Cover image of The GDPR Series

The GDPR Series

The GDPR Series is a series of real discussion with Philipa Jane Farley and ProPrivacy on data protection, privacy and cyber security with real business owners designed to help you with your data compliance programmes in a practical way.

Weekly hand curated podcast episodes for learning

Popular episodes

All episodes

Warning: This podcast data isn't working.

This means that the episode rankings aren't working properly. Please revisit us at a later time to get the best episodes of this podcast!

Podcast cover

Connecting, the Power of Networks and Professional Sales with Mike Roberts

Today on The GDPR Series podcast, we talk connection, networks and messaging. Our guest is a solutions provider in the field of keeping mail safe, physical and digital. He is also a well-known LinkedIn personality who is passionate about professional selling. Listen on to find out how he uncovered successful ways to network, connect and sell professionally on LinkedIn through selling a solution for secure mailing. Our guest today is Mike Roberts the sincere and friendly helping hand behind ‘LinkedIn 101’ and the seamless secure and confidential mail communication solution Frama Rmail . Frama Rmail is a solution that encompasses email encryption, tracking, large document delivery and e-signatures. Installation is fast and painless and help is always at hand with Mike as part of your vendor team. Through selling this solution online, Mike came to realise he had developed a successful method for connecting with and selling to his professional network on LinkedIn. Thankfully for us, Mike realised people might want to know the secret sauce. Mike offers a one-to-one 90 minute online session where he gets hands-on with you and your LinkedIn presence. This is followed up with a comprehensive report which serves as a guide for you going forward. Mike is a great believer in connecting with his clients in a personal way and also a great believer in building networks. In this episode, Mike shares some great advice about the type of messaging we should be focusing on that is client-centric and presenting information in a way that people can receive it. We hope that you enjoy it and that you do reach out to Mike be it for a seamless security solution or for a LinkedIn revamp. Tel: +447545292184 E-mail: mike.roberts@frama.co.uk LinkedIn 101 Website Frama Rmail Website Transcription: Philipa Farley:  Hi, and welcome to our podcast called the GDPR Series, where we discuss data protection, privacy and cyber security matters that ordinary people in everyday businesses face. We have a series of really interesting and lovely guests, and we hope you enjoy listening. Philipa Farley:  Today, we’ve got Mike Roberts on The GDPR series. I met Mike on LinkedIn, which is a great place to meet professional contacts. I think Mike, we kind of met probably when you were I don’t know if you had started with RMail, or how far along the lines you were a bit. It’s quite a while ago now that we’ve been connected. Mike is going to chat to us today about professional selling on LinkedIn. I’ve got his website open here, www.mikedroberts.co.uk. The links will be in the podcast web page with other links that Mike will provide us. Do you want to introduce yourself? Mike, you probably do it far better than then I will and then we can get chatting. Mike Roberts:  Yeah, of course. Thank you so much for having me on today. I really, really appreciate it. And, and for all your support recently as well, it’s been absolutely fantastic. Yeah. So a little introduction about me. So for the last 15 years, I have been helping people with their mail. And that was in the physical format. So I started off as a young, fresh straight out of college salesperson selling mailroom equipment for law firms and regulated industries. And I have progressed into the digital age. Yeah, so now I’m still helping all of those same clients and all those same customers of mine, protecting their mail, but in a digital format, so there’s two sides to me. One, I help firms and companies, make sure that their email is secure. And yeah, help them automate some of their processes with electronic signatures, and things like that. And then the other side to me is I absolutely love helping salespeople and professionals on LinkedIn. I’ve been using the platform ever since day one. And I just, you know, really enjoy showing people how it’s helped me how it’s helped my business. And,  that’s me. Philipa Farley:  Yeah, that’s that’s a fantastic summary, Mike. Honestly, like I hadn’t realised that you went so far back with it the mailroom equipment, type of thing. I thought that you were more digital, but that’s fascinating. I’m a bit of a geek for, like, old machines and things. So yeah, we’ll have to talk about that another time. Yeah, yeah. So you’re most of your clients. You mentioned law firms there, and professional firms. Who would you say are kind of the core clientele that you would deal with on the mail side of things? Mike Roberts:  I would say there’s three: there’s wealth management firms in the financial sector. There are legal firms, so solicitors, barristers, people like that. And then there’s your other regulated industries. And I would probably say that that would be healthcare. Yeah. But wealth management firms are probably my biggest sector. And I and I’ve been thinking recently why that is. And it’s because when you’re speaking to a wealth management firm, for example, their clients are for life. So, your client will be with them from day one, and until the end of their lives. Yeah. So it’s absolutely critical that you make sure that everything is perfect from day one, and no better place to start really than making sure their electronic communications are secure. Philipa Farley:  Yeah, I mean, in that context, Mike, like they’re based purely on trust, you know, obviously also with their strong obligations to the laws that govern them. But nobody wants to see a wealth management firm in the news for breaking trust. And that’s what we deal with in the GDPR, is it’s about to trust more than anything else. And once trust is broken, it’s so difficult to come back to that. So when you’ve got that, kind of, those stakes on the table, you need to make sure that what you’re using is pretty much bulletproof and easily managed by the client that’s using it. So I think that’s what’s come across to me on a lot of your posts and your videos, which I love. I love the way that you present your product on LinkedIn. You know, you’re not a pushy salesman, you engage with your clients, your customers, your potential customers, you know, you have relevant industry discussions. It’s fantastic. So, yeah, I think like you’ve got this lovely way of reaching people kind of where they’re at, and drawing them in and making them feel very comfortable. With the solution that you provide, and obviously you’re fully behind that solution with the knowledge that it’s one that works, you know, and I think that’s a great message for people to hear. Mike Roberts: Absolutely. And then one of the big key things that I talk about regularly is clients’ experience. And that hits so many levels with me, because when I’m talking to my clients who use Frama R mail. Yeah, and they’re, they’re needing email encryption or electronic signatures, it’s not all about security. A lot of it is about the client’s experience and making it easy for their customers. And I try to do that myself on LinkedIn. So when I’m, when I’m selling my product to potential clients, I want to make their experience good and I try to do that in as many ways as I can, whether it’s engaging content, creating videos, trying to use a bit of my graphic design in there. I just want it to be a pleasant experience right before we’ve even spoken. Philipa Farley:  Yeah. And you know, I think that’s one of the things that I really love about you and your personality, Mike, like. Just to get really personal here is that you’re just, you’re such a nice guy. And I think I’ve known you for long enough now to know that that’s not like a huge pretence, you know, you’re not like some kind of, I don’t know, Jekyll and Hyde, where you have this persona online and a persona offline, you are genuinely a good guy. And that comes across through everything that you do. So you really like, live your brand, which is amazing. I know that I have sent some questions over to you. Can I ask you a couple and we’ll get back to this discussion because it’s flowing really nicely, you know, and back to you specifically your www.mikedroberts.co.uk website, where you offer LinkedIn training and other services. Yeah, because I think we’re kind of crossing over here a little bit now. Specifically, and I’m going to reiterate what you said to me: you’re not a GDPR expert, a specialist, but I believe that the work that you do and the services that you offer, bolster a message that we who kind of work purely in the field, are trying to send out, where you’re approaching it in a way and with a language that the customers understand. Sometimes we can throw language or things, throw requirements at things that really scare people off. And I’m very, very mindful of that because I don’t want anybody to be scared of owning their responsibilities to others’ personal data. So, I sit back a lot of the time and I kind of “watch and learn.” And I really appreciate somebody like you who is giving it to people in a way that they can receive it. You know, we have to learn as an industry, there’s an appropriate time to kind of get heavy about the topic. And then, there’s an appropriate time to kind of tone it down, and bring it right down to earth for people to receive it. So that’s kind of the mission that we’re on, if you want to call it that. So I asked you here, where did you first come to grips with or aware of data protection and the GDPR? Mike Roberts:  I 100% fell into it by accident. When I was transitioning from physical mail into a digital mail specialist, I began to understand the basics of email encryption. What happens to a standard email as opposed to how an encrypted email looks? Yeah, and this all was happening around March of 2017. Philipa Farley:  Yeah. Mike Roberts:  So GDPR was slightly in the news. And people were talking about it, but as the months went on, it became more of a big thing. And I just thought to myself, you know, I was in a very lucky situation where I was learning this with everybody else in the UK or, I mean, as much as you know, people that weren’t, you know, “with it” as much as I was. Philipa Farley:  Yeah. Mike Roberts:  And by the time May 2018 came along, I was in a great position to talk to my clients and, by the way, my clients are not big companies. They’re probably in the one to 20 headcount. So they wanted to be able to speak to somebody, without having a techie jargon-filled conversation. And I was fortunate enough to be able to say, “Okay, well, I’m all I’m going to be talking to you today about is a Microsoft Outlook or Gmail plugin. And I’m going to go through the basics with you. And I’m just going to simply show you how you’re going to transition into basically being secure with your electronic communications.” And I did it in a way that I wanted to, I wanted to have it done to me in March 2017. And that’s basically one of the things I do where a lot of people want to go down the whole jargon-filled, really technical-filled conversation. And that’s not me, but if my clients want that, I’ve got people fantastic in my network, for instance, yourself with Serity, and things like that, who have got some amazing offerings and platforms and discussions that they can have. So not only have they got a great product with me that I can provide to them, but I’ve got a network behind me that really does know their stuff. So I’m very fortunate. Philipa Farley:  Yeah, and Thanks, Mike for that. I do appreciate it because like, you know, you can approach us anytime and give us a shout and say: “Would you mind chatting to this person or that person or what’s our opinion on this?” And I think you’re quite great at that. Like, just sort of, minimally tagging people who are relevant to posts to hop into a discussion and I love that. You know, I love interacting in that way. And I think what you say is so important because, let’s just focus there, what you were saying about sort of the technical kind of reviews of a platform. Now, we would speak about vendor assessments, and due diligence, and all of these things. And, you know, there are certain parts of the GDPR that vendors have to stand up to. And then, there’s sort of more nebulous parts that aren’t very specific, like technical and organisational measures, you know, and you have to kind of dig quite deep to find out exactly what that means. And then we get to places where it says, you know, in proportion to the risk presented to the data subject, and then it’s like, oh, it doesn’t necessarily have to be state of the art, but it must be appropriate to that risk. And these kinds of things, like really frighten people. So I’m gonna say it again, that really, I love the way that you present your solution and particularly, that point of people wanting it to be an easy customer journey. Because going back to applications, that would have sort of mushroomed up around the time that the GDPR was brought into force, I would have tried a couple of email encryption solutions. And I mean, 10, 15 steps down the line, you still don’t have your message and you actually really want to just throw the computer out the window. It’s just an impossible landscape for people to navigate. So I think, really, it’s so vital, what you’re saying there, that people work together to provide the best, overall global solution – the networks work together. And this is another message we’ve been trying to put out as this podcast is that, yeah, competition is healthy, but actually, like we’re all much better off for working together, because our clients actually benefit from that, Mike Roberts:  Well, you know, well, absolutely, for sure. And the thing is, with Frama, we, you know, we’re not a multi billion Dollar organisation. Yeah. Often when I’m demonstrating our mail to my clients, they ask about the support and I tell them about my team and myself. And I say to them, you know, chances are you could text me or call me at 8 o’clock in the evening. And if you need help, chances are if I’m available and I probably will be, I can jump onto a quick screen share, and help you send that email, or create that document for an e-signature. And a lot of people think Yeah, okay, you know, he’s saying that because he just wants the sale. But when they actually do make that call, or give me a text at 8 o’clock and realise that I am there, I’m able to help them think, do you know what? That’s absolutely fantastic, because people are looking for that little bit of extra customer service especially in today’s day and age. Because you know, our big giant competitors you know, yeah, they are a customer and there is a figure on a whiteboard to them. Philipa Farley:  Oh, yeah. And all the call centres are outsourced, and good luck to you actually finding something that’s not a computer that’s answering questions. My favourite trick with the help bot is “Please may I speak to a human?” And, they all seem to have some kind of code programmed in to pass you off on to, like a human being, that actually will answer the questions, you know. And what you’re saying is so important, because I’ll just put a note here, because this is kind of like evergreen content. But we’re recording this in the middle of the lockdown in 2020, where we’re working from home offices and people aren’t having meetings in person unless you’re essential services. So, that kind of goes to what I’m about to say here is that, you know, you say your customers are in the bracket of people, you know, in one to 20 teams, of one to 20 in the business. So not more than 20 employees, where we ourselves, we deal with a lot of people in that bracket, a lot of local businesses around Cork city and Cork county. And then we would have a lot of startups that we deal with globally. Also, in, like, the 1 to 5, 10, 20, not more than 30, teams, because when they start getting to that stage, they start hiring in-house and we kind of help them cross over, you know, Internet security and data protection expertise that they need on board permanently. And, going back to my point of people working from their home office, and that I think, like I’m, I see, maybe a shift in business where, you know, obviously, there is a place for the enterprise and there always will be the enterprise-level business, but there will be a lot more smaller businesses around, Mike. And, you know, we can’t, I think this is just this is just me personally, we can’t think that anymore in business that the goal is to make millions and millions and millions of Euros, Dollars, Pounds, whatever. Because what we’re seeing now is this sort of humanity around us where, that’s not really appropriate, you know, the human connection is far more important than the money making. Yes, the money does grease the wheels of the business to continue. But I think what’s really coming to the fore, is that that human connection that one to one, reputation matters. You know, and I really love the model that you’re building here because I think that’s, that’s core to you. That’s the LinkedIn sales, professional selling, that you do the help there is really, really core to that. And it, kind of, is parallel to data protection and the trust, you know, and it’s a very philosophical message and, and a lot of people kind of battle with that. That it’s not just another law, you know. That we all have to do and we have to tick the boxes, and we have to, kind of, it’s such a drag, it actually really should be like a pillar to your business that: How do I care for my customers? What am I doing to make sure that their trust is minded? It’s taken care of. And, you know, they deserve to have that trust. So, yeah, like it’s GDPR and data protection, and it was a drag, and it shouldn’t be a drag. But I think, you know, with enough of a message going out, people will hopefully start to see that. Mike Roberts:  Yeah, absolutely, totally agree. Philipa Farley:  My soapbox. My soapbox, there! I asked you a second question here: the impact on you personally of the GDPR. And it’s fine, like if you haven’t had kind of a personal rumble with the law as such. Everybody who follows my Twitter will kind of have a laugh every now and then about the things that I post where I might get into a situation. The one was the insurance broker or company and asking for the blood tests because we are kind of newly arrived in Europe enough, for you know, HIV to be a concern, but the way it was handled was just really, really difficult and it took months before the correct information, you know, came out. And like, it would have been so easy for me just to sign the paper and go for the test, you know, like, whatever. But sometimes I just get to the point where I think like, if I don’t say something, you know, other people are going to have this bad experience and not get the information that they are required to get in the law. So, I kind of do stand up for it a little bit. Have you had any personal experience with the GDPR data protection that you could share with us I want to share with us, or want to share with us? Mike Roberts:  Personally, I don’t think so. But, you know, what we do as a company at Frama is we are learning, just like everybody else. And if we ever get anything wrong, then we hope that people will tell us and make sure that we can put it right. And, you know, we’ve had people that have approached us with regards to our privacy statements. Yeah, asking is about asking us about, you know, our products and where we keep people’s data? Yes, yeah. And, you know, again, we’re in a very brilliant situation with our solution because we aren’t a cloud-based tool. Yeah. Yeah. So unlike other email encryption companies that take a copy of your email, put it in the portal of somebody else’s computer, i.e. the cloud. You know, we don’t do that. And so again, it’s nice, it’s a nice weight off people’s shoulders, knowing that we’re not taking copies of people’s emails and putting them in the cloud somewhere. So, I think we’re doing good. And again, I’d ask anybody out there, you know, please, if there is something that we can improve on, we’re always open to learning. Philipa Farley:  Yeah, and that’s an amazing statement, right? Because a lot of people kind of just tuck their heads under their desks, and close their ears, and don’t want to know about it. Because, I think and you’ll hear this as a thread through the other episodes, where I say every now and then that I find quite a few Data Protection team or Data Protection Coordinators, the Data Protection Officers in businesses that have not been afforded the training and the backup that they should have been afforded. So, you’ve got people that have just, kind of, been appointed in positions and have said yes, and they’re trying to learn on their own. And you might come across a product or a service or website online that actually technically is not compliant with the GDPR. But to, kind of, shred it, if I can say it like that, on a professional network and publicly name and shame and, you know, say things about it. We’re forgetting that there are real people behind that you may be struggling with resources in their jobs. They may be struggling with the time in the day, you never know until you approach somebody personally. So I think what you’re saying there is an excellent message for people to receive, is that if there is a problem, please pick up the phone or send us an email, and let us know, you know, you will definitely get an answer, and things will be improved. And we all get better that way. Mike Roberts:  Absolutely, absolutely. And the other thing is, you know, I would highly recommend people to use online learning platforms. I know a few of my clients who’ve used Serity, have given me absolutely fantastic feedback. So, yeah, I, you know, well done on what you do as well for your clients. Philipa Farley:  You know, we, we, we hope to democratise the law a little bit, Mike, and let’s let people, kind of, you know, get that knowledge without too many barriers. Okay, so the third question here is: where you’ve seen that you’ve seen opportunities for your own business in the context of the GDPR. I don’t want you to answer in any GDPR-centric way. And I would like you to please tell us about your LinkedIn services for professionals, because I think, if I may be so bold as to say it, that’s kind of the opportunity that came out of this for you. Mike Roberts:  Yeah. And so I’ve used LinkedIn from day one. I’ve never been on a LinkedIn training course. And I’ve never sat in a classroom with somebody, you know, on a PowerPoint presentation telling me how to use it. I spent many, many years using it for no real benefit, I suppose I was getting no interaction. And it was only really, probably in 2016 or 2017, where I actually started to record and look at why things were turning around for me. What was it? I was doing something different? Philipa Farley:  Yeah. Mike Roberts:  And, you know, within a 12 month period, suddenly I was getting lots of brilliant people in my network. I wasn’t doing anything ridiculously time-centric or it or, you know, throwing loads of money at the platform. But I was just getting to understand a little bit more about personal branding, what people enjoy seeing, and how to make your content different to other people’s. And then I started just kind of delving a little bit deeper into it, you know how Google and the Search Engine Optimisation (SEO) works with LinkedIn. Philipa Farley:  Yeah. Mike Roberts:  And how to make yourself different from everybody else, in your industry and competitors. And it was literally just just over a coffee one lunchtime with a friend of mine, who I spent half an hour with, and I gave him some tips and tricks for his LinkedIn profile. And he said, you know, you should be doing this as a service that you teach, you know, I’ve never heard it before. So I just decided to call it LinkedIn 101. And it’s, it’s an hour to 90 minutes with somebody on a screen, sharing a session. And all I do is I just absolutely pack in as much as I can in that 90 minutes to look to look at the front page, and help people with their headline, their summary ideas for content. Philipa Farley:  Yeah. Mike Roberts:  And we just try and squeeze as much as we can into our session so that the person that I’m speaking to, can just walk away after that 90 minutes and think, you know, there’s a couple of things there. There’s 1, 2, maybe 3 things that I can walk away with and put into practice immediately. And so far, I have a 100% success rate in the fact that the people that I’ve provided this service to have actually seen an increase in lead generation, or conversations. So, I, that just absolutely delights me because when I would, I would put all of those years of practice into giving people nice, bite-sized chunks so that they’re not just sat there; there’s no PowerPoint presentations, and there’s no classroom environment. It’s very interactive. And they walk away with a PDF ebook at the end of it with a personalised report on exactly what we’ve discussed. So I love it. I just love what I do. Philipa Farley:  Yeah, I know. And that really comes through and it is amazing, Mike, I would have personal knowledge of a couple of the people that you have assisted. And, the difference is remarkable. And I’m going to bring us back to what we were chatting about just before I think we press record there and say that: Basically, the way that you’re teaching people to use LinkedIn to develop those relationships, you know, and to make those sales is kind of what people need to learn in terms of data protection, and e-privacy, specifically, you know. Long gone are the days of using analytics person analytics, mailing lists, and just bombarding inboxes with emails in the hope of a sale. You know, let’s email 10,000 people and we’ll be lucky if we get one sale out of it. And that’s a really bottom line true statistic because, around the time the GDPR came into force, I would have sat with many, many people going through their mailing lists: How do they get the data? How do they compile it? Could they tag origins? Had they obtained the correct consents? You know, could they justify under legitimate interest? And then going through it and saying to business owners, who are very, very concerned about, you know, working through this prospect of losing contact is how effective are these mailing lists anyway? Particularly like in a b2b context, and it turns out, most people were not actually making any sales from them. So I really, really love what you’re doing here. And I have hope that people do take up the opportunity to get in touch with you and, to sort, of revamp the way that they think about sales. Sales are not scary, you know, you’ve got something people need. And I think you’ve said that to me before people need it, they need to hear about it. So take the opportunity to do that, you know, into being kind of proud of what you’re selling and what you’re doing. Mike Roberts:  At the end of the day, I am a salesperson, and I have been ever since I left college, well around 15 years ago now. And what I tell people time and time again is, forget your mailing list, forget the spam emails. Basically, start with, and again, I bring it back to LinkedIn, because that’s where I’ve made all of my success is: start with one success. Let’s call it a penny, and then then turn that into another penny. And before you know it, you’re springboarding your way through to this fantastic, successful world of sales where it’s an enjoyable experience. And, and everything that you’re doing is off the back of your last major success, where you’re helping them. They’re helping you. And suddenly, it just becomes a fantastic world to be in. And that’s what I try to help young people with, especially people who have just started off in sales. Yeah, they might not be on that journey that I had 15 years ago. And they’re bombarded with this whole world of digital solutions to this and video this…All you gotta do is take it one step at a time and before you know it, it’s it’s, it’s great. Philipa Farley:  Yeah, no, and that’s, that’s a fantastic message. Thank you for sharing that with us, Mike. Okay, the opportunities for your clients. I think we’ve just mentioned that here. So let’s not spend too much time on that. Unless you’ve got a sort of a story or two you’d like to share with us. People’s kind of them being turned around on LinkedIn where it has made a deep impact on their lives? Mike Roberts:  Well, I do get a lot of messages from my clients, both Rmail and under LinkedIn training. You know, and I try to put that on my testimonials page. And I just want people to walk away with one thing, which basically helps them gain that extra sale. And, I say to a lot of people, when the extra sale comes in, from what I’ve taught you, use it and piggyback off the back of that and make sure it’s, you just continue that success. And, I think people just enjoy it and enjoy the short, fun, jam packed time that we have together, rather than sitting in a classroom on death by PowerPoint. Philipa Farley:  Yeah, exactly that those days are long gone. Yeah, thank god for that as well. Okay, I’m going to ask your personal opinion on a platform like LinkedIn, in our very likely future of work from home remote work-type models, and I sent these questions to you two weeks ago. I think I just, maybe, tweaked the last one maybe more than two weeks ago. So small little inside laugh there. I’ll ask it again, what’s your opinion on a platform like LinkedIn in our very likely future of work from home remote, remote work type models? Mike Roberts.  My opinion on a platform like LinkedIn is, I think they’re fantastic. Philipa Farley:  Yeah, yeah. Essential. Mike Roberts:  Yeah. I think you can make them fun. The technology that is available to us nowadays, has presented this with an opportunity like never before. And, I’ve been doing online meetings and video meetings now, every day for the last, probably, three years. And I just think that they’re great. It saves time. It’s easy to do, once you start using it. Philipa Farley:  Yeah. Mike Roberts:  And then I think the opportunities are endless. I really do especially with them. Now that we’ve, the globalisation that we’re faced with, I know that you and some of the contacts that you’ve connected with me, Andrea, you know, connected me with a wonderful company in Mauritius. And without the technology available to us, I would have never had the opportunity. So I thought I think it’s great. Philipa Farley:  Yeah, it is. I mean, I kind of grew up in isolation, if you can call it that, like our nearest city was about 100 kilometres away with the nearest sort of rural hospital 25 minutes away from our farm. And when we had that first screaming modem in the house, connected to a small satellite dish that connected us to the telephone services, it revolutionised and changed our world, you know. Just understanding that in 5 or 10 minutes, you could get something from the other side of the earth, that had taken weeks or months previously to organise. And I really do feel that excitement that you’re bringing forward in your statement there. Because you’re right Mike, the opportunities are endless. Technology might be a barrier for some but you know, we all have our challenges in business, whatever area it’s in. We have to recognise that and work towards overcoming those challenges. But yes, video conferencing, video meetings are definitely a part of our future. And I, for one, we’ve, we’ve worked in a home office, I dip in and out of co-working spaces as my clients might require. But, I prefer a home office because of the absolute security. You know, I’m kind of guaranteed for the work that I’m doing but also the work life balance. That’s very important to me. So I really love technology and I love the opportunities that it presents us with You know, and obviously from the data protection and security point of view, and this goes back to your Frama RMail point is, you know, we need to make sure that we’re using the correct tools to help us enable enable us to do our work in a compliant manner. So, yeah. Mike Roberts:  And it also sets you apart from your competition as well, because one of the things that I do regularly is video email. And I’m surprised it hasn’t, you know, become more popular. It’s popular in the USA, but not quite so much in the UK and Ireland. And, one of the things that I tell a lot of my clients is, look, if you’re in a competitive situation, you know, why don’t you be that person that sends your prospect or client a video email, instead of blank text on a white background because, you know, things like this, and the technology is so readily available to us and nobody’s really doing it. It’s going to set you far better apart from anyone else. And so it’s just there to be taken, and the opportunities are there right then and to be in sales now is probably the best time ever to be in sales, even during this lockdown. It’s a huge opportunity. Philipa Farley:  Yeah. And again, Mike, I really really hope that people connect with you and get in touch and get some of your enthusiasm first hand, because I know that it has made a big difference to me personally, and quite a few people in my professional network and personal network. You’ve been an amazing assistance in great times of need sometimes and thank you for that. Can I end with one last question here, because I know your time is very precious. And thank you for spending the hour with us. We really do appreciate it. One piece of advice to potential clients of yours. Mike Roberts:  So my advice would be: Don’t worry about things like email encryption, and, you know, ways of automating your business processes. It doesn’t have to be, you know, long winded IT, technical discussions. Myself and there are others out there. You know, we are humans and we can have a one to one conversation with you and make it easy for you. Just don’t worry about it and just, you know, speak to the right people. Philipa Farley:  Yeah, take action, I think it is a good one. And any potential advice to you potential, or any advice to potential clients have those for your LinkedIn101? Mike Roberts:  I would say: Don’t be afraid of social media, especially LinkedIn, it’s there for you to have to create content. It’s about you and your personal brand, not necessarily your company. People are on there to learn about you, not your company. Philipa Farley:  And that’s a really good piece of advice, Mike, because I think we kind of step into this professional sort of persona. We’re trying to align. I’m speaking personally here, like, my message with what we’re doing with a company. We’re actually like, you have a unique personality that needs to come out. So that’s a fantastic piece of advice. Is there anything else you’d like to say? You know, any, any, any contact places you prefer? Obviously, LinkedIn, you know, you’re there. Do you have a Twitter account? Are you on Facebook? Where can people find you? Mike Roberts:  So they can find me on LinkedIn. They can also find me on Twitter, which is where I post more things about social media and ideas for posting that’s @frammamike. And they’re the best places to contact me. And the other little piece of advice, which I’ve just realised I could have said before, is when you are posting on platforms like LinkedIn, always put yourself in the mind of your client or customer. Just think about what it is that they would like to see if you were in their shoes. That’s probably a really strong piece of advice. Philipa Farley:  Yeah, that’s fantastic. So thanks so much, Mike for joining us. We’ll obviously share the things that you’ve spoken about in the post that will go along with the link to this podcast. And we’ll put it up on social media so people can contact you easily. Really, really thank you. Your presence in social media is a delight, and it’s fresh and I love connecting and chatting. Thank you. Mike Roberts:  No, thank you as well. I really, really appreciate the opportunity. Philipa Farley:  We hope you enjoyed that episode of the GDPR series. If you do, please subscribe. Find us on social media. We’d love to have a chat. The post Connecting, the Power of Networks and Professional Sales with Mike Roberts appeared first on ProPrivacy Data Compliance Solutions.


