of government bodies to access information throughout the world and all that. So that is definitely the number one work generator for us.
Jamal:I have a question on that, actually. So when it comes to multinational organizations, one of the things in place for them to share information across all of their offices and to access it from different locations across the world is obviously the binding corporate rules. And to get the binding corporate rules, you have to talk to the supervisory authority and get them to agree on it. And there's some organization that says, look, we don't want to go and talk to the authorities, we don't want to be on their radar. So let's put in place an intra group agreement. What are your thoughts on that?
Eduardo:Now we're getting really technical, but an intra group agreement is probably the most frequently used tool by global organizations to enable them to locally transfer data internationally. And the concept, in a sense, is very straightforward and it’s in the title, it's an agreement between entities of the same group. And what that agreement is trying to achieve is to ensure that all those entities around the world, all those companies, affiliates and so on, that have access to data from each other, they all essentially adopt the same type of protocols and rules and procedures in order to protect the data. That's what it's all about. So if you take that to the next level, that's where the concept of binding corporate rules comes in. I mean, binding corporate rules is nearly 20 years old. It's not a new thing. You see, it's been around for a long time. I have a degree of regret or disappointment about the fact that it hasn't become easier because the concept, again, is not too difficult to understand. In the same way an intra group agreement is an agreement. Binding corporate rules is a set of rules, and most multinationals will have global set of rules for all sorts of things, whether you're talking about health and safety or protection of intellectual property or anything else. That our ethics, anything that has a global application. So it's not too difficult to grasp the idea that if you have data flowing all over the world within the same organization, you could apply identical protections in terms of transparency or data retention limits, or data security measures, or ways to help people with their data protection rights. And you put all of that into practice, but in a truly consistent way throughout the world. And then you say, we think this system we have in place meets European standards. Originally directive, now the GDPR, but whatever those standards are, we think and practice suggests that this meets these standards.
Can a regulator have a look at this and tell us if that's the case or what we need to tweak and then kind of use their blessing if we can call it like that, to say to the world, don't worry because the data is safe with us, so I can explain it to you in 1 minute here. So why is it taking over 20 years nearly to get it past months and months and months of work and scrutiny and all that. And I think my hope is by the time I retire, I don't know when this will happen, but by the time I retire, BCR is a much more straightforward exercise than what it is today because it can be and it should be. And regulators, I think, are missing a trick here because BCR is a way of delegating. We were talking about the outsourcing chapter of the book. So outsourcing is about delegation, right? So regulators could delegate compliance to big organization or small, but to organizations worldwide by saying, these are the rules you've adopted and we're going to take the view that you're following those rules. That's good for us. Tell us next year how it's going and just almost do like an MOT with a car once you come back and tell us how it's going and we'll have a quick check and that's it. It would be so easy and it would make life of regulators so much easier as well that I don't know why this hasn't really become more straightforward or more commonplace, but I'm still hoping.
Jamilla:Eduardo, what do you look for when you're hiring in privacy? I think a lot of our listeners maybe are just starting out in privacy or have done a career change. So what advice would you give them when they're going for an interview?
Eduardo:Very good question. We recruit very young lawyers all the time. It's difficult. If you're a young lawyer or young professional in an area where you don't have a lot of experience, you may have maybe just read a book or doing a bit of charity work or something like that. You don't know much, but if you show enthusiasm, if you show interest, if you show willingness to understand these very complex issues and to look at them from different perspectives, that is such an important ingredient, then obviously you still need to have a brain to put all this in your head. But I think most people have a brain and I think then it's just a matter of putting the work as well to try to digest all of these issues. And I think one of the challenges, but also one of the things that make our area so wonderful is that you can never be complacent. We were talking about the book again, none of the people that have written the book or me included, could ever say, that's it, we've written the book, we know everything that needs to be done, that's it, that we don't need to learn anymore. That would be the most scary of things we could say, because you have to be learning every day. First you need to learn new technology. You need to learn the way the law applies to the new technology. You need to learn how of course regulators are reacting to the law and of course, the laws being adopted all the time. That's the other thing, that you need to be prepared to be very dynamic in the way you look at what you do and not think that, okay, well, I've read a book. Now I can practice. Let's say this is the end of it, and I'll just do this for another 40 years and then I retire. That's never going to happen.
Jamilla:You've got to keep learning. Jamal, you've had the opportunity to work with Eduardo, if I remember correctly. What did you like most about working with him?
Jamal:Yeah, so we had some mutual clients when I was managing one of our asset management companies. They were always in partnership with one of Eduardo’s clients. We're talking shopping centres here. It might ring a few bells. And if I say Manchester, it might bring back some stories. There used to be, let's say, lots of exciting things happening in Manchester at those specific sites, and the stakeholders will always get in a bit of a frenzy and a panic about it. And then Eduardo would jump on the call. Eduardo would be there. He would be this really calm and collected person. And just everyone stopped all the panicking. Like, Eduardo's spoken, everything's going to be okay. And he was just that presence and that calm and coolness that Eduardo brought to those calls and to the table. I remember thinking, wow, that's amazing. That's such a great skill. There's about twelve people, there's, like, PR companies, there's directors. They're all going crazy. And then Eduardo just speaks, and then it's just like, nothing. There's never no problems. And I think that's what really inspired me. It's like, how can I bring that coolness to the table? And how can I get all these people that are losing their heads around them to really just get to it? And say, look, I'm here now. Everything's going to be fine. How do you do that?