17 Apr 2020

Rank #1

Podcast cover

We’re on a GDPR mission with Andrea Manning

Today on The GDPR Series podcast, our focus is bringing the GDPR back down to earth.  I chat with a rare woman in cyber (and data) who presents her GDPR message to businesses through the lens of real life cyber security issues.  With a very interesting background in the hotel, travel and leisure industry, we are treated to a discussion with somebody who knows all about taking care of masses of far and fast moving data!  Listen to find out more. Our guest today is Andrea Manning.  Andrea set up Data Influence with the intent to influence how we think about data. She is on a mission to change some of the negative perceptions and scaremongering that sprung up around GDPR.  An eternal optimist she highlights the benefits of doing GDPR and likens it getting a full health check for your business.  She talks about how we all now have a duty around cyber security and that it should become more user-focused.  A passionate champion for small business which often gets left behind, her focus is on plain speaking and practical solutions.  In her own business, she advocates training for everyone in the organisation and creating a culture of curiosity.  In her words, make your staff part of the solution, not the problem. It’s clear from listening to Andrea that she also has another agenda.  And this is to attract more women into cyber security and data protection.  A natural mentor and a diverse role model herself, Andrea is keen to highlight how women bring varied backgrounds, mindsets, challenges, world views and family dynamics to the table making them natural problem solvers and an ideal fit for the world of cyber security. Drawing on an extensive career in Information Systems and Marketing, Andrea brings a fresh approach to Data Protection. Andrea’s Links: Read more and contact: https://www.datainfluence.ie Free training resources: https://www.datainfluence.ie/resources Interview transcription: Philipa Farley 0:01 Hi, and welcome to our podcast called The GDPR Series, where we discuss data protection, privacy, and cyber security matters that ordinary people in everyday businesses face. We have a series of really interesting and lovely guests, and we hope you enjoy listening along with us. Good morning, Andrea. It is fantastic to have you here. Thank you for joining us. Andrea Manning 0:26 Hi, Philipa. Thank you for having me. Very excited. Philipa Farley 0:30 Okay, so as you know, we’ve been doing a series called The GDPR Series. In my head, I keep thinking the GDPR issue, which it really is, but anyway, it’s The GDPR Series. And we’re talking to people across business, SME owners, as well as people who work in the industry, and you are actually both. Your focus is not entirely on the GDPR and Data Protection. You have an extended focus. I will leave you to introduce yourself. Okay, while I go over and find your website on a screen, so go for it. Give us your pitch Andrea. Andrea Manning 1:16 Okay, so I have a very varied background and the best way to describe me is: I am a square peg that does not want to fit into a round hole. I set up life in the hospitality industry, but I’ve always been in marketing and in sales, but I was that child who could programme the video recorder, and I’ve always loved tech. And, with everything I do in life, I always start at the position of “yes!” and then I go and figure out how. And that’s tech, that’s business, that’s everything. So I went back to college and did a degree in Business Information Systems. Same thing, I just said yes, and then kind of figured it out. I had no idea what I was taking on, and the next thing, there I was doing programming and data modeling and financial accounting, thinking: “Oh my god, how did I land up here?” But, somehow, sort of that one step at a time approach, I got to the end, and I finished my degree. And, during my degree, I got to do an internship, which is the most valuable part of the degree, and I would recommend this to anyone. And I landed up at the tech startup, One Page CRM. And, same thing, he looked at me and he was kind of seeing the square peg and couldn’t find a hole for me. And I mentioned that I love anything legal, and, if I’d had a second life, I would have done a legal degree. And then he went: “I’ve got just the job for you!” And it was GDPR, because this was prior to May 2018. And I hated it, but I’m an optimist. So I took it and I kind of consumed GDPR. There was nothing I didn’t know about GDPR and I was determined to find the positive in it. And I did find the positive in it! And that is what I did. So, my job was to kind of map the data, figure it all out, see what the competitors were doing, and then be the communicator back to the company, to explain what GDPR was. And that was another side that I realised I loved, was the training. I mean, they made me do the training for the developers. And I was like: “You can’t make me tell, you know, software engineers about password protection?” Well, you can, because there was one who had their passwords on a post-it – so, everybody needs training! And you must never assume! So it was through that internship, they kind of planted this love for GDPR. And one of the funniest things was – the whole way through – everybody was sending out these re-permissioning emails. So, I was dealing with them at One Page CRM, but I was also dealing with them in my own company. And, every time somebody got one of them, they’d forward it on to me. So, while the average person was getting 10 a day, I was getting a hundred a day. That is my lasting memory of GDPR, and I was seeing them from people, saying: “But, my solicitor sent me this one, so it has to be right!” or “But, my doctor sent me this one, so it has to be like that!” No. Philipa Farley 4:12 Yeah, I think everybody completely damaged their domain reputation scores during those couple of months, because I think people were just like, deleting, and most of them just landed up in spam anyway. Andrea Manning 4:25 Oh, gosh. And they just followed like sheep and you know what it reminds me of? I lived in the UK for a long time. And there was this whole thing with Brexit, they kind of analysed why the EU had such a bad name. And it was because the newspapers every day, were printing stupid stories like: “The EU says we must have straight bananas. The EU says this. The EU says this.” And it was actually nonsense, when it was that drip feed, and then people believed that the EU was a bad thing. And, I almost feel like the same thing happened to GDPR – this drip feed of nonsense that wasn’t even true. And now, everybody has this completely wrong perception of GDPR. Which brings me to how I set up Data Influence: I needed to change the perception of GDPR. Philipa Farley 5:10 Yes, absolutely, Andrea, I’ll add to that. And I think I might have said it to somebody else; it will probably come up in one of the other podcasts. But, if it wasn’t one with Liam, that I was very surprised, coming from South Africa, where our sort of culture, for the most part, has worked together, you know, give somebody a hand up. Because if you succeed, I succeed, you know, and it’s better for everybody instead of just sort of shoving each other down. When I sort of started looking at social media, you know, and talk around data protection and GDPR specifically, this phrase “scare mongering” came up over and over and over again: “Oh, don’t pay attention to that, that person is a scaremonger. Don’t pay attention to that, that is just scare mongering.” And I think that the industry did itself no favours by entrenching that phrase into everyday language and attaching it to GDPR, because we’re now in a space where people’s kind of automatic reaction to you saying: “Have you, you know, how’s your compliance going? How’s your data protection compliance? You know, have you dealt with your GDPR obligations?” They – the triggers – are “Oh, I don’t need to she’s just scare mongering.” And it’s just like this wall up in a lot of people; they don’t want to deal with it. So, I don’t know what you have to say about that. Because, like talking about getting a fine… yeah, I know, it’s extreme to say everybody’s going to get a 4% whatever global annual turnover fine, but talking about it, and saying “That’s the potential.” The potential is also that the Commission comes in and says: “Oh, sorry, you can’t do this” – like they did with Facebook last week and the dating app. “Sorry, you can’t do this. You have to stop while we investigate.” And while we do the correct, you know, compliance assessments, the documentation assessments. Okay, so, is that scare mongering? Or is that actually creating awareness around the reality of what this law has the potential to do? Andrea Manning 7:27 Well, there’s a lot to unpack there. So, my background has always been in small business, and I understand small business. And I do think the GDPR puts a really unfair burden on the small business. It’s one regulation that Facebook and the man with four employees needs to still, you know, do together. So I just say… I start off and I say people, and they are quite shocked. I mean, you know what, let’s just put GDPR in the bin for now. Let’s just put it over there. And let’s not even talk about it. And let’s just talk about your business, and then, I start just in an almost conversational form, saying: “You know, does everything – when you send your guys out? Do they have all your customer data on their mobile phones?” And, and I know every I always know the answer to this question. I’m like, lawyer, don’t ask a question until you know the answer. I’ll also ask “You got all your passwords on an Excel spreadsheet on your computer?” They’re like, yeah, because everybody does the same thing. But, once I start explaining to them, like, what the repercussions of that are and how easy it would be to gain access to all their passwords, and then imagine if they lost all their customer data, and they kind of woke up in the morning and they came in and he there were no customer records, there was no details, there was nothing, then what do they do? And then, you start to build and you say: “Okay, this is all you know, this is cyber security.” And cyber security is a lot more sexy than GDPR. So we go through this and it’s, it’s real life stuff. We all have millions of apps. You know, the typical small company, and that is Ireland – yes, there’s the big enterprises – but it’s actually small businesses. Philipa Farley 8:58 250 000 SMEs. Andrea Manning 9:01 Yep. So you’re using things like Monday.com and using Gmail, and you using, you know, all these little products. You probably don’t even have an IT department. Philipa Farley 9:11 Nobody does, Andrea. Andrea Manning 9:13 Yeah. So who’s managing these? Who’s making sure that they’re all secure? Who’s making sure that who’s got access to them or like the interns left and now she’s got all the passwords to everything? They don’t have an IT department. So I’m their IT department. I’m coming in. I’m saying: “Okay, let’s draw a picture of what’s happening, what you’ve got, where it’s going.” And then they’re sorted out – let’s just make it a little bit safer. And, if I explained how easy it is to crack a password with a great story? And, by the time I’m finished, they’re like “Okay, how do I sign up for a password manager? Then, moving on to the next stage and I just say it’s just about getting your GDPR ducks in a row, document everything, just have all the paperwork to prove what you’re doing. And then your GDPR is done, but you’re also in a great position that your company is not going to fold, because with like, ransomware, they say that if a small company is hit with ransomware, within six months, they fold. Philipa Farley 10:08 Yeah, yeah, no, we got those figures at the breakfast briefing I was at last week. And, for some companies, it’s as soon as three months Andrea, it does not even extend to six months. Like it’s done. Andrea Manning 10:28 Just before Christmas; and it really kind of sticks with me. They were based in Arkansas and they were a tech marketing company, and they were doing so well, that they were giving away a cruise, as like a prize to their top employee. And they were hit with ransomware and, this was just before Christmas. Second of January, they had to let the 300 staff go and that was a family firm that had been in business for years and that; it honestly it just breaks my heart. So, when I want to help people that is it is truly from that position that you’re a small company. And if you just had a little bit of GDPR, which is just some housekeeping, that company would have been fine. They would have been able to recover, they would have had a backup, they would have had a plan. You know, it’s just prevention. Philipa Farley 11:13 Yeah, yeah. But, having said that, it’s just prevention. Do you not think that most people just don’t think about this stuff? It doesn’t cross their mind to think about ransomware and the effect on their business? Andrea Manning 11:31 Do you know what? There are two parts: first of all, a lot of people just don’t care. Like, they don’t even get to the point where they want to find out whether they should think about it. But, a lot of people, we live in our filter bubble so we’re we’re on Twitter in that community. We’re on LinkedIn in that community Philipa Farley 11:47 And on that note, before you carry on, I’m so aware of that because it’s like if you get into a group think state and you create blind spots. Andrea Manning 11:55 Look, I know what malware is, but there’s people who don’t know what malware is. I know that you should – like we were talking about this yesterday – you know how many people, they go to a web developer they give their website is built on WordPress, web developer signs off, who does the update? Nobody. Philipa Farley 12:14 And they don’t even know how to log in, Andrea. Most people don’t know how to log in to those websites. And so, here we see like a bit of a sort of a conundrum coming in, where, like, you would have a lawyer saying that kind of oversight should be built into law, and then translated into systems. So by oversight, I mean, web developers are kind of an unregulated, profession, right? Anybody can put up a website. Anybody can put up a website and just be a web developer. Okay, but in all seriousness, like they obviously have a skill set that is sorely needed and they are very much appreciated. This is nuts, you know, condemning web developers by any means. We’ve all done it in our past, I suppose, as a bit of our jobs. I’m sure you have made websites for people at one stage. But like, is there a code of conduct? Is there a standard way of handing over a site? Is there, you know, a recognised checklist of security measures? And here we go into data protection by design and default. They’re bound by these things as well. And I think that they don’t even realise, Andrea, that they’re bound by them as service providers to people, you know. Andrea Manning 13:37 That’s it. And, I mean, sometimes their contract is just to hand over a website, and there’s no further contact. And then, somebody in marketing looks after the website, but then they leave. And, whose job is it to do the updates? And that’s why I’ve just where it’s always said it’s like, if you go to the GP once a year and have your sort of NCT, have all your bloods taken, have the whole thing, you probably never need to see them again until the following year. And you could just do it for every company, go in and have a 24 point check or probably a few more points than that, and just go through all these things and do a check for their sort of health. But that’s what GDPR is, and people need that, so you’re getting a free health check where your company, Philipa Farley 14:19 Yeah, and you know what, most of the time, I would say, nearly every single one of my clients has discovered some kind of cost saving along the way. You know, so they might be spending money on your consulting or your you know, your implementation of a system to manage data and manage their compliance. But, if you do the cost analysis over even a year or two, they’ll land up saving money somewhere, be it in subscription fees for software, they didn’t need, be it in time saving, be it in whatever. So we see those positives, you know, and trying to get the message out, is a challenge. But that’s why exactly why we’re we’re here talking, very obviously. Andrea Manning 15:06 Hopefully, it will get there. Like you, automatically now, you bring an accountant in for that same reason: just pay a professional that knows their stuff. And actually, you know that they’ll save you time and then, more than likely, save you money. And you put money in your budget and you pay for a professional. And I just think that the data privacy person, or the GDPR person, or whatever you want to call them, is going to become that professional. That’s what we have to set ourselves up as, within that suite of professionals that . We have to set ourselves up at is that that in your your your suite of professionals that you get in when you need to do stuff. Philipa Farley 15:44 When we think about it, we would like to see and, and again, I said because I’ve said it before, this is not kind of a money making promotion, not at all. It’s really like, very deeply, trying to create that sense of awareness for the need for that check, and the need for that partner, and the need for that expertise. So, we would like to see compliance, cyber security compliance, because it will become that, we’re leading that way. Where we’ll have like a GDPR for cyber, if you want to say it. It’s kind of written in any way: your security measures are needed. But I believe that, very soon, we’ll start seeing the recognised set of regulations for cyber for businesses. The cost is too high at the moment for cyber non-compliance. So, we would see cyber compliance and data protection compliance as a core pillar in the business. You know, compliance should be a core pillar for everybody just like a marketing, your whatever. You know, if you don’t do it, the cost to your business is so high. You know, you can hear I really, like I really battle to process the mindset of a business owner that doesn’t want to have their ducks in a row. That’s just me personally. Andrea Manning 17:15 But then, there’s another side of it. And we are all guilty of this. I mean, have you ever been to your GP and told them that you Googled your symptoms? Philipa Farley 17:21 Oh, every single time and I say to him, I know what you’re going to say. Oh, yeah, I know. Because Yeah, exactly. Andrea Manning 17:29 We’re all kind of gatekeepers of our domain and we’re all guilty of this. We do it, and unfortunately, the cyber community and the privacy community are just the same. And it’s like “Oh, we know so much! Article 99 and Article 17 and Article…” And we’re like: “Listen, you have to have us because we’re, you know, we’re the experts, but we are not prepared to share it.” And I think – where I want to make the difference and I know you make the difference – and it’s a bit like, when you build WordPress websites for them, it was to empower them that when you left them, they could go make their own edits. So, when we go in and do GDPR, if we train them and teach them and said: “Okay, now, you know it!” – knowledge is empowerment. Yeah, and you know this stuff, you can manage this yourself because you haven’t got a huge budget. I’ll just come back in a year’s time and give you another health check and give you another list of to do’s and that way, you know, like an app that tells you what you need to do with the fixes that you can manage your data yourself. We have to, as privacy people, empower everybody and not be the gatekeepers and not use things like Article 17 and Article 19. Because really, who actually knows what that is, other than us? Philipa Farley 18:37 Yeah, exactly. Andrea. And that was precisely what I said to a couple of the SME owners that we’re chatting to; to please come and talk to me, because they’ve done their data protection compliance, and a couple did it themselves; entirely themselves. And I said to them, I think we speak a different language to what people need to hear. So, part of this discussion is exactly what you’re saying there: that we need to find the middle ground, or we actually need to go as, as professionals in this field, we need to go further than the middle ground, and we need to meet people where they’re at. And it’s quite, not a scary thing. But people battle with this idea of giving knowledge, because then nobody’s ever going to pay you for it. But like, I know, myself, we give so much information out. Like I I’m very aware, you know, as a lawyer, even though I’m not really allowed to say that whatever in Ireland, like, but I’m very aware as a lawyer, that you have to give information responsibly. So I’m not going to chuck out a bunch of templates and policies and whatever and say to people go wild, because there is the potential for error there. If I do say: “Here’s a starting point to do your documentation. You will please refer it back to me to check for you, to make sure you haven’t made A mistake, you know.” Andrea Manning 20:07 But that’s the perfect solution. So it’s a little bit of DIY. It’s understanding the budget. It’s understanding very limited resources. But it’s also teaching them and empowering them. Yeah. And then they’re not that, you know, the consultant sometimes gets a bad name, you know, come and do this. He has my bill. Philipa Farley 20:28 I sent you some questions, Andrea, that we are talking about, with everybody who comes on the chat. And we have covered a couple of them. You know, we’ve spoken about opportunities for your own business and opportunities for clients. But, I think what I would like to ask you is: the GDPR personally, okay, because, I say it every time and I say it again to you. I get asked often when I’m interviewed, or if I’m talking to people in management: do you think the GDPR is a good thing or a bad thing? And my response is instantly, it’s definitely a good thing. And these are the reasons why. And I have my reasons. So, when I’m talking to people like you – you know where it’s your life; cyber and data protection is your life, really – we all have our own personal stories to tell. So, has it impacted on you personally, in a positive way? You know, have you had a good experience where the GDPR was kind of central to that good experience? Andrea Manning 21:39 I’m a parent. So I can tell you something: that I read privacy policies for fun, as a parent. And the other thing, that when I was in college – I was with, you know, the sort of 18 to 20 year olds – and I had a whole insight into a different generation, which was so valuable. But, they are the ‘sharing generation’ – they do not care about sharing anything. They are the most risky ones when it comes to sharing passwords. They grew up in a in a world where you share everything: you wake up in the morning and you feeling hung over, you take a selfie… Philipa Farley 22:16 Yeah, yeah. Their entire life is documented. Andrea Manning 22:19 So, you know, certainly for me, as a parent, I I look to that privacy policy and, I do, I feel like it’s a little bit of insurance. If something goes wrong, or if I need reassurance, so I want to know that actually, when my daughter is signing up to stuff and doing stuff, that it is regulated, and that if something happens, I have powers that can take things back. Philipa Farley 22:43 Yeah, that’s a good way of saying it, Andrea, it’s like an insurance policy. You know, it’s not a silver bullet. It definitely is an insurance policy because it’s, it’s that trust. You know, do we live in a constant state of fear over the risk? Or, do we trust, with our insurance policy, and use tools that enrich our life? Because I’d say this again, for us personally, I have a Fitbit on. There we go. There’s, there’s the Fitbit, everybody can see it. And most people would go, what the actual hell are you doing with that thing on your arm? And I say, reminding myself to actually get up off chair during the day. Because without it, you know, I know I can set an alarm, and I can do all sorts of other things to monitor my health and to get moving and to do whatever, but this is everything in one, and I need that right now. You know, so I’m prepared to forego on my absolute, you know, private identity, and hope that they fulfill their data protection obligations in a way that they should. Andrea Manning 23:52 That’s it I mean, I love tech. I don’t want to go back to the year of the ox wagon. Philipa Farley 23:56 That’s a South African reference! Andrea Manning 24:02 Haha, okay, a horse and cart. You know, I love the fact that we’ve got an Alexa in the house. Yes, we’ve turned the camera off, but I love arguing with her. Oh, yeah. And either one like the smart lightbulb. And I like talking to Siri, when I’m driving and arguing with Siri. I love tech, but I also want to be protected by it. And, the GDPR is the best we’ve got at the moment. We need to make it work. There needs to be some more test cases. I’d say my favourite one which I’m following, is the man who wants to leave the Catholic Church and he’s using GDPR. Philipa Farley 24:35 Yeah, I’d like to read the full report. Andrea Manning 24:38 You need to look him up. He is Marty Meany, and his website is goose.ie. And, it’s an ongoing story, but you know, it was sent to me by somebody who can’t stand GDPR and I went: “You see, I’ve got you living and loving GDPR.” Philipa Farley 24:54 Yeah, yeah. Andrea Manning 24:56 And it’s a good test case. We can see where it’s going to go. We can look at the good and the bad. And, it’s a brilliant one because it’s bringing it into the mainstream and is making people think. Philipa Farley 25:06 That’s a very, very personal one. That’s a highly personal one, you know? And, it does, It goes to the extremes of private life, really, that case does. So I I’m really interested to see how far it goes, sort of more so than the, you know, like as an immigrant, I don’t have I can’t keep anything to myself. Like, that’s just how it is. My life is an open book. So, when I see like the PSC card cases, you know, the public services card cases, I’m just like: “Hah, well some of us didn’t have a choice, you know, at all like we had to register for those. When we arrived here, there was literally no choice, like, you have to have it whether you like it or not, you know.” So, for me those cases, I kind of, I sit on the sidelines personally and watch it happening for the legal principle. But, this one with the Church must forget me like that’s, you know, that’s like, going right into the soul of this matter. Andrea Manning 26:09 Well, yesterday, on Twitter, there was a huge debate and all with the, you know, Caroline flack and her suicide. So if you want to be on Twitter, you must give them your passport number, and you must be registered and verified. And, obviously, it came from the heart It came from a really good place, but they didn’t see it from the privacy side. And it was a good debate. It was very respectful, and people were saying: “Hold on a second, will you trust Twitter with your passport number? Does everybody even have a passport number? What about the people that it’s not safe to be visible on social media?” Philipa Farley 26:43 Exactly. That was gonna be my opinion. Exactly. Andrea Manning 26:46 Yeah, but it was a great debate because it brought – you didn’t have to use words GDPR – but it brought GDPR into a conversation that affects everybody, and everybody wants the same outcome, which is, you know, better behaviour online. Philipa Farley 27:02 Yeah. And then I had a listen to Emerald de Leeuw’s TED Talk. Andrea Manning 27:09 Yes, I did too, yeah. Philipa Farley 27:10 Yeah, it’s really good. And I’ve kind of been, and if Ems ever listens to this, this is absolutely not a criticism at all. This is like my introspection on the conclusion: where Ems poses a solution to mismanagement of privacy. Now, we’re sort of digressing off the path GDPR a little bit, but it does relate; the mismanagement of our privacy by the solution is to pay for services. And I kind of listened to that. And I was like, yeah, I pay for YouTube premium and I still get tracked. I know that, I still get profiled. I know that. So like, paying for services, to make it worthwhile for service providers to provide a service is actually it’s not, that doesn’t make them behave better. No, it doesn’t make them behave better. Andrea Manning 28:06 To be honest, the trolls are only feeding off some of the very sort of outspoken public figures and public media. They were just feeding off them, who got loads of money who could be verified, who could pay for a premium service, so it doesn’t solve the problem. I mean, nobody has a solution. But I love the fact that it is bringing GDPR or privacy… Philipa Farley 28:28 It’s getting people talking about it. Andrea Manning 28:30 Yeah. And making people think and making them look at all sides of the argument. And I think, you know, that’s where our duty is: to help that informed debate. Yeah, in simple terms to, you know, try and come up with a solution. Philipa Farley 28:47 Yeah, and you know, what, like, if you do a bit of reading on Systems Theory and complexity and wicked problems, and that, like, there’s a language around what we’re saying, and we possibly need to also all go and dip into that, and be trained in that, because it’s not a solution to the problem, really. And I would say it myself, we need to find a solution to the problem. It’s a problem. It’s a this. It’s not. This is life. This is life, like how we negotiate our way through it is, it’s just a nudge here and an edge there, and we’ll get there. But I think, like really, the short term focus for me, and you can disagree for yourself, is making sure that people stay in business. You know, like that. The bottom line is like, making sure that people stay in business, because without the safeguards that this law, or without respecting safeguards, or without acknowledging, without living the safeguards, that this law is requiring, you’re exposing your business. And, I’m not talking about a 4% fine. I’m talking simply about the non-awareness of the measures that you should have in place over your data, and other people’s data, in your business, over the data you care for. That is going to cost you your business. Andrea Manning 30:00 But you know what I do when I go into companies? It’s so overwhelming, and I just say to them: “Okay, let’s start with, where are you visible? And where are you vulnerable”? So, where are you visible? You’re visible on the website. You’re visible if you’re sending out a newsletter. You’re visible if you’re running a competition. People are can see what you’re doing. And, if you’re not doing it right with regards to GDPR, they can come after you, because they can see it. Where are you vulnerable? Well, you’re vulnerable if you’re using the same password in lots of different places; if you haven’t got a policy for, you know, movers and leavers, and they’re going to run off with your client list. And you know, just break it down. Where are you visible? Where are you vulnerable? There’s a whole bunch of other stuff you need to do, but just begin there. And it’s a really simple strategy. Philipa Farley 30:49 Yeah, it’s a good one, Andrea. I really love that, it’s here on your website as well. I’ve been forgetting to scroll through for the video section. Andrea Manning 30:57 And then I’ve got another one, which is my African roots. Where we have that saying: “How do you eat an elephant?” And, it’s one bite at a time because it’s so overwhelming. Even me, when I started GDPR, I was like: “Oh my god, just take it one bite at a time!” You’re not going to do your GDPR, tick it off, and be fully done. It’s an ongoing thing, maybe five years. If you worked at it every day, and then maybe you could say your GDPR is perfect. Philipa Farley 31:24 Yeah, but in three to five years. Andrea Manning 31:24 It’s ongoing. Philipa Farley 31:26 Yeah, in three years, if you’re absolutely dedicated to it. And, every single time you make a business change – you know, if you decide to introduce a new product or solution, or you going after a new market, you know, a different jurisdiction, you’re exporting whatever – like, as much as people do their tax preparation, they need to do their data protection and preparation for that as well. Okay. Andrea, I am going to ask you here to share a positive story. One positive story, where somebody had a lightbulb moment, and it really made a real difference to them. Your inputs on data protection. Andrea Manning 32:13 Oh my god, I had one, now I can’t remember what it is. You might have to edit this out. Philipa Farley 32:19 That’s fine. Andrea Manning 32:21 The one I have helped, and I have helped a company now who have twice been hit. They were sending out PDF invoices to clients with big fat deposits like $20,000. And, when the invoice was reaching the client, who were a couple in their 70s, they happily paid the deposit into the bank details they put on the invoice. And, nobody, everybody thinks PDFs are unchangeable. And so, I’m sharing this story far and wide. Because, if I can just get everybody to move over to a system where you’re encrypting your emails or encrypting your PDFs, we’ve saved everybody a lot of money. Because the same thing is – and I keep saying to them, don’t don’t be embarrassed – because a Dutch Museum, an Art Gallery, – the same thing happened to them. And, it’s going to court and who’s liable? Then the guy who’s got the painting, he’s not going to give it up. The museum’s paid the money, but they’ve not got the painting for the money. The guy never got the money. He’s never going to give up the painting. It’s a terrible conundrum. And it’s happening more and more and more. Philipa Farley 33:30 Yeah. And it’s very, very simple things like that. That, you know, we can write a checklist and email it out to people, but when you’re standing in front of the group of people and training them and telling them these stories, like, the impact on somebody to hear about that is that the information lasts much longer with them, you know Andrea Manning 33:52 And we put in a simple fix with Mike, with his Rmail. And, he trained everybody and within a week, they were 100% better off. They put in a password manager; they were, I don’t know, I can’t even count the percentage of how much better off they were,because everybody was using simple passwords. Yeah, so do just simple fixes. And, that company now is so much better off. Philipa Farley 34:16 Yeah. And it reduces the risk immensely. And, that’s what we’re aiming to do. Okay, so we’ve spoken about a lot. And we’ve, kind of, discussed the challenges of working in the field and the challenges that business owners face, people and organisations, I can add to the pool of challenges and say that the stress and anxiety on people in larger organisations, you know, that are tasked with data protection, compliance is huge. So, I think what we want people to know and to understand is that there is help out there, and we do want to share our knowledge. We really do. And, we do online; you post stuff, you write articles, you know, we’re doing a series of podcasts. And, we would encourage people to set aside a small amount of time in their week, even once a month, a couple of hours, to sit and just try and absorb a bit of it, and to start planning for their compliance. And, I am going to say to everybody listening, Andrea is one of our Serity support consultants; we only have a small handful. There are three others, besides myself and Andrea would be the first, that signed on with us to do security audits. And, I would really encourage people to phone you for either an audit, or for training, because if you’re not quite ready to commit to a consulting process, training is definitely a great way to start exploring what your responsibilities are. So, please, everybody just engage with Andrea and what, where can they follow you, Andrea? where’s the best place to find you? Andrea Manning 36:08 Well, I’m very active on my favorite place, which is Twitter. Philipa Farley 36:11 Yes. Yeah. Andrea Manning 36:14 My Twitter is @andrea_data, and my website is datainfluence.ie. Yeah, yeah. And honestly, I’m happy to just have a conversation, everything begins with a conversation, and there’s no cost to a conversation. Philipa Farley 36:29 Exactly. And I love your word search. There it is. You’re on LinkedIn as well, but I think you chat more in Twitter. Okay, so if you could give one of your potential clients a piece of advice, Andrea, what would that piece of advice be? Andrea Manning 36:46 I always tell them: do the surprise test. If I buy a new car from you, and you email me a year later and say your car is due for a service, I’m not surprised. If you email me six months later, after buying a car and telling me that you’ve got tyres on special, I’d be like: “Seriously, dude?!” If it doesn’t pass the surprise test, then it fails GDPR – it’s as simple as that. Philipa Farley 37:12 Yeah, that is a good piece of advice and the surprise test, to be technically correct were the product of your legitimate interest assessment, the three step test. So, if you want to go and Google “legitimate interest assessment”, you will see that Andrea has summed it up very, very well, in the surprise test and I love that. Andrea Manning 37:30 And, in plain, simple language. You know, I, I’ve made a commitment that I will stay away from jargon as much as I can, because we have to be we have to be relatable. We have to be understandable. Philipa Farley 37:42 Absolutely. Okay. Is there anything else that you would like to add, Andrea? Andrea Manning 37:49 Um, no, I just think that, Philipa, these podcasts are wonderful, and I think you’re doing a great service and just getting the word out there, and getting more women into the cyber sphere which we need. And, you know, and the reason I set up my business was the whole thing of “be the change you want to see.” And yes, yeah, that was my, my fundamental reason for setting this up. Philipa Farley 38:11 Yeah. And and I’ll add to that, Andrea, and say that, you know, my inbox is always open. And I mean that! I might like schedule you for a week’s time, if I have to, but my inbox is always open to somebody who wants some advice on, you know, where they can fit in, in this space, you know, if they do want to break into cyber work or data protection work. I am always happy, especially girls growing up into the field or women wanting to make a change, or, you know what, even if you’re in the industry and you’re battling, like, please reach out and have a chat, because we all know how difficult and how lonely it can be, sometimes. And you know, there are people, there are support groups, there are shoulders to cry on, and, you know, sounding boards to bounce things off. So, I think that you would be similar, Andrea – I don’t want to offer your time up for nothing. Andrea Manning 39:02 I am the same – it’s that mentorship, that is something practical. Everybody can talk about diversity. But, you know, inclusion is a verb. Yeah, that’s my other one that I keep saying – what are you going to do? We can all say “Oh, you know, we practice diversity.” But, what are you actually doing? Are you offering mentorship? How are you reaching out to people that maybe don’t fit the mould? Who are the square pegs in a round hole? That’s how you make a difference. Philipa Farley 39:28 Yeah. That when when I was chatting on the AIB panel, the network Ireland AIB, Network, Dublin AIB panel there, one of the questions they asked, and I wasn’t asked directly this question, but one of the questions put to us was: How do we encourage more girls to enter the field? You know, because it’s, I suppose, it was a network event that it was it was phrased that way, so we can broaden that and say diversity, and it would also boil down to breaking down the stereotypes. You know, I think the South African stereotype of like “cyber people” was somebody in a hoodie, you know, in a dark room, not, you know, in, like mingling with the outside world at all. So, I think when you’re sort of a bright student in high school and you look at that you kind of go like, you know, I don’t want to be that person. So, whatever stereotypes have been created, we need to break those down, and actually show our faces and go, yeah, like, I’m a mom of two kids, and I have too many dogs. And, you know, we grow potatoes in our backyard, and we live out in the country, but I’m pretty damn good at what I do. Andrea Manning 40:41 But, you know what, that just sums you up. It says you’re resourceful. And there was a thing I read today, the guy who kind of turned Porsche around and he said: “Employ for character, teach for skill.” Philipa Farley 40:52 Exactly. Exactly. And that’s it. So, you know, I think that’s your journey as well, Andrea, is you’ve found a space where you can shine, and we most certainly need to value your unique skills in absolutely simplifying and making this relatable. Like, if I have to say one thing about you, is you absolutely make this whole space relatable to people, and that’s a huge skill and a huge plus. So thank you for bringing that. Andrea Manning 41:21 Well, thank you for bringing me into the fold. Philipa Farley 41:24 No, you did that yourself. You really did that yourself, with a lot of hard work and dedication. Thank you so much for for chatting with with us today, Andrea. It’s been a pleasure. It always is a pleasure to talk to you, and I hope, even though our discussion was somewhat general, there’s there’s some real nuggets inside there. And, there are resources on your website, datainfluence.ie/resources, for people to have a look at their some questionnaires, and a lovely word search and Andrea’s contact details. So, for people not looking on video, you’re listening to the podcast, Andrea’s website again is datainfluence.ie. Go and have a look. And she’s @andrea_data on Twitter. So find her there and have a chat. Andrea Manning 42:07 Thank you so much, Philipa. Philipa Farley 42:12 We hope you enjoyed that episode of The GDPR Series. If you do, please subscribe. Find us on social media. We love to have a chat! The post We’re on a GDPR mission with Andrea Manning appeared first on ProPrivacy Data Compliance Solutions.


3 Apr 2020

Rank #2

Podcast cover

The (Undiscovered) LinkedIn Data Protection and Privacy Champion with Louise Bunyan of SmartFox

Today on The GDPR Series podcast, we have a bit of a different guest. My challenge to digital marketing consultant and LinkedIn trainer, Louise Bunyan of SmartFox, was to join me in discussing data protection even though she kept insisting it wasn’t really in her sphere of influence, so to speak. But I knew from many previous work-related discussions that it most definitely was! We invite you to listen to our chat on the challenges job seekers and employees face in a digital world, curating their identities online via LinkedIn especially while looking for opportunities for growth. As it turns out, Louise is in fact a privacy and data protection champion who has helped more than a few people ‘save face’ on LinkedIn. And as a writer and storyteller, Louise entertains with some great stories throughout our chat! Louise Bunyan is the enthusiastic and very thoughtful lady behind SmartFox, offering digital marketing consultancy and social media training. However, she is perhaps most well known as one of (if not the!) ‘Ireland’s leading LinkedIn experts’, also acquiring the nicknames the LinkedIn Legend and the LinkedIn Queen. Louise offers a wide range of specialised LinkedIn training services from one-on-one online sessions, in-house on-site corporate training on LinkedIn for Sales, regularly speaks at conferences and seminars and delivers talks to students on how to use LinkedIn for jobseeking. And Louise had some very exciting news to share with us – an exclusive announcement of her new venture www.smartfoxtraining.com which is her just-launched automated online training courses that will teach you how to become a smarter LinkedIn jobseeker with easy and expert step-by-step videos and tasks. A message from Louise: I’ve created a 50% discount code for everyone across both courses. People just have to go to https://www.smartfoxtraining.com/buy-linkedin-jobseeker-course, select their course, and enter the coupon code ‘upskillme‘ in the ‘coupon code’ box at the end and click redeem. At the moment, there is no expiry date but I think I might let it run until the end of April or see what happens. Thanks, Louise! If you could do with some savvy LinkedIn advice or need to boost your profile because you’re jobseeking, contact Louise through her site or find her on LinkedIn! It takes a smart fox to know a smart fox. Contact on Site: https://www.smartfox.ie/contact.html Louise on LinkedIn: https://www.linkedin.com/in/louisebunyan/ Online Training: https://www.smartfoxtraining.com/ Transcription: Philipa Farley:  Hi, and welcome to our podcast called the GDPR Series, where we discuss data protection, privacy and cyber security matters that ordinary people in everyday businesses face. We have a series of really interesting and lovely guests, and we hope you enjoy listening.  Thank you, Louise, so much for joining us. Louise is from SmartFox. We’re going to have a short chat about GDPR in the context of a real business, okay? Not from the perspective of, you know, the GDPR consultants that you would have seen kind of in other videos or GDPR service providers. Louise is a fantastic personality in Cork and online. Louise is very involved in Network Cork, besides promoting her own services, LinkedIn services online. And, I’d just like to say personally Louise, like, I love following you because you do offer tips and advice to people. And, it’s just like these lovely tidbits that you can get from your feed, that are so helpful. So thank you for that. I’ll hand it over to you to introduce yourself there, while I share the screen with your site up. Louise Bunyan:  Yeah, no problem. So hi, everyone, and thanks, Philipa, for that lovely introduction. So my name is Louise Bunyan, and I’m a freelance digital marketing consultant, and also a social media trainer. But, I suppose, I would be most well known for being a LinkedIn specialist. So a few different elements to LinkedIn. So the first one is, I go in-house into companies and I train up sales teams and business development teams, and how to use LinkedIn as a sales tool. But also we look at, like, the personal profiles, we look at company pages, and I kind of cover the entire A to Z. And then the other element then, is I work with job seekers and job changers and I help to, kind of like, overhaul their LinkedIn profiles. To build that and, you know, personal brand. But also, if they’re full time employed and they’re thinking about changing jobs, you know how we kind of keep things under the radar a little bit, like changes that we’re making on our profiles, but also that whole job section on LinkedIn. And, you know, how to really kind of manipulate all the free elements. And then a new part of the business that I started quietly kind of piloting last year late last year is online: one to one training, which is absolutely fantastic, and I love it. So, I work with entrepreneurs, sales, people, like online one to one. But then I also work with again, the job seekers job changers, and they love it, because it’s confidential, courtesy of their own home, they don’t need to drive and they get me for an hour, like one to one. And then – very exciting – which I’m going to be piloting shortly. And, I’m kind of working with the beta group, which is my online course. So I’m starting with LinkedIn for job seekers. So with everything that I would do kind of in a workshop, and but split into short videos, and so again, no matter where you are in the world, you can watch these videos, everything I do anyway, in workshops. And, you can, kind of, learn at your own pace at your own time. So I’m really excited about that. You know, it is a big project, but it has been in the pipeline known for a long time. So we’re kind of… Philipa Farley:  Yeah, but it’s quality, real quality, you know, it’s not just a rush job. And it’s not just a fast money making scheme. Like, I think I’ve said to you a couple of times before, this notion of passive income is a bit of a myth because, like, the absolute immense amount of work that goes into putting something like this together in an excellent way. You know, people don’t see that side of it. Louise Bunyan:  Yeah, you know that. Philipa Farley:  Yeah, my keyboard, my keyboard, is ruined forever, from typing out audit questions and answers now. Yeah, I want to say one thing before I go back to the privacy side of things. And that is to say, like, most people would know that we came from South Africa, and there are people sort of coming over in a regular stream, you know, and moving around the world, because that’s life today. You know, people come and go in different places. And I would say that, you know, with somebody like you, you have the local expertise and the local knowledge. And, where LinkedIn is a global platform, I think one aspect that you bring to services when you work one on one with people, is that localisation of their profiles to meet the expectations of the people receiving the information. I know that’s a roundabout way of saying something probably quite simple, but when, you know, when you move to a different country, you don’t really know what the business culture is. So, you really bring that as value to the table, you know, understanding the business culture, and understanding the terminology that people would want to see or hear. You know, and I think that’s a very valuable part of what you do. So, this course online is just a really amazing resource for people who are coming into Ireland. Louise Bunyan:  Ah, thank you. Do you know? It’s funny. I remember in one of my workshops – it was like just an open workshop – that I ran, with like 10 people from all different types of businesses and there was a guy he was the Sales Director. And he was English, but they had been living here for about maybe two years. And in the training, I was saying that like, yes, LinkedIn is amazing, but you also have to get out there, you have to shake hands, you have to network And then, in Ireland, you just don’t know who knows who and like I’ve had brothers referring their sisters, onto me. And, this guy, he just kind of started laughing. And he said, Yeah, and he goes, I was trying to get into this company for about like, six, seven months. And he said, my little kid, go to GA training, and he was at one of the training sessions, and he just got talking to one of the other dads. And he Yeah, they just had a chat and he said, What to do yourself because I’m the Sales Director for this company. ” And this guy kind of worked in  a similar industry, and the Sales Director said: “Yeah, look, I’m trying to get, like, a contact. I’m trying to get an introduction to like ABCD limited.” The other guy started laughing, and said, “Yeah, look, leave it with me. I know somebody who knows somebody”. And then, the next thing, he got a message the next week going: Here’s the name here’s the phone number, he will give you like 15 minutes. Yeah, and this English Sales Director is saying like, Ireland is a very different landscape to the UK. Philipa Farley:  Yeah. And personally, you’ve had an impact on me, Louise, in that regard. And I’m quite happy to say it, because my comfort zone is sort of behind the screen.Yeah, it’s very uncomfortable for me to go out and actually make that effort. That’s not the problem. It’s to go into a group of people and say, “Hey, this is me, this is what I do.” Because I’m so used to listening to people, especially in my work, that I forget that it’s so important to get out and tell people what I do, because it can help them. Exactly like what you’re doing now. You know, we need to get that message out and say this, and this is what I do, I can make your life easier. I can enrich it, and I can make it far better. Louise Bunyan:  Yeah, yeah. Yeah, especially with the line of work you do, which we know we’ll get on to shortly but, it’s invaluable. And it’s, in essence, that you’re an expert in what you do, and it’s a necessary service and like the peace of mind that you give that, you know, we’re going to do things properly. Like when it comes to data like you can, you know, you can read old stuff online and think you have an idea. But there’s a huge gap. There’s a huge difference there. Philipa Farley:  Yeah, same, same same on your side. So getting right back into that you were talking about one point specifically before I get to the question. And this is so, it’s so important, because it’s so real. Now, when I asked you, if we could make the video, I said to you, I think that there’s a disconnect with the language that I use online. It’s very technical, where people are not quite connecting with the message that needs to go out. So, thank you very much for helping me get that message out. Because, you actually just have done a huge part of it, and you haven’t realised. You said when you started, you said you help people fix up their profiles for job seeking purposes in a way that is kind of under the radar. And we all know somebody, quite a few people who have just like, kind of, blundered their way through this. Yeah. And it’s been so damaging to their career. And it could have been very delicately handled. And so that, getting back to my technical side, we would say employees and job seekers are a vulnerable group of data subjects. Louise Bunyan:  Okay. Philipa Farley:  And immediately, here, in this example, we can see exactly why they are vulnerable. They’re considered to be a vulnerable group of data subjects, because their entire life, their private lives, their home life, their family, everything gets affected if they make one mistake, or something comes out publicly that shouldn’t come out. And, you know, it has a huge impact on their life. So, when we’re doing our data protection work, like CV-related stuff, you know, and job yeah, application processes, you know, HR in general, we’re acutely aware of, you know, the separation between public and private space. And, what should come into the workplace, what shouldn’t, you know, when someone is going through something personal – how is it handled in the workplace? Where’s the confidentiality? You know, all of that kind of thing. So, you know, you’re saying, you’re using a technical platform, LinkedIn, somebody is using that to, to get ahead, get and go to the next place, change their career, do whatever. Yeah, it’s their thing. Yeah. You know, and you’re saying, you’re helping them keep the confidentiality there. You know, can you just maybe speak on that for a short while, okay? Louise Bunyan:  No problem. And so, you know, before I train anybody, like before I go into a company, or before we’re going one on one. Like, there’s this very comprehensive form, that somebody has to fill out. And, I always ask them, like the top three things you want to get out of this. And it’s really interesting when I go in-house, because what I find is, kind of like, the more Senior you go, the more like responsibility, and the more senior you are, I seem to find that people – those types of people – they might be on Facebook or they might not they, they’re not really that keen on Facebook. They’re definitely not on Twitter. And they think that they’d just get trolled, and that their lives would just be over if they go on Twitter. And they use WhatsApp, and they might be on Instagram, depending, but then LinkedIn is the big exception. Because they know that they need to be on LinkedIn, because you know, it’s the professional platform, but yet, they’re bringing that social media fear, basically, they’re bringing the Twitter fear onto LinkedIn. And so, I suppose, you know, I ask them like the top three things that they want to get out of us. A lot of the time, Philipa, it’s just confidence. You know, it’s just a very broad general statement going “I want to know the do’s and the don’ts” which I have a bit of an issue with – I don’t think LinkedIn is black and white, and I don’t want to put fear into anybody going: “Do this, don’t do this.” But also, it’s very, very general statements, like, and yeah: “I just want to feel more confident using the platform.” So that brings me then into the actual training. And one of the very first things that I do, and I’ve learned, the hard way to do this, very first is privacy settings. And so we go into the privacy settings and I show them how to turn off the share network changes. So you know, if you change your job title, or if you add a new job title, we turn that off, because if, when you’re messing around with your job title, we don’t want that hearing on LinkedIn feed. It does that automatic “Congratulations!” Philipa Farley:  Oh, wow. Yeah. It’s a huge task. Louise Bunyan:  Yeah, exactly, however, imagine, you do get a harder and an internal promotion, or you do change jobs. You know, you pass your probation and you’re very happy there, then I show them how to use it, almost like a press release, or a broadcast. But, the difference there is that they’re in control. And, they know the technical implications of what’s going to happen, if we flick the button over to on, we make a job change, and we hit these. And some of them, you know, they do follow up or, some of them may have gotten a new job title in the past six months, a hard earned promotion. And they say, you know what, now I’m going to go in there and I’m going to make my changes, I’m going to turn on that button and turn my whole network like practically, and I go “Fair play, fair enough.” Then there’s other elements and you know, like you have a public profile on LinkedIn? Philipa Farley:  Yes, yeah. Louise Bunyan:  So you have your full profile. But if I find you on Google, it’s kind of like a privacy kind of wall, so you can open that up as much as you want, or you can lock down as much as you want. And actually, that’s quite interesting because a lot of people may not have their photograph on that. But a lot of salespeople, the business development team, are like, “Oh my god, I didn’t realise that, like, if you land on my profile and we’re not connected, you can’t see my picture.” So again, I leave that totally up to them, I just say, “It’s up to you. It’s your internal temperature.” You know, and I don’t make anybody put stuff out there that they don’t want to do. And so, I suppose, that that’s very important to basically just setting that tone at the start and just saying: this is how you control your profile; this is how you open it up and, this is how you close it down as much as you want. Philipa Farley:  But you just said something there, Louise, again, and I’ll say it again, you said about realising that you’re speaking the same language as me. You said, it’s up to your internal temperature. What do you want to show people? And I absolutely respect how privacy runs like, as a thread, through your business. And, you’re showing them how to protect their data.  So like, the privacy and data protection people would have this sort of constant conflict of privacy versus data protection. Where does one end? Where does one begin? Some people say it’s cut and dried, black and white, privacy’s this side, data protections that side. But, you know, in this example here, it’s a beautiful example of they are private people, they want to protect their privacy. So, the data protection tools are there to help them protect it. Yeah. Louise Bunyan:  And then, you might have like some salespeople, some business development people, you know, very, like big outgoing personalities, and they’re like, yeah, you know, give them everything. Yeah, no problem. Philipa Farley:  And there again, Louise, with that kind of person, would their LinkedIn profile reflect them in their private life? Or most of the time? Yeah, that’s interesting, because I would know a lot of people in my space that have a public persona, you know, I’m not saying like, sort of, like crazy, or schizo, or whatever. I know, you know, they have their public professional persona, and then their private life is very different. You know, they create this digital sort of TV kind of almost personality. Yeah. Louise Bunyan:  Yeah. A digital persona, because you’re like the show person. But then, perhaps on Facebook, you know, you’re a lot more, you might just put photos of your dog photos of your guy, and you’re probably a lot more reserved. Because you’re just so exhausted probably from maintaining your online persona. Philipa Farley:  Yeah, yeah. And you’re right. It does get exhausting, doesn’t it? Louise Bunyan:  It does, lately. Philipa Farley:  Yeah. And that’s like the whole point of sort of privacy by design, and that. That should be the default. Louise Bunyan:  Yes. Philipa Farley:  And then, you know, you open up what you need. Okay. I sent you over some questions. And we won’t take too much of your time up, because I know it’s so valuable. Thank you. And we’ll just go through them, sort of as briefly as we can, get to the covering of the substance. So the first one is, where did you first come to grips with data protection and the GDPR? And that’s not like sort of only professionally, is like, where did it sink into you that actually this is here to stay, or this matters, or how did it impact you? Louise Bunyan:  So well, I suppose, I used to work in a global online marketing team before, a recruitment agency, a multinational recruitment agency. And, I mean, you can just imagine the volume on CVs coming in. And our data team was excellent. I suppose it began; my conversations began to kind of filter down throughout the business and words like, you know, “explicit consent” you know, “implicit consent” and all this. And because, I would have been working on like websites, so I suppose, we always had to kind of overlap with the data team. So they would come up with like, wording, and we would like, implement this, and you know, their custom designs like, you know, the privacy policy, you know, a huge amount of work went into that. So, suppose that was the start of this and then, before the GDPR came into being, I remember going to one or two, kind of, workshops – Cork Chamber had an excellent like half day one in the Maryborough Hotel, and a few representatives from the Data Protection Commissioner’s office. Yeah. And they came down. But there was also a little mini workshop for marketers. So like, there were many workshops in different industries. And I just remember, it was only – it was supposed to be like a 25 minute workshop – but it actually just got so many questions. And I just remember her saying over and over again that like marketing people were saying, like, my data, like my lists, my email is my data. She was like, yeah, and she was like: “Guys, it’s not your data. It’s my name. It’s my phone number, my email address and it actually doesn’t belong to you. It’s mine.” And that, that kind of really resonated with me. And I just thought, actually, yeah, you know, when you come out of that marketing space, and when somebody actually says it, and you don’t own this, and like you’re given it, but it’s not yours. Philipa Farley:  You’re the guardian of it. Louise Bunyan:  Yes, yes, a custodian. Yes. And so that was the start of it. And then I suppose, I see, I don’t. I don’t have my own email list, you know, and I kind of purposely didn’t didn’t start doing that, because I felt the responsibility was huge, just because I’m a one woman show. And so, I kind of went into the background a bit. And, maybe that little bit naive on my behalf, just because, you know, I didn’t have an email list and I wasn’t kind of, you know, actively going after gathering people’s data. And that was all fine. That was all grand. And then, when I started looking at kind of launching the online part, and then and then when I started moving into that space of… Philipa Farley:  You need to sell something. Louise Bunyan:  Yes, but also getting the word out, you know, people yeah, and actually creating a kind, you know, on this online platform. You know, the credit card details of the people were being handled by a company in Australia, but like, I am going to have a database of users. And then, that’s when I obviously I came to you at that stage and I was like, you know, look, this is unknown territory, and I want to do it properly and I want to do right, and, you know, how do we go about doing this? So I suppose, kind of like my data GDPR journey as a business owner, but as just a regular website user, you know, I, I reject all the cookies. You know, when I go into the website and the box pops up, and it says, accept all I’ll go like see the vendor list, and I reject. Or if I don’t know if you’ve ever noticed it, but one or two sites have after I hit reject, or one or two sites will pop off a little box going: “Oh, we really rely on these cookies for advertising.” And, you know, change your preference here. And I’m just like, no tough love. You know, I don’t think me rejecting your cookies is going to implement your advertising revenue. And but I’m just a bit of a diva that way, anyway. Philipa Farley:  No, Louise, you’re not. You’re like that on your own head because, absolutely not at all should you be doing that. If you follow the data protection conversations and you read the current literature out there, it’s dark patterns, you know. If you’re bored of a day and you want to just go and have a look, look up dark patterns, in the way things are written. So you know, when we even look at the cookie banners that we’re putting up, the teeny tiny ones at the bottom, you know, it shouldn’t say like, “Oh, we use cookies to enhance your experience on the site.” Like if we’re saying we use cookies to enhance your experience – how exactly are we enhancing your personal experience on the website? You know, does the cookie help the websites sort of, I don’t know, get brighter, darker? Louise Bunyan:  Could I have it in green? You know, my favourite colour is green. Philipa Farley:  Yes, exactly. It should be absolutely factual: these are the cookies. This is what they do. Accept them. Don’t accept them. Not even a compulsion to accept them, a slight compulsion to accept them. Louise Bunyan:  I wouldn’t say it’s terrifying, but it is. It can be a little bit overwhelming, when you see the entire list of vendors, you know, and they’re listed alphabetically and you’re scrolling down and… Philipa Farley:  And it’s just like insanity. Insanity. Louise Bunyan:  What do all these companies do, and how can there be so many of them? Philipa Farley:  So yeah, go look up and see what the Brave Browser is doing. It’s like this fight against ad tech, because there’s this massive machine. Basically, and this is really not me with my tinfoil hat on, this fact like. You know, massive machine of like data sucking that’s creating profiles and all of us and you know, at the end of the day, we’re being influenced in ways that we shouldn’t be online, it’s that simple. So, you know, by rejecting all the cookies, going back to your original statement, rejecting all the cookies, you’re saying, “No, I will not participate in this.” But Louise, you know, what’s scary is like, when you reject all, a lot of the technology that’s implemented, does not in fact, do what it should do. So the keys are still dropping on your computer, and people think that they’re not because they’ve got the solution that they just chucked down there. Louise Bunyan:  Yeah, you know, at the back of my mind, I’m going” “I’m hitting reject.” there, but, like there’s obviously something somewhere I probably need to know. And, you know, how some of them are opt-out, and you have to go to their website and you have to update and… Philipa Farley:  Yeah, so that’s that’s not good default behaviour. Yeah. But yeah, that actually answers the second question I was going to ask you: the impact on you personally. So, thank you, you have this fantastic understanding of your own privacy and how to look after it, you know, and it’s a great message to get out to people because, you know, in your own life, you understand the impact and you’re, you’re living it, you’re carrying it through to your professional life, which only benefits the people, you know, who come to you as clients, because you have the understanding, which is fantastic. Yeah. Okay, so number three: where have you seen the opportunities for your own business in the context of the GDPR? You know, you’ve touched briefly on this when you discuss the course design and looking at the data that you’re going to collect. So, you know, it might be an opportunity or it might just be a consideration as part of your business, you know, so just a short point on that? Louise Bunyan:  Yes, well I suppose, you know, some of like, you know, my core values and like, when I was setting up SmartFox and the core values there would have been, you know, reliable, and, you know, knowledgeable, you know, kind of on the cutting edge, like, you know, quite innovative. And, but I also think, you know, treating people’s data, like, you know, with respect, and that for me, I suppose it’s just, it’s just a ground rule, that I would have. And I guess, you know, if I have somebody who’s a job seeker, and perhaps, you know, they’ve been out of work for many months, as I was, three years ago, or, you know, if they’re thinking about changing jobs, and you know, kind of quietly, basically, they’re not happy where they are, like, if they’re going to be parting with money. And, for me, I suppose that that contract kind of goes beyond that and…and yeah. Like, you know, I put together the best course that I can for them. And now, it’s not just with the online videos, with the content, it’s the whole service offering, like the whole package. Philipa Farley:  It’s absolutely the right thing to do, yeah. Louise Bunyan:  But there is a responsibility, as well, you know, you do have a weight of responsibility. And I just want to make sure that that all goes well. So, I suppose, I’m hoping that if I can show, like through all the steps and through all the elements of the business, and that I am, like, like everything is being done properly, like from all elements and like top to bottom. That, in turn, will instill trust in me and trust in my brand as well. Philipa Farley:  Yeah. And I’m just going to say like I did not influence what you said in any way here. That’s you. The reason why I’m saying that is because that’s absolutely the message we’re trying to get out to people. And I’m so happy that you said it that way, because a lot of people would go: “Oh, I’m only going to do it like, sort of if there’s a risk of a fine or enforcement or a complaint…” And we just really, we really don’t want people to live that way, because that’s no way to sort of live in your professional life. Like, this is something that enhances your service offering and really does absolutely, 100%, you’re correct, build trust, you know, it does build trust. Louise Bunyan:  It’s just your brand. You know, as a marketer, your brand doesn’t start and stop with just the service that you offer, the brand and like, the transparency behind the scene. Yeah, as well. And that’s something that I see when I go in and out of companies and the first question I always get asked is: Content, you know – What’s the best time to put up content? What’s the best type of content? Whereas I’d be looking at them going, you know, you have a great team here, like, you’ve a great culture here, why not try and get that across – that’s part of your brand as well. But also, you know, when you would adhere to best practice across everything, across all elements of your business. And I think that’s a marker, you know. It can be a kind of trust building marker, but it’s hard work. I mean, like I couldn’t I could have just launched my videos there like months ago and, but instead you know I want to get this right and you know, we were talking about revenue and VAT. And VAT is like a minefield in itself. So I’m working on a tax specialist on that. So you know, maybe that’s just me, like do it and do it well, and do it to the best of your ability. Philipa Farley:  But, you’re building the correct foundation and framework to hang on to. So, you know, you’re cleaning up later you know, you’re starting right which is fantastic. Louise Bunyan:  Of course there is the threshold like a fine or a complaint. Philipa Farley:  But that’s not your motivation. That’s the motivation. Louise Bunyan:  That’s the motivation. That’s what I’m trying to avoid. Yeah, across everything. You know with revenue, with data, but if I go to the right people and follow the right steps, then, you know, that will protect me then further or further down the line or, you know, hopefully I won’t even get into the situation because I’ve done everything right at the start. Philipa Farley:  Yeah. I have another client that I’ve worked with for two to three years now. You know, ongoing maturing their compliance, and they would be exactly what you’re saying there. They would be getting awards for sustainability, you know, their, their compliance to modern slavery legislation. Yeah, yeah, you know, that’s how you drive but you know what I mean? Like, like everything they would go for the industry standard awards, that are recognised and there’s space for all of these things, you know, particularly sustainability now. I think it is the focus there. But you know, you’re absolutely right. When you say when you’re in that mindset and you’re showing that you’re in it for the long haul, and you’re going to do it right. It’s a huge plus for your business. Okay, so number four, we’ve spoken about a little bit as well, is: Where have you seen the opportunities for your clients in terms of you being compliant with the law? GDPR and data protection law? Louise Bunyan:  Yeah, and, again, you know, consigned to the trust part, as well, and ,I suppose, and you know, they’re very they’re, they’re quite closely linked, and people feeling – some people’s feelings towards LinkedIn. You know, how much information do I give away and connect, you know, who do I connect with? So there is a theme there is a pattern there of like, I suppose being public and being visible on a social media platform, and you layer the whole it’s tied to your job, you know, tied to your professional career and as a lot of fear there and like doing something wrong and, the irony is nobody has ever really asked me about what LinkedIn doing, you know, with all the information. And, they’re just more concerned about not, was not making an eejit out of themselves, like on LinkedIn building something wrong. So, I suppose, you know, when you map back on them to GDPR or like, as a customer as an individual, and like there are kind of similar themes, But, to be honest, like when I’m trading the whole data, like I’m the one who’s kind of saying LinkedIn now has that data. So you know, LinkedIn has your profile. So when it’s showing you jobs, it’s working off of your, your profile, and I’m the one actually in training who’s kind of pointing it out. Philipa Farley:  For them to be aware of it. Louise Bunyan:  Yeah, yeah. And it plugs in with them, like Microsoft, as well. And, and there is… Philipa Farley:  Yeah, it connects with Outlook, and your like, Word. You can pull information into the other applications for you. Louise Bunyan:  Yeah. And there’s a CV builder too, like in the software. That’s actually one of the privacy settings, when you get to the privacy part – I think it’s under account? It’s under “job seeking preferences”, like third party and like third party applications, and stuff and I was looking up dash and from what I can see yes, I look and it’s Microsoft Word as well. So again, I’m you know, I’m not an expert, like, by any means in that area. But in case I ever get asked, like, you know, I do need to know and, but yeah, though it can like me pointing a little things going, I have to show you this, because it has. Philipa Farley:  Yeah, all of this. It’s raising awareness in the public, Louise, because I just had a discussion there, this morning about the use of WhatsApp in the work context. It was quite a convoluted discussion, but, part of it was: when you’re doing your legitimate interest assessment, like if you’re processing on legitimate interest, how do you justify the use of WhatsApp? And one of the pointers in a legitimate interest assessment would be for the data subject, would they consider your data processing to be a reasonable use of their data? Or, what are you doing? Is that reasonable? So what I was trying to say is, like, if you look at the current landscape in front of us, people are quite happy to conduct business on Facebook. They’re all over LinkedIn, they’re on Twitter, they’re everywhere. So, if I say to a data subject, you know, I’ve got you on a LinkedIn list. They’re not going to be surprised by that. You know, where the person I was chatting to was like, but there’s such huge privacy concerns and x, y and z… And I was like, yes, I know that. I know that. But what I’m saying is the criteria is: would the data subject be surprised? And, they wouldn’t because like, they don’t know a lot of the time, you know. Louise Bunyan:  Actually, I can fill you in like, I know, I’m talking to one or two recruiters when they’re dealing with and I hate this term millennials, but when they’re, let’s say dealing with like under 30s, they won’t they won’t answer their phones. They’d be ringing them and they won’t answer their phones. Whereas now they messaged them on WhatsApp and they’ll actually reply, like the candidates, you know, the client. So if the client actually engages, prefers to engage with you on WhatsApp, and it allows you to kind of carry out your business… Philipa Farley:  Yes, that’s their preference. That’s exactly what I was saying. Louise Bunyan:  It’s their preference to use it, and so therefore you meet them there. However, like if I was asked professionally, what do we do? I would say “Guys, there’s WhatsApp for business where you get the correct contract, you have the correct controls over the conversations so register the recruitment business for WhatsApp for business and use that, if that’s what they prefer.” You know, actually, can I ask you about a, like, conspiracy theory that I have? You know certain radio stations will say “WhatsApp Us” so like they you know if I’m like entering competitions or like commenting on something. In the back of my mind, in my marketing brain I’m always like, are they just building up profiles of who’s messaging the station you know demographics, who’s entering, like she’s female, she’s this age, she’s entering this competition? Philipa Farley:  And then that’s that’s the whole actual thing. I say, go check it out. Say, let’s use me as an example: I have two children. Okay, two young ones. They want to go to Disney whatever, you know, whenever they see Disney on the TV, they’re like “Enter the competition, Mom” And I’m like “No, I’m not wasting my money.” You know, “Enter the competition, Dad!” And dad invariably lands up like you know sending a text or WhatsApp. So there is a profile being built: there’s a family of four, you know, who wants to go on holiday to Disney. What starts appearing in the feeds a week down the line, Louise? Holiday specials to Disney, wherever, you know. So yes, it does absolutely like, it’s not even a conspiracy. It’s just a fact now. Yes, it does. But that would depend on, like you say specifically your radio station, storing the data or allowing access to their data. And, having said that, I’ll go back to the WhatsApp points and say, Whatsapp is owned by Facebook. And if you go and read like the Ts and Cs, you’ll see that there is like some obfuscation on the point of is there data sharing going on? And we can show you see, we should assume that WhatsApp is sharing data with Facebook in that regard. Louise Bunyan:  Oh, absolutely. I remember, last Christmas, I was watching one of the Harry Potter movies, and I was WhatsApping a friend. And there was and yeah, like three Harry Potter films, I don’t you know like another two more to go, or four, or whatever. And honest to god, like I have never mentioned the words “Harry Potter” ever. The next day, I opened up Facebook and there was a post at the very top, going: Who is, if you were a Harry Potter character, which is your character? And yeah, I remember staring at it going, god almighty, like, this is not a coincidence. Philipa Farley:  Yeah, yeah, yeah. Yeah, yeah. No. Yeah. Yeah. Moving on from this. So, I am going to ask you to share a small positive story in terms of data protection, like, where you’ve managed to help somebody like, you know, you’ve spoken repeatedly about privacy settings, and that. Do you have one that you would like to share? Louise Bunyan:  Yeah, yeah, like I have one, one or two. But I think that, that whole turning off this “share with the network”, that can be a bit of a game changer for people as well, because a lot of them just don’t know that this exists. But also, like with LinkedIn, LinkedIn is a funny one, right? Because we use it for work. But, it depends on what email address you have as your primary email address. So you know, you can have like 2, 3, 4 or 5 email addresses and you can log in with any of them. But only one email address can be your primary email address, which means all the communications, all the emails, that go to the address. So I always kind of mention it, if I’m in-house, I kind of have to word it in a certain way, if the boss is in the room. But, and so a few times people have, kind of said in the past, that they might have their work email address on their LinkedIn profile, which is fine. But then, if you’re applying for a job through LinkedIn, it sends the confirmation to the primary email address. So, that can be coming like into your work email, it can be saying “Louise, thanks for your application.”  So, when I’m dealing with job seekers, you know, or job changers, and quite often they’re high level executives who just want to kind of change roles. That’s one of the first things that we will cover, would be looking at that email address. And you can put it in your personal one as well. You can change it to be your primary email address. So, I think that’s kind of saved a few blushes for certain people. And then this is another story and a high level executive who is just kind of setting up their own consultancy at the moment, and their email address on their LinkedIn account so they’ve had 7 to 800 connections on that. That was their old job basically but 2 years ago, and they couldn’t get into that account and they couldn’t understand why, and they kept hitting the password reset button but they didn’t realise that it was like the old two jobs ago email address. So they created a second profile, so they had two profiles, and they had about four connections on the new one. So, and I was kind of looking, we were trying to kind of, like, get into it. And then I said, you know, on the app, I was like, well, is your phone number still the same as the job two years ago? And he said: “Yeah, yeah, always been that number.” So, we put in the phone number. And then, we had to text a code, you know, to get in, and then all of a sudden, he was in the account, that he’d been locked out for two years. So, we had to add, you know, the new email address, the personal Gmail email address. And the signed up email address was two jobs ago. And literally there was silence. It was an online call and was silent for like five seconds, going “oh my god.” Philipa Farley:  He just can’t believe it. Louise Bunyan:  Again, this I’ve been trying to get into this account, like for two years and it was actually weighing enormously like on them, that they had 700 connections and this is there. Philipa Farley:  Yeah, but wow, Louise, think about the value in those 700 connections like what that’s worth. Louise Bunyan:  But also, like, their career history. Yeah. And you know, they weren’t happy with it and the dates are wrong and, and I just got it in that moment. And I was like, that’s your, yeah, that’s all your data, that’s your personal, that’s your professional work persona, and you don’t, you don’t have access to it. Now, before this whole phone number thing we did look at and you know, LinkedIn, to be fair, the help section is very good. It’s very comprehensive. There is a part where you can go where you can say, all, you don’t know my password, I don’t know what email address, and you have to verify your identity and all the rest of it. Yeah, like, thank god, they have that. And I’m sure that you know, every day they get messages and people going, I can’t get access to my account, you know, it’s my old email address, blah, blah, blah. But thank god, and the phone number was still the same, and the phone number was connected, and just the relief! Like the app, the sheer relief! We deleted the new account with like four connections. And then, to be fair, over a couple of days, this client did ‘trojan’ work on their profile, like it’s kind of an A+ profile now. He was just delighted, like, beyond delighted to finally, and be able to get access to all his entire professional and employment history. Philipa Farley:  Yeah, that’s actually like, it’s giving me goosebumps. No seriously because like, you know, I kind of lose touch with that, that side of humanity a bit. Like, I’ve been my own boss for so long I’m in total control of my entire life like. Just your stories of, and I wouldn’t even think about it,like emails going into a corporate inbox where I see this side of it, Louise, people have set up filters and keyword triggers and dah dah dah dah dah dah. So yeah, yeah. Yeah. You know, and this is where we go in, and say, listen in transparency, the employees have a reasonable expectation of privacy. If you’re doing that you have to declare it, they have to know about it, you know, and all these discussions are happening behind the scenes. Like say you’re a key employee in a business, your company could have set up trigger keywords to be alerted to the fact that you might be job seeking. Most organisations like to use that, for IP and security reasons, you know that you’re not emailing stuff out, okay? Like, legitimately, but people do use it for other reasons. So it’s frightening to think that people don’t know that they should have that other email address. I’m also the kind of person that turns off notifications of anything. So only if I’m personally mentioned in a post I get an email about it. Louise Bunyan:  Yeah, okay. Yeah, that whole job seeking. The job seeking on LinkedIn, you know, with the icon at the gentleman, and briefcase. In the online course that I put together, I have a whole section on job seeking preferences, because they’re so important. Like, really, really important, and especially if you are in full time employment, and you are kind of doing it quietly, and you just need to know. Philipa Farley:  Yeah, absolutely. And really like, can you see now what I was saying to you? You do all of these things that are so amazing for data protection, but you don’t know that you’re doing them because you’re in your language and I’m speaking in my language. And, you have such a depth of knowledge about it and how to help people. And I think it’s just wonderful. So thank you so much. Louise Bunyan:  Thank you so much, Philipa. Thanks for your time. Philipa Farley:  Okay, I’m going to stop the recording. Okay. Just one second here. Is there anything you want to tell people to get in touch with you, how to find you? What’s the best way to find you? Louise Bunyan:  Okay, so if you want to get in touch with me, I suppose the easiest thing to do is you can either find me on LinkedIn, So it’s Louise Bunyan,  and the company is Smartfox. So my website is www.smart fox.ie. I’ve written a couple of blogs, like three things you should do on LinkedIn, even if you’re not looking for a new job, you know, three more things you should do on LinkedIn, and so on and so forth. So like, if you are, unfortunately let’s say you have been made redundant suddenly or you know, you’re not currently working, like there’s all that free information there to help anybody. And if you’re on Twitter, and personally, I’m @louloubunyan or the company one is @smartfoxdigital, as well. Philipa Farley:  Well, that’s fantastic. I gotta go find you there. Thanks, Louise. Louise Bunyan:  Okay, thanks for doing Bye. Thanks, Philipa. Philipa Farley:  We hope you enjoyed that episode of The GDPR series. If you do, please subscribe. Find us on social media. We’d love to have a chat! The post The (Undiscovered) LinkedIn Data Protection and Privacy Champion with Louise Bunyan of SmartFox appeared first on ProPrivacy Data Compliance Solutions.