Eduardo:Thank you for reminding me of that. Well, first of all, I've been doing this for many years. I guess you learn as you go along and when you are an adviser, like we all are, you need to quickly identify who you are advising and what their needs are. Sometimes if they are in a panic or stress about something, you need to make sure that they are able to understand what you're saying to them by being calm. And I said, okay, it's going to be okay, it's going to be okay, and then you explain it. And sometimes it's the opposite. Sometimes they may be too complacent. Nothing's going to happen. And then you have to kind of grab them by the lapels and then say, listen, pay attention here because you're in trouble. But you learn whether you're supposed to be calming force or someone that grabs someone by the lapels. But then what I think is sort of universal in this sense, is that you need to know what you're contributing. So you're being hired or you're being asked to help because someone needs help with something, and you know what you can contribute, the limits of what you can contribute, but whatever it is that you're contributing, then that's your job. And you say, okay, this is what I think is happening, this is what I think the solution could be, or the different solutions. And if you go down this road, this might happen. Being aware of how you can be most helpful is what I think I would recommend in terms of acting or being able to give you a call and to be able to be helpful and to be advised in a way that can be put into practice. Thank you.
Jamal:So key takeaway, folks, is have awareness of the situation, have awareness of what you bring to the table, and also have awareness of how far your remit can go and where it actually stops. And once you get that clarity, you can bring that coolness to all of your board meetings going forward.
Eduardo:Yeah. Can I say one more thing? You made a really good point, being aware. It's also about listening, because I think we as advisors, we have strong opinions, we've learnt a lot and we think we know a lot, and therefore we see ourselves that, oh, here's the solution. But it's really important to listen and to understand the context of a particular situation or a problem and to understand what a client is trying to achieve. I think being a very knowledgeable lawyer or an expert at something, it can be completely useless if you don't listen about the problem you're trying to resolve. So I think that's another important ingredient. Absolutely.
Jamal:One of the things I make sure make sure you understand them before you want them to understand you. And always confirm, this is what I've understood. Is that correct? And make sure you're on the same page and get the buy in and establish I call it establish the baseline. And once you establish the baseline, everyone's on the same page and they're more open to listen to your ideas. Like you said, you are there to help them. They're paying you to help them. They want your help. So you know what you bring to the table and just have that confidence to know that you are here to be able to serve to the best of your ability.
Jamilla:Our last question for you, which I think is the last, but Jamal may spring another one on you, so we'll say penultimate. What advice do you have for privacy professionals aspiring to make their careers as outstanding as yours?
Eduardo:Wow. First of all, don't think that you need to have an objective in a way like, I want to have a career like this. In a sense, follow your instinct, in the sense that from the point of view of having a career first of all, I think the first piece of advice is once I'm saying follow your instinct if you want to have a career or something, that is going to allow you to earn a living. It has to be something that there is a market for. I think that goes without saying. There is definitely a market, I can tell you there is definitely a market for data protection and privacy professionals of all kinds, not just lawyers. You have to know a bit about everything. You need to know about the law, you need to know about management, you need to know about technology, you need to know about people and all of that. But other than that, I think it's just what I was saying earlier. Have the enthusiasm for learning and for keeping yourself aware of what is going on and then apply common sense and apply your practical mindset in order to resolve problems. Ultimately, in our profession, it's all about resolving situations. Sometimes there is a problem or sometimes there isn't a problem, but something could become a problem. And I think if you approach every situation as, how can I contribute to resolve it or make the most of it, then I think that's probably a good way to go.
Jamal:Thank you. Great advice. So we've spoken about domesticating animals, we've spoken about international data transfers, we've spoken about a textbook. As well as giving his top tips, he's answered Emma Martin's questions, he’s answered Ananya’s questions, Ashutosh’s questions, he's answered lots of our questions. And then I just want to say thank you very much for taking the time to be here with us today. I know there are so many technical challenges that kept you for a lot longer than we promised, so I really want to say thank you so much. It's been really valuable.
Eduardo:Thank you. Always a pleasure.
Jamilla:It's been great. Thank you so much.
Outro:If you enjoyed this episode, be sure to subscribe, like and share so you're notified when a new episode is released.
Outro:Remember to join the Privacy Pros Academy Facebook group, where we answer your questions.
Outro:Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world class Privacy Pro.
Outro:Please leave us a four- or five-star review.
Outro:And if you'd like to appear on a future episode of our podcast or have a suggestion for a topic you'd like to hear more about, please send an email to team@kaziet.co.uk.
Outro:Until next time. Fine. Peace be with you. Bye.