20 Mar 2020

Rank #3

Podcast cover

GDPR Management Strategies with Claude Saulnier (in his lovely French accent) of Bizoneo

We all have days where we feel truly overwhelmed with our GDPR compliance obligations.  We’ve said before, eat the elephant one bite at a time, but how do you decide where to start?  Today on The GDPR Series podcast, our focus is an application (and the creator) that guides you through a logical way to manage your GDPR compliance obligations, and yes, it’s mostly about you, smaller businesses.  Listen up for some nuggets that will save you a lot of time and effort, especially when dealing with pressurised and complex data access requests! Our guest today is Claude Saulnier, the man behind Bizoneo.  Claude shares his journey into data protection and the creation of Bizoneo, which highlights his unique approach to inventory as the start of risk and data management.  In the context of a client facing malicious emails sent out of their system, we discuss the absolute necessity of ensuring the applications you use provide you with the information you need in the form of logs and audit trails when you’re dealing with such incidences and data breaches, especially when you need to report back to your supervisory authorities. If you have the pleasure of getting to know Claude, you’ll become well-acquainted with his unquestionable logic, quick wit, incessant appetite for new information and learning, and his interrogation of typical ‘GAFA’ practices, which, of course we fully support.  We can only admire Claude’s deep ethical and personal sense of responsibility toward data protection (and privacy) issues that we’re faced with today in business and personally.  Claude’s wisdom includes: prevention is better than cure, input the data once and use it many times in different contexts, and consider the actual cost in time, money and efficiency when you’re using your collection of ‘free’ applications. If your interest is piqued after listening, please contact us at ProPrivacy for a demo of Bizoneo as you can only benefit from the input of Claude’s complex and layered understanding of integrated systems and data management in the context of data protection. Learn more about Bizoneo Data Protection & Compliance: https://www.bizoneo.eu/ Find Claude on LinkedIn at: https://www.linkedin.com/in/claudesaulnier/ The GDPR Series: Claude Saulnier of Bizoneo Philipa Farley:  Hi, and welcome to our podcast called the GDPR Series, where we discuss data protection, privacy and cyber security matters that ordinary people in everyday businesses face. We have a series of really interesting and lovely guests, and we hope you enjoy listening.  Hi Claude, thank you for joining us. It’s fantastic to have you on video instead of just the usual voice chats. I’m looking forward to chatting a bit more about GDPR and your experience with the GDPR, data protection, and your business, that services clients who need – how can I say? risk management in their business. And, you know, data management. I’ve got a screen open I’m going to share here. And while I share it, would you like to say Hi, and tell us a bit about yourself? Claude Saulnier:  Hi, so my name is Claude Saulnier. And I am French, and I live in Ireland. And, I am the founder of Bizoneo. Bizoneo is a platform to assist SMEs and, you know, businesses, organisations in general, to document their processing activity. And that’s something that’s required under the GDPR. But, even if you put the GDPR aside, the tool is there to assist the governance of any business. In order – you mentioned risk in your opening line – and the only way to manage risk is to know what you actually process. If you don’t know the environment in which you’re operating, you can’t actually assess any risk and therefore, you can’t mitigate it. Philipa Farley:  Yeah, yeah, no, I absolutely agree with that. I’m going to click through here into the features of the Bizoneo data protection and compliance application that you offer. I’ll just leave it open while we’re chatting, Claude, there is a blog there that we can click into. And, on other chats, we’ve opened up people’s social media. I, I sent you a couple of questions over before we started talking. And, we can kind of use them as a guide, but like, feel free to digress, if you want to. The aim of these chats is to really have an open discussion between professionals in the field of data protection, cyber compliance work, but also with regular business owners. So, you know, you kind of wear both hats here as a business owner, who’s aware of their compliance requirements, as well as a service provider in the industry, whom we all respect greatly. And I mean that because, I’ll say it again, I say it over and over again to people, you know, when we are talking about what applications – what management applications – to use in this space that I have yet to see. And I mean absolutely 100%; I’m not paid to say this at all. But, I have yet to see an application that has been designed from the stance of being risk aware in such a comprehensive, but easy to understand and logical way. It’s the logic of your thought that really captured me into, you know, wanting to learn more about how you did this, and wanting to get to know the application more, and I’ve really enjoyed getting to know it. So, yeah, we appreciate that. Thank you. Claude Saulnier:  Thank you, Philipa. I’m honoured. On behalf of the team, that’s great. Philipa Farley:  Okay, so my first question to you, Claude, is: Where did you first come to grips with data protection and the GDPR? Claude Saulnier:  Well, it goes back to a long time ago. So um, I set up the conference on my background, I ran before I suppose, started, once starting Bizoneo, and Wandsoft, and the other parent company, if you want. I worked, I, actually in fact spent my whole career in using integrated systems. And for, I suppose, the uninitiated, the integrated system is great because you enter the information once and you reuse the information. And I was very fortunate, like, you know, back in ‘91, when I started working, that it’s all I’ve ever known. And, but there was a certain level of frustration in that a lot of those systems, like sometimes you hear about SAP and all that; they’re extremely complex and to implement, and I still not sure why the cost of implementation, I mean, if any management system takes three years to implement, I think there’s something wrong, because after three years, your business is going to be different and it just this is not right. And this is basically the foundation of the initial business, like Wandsoft as well. So, prior to doing that, I also have to mention that I had a career in internal auditing as well; a part of my career also in internal auditing. So, governance has always been at the heart of everything I’ve done really. So when the company started, so initially, we started the software company, to provide integrated systems to the SME market. And I could see at the time, the cloud or I suppose, yeah, the cloud, if you can call it like that, although back in 2001, we weren’t talking too much about the cloud. Then, what I realized very quickly, I thought, well, we have a lot of responsibility in terms of, we’re actually hosting data that doesn’t belong to us. Our clients are paying us for that. And it’s very important to have a very strong, very strong security and really, we’re responsible for that. And, if something goes wrong, you know, you can have all the insurance in the world, but if something goes wrong, we could actually go out of business and some clients that actually trusted us could actually go out of business, and that can actually happen very easily. And we’ve actually seen that. So really, we really focused, a lot of work we did was always trying to protect our clients’ data. And, in many cases, prior to the GDPR, there was already some data protection law that existed. And we always tried as much as possible to be aligned with that, you know. And so, when came GDPR, we read the text -the initial part was a moment of panic and thinking, okay, that’s the end of it. We’re a small organisation and there’s a lot of responsibility. You obviously, people talk about the fines,  you only look at the fines. You look at data processing agreements and all that, and think, “My God, that’s the end of it.” And then you actually start stepping back and say: “Okay, well in the length of time we’ve been in business, how many breaches have we suffered?” And you start counting… zero. And then you say: “Well how many data breaches did we actually stop?” And, it’s a lot! And we basically had put in infrastructure, and you have to revisit everything every time somebody strikes. You, basically, have to be vigilant and monitor that. And that’s what any software company and any hosting company should be doing. So, at that stage, we thought, okay, actually, maybe we shouldn’t actually worry too much about that, because we’ve got a very solid infrastructure. And let’s focus more now on the rights and the transparency, and different elements and all that. And I thought, well, actually, we have nothing to hide really in this because our clients trust us. And we kind of really like this transparency. And then we then added a number of tools into what was our CRM and ERP system. We added tools so that our clients would have, would be able to fulfill data subject access requests and elements like that. And one thing leading to the rest, Bizoneo, we added a number of modules again to help the clients on the CRM side. And then, we kind of decided, well, there’s probably a market for a tool like that. We looked at the various tools that were available on the market. And they were either very expensive, or we realised very quickly that they were not really addressing, they didn’t actually understand the problem to solve. And going back to the fact, I think, people are actually overcomplicating, GDPR. Philipa Farley:  Yes. Absolutely. Claude Saulnier:  And I suppose the order in which you will read the GDPR I think will matter. And people are underestimating Article 30. And, Article 30 being the key I suppose, and what you have on the screen here; to be proactive in terms of, again, your records of processing. If you don’t know what you’re processing, there’s no way you know, you’re going to know whether it’s lawful, if it’s minimised, if it’s secure, etc, etc, etc. So you start by the inventory, and I think that was the true meaning; the rationale behind Article 30 was really to help organisations focus on this, you know, inventory. And then once this is actually sorted, there’s so many things you can actually deal with. Again, we’re talking about data subject access requests. If you don’t know where your data is held, you know, you’ve got 30 days to do that. If you have a data breach, you have got 72 hours. You better actually know where the data is. Philipa Farley:  On the data breach side of things, if a data subject is involved, it’s immediately. You know, forget the 72 hours if there’s if, sorry, if there’s risk to the data subject involved, you know, you have to inform them immediately. So you have to know what data was taken. You have to know what data was, say a server, an asset is attacked. Data is taken, what was on there, so you’re talking about an inventory, so bring it back to that. If you assess that, there is a real risk to a data subject, you have to inform them immediately. You know, if it’s data that can result in identity theft, or some kind of financial fraud, they should be told immediately, not in 72 hours. And, a lot of people are not getting that message. So, to back your point up of the inventory. Immediately, you can see, and you can make that risk assessment as to whether or not the data subject needs to be told. Claude Saulnier  And the benefit as well is this, because I would tend to work more on the prevention than the cure. Because I think sometimes, I mean, I’m not saying like, you know, breaches don’t occur, they do occur and sometimes they are, it’s not exactly the way you would expect certain you know, breaches, you know, would actually occur. There’s probably more risk of an accidental, yeah, human error that could actually lead to that. But again then, if you don’t have anything to back up and know, okay, what measures did we take ahead of that, to secure the data, then that’s where you’re in trouble. And again, your inventory allows you to mitigate all of this. And, yeah, and then the policy, I suppose elements. Yeah, the risk assessment is obviously, you know, the next stage as well. And with that as well, so people, I mean, risk management, people, again, tend to think, well, this is this, this is complicated, like, you know, what are the risks? And one of the things I’ve actually done, you know, in the platform is, as you actually start entering assets, there’s different types of risk in GDPR. And ultimately, you’ve got the risks on, I suppose, you know, the rights and freedom of the individual, but different things in terms of assets can actually have an impact. Even a supplier can actually have an impact because if your supplier doesn’t do what they have to do to protect the data, there are risks. So you have to actually look at those three pillars there. So, what we did, we actually built in a number of preset risks, and a very, very exhaustive list, you know, following like some what some, you know, security standards would recommend. And businesses, organisations using the system have the ability to add their own risk as well, and maybe remove some that may not be relevant. But the key thing is to get your organisation to think of what they have. And, if you start putting that sometimes you start bringing a few pieces of the jigsaw and the organisation concerned says, “Oh, actually, we hadn’t thought of this”. And then they find something else that – and that’s all you want. Ultimately, you know, you want organisations to think: “What are we processing? What are the risks?” Philipa Farley:  Ask the questions and be a bit curious about it. You know, I was talking to the students this morning and just chatting about natural curiosity. Ask questions. Why, you know, the thing; ask why five times, and you’ll find out why. Why are we doing this? What do we need this for? What is this for? Ask questions and ask the hard questions. We have to do that. So basically, we can sew it up, Claude, and say that you’ve got a very rich history in this space, and an incredible understanding of systems, you know. And, it’s very valuable for people to have access to that knowledge. I was saying to one of the guys I was chatting with, you know, if you go and get a job, or if I go and take a job, or if you go and take a job, Claude, access to your amazing bank of knowledge is lost to businesses. So, you know, we really appreciate independent consultants, vendors like you, staying in the market. So that SMEs and smaller businesses, you know, sole traders, individuals have access to that expertise. And I would like to get that message out to people. Okay, the second question I had here was, and this is really personal. I’ve been asking everybody this question: the impact on you personally. Has the GDPR impacted on you personally? I get asked the question when I’m interviewed sometimes: do I think the GDPR is good or bad? And my response is always I come from, you know, a jurisdiction in law where privacy and dignity are paramount, like in our constitutional foundational principles, and everything else comes out of that. So absolutely, yes, I do believe the GDPR is very important. Coming from the history of privacy, through to data protection being recognised as a right, and the GDPR kind of really landing down, boom, on people. You can’t ignore it. You know, we had data protection law before here, and I’ve lived in other spaces where there’s been some form of privacy law or cyber law, electronic law that protects people’s rights, but not In the way that the GDPR does. So, personally for you, has it had an impact on you? You know, have you enjoyed your rights? Claude Saulnier:  It certainly has a huge impact. And in many, in many ways, I suppose where, prior to that, prior to the GDPR, where we focused solely on security, certainly trying to minimise data, you know, as much and being very conscious of this, maybe we didn’t actually, you know, minimise data, you know, as much as maybe we should have added maybe some of our clients there. And maybe, certain elements of privacy is not something we had fully considered. And I have to, I have to admit, see, I have to admit to that. And when, again, because we didn’t actually have to worry about the security elements. And then, I certainly focused far more on the, I suppose, the privacy, the fundamental rights of people, and to actually understand and I think we’re very fortunate in Europe in terms of its data protection, regulation. Not just privacy, it goes beyond that, It goes beyond just privacy. And I think, yeah, we’re fortunate from that point of view. And, I’ve done a lot of research as a result of that. In terms of: What is the true meaning of personal data? How far does it go, and the consequences it can actually have? And going back, I suppose to, going back to, you know, post World War Two, and that’s the history of that. So, from that point of view, I think, yeah, it certainly has made me think very differently. And then, when you actually start seeing how some organisations that have been, are currently harvesting data, with no legal basis on people’s back, it’s just it’s not very ethical. And so, if nothing else, I think that’s what I appreciate, what certainly well, the GDPR has brought. And, I’ve also met, I suppose, on a separate note as well,  some incredible people, like yourself, Phillipa, that certainly have a very strong interest in protecting data, and make sure that suppose that processing is fair and transparent. And there’s some amazing, amazing people, out there in many countries and if nothing else, I suppose the GDPR introduced me to a number of amazing professionals that I would never probably have met otherwise, you know, prior to that, so. Philipa Farley:  Yeah, absolutely. And going to your point on the amazing people around the world who work in this space. There are some incredible personalities out there who are activists that we, well, I personally would definitely admire. I’m not going to name names here. But I think, just a short little piece on that. We were talking this morning about Cambridge Analytica, and the influence that they exerted on people politically with the Brexit referendum. And, I’m going to say this without any emotion, because it’s fact, it’s out there, it’s known. It’s my personal opinion that that entire referendum should have been canceled on the basis that psychological warfare was waged on the people who voted. It’s that simple. So, you know, if somebody says to me, do you care about GDPR? Yes, absolutely, I do. Because, without it, without these kinds of laws, without these kinds of regulations, it’s open gates, you know. And people don’t understand that that information is going straight into the most private space of all and that is your mind, you know, directly into your mind, without a filter. So, without being mindful, and without being present in your life in this moment, now, you’re absorbing so much and you’re being influenced in ways that you don’t even realise. So yes. Yeah, it’s absolutely vital. Claude Saulnier:  And when you’ve got, certainly, like, you know, people like, like, Mark Zuckerberg and his vision of the world. I think it’s very, it should be very worrying. I mean, I find that I find him scary, really? And it’s, like, like his little toy. Philipa Farley:  Yeah. I think like, what, what is the next generation. This is the start of their war, you know? It’s frightening. But yeah, so that’s the personal effect. And that’s, I think it gives us a reason to kind of wake up in the morning and carry on doing what we do. Because, you know, like any type of business, I suppose, there’s days where you kind of ask yourself: Why, why am I doing this? You know, you could revert back to your tech background, I could easily revert back to my tech background, and kind of go, “Okay, well, you know, if nobody else cares about it, why should I?” But yeah, we really do. I really do. Claude Saulnier:  Well, you see, I think one thing that’s important to me. and certainly in terms of the processing we do, is that I sleep at night. When I see what certain providers of services would be doing and sometimes, through clients, we come across, you know, different types of enterprises, that I wonder how some people can actually sleep at night, given how careless they are. And so, I think from that point of view, it might be, you know, giving trouble sometimes in terms of, yeah, we might be, people might just say, we will be too strict about certain things and data protection, but I don’t think we are ever too strict. I think again, I sleep at night and I think that’s important. So yeah. Philipa Farley:  I think…I think…I win the prize for being reported to the Data Protection Commission for being over the top about telling people how to conduct their marketing activities in a compliant manner. One marketing company, in a town that shall remain unnamed, because this country’s very small, actually picked up the telephone and reported me to the Data Protection Commission. So, yeah, I do sleep at night. You know, I, if people want to say it’s over the top, that’s that’s grand, you know, it’s, it’s not. Okay so, you touched on this a little bit where have you seen opportunities for your own business in the context of GDPR? I think you explained it a little bit there, you kind of, your business evolved and grew in a really lovely way, you know, alongside the understanding that you found. Claude Saulnier:  Yeah, so I suppose, now we’ve got that, kind of, for us, it’s like we started a new product range, I suppose, from what the traditional, you know, CRM. Initially, again, we didn’t actually intend to do this. We actually spoke to, even some people in the markets and some organisations that are now our competitors, and said: “Well, you know, with your CRM, you said, you were too small for us.” You know, we just want to deal with all organisations and all that so yeah, which we haven’t enjoyed access to, you know, massive US corporations. So, you have a, you know, a system that could respect, you know, data protection, all that, and they said “No, no.” You know, so, as a result of that, I suppose we created our own product line. And it’s interesting again, as well, you know, I suppose in the market, we’re a software company. We’ve got a lot of experience in that. And there were many well, competitors, if you can call them like that, that actually, don’t actually have the experience of software development. And, you know, there are a number of things, I suppose, we are very glad that we have many, many years… Philipa Farley:  I think I’m going to speak specifically now, Claude, and we can cut anything out that you don’t want on here. I’ll try not to be too specific. But, I’m going to say it, because your background in development and understanding of systems and internal auditing has given you a fantastic appreciation of the need for audit trails within the software and logging of actions within the software. Because, when we come from the other side, and we get a phone call: “I think I’ve got a data breach going on”. You know, the first thing that we say is: “Okay, what vendors, etc, etc.” Let’s get the vendors on, you’ve got to your personal contact there, we’ve got to contain this as fast as possible. The next step is looking at the logs, you know, and the amount of applications that people are using that cannot provide them with that vital information is actually frightening. Claude Saulnier:  It’s interesting, back in 2005 or 2006, on our application, one of our one clients that at the time rang, or emailed us, I can’t really remember, and said:  “Claude, Hi. Somebody hacked into your system and sent a nasty email to all our members, all our clients or whatever they are, and all that. And I said “Well, this is a very grave accusation….” And they said, well, now let’s, let’s go and investigate. So the first thing we did was getting our logs and saying, well, first of all, this is the list of everyone who logged in your back office. Us, I can guarantee for my system, it’s not us, as only looking at the data and all that, they could see that any way. I said: “Look, we have certainly extremely strict procedures and internal policies. And, you know, we could find out straight away if something wasn’t if it wasn’t, you know, meant to be. And then, it turned out that, and then we looked at the file with the information that was actually sent, we did a bit of forensic of their own thing, of their own their own data and then said: “Well, actually, that email, in fact, wasn’t actually sent from our system. And now you need to conduct a different line of investigation.” So again, the fact we had those logs, we had that and again, way, way before the GDPR; we’ve always been a data processor. If you can’t, you know, get the, I suppose, the basics, you know, things right, I think, you know, there’s a problem. And it turned out that they had, in the organisation in question, I can’t say too much there, but they had…there was a room with computers with no security whatsoever and they were Excel spreadsheets with all the clients and members and all that…it was actually a sports organisation. And everybody could actually go there, retrieve the files and do whatever they wanted. And that that was the issue they had, it was an internal problem, nothing to do with us. And I’m so glad again, that having all these audit trails and and, and I’ve seen, actually some of our competitors, you know, and on the fields that can’t even manage access rights properly. And it’s good for us, I suppose, because we’ve actually managed rights, the right access rights, I suppose for forever. And having logs when certain things are happening, different user levels may change and all that. It’s just so important to be able to actually trace what could have gone wrong, you know, in all of this so, yeah. Philipa Farley:  It’s vitally important when you’re doing your reports into whatever supervisory authority you need to report into, when you’ve uncovered a data breach or an incident, you know, your internal reporting, too. So, from that perspective, I just say, again, you know, it’s an amazing application and your knowledge there is only of huge benefit to people. So, I do hope that people get in touch and ask you for a demo, and have a look through. I am going to ask you the question here. And again, don’t name clients. None of us do, or we don’t expect you to. So where, where have you seen opportunities with the GDPR? And again, I say, Claude, like, I get asked often, why should we bother? It’s too much. It’s over the top. I’m a small business, I don’t need to do this. You know, and you can sit me down in the chair and throw all of this at me. I can very quickly tell you where the opportunities lie in your context, whatever business you are, but where have you seen the opportunities for your clients that do their compliance? Claude Saulnier:  Well, what’s interesting in this is so I think if you’re, if the organisation has less than 10 staff in just generally speaking, I think you can probably work, you probably don’t have too many systems. And you could probably work with a consultant, work with somebody like yourself, and get a picture of how you will be processing, whether you need tools like ours, how much governance do you need, like as a small business? How much do you need? That’ll depend, again, on the type of business, the type of business you’re in. But, past that stage there, and when you actually start looking at, I suppose, doing these inventories, looking at policies, I mean, the human factor is very, very, very important. And what you would actually see is that, by actually looking at the policies and looking and training people there, and that your business, you might you should actually question well, why are we doing this? Is this a bit of a mess? And let’s try to put things in a more structured way, right? And some people say: “Yeah, but you know, we’re, you know, we’re a small organisation and we don’t need this, whatever.” And then, the accident actually happened, just because people haven’t been following policies and all that. So, even if you’re small and want to grow, I think, having embedded a number of policies, and things and things don’t have to be very, very complicated, you know, initially there are certain elements you can bring to that and, certainly in Bizoneo, we’ve also brought in a number of like, you know, template policies, so that for smaller businesses you can just go click its preset, and you could just adjust for your own needs, I suppose. You know, I’m not necessarily a big fan of templates, but you need a bit of a guideline. Just a starting point. What again, do we need this? Do we not need this? And trying to think of that. And then, you realise then that by putting this governance looking at, okay, who’s doing what, are we? When you are looking at procurement, for instance, which is actually key in GDPR, and I’m a bit…I don’t understand why organisations are not necessarily looking at that in enough detail there. Your supply chain is very important. So, by putting certain things in your, at the procurement stage, you will by spending a little bit more time trying to find a supplier that certainly will comply with the GDPR. And, it’s not just “Oh yeah, I will comply”… you kind of need to do a bit of due diligence, you know, on this, you will actually eliminate a problem down the line, because you’ve actually done that piece of work. So, again, for small businesses, I think, you know, there’s a lot to gain in terms of the general organisation. So, you may forget a little bit about the personal data element and the GDPR if you want, but by looking at that, the organisation normally should become you know, better. And we; that’s something we’ve actually experienced ourselves, because although again, with the, I suppose, prior to GDPR we had a number of new policies and a number of procedures in place, even we had that prior to this. But, in the context of GDPR, we actually reviewed some of that. And then we decided then to even like, you know, improve certain elements. And we said, we get beyond that, to the extent now that, when we engage with a new client, we’re usually the ones to say what, like, we’re actually going to send, you know, a nondisclosure agreement before we actually start talking. And many organisations are actually surprised to say, “Well, what’s this?” And that’s us saying: “Well, look, we basically care about, I suppose you, even if you’re not yet a client”. But it’s important and goes to show that, I suppose, from an early stage, we well, we don’t just take things seriously. We actually do things seriously. And it’d be so easy, I think, for smaller organisations to benefit from that. Philipa Farley  Yeah. The housekeeping alone, Claude, because, you touched on that, and said, you know, things are a mess and to tidy them up. Like, people say to me, sometimes what do you think happened? My first response is the app, the app era. You know, apps on phones, little apps that do things did nobody any favours, you know, it’s just these sort of disintegrated systems all over the place. But besides that, in business, we’ve lost – and I think I’ve said this to you before – we’ve lost the office manager. You know, the person who was in charge of filing, you know, and sorting and just making sure that systems are in place and systems were adhered to. So, I would personally love to see that position come back into smaller businesses, because I think it would benefit everybody but a real impact that cleaning up the mess has for smaller businesses, and assessing suppliers and vendors is that you actually may very well save yourself a lot of money on unnecessary software subscriptions, that you’ve just sort of let that happen, that you don’t really need so you’ll land up kind of consolidating, like debt review, you know, everything gets well filed. Claude Saulnier:  Yeah, and another thing is well, part of this, and you mentioned about the apps and all that. And one thing that also fascinates me is the number of organisations that will take one, two or three or four pieces of software because they’re free. And they’re creating different problems. And okay, if it’s free, sometimes you again, you have to think, okay, what are the impacts in terms of, you know, how do they leave, and you can’t run a business for free. So, the ads have to be brought into play at some, at some stage. And so you have to think, okay, well, if it’s not essential, is that right? That we actually give this information that could be sometimes sensitive, we actually give all our you know, business life to you know, this third party, what are they going to do about that? This is just not really fair, but on top of that, then the cost of it. So you may have like, no three or four applications that are free, but by again, I’m a big fan of integrated systems, the information enters once, you enter the information once, and then you can actually reuse that, it has loads of benefits. And yes, there’s a cost to that, but you’re actually saving a lot of time, in as far as management and because staff are going to be more efficient. They don’t, you don’t need to hire extra staff to do this because somebody, it’s already in the application. You could reuse that, and you’ll notice that on, I suppose, on the CRM side is the type of things that we do and encourage, you know, organisations to do this. And once again, once it’s integrated, from a data protection point of view, if you’ve got one system and okay, you need to make sure that system is very secure. But, there’s a lot less things that can go wrong that you would have if you’ve got, you know, application one talks to application two, with standard data, their application to then send it to application three, there’s two or three, you know, people there in the middle, and suddenly, oops, I sent, you know, the Excel sheet from one export to the other one, I sent that to the wrong person. Suddenly, we’ve got a data breach. So, at least when things actually stay in the system and only export when you really genuinely need it, which is sometimes actually not that often. Then you actually reduce a lot of the risks out of the equation. And certainly, I think integrated systems, I wish smaller organisations looked into that. There may be, I suppose, a slightly higher cost, but in the long run, that actually helps in your governance. It helps in so many ways. Philipa Farley:  I think what we’re seeing also, Claude, is like the larger players in the marketplace are offering a lower tier for a very reduced subscription rate, because they can. You know, they’ve got enough Bitcoins to sort of support the business model, where SMEs can access applications online. You know, I’m specifically thinking of things like SharePoint, you know, it’s accessible now online, on the cloud. Whereas before, it wasn’t, because it was very expensive to have the server that could handle the install, have the expertise to do the install, the management, the admin, etc. So, yeah, there’s a big, big case to be made for that. Yeah, and going back to what you said, with the tidying up, you know, you keep your, your records correct, you suffer a breach, you suffer an incident, you know, immediately what’s gone. But if you have an access request, you’re saving an immense amount of time, by knowing exactly, you know, Claude Saulnier:  Exactly, if the information is structured that makes things a lot easier as well, and I suppose, having an inventory, even knowing where to go and retrieve it. Now, not every subject I said, I mean, we’re dealing with clients where frankly, the subject access request is far more complex than retrieving the information from a system. There could be, you know, a lot of redaction that is needed, trying to assess what does the person want, etc, etc. Like, you know, so Philipa Farley:  Yeah, but at least you’re not wasting your time, your focus on finding it. Claude Saulnier:  Exactly, yeah. Philipa Farley:  Yeah. You’re using the time as it should be used. Yeah, yeah, you know, yeah. Okay, share a positive story, Claude. A positive story about the GDPR. A happy one. Claude Saulnier:  Mmmm, a positive story about the GDPR. Again, I think if something is, even the fact we’re talking today, I think it’s this for your positive story. Again, I think I have not necessarily I haven’t actually met all the people I have been engaging with, I suppose, through you know, since GDPR. But this certainly has been certainly through, you know, conference calls and Skype, or Teams calls and all that. I have met a lot of people who are also very passionate, I suppose, who actually care and who’ve got a sense of ethics. And so, I think that would be a very positive, you know, I’m grateful I suppose to I’ve met those those people that I suppose I have brought me again, I can maybe I’ve contributed like, you know, to it like a different way of thinking and, I suppose, it’s very reassuring, so that would be one positive story. Other positive stories? I don’t know, maybe you have to actually cut that and I have to think of something else. Philipa Farley:  No, I’m not going to cut it. It’s in the evening. And I think we both had a very long day. Yeah, I think just generally, the message that we’re trying to get out is that it’s not all bad. Like, it’s not a huge mountain that has to be climbed. You know, I’ve had people saying to me afterwards, oh, I’m really sad you’re going, because that was a lot of fun. And I don’t know if it’s my wicked and twisted sense of humour as we go along. You know, that that makes people laugh. And actually, quite honestly, that was training at law school. I did a year of Legal Aid. And we had an attorney that spent sessions with us, probably once every two weeks. And he taught us to, you know, to laugh about things that were very difficult, not laugh at them or diminish the value of what is going on, but to just lighten, or share the load. Claude Saulnier:  Yeah, again if you look at the GDPR, though, what is actually difficult? Because, first of all again you need to kind of read the GDPR and there will be a podcast soon, I will be giving some tips on that. But again, the GDPR isn’t really bad. The Article 5.1, right in terms of you know, it actually gives you you’ve got like, you know, six principles right? And then, you’ve got your, I suppose, one of the six principles is going to Article 6, and which is how lawful is your processing? And, for most businesses, you would probably find either you know, legal or contractual obligations, and that actually should be fairly straightforward in most cases there. And then you’ve got this Article 30 which says, well, why don’t, you know, well yet before you even do all of that, before you process your Article 5.1 and the lawfulness of processing. For now, let’s do an inventory. What do you actually process there? And, once you’ve actually done that, just you know bounce that against the, you know, the six principles. It’s actually not that complicated, because when you’re going to then start looking at the principles. Some of them very quickly you will realise, you don’t actually have to do too much work, you know, about them. And from that angle, it’s not very complicated and then once this is done, and you kind of know what you’re doing then you can actually write your privacy notice to put on the website and go on. Now, the other thing that should come out of that which is also frustrating is the whole thing about cookies and all that, which is the bit that really annoys me. It’s not just the cookies but, I suppose you know, placing electronic things on an electronic device. And there’s a lot of confusion around this. I suppose, initially, many people in marketing panicked and you know, I suppose mixed things and all of that. There’s an awful lot of processing that shouldn’t be taking place at the moment. Philipa Farley:  Let’s just call it what it is like, Claude, pure surveillance. You know? Yeah. Claude Saulnier:  And, marketeers are worried that it’s the end of the world. There’s been an awful lot of unlawful processing for years, that has resulted in monopolies like Google or Facebook. And I think it’s about time that some of that actually stops. So… Philipa Farley:  Yeah, no, I would hundred percent support that. And say, definitely, yeah. And and it’s interesting, Claude, because you kind of come back to like, classic principles of business. Well, how do we measure the success of this campaign? We’re running you know, not I’m not talking about like a paid whatever advertising campaign, in general, within the business marketing campaign. How do we measure the success of that? Well, you know what, like I can tell you, my phone calls have gone up 10 times in volume than what they were 3 months ago. Yes. It’s not hard. You know, for smaller businesses, I’ve yet to measure like that, well, let’s look at the figures. Let’s let’s look at the profitability. Let’s look at our management accounts and see, okay, we put the effort in for the 6 months, look at the return for the next year or 18 months, you know. We need to actually understand that there are other ways of doing things, rather than just relying on statistics by organisations that are actually horribly…what’s the diplomatic way of saying this, Claude? You know, look at your Google Analytics, you’re not getting the actual picture. Claude Saulnier:  No, I think, we conducted because we were actually working on the one part of the, on the CRM side, we’re actually looking at analytics and we’ve done an advanced prototype. Actually, we’re actually in beta testing, early testing, I suppose with some clients there and we actually compare, so we can actually process statistics, without cookies, in a very lawful manner, with high respect with respect to people’s rights. And that. And all we figure out from this is that Google Analytics, in fact, doesn’t report all the traffic, one of the reasons obviously being that they’re in the business of selling ads, so why should they report the thing? But also technically, the way things are actually embedded cannot work every time. And we’ve actually found some traffic, some sources of traffic that there’s absolutely no way I mean, we were actually surprised initially, but there’s no way Google will ever track them, and yet they could be converting now. Because we have part of the suite,where we’ve got an e-commerce suite. So, we can actually provide very comprehensive information about sales without even naming people and looking at okay, well, are the sales up and down? What products do work well etc, etc? And then also, then bringing statistics where you would have the number of visitors on a particular product, and the actual turnover for that particular product. And that’s, that’s all you need, really, in a small business. Philipa Farley:  Absolutely, I mean, when where, why target. You’re looking at it from your perspective as a business owner going, “oh, everybody went to look at that, so they’re interested but there’s something wrong with it because they’re not buying they’re, not converting to an actual customer. So how do we change the messaging? How do we change that, even the product photography, what’s going on here?” It’s not hard to to work through that one positive thing that I’ve found… Claude Saulnier:  So even some of the metrics that for instance, Google Analytics would give you are a bit flawed as well because, depending on the type of business you’re in, something like the bounce rate people say, “oh yeah, you know, people come to websites and they leave the website…” Well, if your website is actually like you find, I suppose, the product or whatever you’ve got open, like through a Search Engine, you actually find this page and then use the Contact Us page. Well, it doesn’t really matter if people have actually seen 20 pages or one page, you know, they’ve actually taken an action. And that’s it. And, and again, if you’re shopping, like we’ve got clients that use our shopping facility there, and their brief is, well, we want the minimal amount of clicks between the time they choose a product, buy the tickets and pay. So, from that point of view, then you really want to actually minimise that and make sure that people stay as little as possible on the website. You want them to buy one product and go, and that’s it. So again, so that could be very misleading. In terms of obviously, anybody in marketing will tell you a different story. So Philipa Farley:  Yeah, the one thing that I’ve seen and I’ve said it to Graeme, time and time again, is this is the first space that I’ve worked in – and I’ve worked across many different spaces – where one subject matter forces everybody in the business to talk to each other. It breaks down silos and people have to start understanding what other people in the business do, which I think is fantastic. You know, it’s great for everybody. Yeah. Okay, last one, because I have now nearly taken up an hour of your time. Thank you so much for that. Please, Claude, can you give us one piece of advice to potential clients of yours? Claude Saulnier:  Blank, haha! Philipa Farley:  So if somebody is coming along to you, Claude, and they were sort of half convinced that they needed to do something about compliance and the GDPR. And they, they knew that you saw the solution, and they knew a little bit about you, what would be one thing you would like them to take away to think about? Claude Saulnier:   Maybe that they should consider how they care about their own clients. And what, I think a large element about GDPR is about reputation. Right. So, yeah, I think reputation matters. And that’s, I think, is probably what will happen and not so much necessary because they use our software to do this, but that the action of, I suppose, taking the software to help them in – software itself doesn’t solve every problem, let’s just be clear, right? It actually provides a certain economic guidance and, and the tool to actually support that demonstration to the GDPR but not just demonstrate the GDPR to actually make their business better, right? It  makes their business better and then gives a positive, and again, reduces the risk towards their, you know, their reputation. So Philipa Farley:  And build trust. Yeah, exactly. It helps build the trust. Yeah. Okay, cool. Thank you so much. I have got your contact details up here. But your website is bizoneo.eu. Where can people best find you online? Where do you prefer? Claude Saulnier:  Well, I’m usually a LinkedIn person ideally. With tweeting about it, it’s nice to think you know, people can find me. Feel free to put the link to the LinkedIn page and people can follow me. I try to put a certain angle of, of wit as well, because I have to admit that for the majority of people data protection could be a bit dull. And it could be dull. So I think we have to put a bit of fun into data protection and that’s what I would try to do, I suppose. When I’m posting on LinkedIn, I hope sometimes I try not to take it like, you know, too seriously. I try to give serious advice, but try to joke about certain things. And, and try to, I suppose, educate people; just trying to actually get people interested in it. I think if we can actually get this, I think there will be an awful lot achieved on that, you know, so yes. Philipa Farley:  Yeah, Claude, It’s a part of our life now. And it’s not going anywhere. It’s not going anywhere. So, you know, whether we like it or not, we need to absorb it and live it. Claude Saulnier:  You know, I think we’re very lucky in Europe to actually have such a law and regulation to do this. Philipa Farley:  Yeah, absolutely. We are. You know, I’ll say time and time again, like, every single person that I’ve worked with, we walk away from the job. And I’m sure that you have the same experience, where they say “thank you.” We actually feel better, so much better when it’s done. You know, I’ve had phone calls from people saying, just a quick phone call, thank you. You’ve changed our life, because now we know what to say. When our customers ask questions. We know how to do our own negotiations, and we can absolutely 100% stand on the information that we’re giving out, you know, the confidence is back there again. So, you know, I know that Bizoneo can help people with that too, and give them that, that confidence and that deep knowledge of what they’re doing is the right thing. Yeah. So, Claude Saulnier:  Yes, yeah. And again, you see this in terms of: be proactive, to be organised, and be ready, and I think that this helps us sleep better at night. Philipa Farley:  Okay, thank you, Claude, I’m going to end the recording here. Claude Saulnier:  Yeah. It’s been great chatting. Philipa Farley:  Okay, thanks. Bye. Claude Saulnier: Bye Philipa Farley:  Hope you enjoyed that episode of The GDPR series. If you do, please subscribe. Find us on social media. We’d love to have a chat! The post GDPR Management Strategies with Claude Saulnier (in his lovely French accent) of Bizoneo appeared first on ProPrivacy Data Compliance Solutions.


6 Mar 2020

Rank #4

Most Popular Podcasts

Podcast cover

GDPR, Children’s Data and Moving from Paper to Digital with Steph McSherry of Kinderama

Today on The GDPR Series podcast, our focus is straight business talk, children’s data and moving from paper to digital!  I chat with a creative business owner who deals with most of her data protection compliance tasks herself.  Besides helping me translate data protection compliance language into plain speak,  she shares with us how to just get on and do what needs doing.  This business owner writes her own policies and does her own vendor risk assessments!  Listen to find out more. Our guest today is Stephanie McSherry the creative, and all-round wonder(ful) woman, owner of Kinderama.  Kinderama is a unique multi-activity series of classes developed for the younger child’s abilities and attention span where every week has a different theme.  Steph knows kids and kids love to try new things so Kinderama offers a huge variety of activities including dance, drama, music, gymnastics, yoga, sport and mindfulness.  Besides classes, Kinderema offers holiday camps and voucher sales. In this episode, Steph shares how she goes about meeting her data protection compliance requirements in really practical, no-nonsense ways.  Steph has a common sense and direct approach which really works for SME GDPR compliance.  We discuss the responsibility involved in minding children’s data, including special categories of data (health data), minding the movement of data between locations, assessing vendors and the responsibilities of paper-based data versus digital data.  If you’d like to learn more about Kinderama or book your smallies into classes or camps, you can use the contact details below. Tel: 086 2446433 E-mail: info@kinderama.com Kinderama Website Interview Transcription: Philipa Farley 0:01 Hi, and welcome to our podcast called The GDPR Series, where we discuss data protection, privacy, and cyber security matters that ordinary people in everyday businesses face. We have a series of really interesting and lovely guests and we hope you enjoy listening along with us. Thank you so much for joining us, Steph. Stephanie McSherry, your business is Kinderama. I’m going to let you do the introduction for the business because you know it best, but I just want to say thank you for your time. And, it’s a real pleasure to chat to you as a real business out there dealing with what we consider to be a vulnerable group of people: children, and looking after children’s data. So just a short discussion on that but yeah, tell us a bit about Kinderama. Stephanie McSherry 0:50 Okay, so Kinderama is a programme that pre-schools and creches can buy in, or the parents can buy in. It’s a multi-activity programme. So we do a little bit of everything: dance, drama, sports, music, yoga, and just for pre-school aged children. So they’ve got a little bit of everything to try. And we also run kind of mini camps during the school holidays: kind of two or four day camps, for pre-schoolers, getting them ready for the school environment. Okay, so when I hear that story, what I hear is that you have actually quite a fast turnover of quite large amounts, or groups, of data subjects: children. So, your records must be massive, and your record management must be quite intense for you, besides the, I suppose, the management within programmes of records, the retention is quite an issue, in terms of data protection. Yeah. Those are the words I hear when you’re talking. Other people will hear beautiful classes, you know, fun stuff, and I’m kind of going like: “Oh my god, how do you actually even stay on top of that?” Because it’s really intense and it takes up a lot of time. And that’s kind of what we’re focusing on with these chats with business owners is managing the data protection in a realistic way. Simply. Philipa Farley 2:10 Yes. And then, and so our turnover would be yearly. So anyone that enrols with us in a September, we would keep their records until the following September, and then everybody gets re-enrolled, even if the children have spent more than one year with us. And, at the moment, we enroll them on hard copy. They, the parents, fill out a piece of paper, it states their name, address, their email address. Sorry, their name, their email address, their telephone number, and any medical issues. But obviously, all of that information is relating to a child, so we have to be very careful. So that’s, well, what used to happen to it. And what still happens to it is fine, but I wasn’t aware of any GDPR until it got talked about in a business group I was in. But, actually it turns out what I’m doing is fine, because that form gets locked away in a secure cabinet in my office, and nobody else has access to it from that point on for the year. And then, it gets commercially shredded. And then, we start again the next year. Stephanie McSherry 3:13 Yeah. And you see – sorry to interrupt you, Steph – and, on that point of locking it up, and nobody has access to it except for you. Why, particularly, is that? Besides the fact that they are children. Philipa Farley 3:31 Well, and despite that, well, because of GDPR regulations. So nobody – I don’t want anyone in the nursery having access to it. I don’t want any of my staff, they will know the information that’s relevant to them, as in a medical situation, or an allergy, or something going on with the child, but apart from that, they don’t need any of that information. It’s only me that needs it. We retain those records by contacting the parents directly, chasing payments, or dealing with a situation within the creche, like a Child Protection issue. So, nobody needs access to it; just me. Stephanie McSherry 4:07 And that’s fantastic, because you see, we as Data Protection professionals, business owners, you know, helpers, whatever you want to call us… We would be throwing out terms like data minimisation, you know, sort of need to know, access, security measures. And, I think, our terminology really scares people away a lot of time. Where, if you’re just sitting having a cup of coffee, which I mean – full disclosure, we’ve done plenty of times – and talked about this kind of thing. You’re saying it in your way, and I’m saying it in my way, and we find some middle ground, where immediately I would say your hard copies contain special categories of data, medical related information, and that’s kind of on a need to know basis, and you’re instituting appropriate security measures over that. Philipa Farley 4:51 Yes. I think, when I would have heard your terminology right at the beginning, when GDPR became relevant in the press, I would have thought that doesn’t apply to me, simply because I was holding a hard copy. I didn’t think it applied to us. It made us change the way we do the registrations at camp. Because we would have had that information openly on the table where people are sitting in – they would have been able to see everybody else’s information. So how, you know, we have a tick off system, where we have that information, and they’re just signing to say that they’re there. They can’t see anyone else’s information. And then again, that gets you know, once the girls that are running the camp know exactly who you are, what’s going on with who if there’s any different needs that need looking after; that information gets removed from the building. Stephanie McSherry 5:40 Yeah, and honestly, Steph, this is a professional opinion: I think that you found a fantastic balance between not burdening your employees and the people who work for you in various different roles. You’re not overburdening them with compliance requirements, but you’re meeting your obligations under the law, which is a huge message to send out to people; because people say it’s just too much or it takes up too much time, or it’s going to disturb our processes, and our flows too much. There is definitely a way that everybody can embed these good practices into their businesses. And that’s what we’re trying to show people. Philipa Farley 6:19 It’s just an assessment really, of what you’re doing and what needs changing, and I feel very secure. Now a lot of our clients would be creches. So, if they got audited, and they needed to know well, hang on, we outsource this to you; where does this information go? I can say with confidence, it is stored away securely. Nobody has access to it. The girls have the pieces of information that they need, and that’s it. We’re safe in the knowledge that we’re doing the right thing for our clients as well. Stephanie McSherry 6:47 Exactly. You have an interesting supply chain there because, I think, it gets slightly complex at times. We won’t go into specific details, about here’s the data processor, who’s the data controller? You know, are you joint controllers of information. So, at times, it does require a bit of strategic thinking before you put your compliance into action. But, you know, it’s manageable. And, as you say, it’s that peace of mind, and and knowing exactly where data is, who is seeing it, what’s happening to it, and being able to answer the questions. I think a lot of people battle to answer those questions. You’ve made a big change recently, and I’m just going to throw this kind of at you very briefly: you are making a big change to more digital-based processes, rather than paper-based processes. Would data protection have had a dealing for that change, or is that more a business-based decision, where the compliance has kind of come into the decision making? Philipa Farley 7:49 It’s a little bit of both. As we grow, I realised, you know, the further away creches are from where we’re based, that maybe I’m not going to be able to physically handle every piece of paper that gets filled out. So, I wanted to find a company that could I could outsource that to, but that it would, it would look the same. So it’s just people going online. Our parents and our creches, going online, making a booking making enrollments, and processing payments. But it all looks like it’s going through ours. So the company, we chose is Class For Kids. They’re based in Scotland. And one of the first questions I asked was: where is that all the data held? It’s in Ireland, and I was trying to find out exactly what the data processing agreement would be between us, because obviously, then we’re into entering into a joint data processing agreement, and making sure that their privacy policy and their GDPR compliance, because obviously we’re now handling those areas of enrollments and payments and all the thing that we still want to keep private, and that they’re handling that with me. Stephanie McSherry 9:00 Yeah, and you see Steph, again, it’s what I said to you about the language that we both use: I would throw big terms out, and I know some of my colleagues would throw big terms out, and we kind of lose touch a little bit with the very practical way that you’re handling it. Philipa Farley 9:16 And sometimes it doesn’t just involve us as your client. Sorry, I don’t understand that. What does it mean? It’s a new language for us. It’s a completely new field that we have to look after. And I think sometimes it’s just being brave enough to say: “Sorry, I don’t understand what you mean by that. Can you explain it to me?” And, you’re very good at kind of breaking it down and saying: “Well, you’re doing this, you’re breaking this down, you know, you’re entering this relationship here. I’m going to break that down. That means they’re now jointly responsible for that process with you. So check this out and the other…” And that it just involves conversation sometimes. Stephanie McSherry 9:49 Exactly, and just talking about issues is a great way of troubleshooting actually. If you could give a piece of advice to a potential client of yours or somebody who’s similar to you in business, because we would also be big proponents of helping people who are similar to us in business – we don’t kind of keep knowledge to ourselves. You know, just basically on that, that small point of assessing your suppliers, because you’re putting a lot of trust onto them to look after your information, your clients’ information, your children’s information, in a way that would meet your expectations. So three points, five points, short points on how to assess a supplier? Philipa Farley 10:43 Well, I would, first of all, think you know, GDPR sounds a big, scary thing. And, sometimes, you can put it on the long finger or think that doesn’t apply to me. I definitely think now is the time to have the conversation, because you don’t want to be having it when you’re audited, and you don’t somebody picking up the phone and saying: “What is your process? What are you doing with this information?” You don’t have a clue. So just start and just take the first step and have a look: where are you holding all this information? If you’re looking to outsource it, like we did, then having those conversations: “Where are they holding the data? Who’s accessing that data? Where is that written down? What’s in their privacy policy? What’s in the GDPR compliance, in the cookie, that we do?” We now approve cookies and things like that, all of that needs looking at. Either you’re doing it for yourself, or you’re looking at the company that’s doing it for you and making sure that they’re compliant. And just not putting off – some of these things sound like big, scary things, and that’s going to be complicated, that’s going to be expensive. But, actually, when you look into it, it’s not at all. And I think, you know, it’s peace of mind, knowing that you can say to your clients, your customers, and for us, our parents, that their information is safe. Stephanie McSherry 11:58 And, I want to say one more thing about you, Steph, if you don’t mind, and we can cut it out if you don’t like it, but I think you will like it. You wrote most of your policies yourself, did you not? Philipa Farley 12:08 I did, yes. I did a lot of reading and putting it into language that I know precisely: I can read, I can understand, I know what that means. I know how to opt out of things if I don’t to use them, so you could do you can do that yourself. And it’s so important to write it that way, so that you can read somebody else’s – that’s maybe in a similar industry to you – and steal the bits that you like, or just reword them slightly, as you said. We all have to end up compliant, so we may as well have a look at that and use it. Stephanie McSherry 12:41 Yeah, I know. And some people would say it’s plagiarism, like maybe technically it is whatever, but I look at it and say, it’s kind of like, industry best practice. And if you’re assessing who is doing things in a space similar to you and you go and you look to see what their practices are, you might find you’re further ahead on the journey that they are, or, you know, they are further ahead on the journey than you are. And, it’s actually, it makes everybody better if we are assessing each other, and benchmarking against our requirements under the law and seeing, okay, are we meeting or are we not meeting it, and rewriting those policies as we go along. I particularly like your policies, because they are written in your voice, and they are written in a way that your people can understand them. And that’s so, so important because that’s one of the actual requirements, is that we write in plain language for the audience. So, when you’re writing for parents, or when you’re writing for children, particularly, you know, you shouldn’t ask somebody like me to write it because I can’t write. I actually I’m incapable of writing in a way that a child will understand. Yeah, I have a person that I put that through as a filter, you know, who can write that way. So, yeah, I just I wanted to bring that up because people think that they must hire somebody from the outside, to write their policies. No. Philipa Farley 14:01 Sometimes, I think, you because if you want, if you want to understand it yourself and you want your customers to understand it, it has to be in a language that everybody understands. So you know exactly what you’re explaining to the parents. And exactly for our staff even, this is what’s happening; this is why we can’t do this anymore, or this is why we have to change this. Stephanie McSherry 14:25 So, if you gave one piece of advice to a client of yours, but we kind of discussed that, but you can say if you want to do another one, like if a nursery or a creche was looking to get, you know, a kids class provider in, what would one piece of advice be to them? Philipa Farley 14:43 I woud definitely be checking that they’re fully insured, first of all, and making sure that all that information is GDPR compliant, and that their data processing room where are they are holding children’s information at the end of the day, particularly for a creche, if you’re outsourcing a programme of some description, you want to know that all your children’s information is being held safely. Stephanie McSherry 15:08 Absolutely. You know, the last thing anybody wants to deal with is a data breach or an incident. You know, I can’t say that I’ve dealt with too many access requests in your space, you know, yeah, your space is very lovely. So we don’t have too many angry people coming along, but you know, there’s obviously like the small things that can slip through the cracks like you know, a newsletter or marketing going out to somebody that hasn’t opted in. Yes, there might be a bit of smoothing out there that happens. Philipa Farley 15:41 Or, as you pointed out once to me, collecting information that you don’t need. Sometimes, we automatically put these forms – be them online or on paper – where you’re asked their name, their address, the date of birth, and this, that, and the other. And then, you pointed out to me: “why are you needing this information?” Because suddenly going, oh, maybe we don’t. I don’t need to know their address. You know, it’s just small little details like to make sure that you’re collecting the information that you need to do the job that you want to do. Stephanie McSherry 16:08 Absolutely. So that’s like an audit of your forms and processes just going in and asking why, why, why, ,what do we do with this? What do we do with it? Philipa Farley 16:17 Why do we need it ? What are we doing with it? And we get it might be that you come out at the end of that process and say, yeah, we need all that information. But, for me, I suddenly realised I was connecting a whole load of data that I didn’t need. So, we completely changed our forms, and just collected the data that we needed. Stephanie McSherry 16:32 Your website is lovely. I still really love it. It’s not difficult to understand and the links are all there in the correct place. You can, you know, manage your cookie preferences. You can see the policies; you can get in touch easily. So, you know, like, I think the point really is, Steph, and I really would like to say it, again, is that: compliance is not onerous. It might feel difficult, but it isn’t. Philipa Farley 16:58 Clear communication, I think, is the key. Clear communication with whatever your customer or client is, and you need to communicate clearly just what you’re doing with their information and where it’s being held. Stephanie McSherry 17:08 Yeah. Thank you so much. No. Do you want to say anything else? Philipa Farley 17:13 No, this is fun. Stephanie McSherry 17:16 GDPR is fun, Steph. Okay, let’s not go that far. No, we won’t go that far. We hope you enjoyed that episode of The GDPR Series. If you do, please subscribe. Find us on social media. We love to have a chat. The post GDPR, Children’s Data and Moving from Paper to Digital with Steph McSherry of Kinderama appeared first on ProPrivacy Data Compliance Solutions.


28 Feb 2020

Rank #5

Podcast cover

Do you want to hear some DPO Stories? Anonymised, obviously. Listen on with Stuart Anderson of XpertDPO

Today on The GDPR Series podcast, we talk generally about life as a DPO and a few of the challenges that can arise, particularly independence and having to give the medicine when it’s needed!  Our guest today values relationships and lives his motto – your partner for compliance.  Need a DPO or thinking about becoming one?  Listen to find out more. Our guest today is Stuart Anderson the multifaceted and talented man behind XpertDPO!  Stuart shares some real life experience around getting to know clients intimately, giving difficult advice and dealing with data subjects exercising rights.  We discuss how an expert can save you time and money especially when dealing with subject access requests.  Stuart has been instrumental in putting together and delivering Ireland’s first QQI accredited data protection course.  We take on board his advice to keep the training budget in as a line item – upskilling and keeping current is so important!  Stuart’s services cover data protection (GDPR) and cyber security and he offers practical, tailor-made solutions for your organisation. If you need a DPO, EU Rep or some consulting or an audit done, give Stuart a call or drop him an email! Tel: +353(0)16788997 E-mail: info@xpertdpo.com Stuart’s Links: XpertDPO Website A to Z of the GDPR Philipa Farley:  Hi, and welcome to our podcast called the GDPR Series, where we discuss data protection, privacy and cyber security matters that ordinary people in everyday businesses face. We have a series of really interesting and lovely guests, and we hope you enjoy listening.  Thank you so much Stuart Anderson, from XpertDPO, for joining us today for a small chat on GDPR and data protection. Stuart Anderson:  Super, it’s great to be here. Philipa Farley: I know, it’s fantastic! We met on LinkedIn, and for those of you who don’t know us, we, it’s kind of like, I suppose, we are an unofficial support group, professionally and personally, because this work is not easy. You know, it’s kind of what I was saying yesterday on Twitter, we absorb a lot of what humanity has to offer, and some days can get quite difficult. So, it’s great to have friends in this space. And, I really do consider you to be a good friend at this stage. So, thank you. Yeah, thanks for the chats and the time. Okay, so we have got your website open here, and you go under XpertDPO.com: your data protection partner. You do consultancy and outsourced DPO services. But I do know that you are in-house, in some places, we won’t sort of talk about clients on this chat. We have said to just keep it general. But yeah, do you want to give a brief introduction? Stuart Anderson:  Yeah. So yeah, I’m Stuart. It’s great to be here. And before we get into that, I mean, I think it’s really important the point that you just made, you know, that there’s a few of us that talk in the group chat on LinkedIn. And I think that’s really important because, you know, we’ll go into a little bit about what we do on the outsourced stuff, but I’m in the peculiar position that I do work in-house for some clients, a number of days per month and we also do outsourced things. So, we see both sides of that and really, at this stage, my opinion is that, whether you work internally inside a client or externally, it can be pretty lonely sometimes. And, you know, we don’t always deal with the nice, you know, rose-tinted view of the world. Sometimes, we have to make decisions that aren’t easy. Sometimes, we have to give advice that we know the client isn’t going to like, but we have to do that anyway. We, you know, a big part of being a DPO is always independence, whether internal or external. And, we have to, you know, we have to give them medicine sometimes, that is better to swallow. And, that’s just part of the job, but that doesn’t make it easy. And it’s tough. And it’s really, you know, it’s really great to have that kind of virtual shoulder to cry on, or to moan, or to vent, and it’s all done in a very, you know, we’re all very professional about it. And all that kind of thing. But you know, and again, that using the sounding board because, you know, if you’re in the middle of a situation, and you know that the answer is x. And, you’ve arrived at the answer by using your experience and your knowledge and logic. If you’re in thick of it, you can’t see the wood for the trees and sometimes it’s, you know, “I think it’s that, what do you guys think?” And, to have that is worth its weight in gold. It really is. So yeah, I do consider you a great friend, you know, on a personal and professional level, and it’s just great to have that. But, about us. Yeah. So, I run a digital Data Protection consultancy, I won’t say GDPR consultancy because we’re, we’re past that now. Data Protection existed before GDPR. You know, a lot of the things that people think are new in the GDPR, were already there. What GDPR has done is put it on the radar, it’s the sexy new thing. There is big growth in terms of people requiring Data Protection Officers, which is great. So we do the consultancy bit. We do a lot of gap analyses. We do a lot of internal audits. We do those on behalf of our clients. Our consultants also do some white labeled consultancy for bigger management consultancy firms. And a big and a very much growing part of our business, is the outsourced DPO service that we have. So, that’s how we act. Either one of our guys, or me, will sit at a client number of days per month and work with them in terms of managing their compliance programmes. And listening to any incidents that might happen, you know, on a reactionary basis. Philipa Farley:  Yeah. So can I ask you a question here, because I had to do this calculation, like my work could be sort of slightly different to yours. The opposite cliff face as such, you know, doing the actual compliance work more than the management, some advisory. I suppose we cross over there. But, when I go in, people kind of go, “Oh, why should? Why should we pay for this? Why should we do it?” You know, those are the regular questions that come up, and I come from a background in IT management for some part, I’ve got very used to doing cost calculations for people. Like, rather, pay for that service or provide this too, because this is how much time it’s going to save for your employees. You know, and this is actually the cost saving or the profitability in it for you, if you do it this way. So, that’s kind of how we approach GDPR data protection services too. I have my own personal little calculation that I’ve done on time. And, this question to you specifically relates to your services and time, because we know, like not every organisation actually has to appoint a DPO, however, if you don’t appoint a DPO, that work gets farmed out either to one person, or many. And, often there’s confusion, you know as to what’s going on and who should be doing what. So, very, very briefly, have you ever done a time calculation for an organisation where you’ve worked out how much extra time regular employees spend on data protection compliance, vs. you coming in and doing it for them? Stuart Anderson:  Yeah. So in terms of that, we haven’t done any sort of dedicated calculations. But, what we do have is real world experience. Yeah. So, for example, I came across an organisation before Christmas. They’re not a client, but they had to deal with a subject access request. They were a small business, and the cost of dealing with that to them was in and around 10,000 Euros. Philipa Farley: Yeah. Yeah. Stuart Anderson:  A sizable value, I don’t know how many days but we have, for a client dealt with a particularly contentious subject access request. Philipa Farley:  Yes, yes. Stuart Anderson:  We made certain suggestions to the client, and the client decided to deal with the subject access request. There was a lot of data, there were a lot of redactions. Our estimate is that it cost them, because they had external legal counsel, it cost them in the region of 30 to 40,000 Euros. In terms of redactions, we stopped counting at 100 man hours. So, if you translate that 100 man hours of redaction, there are 8 hours in a day. So, if you’d given this role to somebody internal – and that’s okay! What I would say to people that want to appoint somebody internally is make sure there is sufficient budget to get them some decent training. Philipa Farley:  That’s exactly what I was going to say. Stuart Anderson:  By decent training, I mean, you know, not one of these 5 days, 40 multiple choice answers at the end of it, courses. You need something where you’re going to be challenged. Something like you’re given a task to do, a DPA, for example, and case studies from across the world, because when you are thrown in at the deep end, you just need that really good grounding, where 40 multiple choice questions and, you know, maybe a 35% pass rate is not going to stand you in good stead. So, if you’re being offered to transition into a role or do it part-time, make sure that your employer is gonna put a budget in place for you to go and get some real, really good, training. Philipa Farley:  Yeah, and you know what, Stuart, I’ll back that up as well because, and just so that anybody listening knows, we did not script this or discuss really anything beforehand. I’ll totally back that up, because practically every single client I’ve had where I’ve gone in and there’s been a reactionary situation where we’ve had to get compliance documentation, you know, up to scratch or work on supply chain relationships. Usually, there and, it’s usually a lady, a woman in the position; the stats are kind of skewed in my experience. You know, maybe they just come to a woman for help because they feel more comfortable. I don’t know. You know, stats are fascinating, but anyway, usually it’s a woman, and usually she hasn’t had the kind of training you’re talking about. And, one of the recommendations I would make high upon the list for each of these clients is budget for training, exactly what you’re saying, the exact type of training, you’re saying there. Please send one if not two people on that training, so they have support for each other. And, you have the peace of mind knowing that they’ve got that challenging experience, as you say. And, honestly, the only two courses that I’ve come across that have that depth of experience would be the UCD course. I don’t know exactly which one it is Dennis Kelleher, I’ve worked with the company assistant who has gone through that, yeah. And then, the Maastricht European DPO certification course they have that kind of experience. And those would be the two that I would say to people to have a look at. You know, I don’t know if you’ve got any to add to the list there. Stuart Anderson:  Yeah, I mean, I don’t have any in particular, in terms of, you know, we as you know, Philipa, we worked on Ireland’s QQI course, which I’m going to be delivering, you know. It goes into a lot of detail and there’s going to be a lot of work for those guys to do over the five weeks. But again, you know, in terms of,you know, established courses, the UCD courses, the one I did with Dennis Kelleher, and it was absolutely fantastic. I hadn’t done any real kind of formal education since leaving University, you know, decades ago. And it was, it was a bit of a culture shock, but I, I absolutely loved it. And Dennis is an amazing lecturer to have. It was, it was challenging, you know, you had to think. And, you know, having come from, you know, having done data protection for a while, and coming into that there was something that you could take away from each lecture, that makes you think or that, you know, changed your opinion on something. And the Maastricht course is very good as well. Lots of lots of people do that. So, you know, one thing, one point I want to make about the budget is to make sure that it’s there, year on year, because we’re talking recently about the next steps for each of us. Not what I’m going to do, I’m currently finishing up the King’s Law course. And I chose that, because I wanted to do a more law sort of orientated course, for personal reasons. So, I did that and it’s important that you do keep up that knowledge and keep current because, you know, the, the market in my opinion, both for consultancy and software solutions is still very immature. You know, we’re just under two years into the GDPR. Things are settling down, we’re only – I was having a conversation yesterday where the first GDPR case went through the courts in Dublin. So, we’re only now almost two years down the line seeing the litigation. Once those go through a due process, things will get a little bit clearer every time, and the grey areas will be cleared up. You’ve got to keep current, you’ve got to keep your knowledge current, you’ve got to do a lot of reading. Which is good, which is great, you know, but make sure the budget is there year on year to support your professional development. Philipa Farley:  Yes, Stuart. And, I’ll add to that and say like for people looking to budget for the GDPR because that’s another question I get asked quite often: “How do we budget for compliance in this space?” You know, cyber compliance budgets can go through the roof very quickly, when you look at all the cool tools out there that can help you with your cyber security and management in that space. But data protection is a bit different. Because, you know, we could talk about tools for another 10 hours, I’m sure. And that’s not the point of the discussion here. But you’re going to have to budget something for some kind of software management. And what you use depends on your stance, you know, within an organisation tools have different philosophical starting points. Shall we call it that, to be diplomatic about it, but with the budgets. And I’m not saying this because it’s you on the call, you know, I would say to people, also budget for the external assistance when you need it. And if you’re not going to have somebody regularly, like on a retainer, you know, that’s available to your employees to just pick up the phone or email, you know, budget for once a quarter or once every two months, at the beginning to have somebody come in for a couple of hours in the month, to just do the spot checks on you. You know, you have to have that in your budget. Stuart Anderson:  Yeah, we have a number of clients that are really great to work with actually, they don’t need us there every day. They don’t need us every two weeks, because we’ve worked with them to put in what we believe is a robust privacy programme or compliance programme. And they do things properly. They understand a bit, because, especially one of them, the space they work in is, you know, they have to deal with compliance in other areas of their industry. They’re a regulated industry, so they have to be compliant with all the regulations. So yeah, being GDPR compliant was challenging. They were used to having people audit them. They were used to having to comply with regulations, rather than somebody who’s completely unregulated. I embraced it and those clients are great because they get it. They know they have to do it. It’s just a cost of doing business. Whatever. The same as health and safety, where health and safety applies to people as a cost of doing business. Now, way back when, you know, the European Union brought in this concept of health and safety and everybody out to, you know, everything was brought in. People moan about it, in much the same way as people moan about GDPR. And this is why I’m saying that it’s still an immature market because people haven’t grasped the concept yet that it’s just the cost of doing business. And, you know, our clients that we see quarterly have that budget in place, we’re going to and see them once a quarter, we check everything, we check the Article 30 records, we check all documentation, and have any new processing operations… Philipa Farley:  And you check the logs, the incident management logs, the rights requests logs, you know, things like that, that should be kept up to date. Stuart Anderson:  Yeah. Yeah. Yeah. It’s, we’re in maintenance mode with them and it’s great and they have the satisfaction or the security that, if anything out of the ordinary happens, they can pick up the phone and talk to us and we’ll help them out. Yeah, Philipa Farley:  Yeah. If they’re starting a new project, Stuart, or like doing a bit of research into something and they need to DPIA done, you know, I’m just throwing in the things here that we land up doing because you do the same, you know. And people need to know, kind of, what’s going on out there. People are very sort of tied to their chests about data protection compliance, because it is a reputational thing, too. So we’re well aware of that. But this is what people are spending money on, you know, the professional help to come in and do the sessions and to maintain as you say. And, I do like your tagline ‘your data protection partner’, you know, that’s the message that needs to go out there. Personally, I’ll quickly say, before I start asking you the questions here, otherwise, we’re going to have a super long recording and people are going to fall asleep, I think. So don’t think everybody loves compliance as much as we do. My business mentor says I’m very sad. I love compliance. But anyway, he probably ever forgot what he’s going to say about the partner, or whatever. Anyway, yeah. Should I ask you? Should I? Oh, yes, that’s what I was gonna say no, I’m gonna actually say it. When we came to Ireland, because lots of people might not know we only arrived in September 2017. We’d been planning for quite a long time to come here. A lot of my work would have been being a translator between lawyers and high-end IT departments, particularly in the contract space where substance was, you know, on the table like exactly what services were going on, what data flows, etc, etc, security practices. That was the large part of my work before I came here, and then we arrived here and there was a gap in the market, obviously, and there were skills needed. There still are skills needed in this space because it’s quite a complex set of skills that’s needed to do your job. Particularly IT management does help a huge part. You see, our culture in South Africa is very much based, I suppose, the ,like most people wouldn’t know the drill here is based on Ubuntu, you know. Generally like I’m not going to give you the good translation, but generally like in business, it will kind of translate into “your success is my success.” Yeah. You know, where there is healthy competition, definitely. But we understand that, you know, by putting handouts and pulling each other up, we’re only making better everybody else. So when I came across this phrase of fear mongering, and a lot of people would put online: “Oh, you’re just what scaremongering or fear mongering”. It wasn’t a phrase that I was familiar with, and I’ve watched it from a distance for the last two and a half years now. And honestly, like, this is my personal opinion. That phrase has done nothing for the industry here because, what it did was, it psychologically attached to GDPR. So, anytime people look at GDPR, there’s this message that has gone out, it’s very negative of GDPR. There’s fear or scaremongering attached to it. And actually, I’m just gonna put my hands up in the air and walk away because people are just trying to take my money, you know, for nothing. And we have to break down that stereotype that’s being created in an immature market, and it’s quite difficult sometimes getting the message out that you’re getting here that you’re a positive partner. You save people time, you save people money, and actually in a crisis, you’re the lynchpin of the operation a lot of the time, you know, and you’re keeping everybody stable. That is, that is fact and it’s happening time and time again, you know, I’ll say it for you. Stuart Anderson:  Yeah, I mean, we we, the reason that I chose ‘partner’, is because, when I set the business up, we can talk about that was one of the questions that you sent across. And that was one of the responses about how I arrived at setting up XpertDPO. But when I did, I made a conscious decision that, look, we’ve all come across people that give out bad advice, that give out rotten advice. You know, you know, we’ve walked into potential clients, and we’ve said, “Well, you know, where is all your data?” And they say well, “We had a guy three months ago tell us to shred everything and delete it.” And so, we’ve all come across those people and I made a conscious decision that you know, I really love nurturing relationships, whether it be friendships, whether that be business relationships, because the real value for any organisation is having a trusted advisor, the bit, you know that you can pick up the phone at three in the morning. Philipa Farley:  Exactly. Stuart Anderson:  And they’re going to answer that phone, and they’re going to help you. And yeah, we provide service that we get paid for. Okay? That’s the same as any business, but, and again, and it might sound corny to some people, but I started the business to give out the right advice, all of the time to people that we partner with. And let me tell you, Philipa, we’ve actually walked away from business that I have decided that if we did business with this, this client or that client or whatever, it was too much of a risk to our reputation. Yes, our name, it’s my name over the door. I ultimately make the decisions. And, you know, the reason that I’m saying that is but you know, we’re all in business to do business and make money but sometimes, you have to realise that this might not be good business to do and and that’s because it’s too high risk or they just don’t have they don’t have, they just see it as a box ticking exercise to get papered up or whatever you know that it’s because it doesn’t work like that, it’s a living breathing thing. So, we are really enthusiastic about building relationships with people that we can work with so that both sides, so both sides of the deal are successful. And you know, so that’s why that’s primarily why we chose ‘partner’ because I thought well, you know, you don’t want somebody you’re not, you don’t want and you’re not going to get somebody to hire us that comes in and tells you what to do, and then sends you an invoice and then that’s it, and you never see us again. It doesn’t work like that. You’ve got to build a relationship. And again, because if you’re going in and you’ll notice as well doing the consultancy, and whether it’s cyber security, or its GDPR, data protection. You know, you need to know what that business does. You need an intimate knowledge of how they, where they process data, how they, what their businesses, where our clients, from pharma clients, to health providers, to software clients. So there’s a whole range of people and we have to take that time to get an intimate knowledge of what they do and how they do it. So, you can translate that and build a compliance programme around how they do things. Philipa Farley:  Exactly. That’s that way without friction. I mean, there is a bit of friction obviously and that’s, that’s natural, but it should slide into the daily running of things and become natural for them to do. I think we’re very much on the same page there. I’ll just say one quickly before we go to the questions. Like, a huge thing for me, Stuart, was not socialising with clients but realising that going for a cup of coffee, or if somebody said let’s go for lunch, that it is good to say yes, because they’re trusting you so much, with such absolutely confidential documents, and happenings, and data, that they need to get to know you as a person as well. And working in the space, inherently we’re all very private people, with very little of our lives online, you know, so it’s quite difficult for them to get to know us as well. And it’s quite hard for us sometimes to open up and show them the kinds of people we are, so it’s a two way street as well you know, for them to understand that we are actually there for them, we have their best interests at heart and we are available. You know, it’s and that’s where ‘partner’ comes in because it’s a journey and it’s a road we walked down together. So absolutely, no, you’re not going to invest that kind of time into relationships, to dump an invoice on somebody’s desk, and walk away and be done with it. You know, it’s just as simple as that. It’s ongoing. You know, I’ll get calls, like, more than a year, two years later, sometimes put up a piece quickly, we need, you know, we haven’t seen you in a while, can you come in please? You know, and you do you just do because you do have that kind of relationship with somebody. Okay, I’m aware of the fact that it’s half an hour in and you’re very valuable with your time so quickly, quickly, Stuart. I sent some questions over. And the first one is: where did you first come to grips with data protection? We don’t even say that GDPR, but data protection, like where did it first dawn on you that this mattered? Stuart Anderson:  Yeah. So again, it was around just before 2016, and GDPR was coming onto the radar. So, you know, I was working in a software company. I worked at a software company. I was spending all of my time flying between Ireland, all over Ireland, to Cologne, to Milan, and back. And we had a piece of software that became more of a platform on which people could build workflows. And, you know, the GDPR started to come on the radar. So I read about the GDPR. I’d heard about data protection beforehand, and you know, had had some subject access requests to deal with, as part of working with a software company. And we were going to take that piece of software and build something to handle subject access requests. And that’s when I really started reading. I did the, you know, couple of day courses, and the 40 you know, multiple choice answer questions. Yeah. Yeah. And that’s how I really got into it. It was around 2015, we were going to make this great piece of software, that all kind of fell apart. And that’s how I ended up setting up XpertDPO. But I didn’t stop there. I went to do the UCD course with Dennis. And I’m probably going to do the CIPM later this year. That’s still 50/50 but it was around 2015, 16 when we knew GDPR was coming in, we, you know, anybody that was kind of working in a semi techie or a techie business, knew that this was going to be a game changer. You know, everybody was going to have to comply. It wasn’t just legislation, it was a regulation. So it was going to level the playing field. So, you know, considering myself to be you know, big tech savvy and things like that. I knew that this was going to be a big thing. Philipa Farley:  Yeah. Yeah. Stuart Anderson:  And you know, with hindsight, I made the right decision. Philipa Farley:  Absolutely. Like, when people hear what I studied, you know that the 90s and early 2000s they like, how did you know that is going to happen? And I was like, I didn’t, I just loved it. You know, I’m not some kind of, like, whatever. psychic, Stuart Anderson:  I think as well, you know, I’ve always been into tech. Yeah. Part of that, originally as a musician, but I’d always had a computer when I was a kid. Philipa Farley:   Yeah. And it’s actual curiosity that leads you to this space, you know, Stuart Anderson:  And, you know, having become aware of, you know, you see these things called data breaches. Yeah. Then when you, you realise, well, actually, that’s my data. And now my data is on the dark web. Philipa Farley:  Yeah. You know, that’s my next question. What is the impact on you personally, of the GDPR? Stuart Anderson:  Well, I mean, personally, I mean, I’ve had emails that my email address is on, you know, “you’ve been pwned.” So, I’ve had my data stolen, the LinkedIn breach, Yahoo breach, my data was taken in that. I’ve actually been breached on my, we had an unsuccessful phishing attempt on our corporate email, from a legal firm actually. And that was very sophisticated, but we didn’t fall for it, but we get lots of spam. You know, and we just don’t respond to it. So the impact of that, but the impact of GDPR I mean, my wife, my long suffering wife would tell you that I’m Philipa Farley:  Has she given you her consent to discuss this, Stuart? Stuart Anderson:  Well, I haven’t mentioned her name so we’re not processing under consent. I signed a marriage certificate. So I’d say. Philipa Farley:  Yeah. Stuart Anderson:  Um, you know, there’s no such thing as quickly buying the kids a pair of shoes online anymore, because the first thing I look at is a privacy policy. Yes. And, you know, it’s the same old thing. It’s this kind of stealth data collection by building profile building, you know, oh, can we send you a copy of you know, your receipt to your email? No, thank you. Just give me a paper one. Thank you very much. Philipa Farley:   And I don’t want your newsletter either for special offers, five times a day. Stuart Anderson:  I don’t mind sharing my data. I have an iPhone. I have a Facebook account. I have LinkedIn. Yeah, like the majority of people. But I want to know where my data is being shared. So I use a number of burner emails to see who’s, which organisation is selling my data without being… Philipa Farley:  Exactly, yeah. And this is a great tip for people to hear. So if you want to just quickly explain what a burner email is, and how you use that practice because I would know a couple of other privacy and data protection professionals and I see privacy because privacy advocates that we do this specifically that the people don’t know what you’re talking about. Stuart Anderson:  So I have a number of email accounts that you can use, I personally use protonmail. You can get a free protonmail, encrypted email account. Yes, I have a number of those that I don’t use for anything else. So for example, if I go into a retailer, and I decide that I’m going to get my receipt, emailed to me, I will use one of those burner emails. And I only use a particular burner email for a particular retailer, or group of retailers or for Facebook or for Twitter or ever. And if I start getting spam, into that particular email account or unsolicited emails from people that I’ve never done any business with, then I have a pretty good idea of who is selling my data and to whom they are selling it. Philipa Farley:  Exactly, exactly. So that’s it, that’s a fantastic tip to take out for people to use is to tie, tie your service providers back to that email address to hold them accountable. And this kind of goes to a point that came up in the AIB Network Ireland panel discussion. Last week, there in Dublin, Stuart, where the representative said that it’s really a war between good and evil. You know, that’s how they’ve kind of tried to sort of humanise the cyber security practices. When they explain to people you’ve got to understand it like that. And, and at some point, we have to start fighting back with the small things that we can do, to look after our identities. You know, we don’t have to accept the fact that we’re being profiled, and these things are happening online and there’s nothing we can do. We have to fight back. Stuart Anderson:  Absolutely. And it’s astonishing. The amount of data that we process on a daily basis is astonishing. And lots of people are just unaware of that. And that’s not to be, that’s not to denigrate them or anything like that. It’s because the people are unaware. And it’s, it’s great. I can use a free Gmail account, and that’s great. But have you read the Terms and Conditions? Philipa Farley:  What further is happening? Stuart Anderson:   It’s free. You have to understand that it is free for a reason. And the reason is that you are the product, they’re going to take your data and they’re going to slice it and dice it and share it with people and do whatever the hell they want with it. Philipa Farley:  And influence you, turn you into the perfect consumer for their purposes. Turn you into the perfect citizen for their purposes. And it goes very deep because our children, if you don’t have children, the next generation, is growing up in this world that is completely controlled through information that’s going directly into their minds. Yeah, no filter. Yeah. Stuart Anderson:  You know, it’s, it’s, you know, I’m not a conspiracy theorist, but I see people on social media advocating for a fully digital economy. Yeah. And that’s great. But I know people in Milan who do not have a bank account. Philipa Farley:  Yeah, I know. Stuart Anderson:   It is like forcing people into our predetermined pattern of behaviour. The other side of that is that you know, if I have to use a card and have electronic transactions, my bank has a very intimate knowledge of what where I’m spending what I’m spending it on. So if I decide you know if I’m if I’m in the takeaway every evening using my… Philipa Farley:  Your health insurance is going to phone you up and tell you to go to the gym! Stuart Anderson:  Well, and then I’m gonna get a ton of spam saying ‘go to the gym’ and the next time I come to get some health insurance I’m not going to be able to get it because I don’t exercise and I don’t diet. So that’s one of my concerns around this probably political economy and, again, the example I use is I think a while back in London before Christmas, the card machines went down and nobody could use their Oyster cards. So they had to use this thing called cash. Philipa Farley:  It must have been a nightmare in London, must have been a nightmare. Oh, God, no.  Yeah. Yeah. Okay, so, let’s see the next question: where have you seen opportunities for your own business in the context of GDPR? We spoke quite a lot about your ‘partner’ there. Stuart Anderson:   So, yeah. I mean, I set up XpertDPO in June 2018. So we would be just after GDPR. But as luck would have it, I finished work with the software company on the 23rd of May 2018. And I was kind of kicking around the house thinking: “What do I do? At this time, our second baby was due. And I actually set up the company on the Xero website, whilst I was sat in Hollis street, and my long suffering wife was in labour. So yeah. I wanted to run a business. I knew I was good enough. I knew that I knew my stuff. I knew that I wanted the principles of the business to be founded on reputation, and being good at what we do, and being reliable and knowing our stuff. And, you know, I met with a couple of people that I used to work with, I have a mentor who is absolutely fantastic. I, you know, if I paid him all the money in the world, it still wouldn’t be enough because he’s just, he’s been brilliant. I have to say, and, and, you know, so GDPR is, as I said earlier, is on the radar now. But, by the time I was up and running, we kind of lost all of the guys that were in it to make a quick buck. Philipa Farley:  Yes, yeah. Stuart Anderson:  And to kind of half ruin organisations. So it really is on the map. I think it was a LinkedIn survey last week. And the Data Protection Officer is the second biggest growth last year. Philipa Farley:  So yeah, I think like, if I can say, that the opportunity for your business in Ireland particularly, and you’ve said this point several times over and it’s a very salient point for people to take home, is that you don’t need you all the time, every day, hour by hour. So a lot of businesses in Ireland particularly don’t need somebody full time. They don’t. It’s an unnecessary expense. And I would say this over and over again to people. Yes, you do need to do it, you need that voice of reason. You need the voice of impartiality. You need to take your medicine as you said, absolutely you do, but you don’t need it every day. So I would see that as a huge opportunity for you in Ireland. Stuart Anderson:  And what we’re saying, and that is the opportunity because what we are seeing, I mean, obviously I keep an eye on the employment market. We saw salaries at the 100,000 plus scale around the time of the GDPR, two years ago, because everybody was panicking. And they’ve realised now that… Philipa Farley:  You’re lucky if you can get 40 now. Stuart Anderson:  Yeah. So, you know, between 40 and 60, I think it is the going rate now. But, people who appointed staff now have this expensive asset, sitting there, doing data protection stuff, one, maybe two, days a week. So they’re not fully utilised. So that’s where the opportunity is for us. Philipa Farley:  Well, some are. Some are overworked. Stuart Anderson:  Yeah, it’s a lot less than employing somebody full time. You don’t have the overheads of, you know, all the HR related costs. Philipa Farley:  Absolutely. Stuart Anderson:  And it’s a formalised arrangement. You know, there are contracts in place. Yes, both parties know from the outset what is expected of them, what is included and what is not included. So it’s a formal arrangement, but they don’t have to take on an extra member of staff. And that allows them to concentrate on what is important to them, like growing their business. Philipa Farley:  Exactly their business, it takes the stress away, saves them time and saves them money. Absolutely. I’ll tell you what my calculation was on time, Stuart, we worked it out on a case study and interesting one, where employees in 2018 2019, were spending 20 to 30% of their day, trying to get to grips with data protection in their space, doing it the right way, do like filling in forms the right way. Re-sorting data, archiving, you know, minimising data mostly took up the time, but 20 to 30% of their day was taken up on data protection related things that they were doing and that’s the last thing: productivity. So, really like having somebody like you around, I deeply believe, really can only benefit an organisation, really, because people would have to do that in their jobs every day, but they would find the most streamlined, efficient way of doing it from you and not waste time. It’s as simple as that. Yeah. Yeah. Okay, sorry. Stuart Anderson:  Our service, it depends on what we agree on in terms of engagement. Whether that’s days per week, or days per month, it really does differ from client to client, based on that. If we’re in there one day, per month, for example, the client knows that anytime they can email us or call us and, and that’s, you know, that’s an important part. And again, that brings us back to the ‘partner’ bit, you know, they know they have that security that we’re going to be there for them if something happens. Philipa Farley:  Yeah, absolutely. Okay. So the opportunities for your business are there and we hope people recognise that. That that you’re there too, to be that partner and that assistance. Just, very briefly, because we can’t really speak about clients’ business, obviously, that’s confidential. But just one small point, Stuart. The opportunities for your clients, like just if you have one small story to share, to show people that this isn’t a waste of expense, and it’s not a waste of time. Yeah, how has it benefited one of your clients? Stuart Anderson:  So one of one of our clients. I can’t give you a name. I can’t tell you what they do. But they, we did, we did an internal audit for them. And as part of that, we looked at their supply chain. And we came across one particular supplier who, on the face of it, looked like they’d gone through a robust compliance programme. It didn’t take as long to unpick that. So it was the usual thing. Privacy Policy. Yes. We asked for privacy policy retention policy, data security policy, access control policy, all that good stuff that people should have. Philipa Farley:  Training Records. Yeah. Stuart Anderson:  Yeah. We got a document that was a copy pasted boilerplate policy. The thing that set alarm bells off for us was it was very good. It had document version control. It was all this kind of stuff. And we looked at it, I was reading it over the weekend. And it said, you know, the author of this document is our Data Protection Officer. And we got further down the document and it said, you know, x organization has analysed deeply the requirements for the GDPR and we have come to the conclusion that we don’t need a Data Protection Officer, so I’m like “Er, who wrote this?” And so we put some of the text in that through a search engine and got about 2000 hits from people using the exact same policy. None of the other policies came forward. So we, you know, had to go back to the client, because the very sensitive nature of the work that they did was with a key supplier. So, you know, they had to have a conversation with that, that we ended up getting a little bit of work out of it as well, which was great, so positive for us. And look, it’s not just about finding problems with people, you know, we never use this as a finger pointing exercise, but we do say, look, you have an issue with one of your suppliers. Generally, it comes around DPAs and the data processing agreements, and, you know, again, being the outsourced person, we can be the piggy in the middle. Philipa Farley:  Yeah, exactly. Stuart Anderson:  We can do the good cop, bad cop. But, you know, that was a risk. That was a huge risk for my client. And we were able to highlight that they were able to resolve it really quickly and get it done. And they actually have a better business relationship now, because we got it out in the open, you know, we just got on with it, we fixed it. And that was that. So, it, you know, you don’t always get stories like that, you get people that won’t play ball with you. But luckily, we were able to resolve it and it was grand. But that business now is able to stand over the fact that they’ve done a full audit of their supply chain, and they have a comfortable level of assurance that people, you know, that they deal with doing things properly. Philipa Farley:  Exactly. And money can’t buy that really. You know, knowing that there’s trust relationships in place. Okay, positive story, that was a positive story. So shall we skip that and just ask for it? I will ask you for one piece of advice to potential clients of yours. Yeah, one piece of it. So? Stuart Anderson:  Ask the hard questions when you are choosing your DPO. So, again, if you’re going to appoint from within, give them a budget, support them. Okay? Let them go and do courses, let them go and get qualified. If you’re going to appoint from outside, ask for references, talk to people who they’ve worked with, and ask what the service includes, ask what it doesn’t include. Anything that’s not included, what is it going to cost me if the roof falls in? Philipa Farley:  Exactly. Stuart Anderson:  You know, DPO, the level of expertise is not defined within the GDPR. The same as the definition of personal data is this great paragraph that it doesn’t list out first name, surname, email address, all this kind of stuff. It’s a catch-all, but, you know, the level of expertise must be proportionate to the sensitivity and complexity and the amount of data that an organisation is processing. Yes. You know, you might have an organisation that processes a million email addresses, but you might have an organisation that processes 50,000 health records. Philipa Farley:  Exactly. Stuart Anderson:  You have to look at it subjectively, you have to know you know, where is the risk in my daily practice and operations? And rate that risk and you know, so, you know, you’ve got to again, your DPO, ask them, you know: Where is their expertise? Do they know about European laws? Do they know about local laws? derogations? Do they understand the GDPR? When I say understand, have they done this role with anyone else? Or have they? Yes. Yeah. So ask, ask questions, probe the unknown. And, look, if they push back, then that tells you everything you need to know. If they’re open with you, and now and they’ll talk to you and, you know, honestly, is, is paramount. Philipa Farley:  It’s just a relationship. Yeah, it’s a trust relationship. Stuart Anderson:  And somebody who does things properly and who is a true professional, will not mind you asking those questions. Philipa Farley:  Absolutely. Yeah. Because we expect to be asked those questions, Stuart. We expect to be asked for references, or examples more, you know, crisis situations that we’ve dealt with, we expect to be asked how we integrate into an internal team, you know, how we deal with the board? You know, what is our level of expertise there from the ground, right up to the top and to partners even, you know. So get to know, get to know somebody. And I think that’s the point of this as well because like I say, we’re very private online, you know, you might catch us being, I like to think very witty, but probably terribly annoying on Twitter. You know, and you just see kind of on the face of it. You know, I personally have had people meet me at professional events and say, “Oh, we get a very different picture of you online.” And I never say, “Okay, what picture is that?” Because I’m very sensitive, so I don’t want to know, you know, but I think it’s time to sort of chill out a bit more and help the market mature a bit in their decision making. I think that’s really important. Stuart Anderson:  Yeah. Yeah. So that that will be it, you know, talk to people you know, and I would have no problem. I have many clients that are more than willing to provide references. Philipa Farley:  Yes, absolutely. Stuart Anderson:  Answer the phone to people and do that, and one on one. And, you know, I would even encourage it, you know. If we have a client, I would say, you know, you’re a software company, go and talk to this guy. He was customer number one. He’s a great guy. And, you know, in a general sense in terms of running the business and things, it is very lonely, go out there and expand your network. Because, you know, we still get calls from people that we spoke to, or maybe connected with two years ago, when we set the business up. And they’re only coming around now and talking to us, but that’s great. It’s great. Philipa Farley:  It’s long term, Stuart, like it’s pretty much like farming. You know, you sow the seeds, you know, to them, walk away, watch them grow. You know, some making some downs. This is how we cultivate our relationships. And we hope to, to have, you know, many productive ones in the future. But yeah, like, Is there anything else you want to add to what we said? Stuart Anderson:  No, I mean, just share a positive story. Yeah. Okay. So, this is my positive story. And this is to give hope to people that are only just coming into the industry now, or starting a business in general. So when I set the business up, I got a little bit of support from the local Enterprise Office. Yeah. And I had to go on a “start your own business course”. And I trot along… Philipa Farley:  I did too, they were lovely. Stuart Anderson:  Yeah. And the gentleman that ran that course, asked me what I did. And I said, Look, I’m in data protection. This is what I want to do. And, he said, “Oh, well, I have a trading company and we’re trying to get this data protection course off the ground. You know, is it alright if I contact you in a few months or whatever?” And he did contact me. But we were up and running. I’ve since designed the course content for that and we’re about to start the first one, this Friday. Yeah. So, you know, I started this business, I didn’t know anybody. I didn’t know really, I knew what I wanted to do. I didn’t really know how to do it. And it was just this, kind of the stars, aligned. And, you know, I’ve done more business. I’ve done more work with this crowd. They’ve done a bit of work for me. And it’s those relationships that will count if you nurture them. Philipa Farley:  Yes. Stuart Anderson:  That will, you know, be fruitful. So my little positive thing you know, it’s the first QQI certified one in the country. Philipa Farley:  Yeah. Stuart Anderson:  And, it’s astonishing when I look back, you know, the chance meetings or you just, you feel like you don’t want to go to something but you’re doing it. And you end up meeting somebody where you can connect and things like that. The best of the best relationships, I think, because they’re the most fruitful, I think as well. Philipa Farley:  Absolutely. You’ve got to get out there. You have got to talk and you got to tell people what you do. And, you know, don’t don’t fear criticism or negativity. There are fantastic people working in this industry, and they’re huge supporters. You know, I think there’s a lot of us who want to give back a little bit of what we’ve benefited over time, and we’re happy to put up that hand. Give a piece of advice here and there to two people joining. Stuart Anderson:  Absolutely. Philipa Farley:  We hope you enjoyed that episode of the GDPR series. If you do, please subscribe. Find us on social media. We’d love to have a chat. The post Do you want to hear some DPO Stories? Anonymised, obviously. Listen on with Stuart Anderson of XpertDPO appeared first on ProPrivacy Data Compliance Solutions.


21 Feb 2020

Rank #6

Podcast cover

Ransomware, GDPR Data Protection and Cyber Security with Liam Lynch

Today on The GDPR Series podcast, our focus is ransomware – cyber security AND data protection!  I chat with a well-known on the training circuit and expert cyber guy about the current ransomware landscape and how he got into data protection work.  Yes, it does involve managers reading employee emails. Heads up: he’ll be one of our Serity support consultants!   Listen to find out more. Our guest today is Liam Lynch who prides himself on keeping security simplified and training fun!  Yes, fun cyber security and data protection done excellently.  Liam was really involved in the GDPR Awareness Coalition and still hosts some great infographics on his site.  Fact – I met Liam for the first time in a Centra (inside joke).  Liam is based in Tipperary and Limerick and can be found at https://www.l2cybersecurity.com/ In this episode, Liam reflects on his journey from cyber security and the tech world into sharing his knowledge with us through GDPR data protection training.  We discuss dealing with data subject rights requests, CCTV footage requests, backups, TESTING your backups, and other interesting matters!  If you need training, consulting or audit done, give Liam a call or drop him an email! Tel: 087-436-2675 E-mail: info@L2CyberSecurity.com Liam’s Links: Liam’s Weekend Wisdom Blogs GDPR Resources (you’ll find the GDPR infographics on this page) L2Cyber on Twitter (great cyber security and data protection tips). Interview Transcription: Philipa Farley 0:01 Hi, and welcome to our podcast called The GDPR Series, where we discuss data protection, privacy, and cyber security matters, that ordinary people in everyday businesses face. We have a series of really interesting and lovely guests and we hope you enjoy listening along with us. Hi Liam, thank you for joining me on the call. I really appreciate the time and it’s great to chat to you. Yeah. So do you want to tell us a bit about yourself? I’m going to share the screen before you start here. So we’ve got your website up on the screen. Liam Lynch 0:42 Yeah, so thanks for arranging this, Philipa. So, as you said, my name is Liam Lynch. My company is L2 Cyber Security Solutions. I am a cyber security and data protection GDPR trainer and consultant. I have been in business since January 2016. So it’s just over four years now. And my main, I suppose, focus, my main way of doing things for my clients is: I keep it as simple as possible. Yeah, so therefore my maximum security simplified so you’ll, you’ll see me use security simplified absolutely everywhere. So, I take, you know, the kind of scary technical topics such as, you know, cyber security, and boring legal subjects like GDPR and turn them into, you know, simple plain English that anybody can understand. So, that’s, that’s the main focus of my business. A bit on the side then would be business continuity planning and security risk assessments for clients, the small business clients that are unsure about their, you know, that their security of their IT setup, I can go in and review it for them and make recommendations, etc. And I also then produce plans for disasters, such as fires, floods and ransomware, which I think we might discuss later. Philipa Farley 2:24 Yeah, absolutely. We’ll discuss it. I’m just gonna open that up here. It’s ready. Like what we’re trying to do with this series of chats, Liam, is get the message across that it’s not huge, and it’s not scary. And, for the most part, people know their own businesses and they know their own spaces, and they just need to get going. They need to start somewhere, wherever that starting point is, whether it’s with a privacy policy or notice, a data protection policy or notice, or whether it’s with the security side of things. You know, those will meet in the middle at some point, when you do your GDPR compliance, you’re naturally led towards cyber compliance. When you start your cyber compliance, you’re naturally led towards the data protection compliance. Yeah, yeah. So, we shall discuss somewhere, definitely, because I would like to cover that, but just so that people kind of get an idea of your background here, I sent you a couple of questions and we can just chat through them very quickly, before we start the real meaty discussion. Where would you first have come to grips with data protection and GDPR? Like, when when was that that moment in time when it kind of sort of hit you in the face and you kind of went “wow, okay. We need to do this now.” Liam Lynch 3:42 Yeah. Well, my background was mainly in infrastructure – IT infrastructure in corporations – but I always had a kind of a deep interest in the security side of things. And of course, on the security side, you know, it incorporates data protection. But I was also reading, doing a lot of reading of security newsletters and articles. And the result was a bit of a privacy aspect to them as well, you know, people having their identities stolen. You know, particularly, over in the States back in the 90s, this was happening quite a lot. So, I was always kind of interested in that aspect and the, you know, in Brooklyn and certain companies, there were certain, I suppose, managers that had, they used to insist that they have access to their team’s email boxes, so they could actually read and make sure that they’re not using the email for personal purposes, they must only be using it for for business purposes. And, you know, there was one manager who was particularly strict about this and he had like 15 staff. So, he was reading 15 staff email boxes. And I was thinking that’s, you know, that’s, that’s wrong. And you know, and I looked into it at the time and yeah, he was kind of breaking the law because he hadn’t told him anything about it. They weren’t aware that he was actually reading their mail. And, you know, he was horrified about it. So, you know, so that kind of was where I was really, kind of, I suppose, interested in looking into these things. And, you know, I tried to just look at the law and figure out, you know, that yeah, he was kind of breaking it and we had to make changes. So, that’s where I always had the interest and then, when I struck out in 2016 and set up L2 Cyber. I had at first focused on developing my cyber security awareness training, which is the best training in Ireland, of course. And it has improved several times since. But, that was my first focus. And that does say that that took me up until, you know, to have a proper detailed training programme developed in that took me up until about August, September. And that’s 2016. So, kind of back in April, the GDPR was rolled into the EU law. So, I knew this was coming. So I, then after I completed the cyber security training, I decided I’d look at the GDPR training. And I was looking around, doing some research and of course, my first port of call was to the Irish Data Protection Commissioner’s website, which had, you know, barely a mention about this GDPR thing at all. I think it was maybe one or two newsletters or news items about it. So, I made inquiries to the Data Protection Commissioner’s office. I sent him an email asking for details. I got a response from them some weeks later. to say “thank you for your enquiry, here’s a link to the GDPR legislation.” Yeah. So yeah, very helpful. And I suppose they did kind of answer my, my question. But then I started looking at this thing and like, I’m not a lawyer. Yeah, you know, and I know you love that kind of stuff. But I looked at as I went, I started reading and I start falling asleep. Basically, I just really struggled with it. So, I was highlighting and writing notes, and tagging, yeah, and going “What does that word mean?” And you know, I found it difficult. You know, I had to read reread things to truly understand what it was meaning, and I just found it a great struggle. So I then went, did a bit more research and I found the Information Commissioner’s Office in the UK, his website. And that was full of very easy to understandm very easy to use and digest information, which I found was much, much more beneficial thanobviously the link that the Data Protection Commissioner’s office gave to me. So I then, around that time in late 2016, I happened to bump into a lady called Molly O’ Neill, who was compliance consultant for regulated entities for mortgage brokers, insurance brokers, etc. And I just bumped into her, we just exchanged business cards are thought nothing more about it. And, a few months later, in early 2017, she contacted me and said, you know, hey, I’m going to do this, I’m going to do this presentation to some of my clients in Galway, and there was a kind of a cyber security aspect to it because the Central Bank had issued some guidelines for regulated entities. So she asked me would I do something on that ? And I said, sure. And she mentioned she was also going to cover things like anti money laundering. And then she mentioned that data protection though, she was talking about the old Data Protection Act. And so I said, Yeah, sure. And you’re gonna include this GDPR thing? And she said, “Oh, yeah, we probably should, because that’s coming down the line.” So I said, You know, I told her, I’d been doing some research on it, you know, and I’m happy to speak to that as well. So, that was that was pretty much it then, and we got together we did up the this this session for these clients of hers in government, and we went ahead and did the session and it was a great success. So we then kind of met afterwards said, you know, maybe we should take this bit harder, you know, this, this GDPR thing is now it was like, just over 12 months away from coming into law, and she said, “Yeah, let’s develop something.” And I was going well, I tried to read this GDPR thing and I could make no sense of it. You know, she was actually a qualified solicitor. So I said, “Would you mind translating it?” And she said, Sure, so she went away and translated into English which was a great benefit to me because then it was easy to break it downm and I was able to then scope it out and put it into different sections, which made sense because I’d also had recently qualified as a Training Development and Evaluation, which is a trainer kind of certification. So, with the English language version of the GDPR from Molly, then I was able to turn that into a plain simple English training material, which is what we we developed and started to roll out. But not only, but around that same time when we kind of had met up. There was also an initiative started by Gary Connelly, of the data centres of Ireland, or Data Ireland, or Hosting Ireland, sorry, Hosting Ireland. And they had set up and formed this GDPR Coalition, which was, you know, not for profit. It was a gathering of observers, it ended up with over 100, I think 120 companies, who were just spreading the awareness of GDPR across Ireland, throughout the remainder of 2017 and into 2018. And they they did this with and through the medium of like infographics. Philipa Farley 12:02 Yeah, it’s amazing. Like that I came across it and I was like, wow, the effort that went into all of that, that’s that’s how we met. Okay. Thank you, you guys, you’ve done such an amazing thing here, you know, really helped so many people. Yeah. Liam Lynch 12:19 So it was, yes. That was a great initiative and like we were doing these infographics that were always like six point, simple, easy to digest infographics and, I say one thing I love is keeping things simple. So I was involved in the creation of quite a few of those infographics. So um, yeah, you’ll find them in my GDPR section. Philipa Farley 12:47 Like just sadly, so that people know that they coalition kind of, when did you guys shut down, like last year? Liam Lynch 12:54 Yeah. It formally finished at the end of May 2018. There’s one of the infographics, it was at the end of May, they waited until the Tech Connect conference in DRDS was starting, and just all sorts of meetings last Thursday or something in May. So and they they finished it then. And in fairness to them, they still any inquiries that come in on the GDPR coalition sites for like five or six months afterwards any inquiries that came through, angel from monster or I was central to meet myself. And yeah, so that was a great grouping to be involved with. So Philipa Farley 13:38 Yeah, so yeah, like you, Liam. What amazed me about like getting to know you was that you know, you could really easily have kind of just stuck with cyber and tech stuff, and not bothered with this like, yeah, I’m not gonna; this is not an accusation by kind of by any means, but A lot of the cyber guys are very comfortable in their space, they don’t want to, you know, cross over into the data protection slash privacy space because, there’s, I think, a lot more humanity there and policies and procedures and, you know, standard operating procedures business stuff, where, like lots of a lot of us have a comfort zone in tech. So I think it’s, it’s great how you came over into the space and made it so simple and easy to understand. And fun. Yeah, you know, Liam Lynch 14:35 yeah. Philipa Farley 14:39 Oh, yeah. So, these are, these are these are going to stay up on your site. You’re going to leave them here so people can come and have a look. Liam Lynch 14:46 Of course, yeah. Philipa Farley 14:49 So cool. And just so that people know if you follow Liam on Twitter, is it on your personal account, the L2 Cyber Account? You put up your video tips. They’re fantastic, you know, short little bite-sized videos on different topics. I enjoy watching them and sharing them. Because I really don’t like doing videos. Liam Lynch 15:12 What are you doing here? Philipa Farley 15:16 Having a chat with a mate! Okay, so the impact on you personally of your GDPR or with your understanding of the law, like, have you got a personal story to share because like, I’m quite cheeky on my Twitter where I try and keep it as anonymous as possible. And like I say, this happened to me today. I mean, our life insurance for work, you know, the business, that was seven months of drama, you know, that’s over, but like I very much done in principle and I go, okay, this isn’t right, and I’m not going to go with it. So people know that about me like, do you have a story where, like the GDPR directly impacted your own personal life? Liam Lynch 16:03 Yeah, it was nothing as elaborate and scary as what you had to go through. But, you know, like I love the way the GDPR has helped, you know, particularly in the one particular aspect, I suppose, of data subject’s rights, and that’s in relation to getting your data in an electronic format. You know, a portable electronic format, because in the past I have tried to when I’ve requested my prescription for my glasses, yeah, from a certain High Street chain. They’ve always provided as in a very poorly written, you know, kind of scribbled writing on a card. Which is, you know, effectively unreadable. And you know, you could never truly, you know, you have to say, you know, was that something else, is that is zero? Or no or whatever, you know, it’s just difficult to read. So I actually waited until the GDPR came in and gave it a month or two, and then I put in a request – I was also kind of busy at the time running around the country training people. But anyway, so I put in a request anyway to get my prescription in a readable format, electronic readable format. And the company’s Data Protection person did respond within a couple of weeks and just to clarify what I was looking for and why. And I said, you know, that’s fine. They went away and I heard nothing. So I gave them the up to the thirty days, I said, you know, by the way, you’re reaching the time limit here. And, you know, if I don’t hear back from you within a couple of weeks, you know, I might need to make a complaint. I think I think I might have given him one more, you know, kind of said, here, listen, I’m gonna give you another couple of days, would you mind? And then without a response, I think I’d given them over two weeks. So it was like into like 45 or 46 days after the initial request. I popped a report an issue into the Data Protection Commission. And, lo and behold, two days later, I get a response. Philipa Farley 18:41 Yeah, you know, and on that point I got, I’ve got your thing up here for this right. Particularly, it says: “You must respond without undue delay, and at the most in one month. This can be extended by two months where the request is complex, or you receive a number of requests, like, we’ve done as sort of like little unofficial survey amongst a bunch of independent consultants, okay. And I shall continue it with you, Liam, and ask you off the top of your head: Has there been a flood of data subject rights requests in the last two years? Liam Lynch 19:23 I probably wouldn’t think it was a flood. I certainly have heard some people I’ve been training they’ve mentioned they’ve received requests where they never received them before. Philipa Farley 19:37 But they can handle. Let’s just let’s just use that kind of terminology. Manageable handle. Yeah. Liam Lynch 19:45 I would think so. Yeah. Don’t think it’s been an absolute flood. Philipa Farley 19:50 So let’s go back to your example. How do you sit for nearly 60 days, just not responding? Yeah. And that is your function in life to respond to these things, you know. And like, for me, I really do kind of let the string get pulled longer and longer and longer and I just I wait, because sometimes, there’s some days where I feel like it’s very unfair of me to sort of unleash the the professional side on somebody who’s possibly overworked, and not equipped correctly to deal with this. You know, I try and understand, but then there’s some instances that you just go like, come on, guys, you know, can you please just actually just do this now? You know? Yeah. How do you balance that up? Like, in these situations, it’s very difficult. Liam Lynch 20:44 Like in the case of my requests, like that should have been something going, right. Here’s a person’s name, address, date of birth, print a PDF and get it off to me. Philipa Farley 20:55 Not difficult. Yeah. Yeah. So you know, it’s…people say to me when I’m like, I’ve had a couple of sort of not interviews, but yeah kind of interviews recently and they say, people think the GDPR is a bad thing. Do you think it’s a bad thing? And I’m like, no, it is a good thing. It is a good thing, because of stories like this every single day, you hear stories like this, and it’s, it’s more about the accountability and the transparency for me, you know, and the fact that people actually know now they can, they can know, you know, but you do still have walls, like thrown up in your way, you know, on the way to trying to find out and I think that’s what we try and break down, I suppose, as professionals in this space. Liam Lynch 21:39 Yeah. Yeah. And that is the really important thing from my understanding of the law is it really has put control of people’s data back into their hands. Definitely. Philipa Farley 21:49 And they must exercise that control, people must exercise that control and organisations and businesses must be ready for that. You know, it’s not it’s not a personal vendetta. A lot of the time sometimes it’s just really somebody needing something, you know? Liam Lynch 22:05 Absolutely, yeah. Philipa Farley 22:06 We’re trying to just understand something. Okay, so the third question I sent you was, and obviously, we’ve kind of discussed it already is where have you seen opportunities for your own business in the context of GDPR. So, you know, would you like to say something about that? Liam Lynch 22:23 Well, like I’ve done, I said I was running around the country quite a lot in 2018, doing lots of training and that, you know, when people receive the training or they have kind of gone away and got their businesses ready or their organisations prepared and ready for to GDPR themselves. In a nice handful of cases. I was called in, because they were so happy with having received training that they could understand and they actually knew a bit more about the GDPR day, but they still would prefer to have somebody who actually… Philipa Farley 23:00 Yeah, it takes time out of their day to do – we were chatting about this yesterday. The time-cost calculation. You know, like 20 to 30% out of somebody’s day who isn’t equipped in terms of, you know, trained or has experience in the field, that’s how much time they take out of their normal tasks, to do the portion that’s been delegated to them. It’s a real time cost to businesses. So this is not me trying to sell consultant services at all, it’s me being absolutely realistic. You know, this is my area of expertise, it’s your area of expertise. You do your business, I’ll help you do the bit that you’re not used to doing, you know, it’s as simple as that. So you can kind of fast track it and show them where the very risky areas that are pertinent to them lie, you know, and and how to how to cover those gaps. For me, if I can make a comment on, you know, where you’re so different from from others, is the humour that you bring it, but not funny haha humour, you know? Yeah there is but like it’s it’s just making it realistic for people, Liam, because this morning like when I was talking about data breaches I think I said you were talking about the big ones like Marriott and you know Travelex and Equifax and Ashley Madison, and like they’re these big massive data breaches but no like, guys, that’s not that’s not everyday reality. So I think it’s nice to have people like you around who make it real, you know? Yeah, yeah. Exactly, exactly. You know, give it context there. Okay, so you deal with businesses, you’re B2B sorry, B2B, you deal with businesses. I’ve been chatting to a couple of people who deal with actual consumers, you know, B2C, you’re B2B. So, where would you see opportunities for your customers or clients, like just one or two small examples like that have done their compliance as an encouragement to others to do it, you know? Liam Lynch 25:12 Well, there was one client, I think, he was quite possibly my first GDPR client, who I landed in 2017. And that was actually from a business networking group that I was in, in Limerick, and I got a referral there and I got talking to this gentleman. We worked anyway and gave them some training. We did some consultancy for them. And they were kind of an online platform. I won’t cover whatever business they are in, but it was an interesting one on right but we did. We got their GDPR policies and procedures and stuff in place and you know that, kind of, by about September or something 2017 they were pretty much ready to go GDPR wise. And then they had a tender, big client in Europe went out to tender. And one of the things your man he sent on to me, he said, you know, develop these questions about the GDPR which, you know, they were able to, my client was able to address you know, directly. And when they won the contract, they went to meet the client and start the project up. And they found out, that two of my client’s biggest competitors are these are big international companies just had nothing for the GDPR; they weren’t ready for GDPR back in September 2017. Whereas my client was, and he got a fine big contract over that. Philipa Farley 26:53 Yeah, amazing. Yeah. Yeah, no, and that’s that’s it. Liam like, people don’t want to take your risk onto themselves when they do business with you. It’s as simple as that. They don’t want to be tied into a relationship with you where you’re going to cause a problem for them down the line. Yeah, Liam Lynch 27:13 Exactly. Yeah. Philipa Farley 27:14 Yeah, the supply chain effect has been interesting. Okay, so positive story. You just shared a positive story. That’s a very positive story. Liam Lynch 27:24 I’ve got a doozy one. Yeah. Yeah. It is kind of a funny one as well. And I love telling people this. There was a not for profit organisation down in Kerry. I was doing some training for now. They had three locations in Kerry, and have a number of volunteers and a number of staff. So, the way they wanted the training done, was I was going to train in two locations: a morning session, in one place an afternoon session, in another office. This was kind of a very basic introduction to GDPR for the volunteers and staff. And then the following week, I was back down for a morning session again for staff in this was in Killarney, and we had a morning session again for volunteers and staff there and then the afternoon session then was going to be a much more deep detailed, deep dive on policies and procedures for the staff. And this involved know they brought the staff out from the other two locations for this afternoon session. So I did the training and I recall that when I was going into the first location on the previous week that I seen CCTV cameras up outside in the public area and inside the public areas of the premises, so I made sure to bring up and mention how they should be handling that data. Make sure that you know nobody is able to get access to equipment etc and hope to handle your requests. Yeah. So I passed on all that advice, anyway. And then the following week as I as I mentioned, I was in the afternoon session then. And like I had literally just started the session and one of the ladies from that four sessions stood up and said “Geez, that training you gave last week was wonderful, particularly about the CCTV.” Wait, what happened? And he said, “well, the day after the training, a detective arrived on the premises and said ‘may I review your CCTV footage, there was an incident last night. I would like to see if there’s anything picked up and your cameras.’ So they brought them to the DVR and they left them alone. So he was there a few minutes anyway, and he went to leave the premises and he was saying goodbye to the to the lady and says, oh, Thanks for that. I got the footage. I have it here. I’ve got it on my USB stick. And she stopped him. Have you got, and this was now before the GDPR was a thing, so it was called the section eight letter which as you know is the letter that a guard needs to produce from a superintendent to get it to a data controller to basically gain permission to take, to remove a recording from the premises. So, but detectives have never needed to do anything like this before and I’ve come and get the footage you just give it to me. And she said, no, no, we’ve received a training and this man was there and he was telling us all about this and you must produce this letter from your superintendent. And what I got really worried about was he didn’t say: “Who is this man? What’s his name? Where’s he from?” Jesus I’m gonna get arrested. No, next anyway, so no, she stood her ground and she said she took the USB stick off him, and he went away muttering but he came back three hours later. Much humbled and he said, Jesus, I went to the superintendent and he said, yeah, you need these letters to get CCTV footage. And here’s one, so he gave him one and he said none of the rest of the team down there were aware of this requirement. Yeah. And so much, ya know, she was delighted with herself and she even brought in the Section 8 letter to show it to everybody. And this is what you need to look for your footage. Yeah. That was a that was good fun anyway. And I haven’t stopped since so. Philipa Farley 31:45 You’re not on a list, Liam. Not at all.You’re a troublemaker, down there in Tipperary. But you know what, it’s, it’s it’s correct. And like, this is what I was saying earlier about standing on principle because, you know, it must be done properly, like it must be done properly. We’re all accountable at the end of the day. So, you know, that’s fantastic. It’s really good. Yeah. I’m going to share one story on training because, like, I know that you love the training, it would not be my my favourite sort of area of focus when I’m doing compliance work. You know, I really love the more the paper side of things. I do enjoy doing training in specific circumstances, but it would not be my focus, but I had a client that I signed off and – it’s happened a couple of times – but this specific one was really interesting. We signed off a job that was posted about five or six months in total, you know, it goes sometimes take that long to get through various aspects. And, one of the things that we had done was, we had recorded training PowerPoints, you know, the ready, bloody boring way of training guys, you know, voiceover PowerPoints, everybody wants our awareness training just to get it done and out of the way. Yeah, no, I know. Yeah, exactly. But to give this company credit, they took their training and they did a session, you know, she, HR manager session with everybody. So it wasn’t just literally like planking people. You know, she made them watch it. And they had a whole week, a whole week of awareness that she ran, she did herself, she ran posters around the place, you know, tips by email, that kind of thing. Not even two or three days, it was less than a week, Liam after we signed that job off that I got a phone call. We have a data breach. Now everybody says we don’t have data breaches, until they have their training right? Because then they actually realise that they do have a data breach. And I was like, okay, let’s go through it, explain what’s happened, and we’ll we’ll go from there. So they explained sorry, calendar notification there. They explained what had happened. And very simply, one of the staff members recognised the fact that an email was being sent out of one of their systems to an email address that nobody recognised. So really, it sounded absolutely off. So I was like, okay, go to the vendor, the software vendor, tell them to send you the logs when address was changed, and who changed it. Within an hour, Liam they had information and it was a contractor of theirs who was under contract. So they had received email with personal data in that they were entitled to receive, but the contractor had changed their business name, changed their domain name, changed their email address, the check and balance that’s missing is the fact that there wasn’t a verification step. My client, the business should have said, yes, we verify this change, you understand, like a change just be made on software. But the fact that one of her employees looked at the screen and way, that’s an email address I don’t recognise, I need to tell somebody. Yeah, that’s that. Yeah, that’s the difference that we’re kind of, we’re looking for, you know, training is not boring. It has a real, real, real change effect in a business if done properly. And I would really, really encourage people to get in touch with you, because I think your training is of that kind, you know, where you really personally pay attention to people in their different contexts and, and that change can happen where people know what’s going on. Yeah. So one piece of advice to potential clients of yours. What would you tell them? Liam Lynch 35:54 Yeah, well, you know, when you’re looking at the GDPR, it looks probably really, really big, there’s a huge amount of stuff to do, you know, you might even look at it like it might be like this big elephant, or maybe an elephant in the room. But, you know, how would you how do you eat an elephant? One bite at a time. Yeah. So, it’s just a case of just getting in there, you know, getting a consultant, like yourself and myself. And, you know, we can step you through it. Is there some tool or something we can use for this? Hehe, like Serity. Philipa Farley 36:31 Yeah, yeah. The people that made it are just wonderful. That’s exactly why that’s exactly why we made it so people can see the scope of it because it’s not just this never ending painful thing, you know? Yeah. Easy. You can do it. Just do it. Yeah. Yeah. Just pick a point, start and get it done. So now, the real meaty discussion that I’d like to have with you for the next sort of 10 minutes, because I don’t want to take up too much of your time. 10, 15 minutes is the actual real impact of ransomware on Irish small, I said small business bit more like the S and Ms of the SMEs, you know? Yeah. Because I think the Es in Ireland have a bit more resources to put towards managing this this type of thing. But the real impact of ransomware on Irish small business. I sat on a panel a week ago, two weeks ago, whenever it was, and one of the questions that was posed to us to prepare beforehand, I don’t think I was directly asked the question was, what is the biggest danger that you… what would you think the biggest danger to business in Ireland is, smaller business in Ireland? And my answer would be ransomware. But a different answer was given which was quite interesting. I won’t say what it was, but ransomware definitely, I believe, has the potential to have the biggest impact on small business. So, would you like to give us your thoughts on that, Liam, because I know that you do know this very well. Liam Lynch 38:13 Like, the whole kind of ransomware thing you know, when, you know, it’s obviously been around for a long, long time. But, you know, it initially peaked, there back in 2017 when we had the Wannacry and NotPetya, and then it seemed to tail off because crypto mining became fashionable and lucrative because Bitcoin was a stupid price at the time. But, that then dropped away. So ransomware has started becoming much more profitable. And they’ve been really, you know, going after big fish like, particularly in the US. They were targeting a lot of healthcare providers who usually used a similar kind of a certain, managed service providers, you know, IT support companies, that they would compromise the IT support company, and then they’d be able to reach into all of the these healthcare offices and companies. They also targeted a lot of municipalities. Yeah. So that that was very, very profitable, profitable for them there and now was the end of 2019 and as we came into 2020, there just seemed to be so many, so much of an increase in ransomware particularly likes of REvil are so they know to be as it’s known, and the really scary one, I would say from a from a data breach perspective, though, of course, you know, any ransomware impact or incident is is considered a data breach. But, the maze ransomware, where they steal the data before they encrypt it, and so they now have a copy of your data. And, they will then if you don’t pay the ransom to decrypt your data, they’ll just post it online. And you know, you definitely have a data breach then on your hands, which will be deeply embarrassing. So, this is the kind of environment that is really going to be badly damaging for, you know, any kind of small business because if they’re not, if they can’t prevent their data being leaked, like we all did, they could have not only, you know, their systems shut down because of ransomware and then they’re down for weeks on end. But, you know, they could then potentially end up with maybe a fine from the Data Protection Commissioner. Philipa Farley 41:04 Okay, well besides civial action you like, if it’s your health data or whatever, you know, your full insurance records that are sitting online, you know, you’re not going to be happy about that. Yeah, Liam Lynch 41:16 Absolutely. So, you know, there’s all these things could impact on a company like a small business. Unfortunately, in my first year, I was in business, I had a former colleague of mine from a previous job. Anyway, I was into cyber security game and she rang me up. At that point, she had been four weeks down because she had all of her data up in the cloud, in some weird storage provider that I had never heard before, and I’ve never heard of since. But, her IT provider had recommended she use this group, it got hit with ransomware, she opened that document and checked “enable macros” and you know, everything, and all her data was gone. And they struggled, they couldn’t get their data back. Even the backups they had were unrecoverable. And she went out of business two weeks later. Absolutely everything over there, like so. You know, this is where I always say to people, you don’t put all your eggs in one basket, you don’t just trust the cloud, because people say it’s secure, you’ve got to make sure it’s secure. You’ve got to take these extra steps. And so and, you know, the, as a kind of one of my recent videos, I talked about having data backups, and you know, obviously, these are things if you have good data backups, you will be able to recover from ransomware Philipa Farley 42:50 Absolutely. And, and backups in in different formats. Yeah, yeah. In different places, as well. Liam Lynch 42:56 Yeah, offline, offline, offsite. And, you know, on a hard disk or on a backup tape or, you know, all different formats of different locations. And the other thing is to make sure they’re tested, this is critical, they have to be tested. So if you have an IT department or an IT service provider, you should challenge them to tell you, to provide you proof that your backups are working. Philipa Farley 43:22 Stand there and say, put it there on a fresh install of whatever it is we’re using. Show me that you can get it working again. Liam Lynch 43:30 Yeah. Yeah. And this should be all part and parcel of the service they’re providing. Because when I when I did it in the corporate world, this was, you know, our IT department. This was our job. This is our responsibility we had. Philipa Farley 43:42 Yeah, yeah. Yeah. Yeah. And you had a timeframe within which to bring the system up. Yeah. You know, so like, if you go back to when you were discussing your services, you talk about disaster recovery, you know, document business continuity type documents. For a smaller business, like it’s not a huge task to come to somebody like you and say: “Can we do this process where we develop our disaster recovery business continuity plan, you know, and work out a plan that’s bespoke to us,? These are the systems we’re using.” And we can we can judge roughly, it’s going to take a day to bring it back up, it’s going to take half a day, a couple of hours, whatever it’s going to take, you know, and actually go through the exercise with you, because the cost of doing that is infinitely less than the cost of dealing with an incident like ransomware and losing your entire business, because that’s the reality of it Liam Lynch 44:34 Exactly, yeah. And, you know, then you’re okay, that’s you’re backing up your data from your ransomware which then, as we mentioned, we have this situation with the maze ransomware, where they get in and steal your data before they encrypt it. And, your protections there, you’re going to have to have, you know, proper, you know, keep everything of course, keep everything up to date as possible. Like we had the Travelex issue in the UK, they were using the pollsecure VPN, which had terrible, terrible vulnerability. And that’s how they logged in to the perimeter of their network. were wandering around for weeks on end. Philipa Farley 45:19 In teams we’re currently, looking at these four bad password practices. Like, how many people are using teamviewer? Liam Lynch 45:29 So all these remote access things, you got to make sure they’re fully secured and updated. And you know, in bigger organisations, you can have things like data loss prevention, and things that have pushed smaller business you just got to make sure you have a firewall in place, a good, maintained firewall, antivirus, anti malware… Philipa Farley 45:51 2-Factor Authentication where possible, Liam? Liam Lynch 45:53 Oh, yeah, absolutely. Go on. Unique passwords for every application, long and strong. So use a password manager folks. Philipa Farley 46:04 Yeah, OnePass, LastPass, etc. Liam Lynch 46:06 Yep, all these things, they’re all absolutely essential nowadays for keeping your data secure. So you know and still look, you know, we ourselves are all small businesses, we know what a small business faces. So, you know, you know, we can talk the talk of a of a small business owner, and, you know, we know what they’re facing, we can help. Philipa Farley 46:31 Absolutely. And like we had this discussion with one of the others on the chat, you know, we’re in business to make money. You know, we’re in business to stay in business, because we have those skill sets that’s desperately needed. And we would like to share that skill set with many more people than would get the benefit other than if each of us went to get a job. Because if you went to get a job, your skill set would be lost, the access to that skill set would be lost. If I went to get a job, the access to my skill set would be would be lost and and a couple of the other consultants I’ve chatted to, we’ve had this discussion because I think there’s there’s this perception out there that you know, we charge a lot of money or you know, you’re too expensive or how to justify that cost or whatever. And actually, you know, no, it’s not that what is, what is your business worth to you? What price tag are you going to put on your business, because, you know, you put up your CCTV cameras, you put up your alarm systems, you see where I’m going with this, you have your insurance for your vehicles and your goods and whatever else but there your computer is sitting with a big fat welcome, you know, the door is open sign on it. So I think it’s something that people really have to consider. This is now an actual cost of doing business. And you know, you mentioned Serity, and I’ll say it again, we made Serity to lower the cost of compliance, please use it so that you don’t have to spend that money on the initial benchmark. Yeah, call us in to do the actual, you know, works on your on your gaps and get you compliant, you know. Liam Lynch 48:16 They can take Serity themselves and do the questionnaire themselves sort of, for the simple cost of of the license first, and you know, then if they do if they do want help after that… Philipa Farley 48:28 And this is really not a Serity sales piece, this is like, this is just an actual example of professionals getting together and saying, you know, we understand, we completely understand that there’s a cost factor to this, but we don’t, I don’t want to see in County Cork, North Cork, I don’t want to hear that the business down the road has shut down because of ransomware, you don’t want to hear it in your community. We do not want that to happen because, you know, it shouldn’t. It shouldn’t. I feel very strongly about it. It shouldn’t. Liam Lynch 48:59 Absolutely. And like, you know, one thing I am is, you know, if somebody has me in as for their cyber security, I’m prevention. You know, I’m there everything I do for you will prevent this from happening. So you don’t have downtime are if there is downtime, it’s minimised. You know, it can all be done. Philipa Farley 49:22 Absolutely can. Yeah. So we hope people like hear the plea, because it is a plea. You know, please get your house in order, please, please pay attention to these things. It’s been two years since the GDPR. happened to everybody. Now we are heading for two years now. Let’s say the hype died down very quickly. I can honestly say, I don’t think it did, because it got very specific very quickly, in a lot of spaces. But I think that there is a general waking up to the fact that oh, you know if we don’t do our compliance, the security is compromised and there’s a there’s you know, there’s there’s gaps and holes there you know. And there’s a wider awareness also like of the supports that are in place you know in which you call them organisations like Cyber Ireland are very good and and here to stay, so, yeah. Like, there’s good newsletters to sign up to like yours and following you on social media is fantastic. People should, people should do that, Liam, they should because it’s just short bite sized, as I say, it just keeps it you know, kind of at the top of your mind and we need to be we need to be mindful of good practice. Yeah, Liam Lynch 50:38 Yes. Like if you go down to the bottom of the homepage, on my website, there, underneath the About Us, there’s a link to all my social media from myself. Oh yeah. There’s all the L2 Cyber ones as well. So I’m all over the socials. Philipa Farley 51:05 Yes, yeah. There’s some fantastic videos here. Liam Lynch 51:14 And if you’re not, if you’re not on any of the socials, you can also get them and I post them as a weekly blog on the website as well. So I put Funny Dog memes as the thumbnails. They’re kinda cute. Philipa Farley 51:31 Yeah, I think people people maybe underestimate our need for emotional support dogs. Liam Lynch 51:38 I have three beautiful dogs myself. Philipa Farley 51:41 Yeah. I just don’t. I don’t tell the young the young one that when she goes to school I just I use her Corgi as an emotional support dog. She would be very cross with me. Thank you so much, Liam, for chatting. It’s it’s been really great. Yeah. And again, I really hope people get in touch and just follow and listen, you know, and and learn a bit. Yeah. Anything else you want to say before we disconnect here? Liam Lynch 52:13 Just thank you for the chat because it’s always good to have a talk about these things. And yeah, good people were, you know, we’re out there. We’re available. Yeah. Yeah. Yeah. Thank you so much. So thanks for that. Philipa take care now. Philipa Farley 52:31 We hope you enjoyed that episode of The GDPR Series. If you do, please subscribe, find us on social media, we would love to have a chat. The post Ransomware, GDPR Data Protection and Cyber Security with Liam Lynch appeared first on ProPrivacy Data Compliance Solutions.


14 Feb 2020

Rank #7

Podcast cover

GDPR Data Protection and Privacy Compliant Marketing with Finola Howard

Today on The GDPR Series podcast, our focus is data protection and privacy compliant marketing.  I chat with an expert marketing strategist about positive, permission-based marketing and how the personal data of your customer is a gift from them to you.  Besides some great discussion on the principles underpinning data protection – the GDPR – (and privacy), we have a bit of a chat about some marketing history and how strategies have evolved a little.  One certain book has been a bit of a revelation to me – completely missed that one!  Listen to find out more. Our guest today is Finola Howard who is an exceptional, inspirational and gifted (yes, my opinion and many others!) brand builder, marketing strategist and thinking partner.  Finola can be found at https://www.finolahoward.com/.  She is also the creator and founder of How Great Marketing Works (https://howgreatmarketingworks.com/) which is an accessible and affordable online course that teaches businesses of all sizes how to build a marketing process that works for their business. Current Offer from Finola:  Finola is running her ’30 Day Campaign Builder Program’ starting in March.  The cost of joining is $97 and $47 for members of the How Great Marketing Works course.  Sign Up Here for the 30 Day Campaign – https://courses.howgreatmarketingworks.com/offers/CupjDL85 Finola’s Links: The Whole Get Strategic System for Growth – https://courses.howgreatmarketingworks.com/ Get Strategic Course – http://bit.ly/GetStrategic15 Get Strategic Add an Expert – http://bit.ly/AddAnExpert Philipa Farley:  Hi, and welcome to our podcast called the GDPR Series, where we discuss data protection, privacy and cyber security matters that ordinary people in everyday businesses face. We have a series of really interesting and lovely guests, and we hope you enjoy listening.  Good morning, Finola! It’s so lovely to finally have you on the other side of the camera. Finola Howard:  I know!  Thank you so much. I’m honoured to have another chat with you. Philipa Farley:   Yeah, no, and this one should be a good one. I think people will really enjoy listening to it. I am going to share a screen with your website open. I just want to double check. Yeah, I’ve got Finola Howard and have How Great Marketing Works, so we can flip between the two, while I share the screen. Would you like to introduce yourself? Finola Howard:  Oh, I’m so not used to introducing myself. Well My name is Finola Howard and I am a brand builder, strategic marketer, lover of all entrepreneurial things. I have a consultancy practice here in Ireland. And, I also have an online offering for small to medium-sized businesses to help them build better marketing processes, so that they can create the business they always dreamed of having. So I have two sides to my business: one to one work with my clients and for larger companies, and I also have an online offering for small to medium sized companies. So there you go, that’s me. Philipa Farley:  And you are an amazing person to know. It’s really an honour to know you, and to be your friend and to have your input into business and access to your course. I’m just trying to change tabs here, it’s not changing so we’ll see what’s going on there later. I have been on your course, just so that everybody kind of knows. I have been on your course for two years now, yeah, I think about two years. And you know what, Finola? I’m still learning. Like, I dip in and out all the time, you might not realise it, but I go back on often. And I have my file of material, you know, your sheets and print out. And then obviously, I’m in the group, every now and then I don’t have too much time to be on social media these days, but really the way and, I’ve said this to so many people, the way that you think about marketing, and the way that you present it to us, who are not experts in it at all, is absolutely fantastic. And it just gives us such a fresh perspective on it, where in our space, privacy and data protection, marketing is kind of a bit of a dirty word. And I think people who are focusing on sales, specifically, really battle with it, because they don’t know, a lot of time where the boundaries are – there’s a lot of grey areas. Even though some people might say they’re black and white and well, they’re not really. And people are just lost at sea. Like, that’s the only way I can describe it. They’re lost at sea. So, I appreciate the provocation of thought that you bring to the space. And yeah, the thread of ethics that flows through it, because at the end of the day, when we’re trying to marry up different jurisdictions, like we look at marketing in, in the EU, South Africa, and Africa is this following quickly, where they have actually specifically written in direct marketing regulation into their Protection of Personal Information Act. Where the GDPR doesn’t have that it’s a separate directive at the moment and will be a regulation. So South Africa’s built direct marketing rules into their Protection of Personal Information Act. Canada has always been very strict. However, we have like the sort of the confusion there, that some people battle with when they get onto Canadian product that it’s a soft opt in, where we have to have that explicit consent given a lot of time. And then, we have the States, which is in a massive state of change at the moment. Yeah. So, when you’re building an online business, how, you know, how do you even begin to pull these threads together and do it the right way? And, we come back to the point of ethical marketing, you know, and I know that you can’t wait to share something with us. I sent you the questions and the first one is where you first came to grips with data protection and the GDPR. So I’d really love to hear Finola Howard:   Well, you know, I’m a lover of all things marketing, even though it’s so frowned upon, but yes… Philipa Farley:  It shouldn’t be frowned upon, because it’s an amazing message that all of us need to get out. So I’m going to tell you now not to be negative for now. Finola Howard:  Well, I’m going to say my perspective on it is, this is the way or the engine that allows you to give the gift of your knowledge, your expertise, your services, your products to the world. This is the engine that brings it to your customer. That’s how I think of it. Philipa Farley:  And, it’s amazing. Like, it just makes me feel it actually. And people who know me are going to laugh when they hear me say this, it makes me feel so good. When you say it like that, you know, because it’s… Finola Howard:  Yeah, well, I’m very passionate about it. But what I want to share with you is when you sent me that question, right? I just went, when I first started thinking about it in this way, right? And I just want to put this on screen, for people a little bit. And it’s a book called Permission Based Marketing by Seth Godin. And, I said to myself, I’ve had this a really long time, and I knew I got it fairly new at the time. And it’s dated 1999. Philipa Farley:  Wow. Wow. Finola Howard:  Yeah. Wow. Yeah. And that’s the year I started in business. Philipa Farley:  Wow. Finola Howard:  So it’s from the very beginning. And also, previous to this, I want to share with you, I know about data permission and because I worked, one of my first jobs, and I mean at the lower level, and I did move through the business, and all the rest of it, but my starting job as a temp was sheets of paper with company names, and I had to find, I had to ring every number to find the phone numbers, those sheets of paper. So this is direct marketing. So it’s pre-Internet, pre-orders. Yeah, I was on the phone. It was just riveting work. But, I was like so I was you know, I was very young. It was one of my first jobs. Oh, yeah, fantastic sharing this. But anyway, my first job was, I had sheets and sheets of paper, and each on there was maybe 10 or 20 lines on it. And I had to ring these landlines and find out the job title and the person who had that job title in the business. Yeah. So it was, that’s how you build a list then. We didn’t have what we have now. Now the way of building relationships, offering value in exchange for the permission to speak to them. And what I wanted to share with you in this book when I opened it was this, and this is fabulous. Now I have to say, right, and it’s in this groundbreaking book and it’s in 1999. To me, it’s still groundbreaking, right? Four tests for permission based marketing, right? The first one is: Does every single marketing effort you create, encourage a learning relationship with your customers? Does it invite your customers to raise their hands and start communicating? Number 1, first test. Your second test. You’ll love this one. Do you have a permission database? Do you track the number of people who have given you permission to communicate with them? This is 1999. Number 3. I love this one. If consumers gave you permission to talk to them, would you have anything to say? Have you developed a marketing curriculum to teach people about your products? That’s my most favourite one, because we live and – I’ll talk about this more in a second – we live in a very fragmented approach to marketing. Yeah. Whereas if you think in terms of, I build a curriculum, and I build it through all my social media and my email, and at all my touch points, if I think of it as a curriculum, not a one shot deal, not an isolated event, then it’s much better. Last one. Four. Once people become customers, do you work to deepen your permission to communicate with those people? Philipa Farley:  Yeah. Finola Howard:  Yeah, so that’s where I learnt about it. Philipa Farley:  Yeah, yeah. Finola Howard:  It’s always my great example, in this book, is when you start communicating with the customer. It’s this idea of this whole marriage analogy. It’s used everywhere. I’ve probably used it with you before and it comes from this book. And because this is the one thing I really remembered so strongly from, which was: if you were going on a blind date, would you ask the person to marry you on that blind date? And, you would get permission to tell them a little bit more, then they would share something with you. It’s the back and forth. And each you it’s about having a relationship with a human being, not a computer. Philipa Farley:  Yeah, yeah, exactly. Exactly. And, adding on to that, for me, has been, and I’m not sure because we’ve not really discussed ourselves out of, you know, work, the whole concept of vulnerability, Finola. You know, and and the message that Brene Brown puts out and I’m not like a Brene Brown evangelist or whatever, you know, I like to watch her to take the points that I need, but she has such salient points and she’s just herself, and adding that vulnerability into what you’re saying here, that permission to speak, please may I have permission to speak? And may I have permission to share my knowledge with you? Because I have presumed, maybe wrongly, that I kind of know from experience as well that I do have something to offer you that you will find useful. And I would like the opportunity, please, to just share that with you. You know, that vulnerability comes into it for a lot of people, because you’re not sure if what you have is worth enough for that person to give their time and attention to it. So, we revert back into this place of kind of anonymity. You know, and throwing out this vague, general message in our marketing. And, it’s kind of like a bit of a shotgun approach. We hope that somebody will respond, you know that it will stick somewhere. And somebody will come along saying: “Oh, you seem amazing and wonderful, and you’re the answer to all of my problems.” But we’ve basically said: “Do you want to come on my course?” And I’m speaking about myself here really, you know. So it’s like really getting deep down to their place and having that communication. And, I think, possibly what holds people back, is that absolute sort of panic when they realise they have to connect with other human beings in this way. You know, Finola Howard:  Yes. Because I even remember, a few years ago, a good few years ago, talking to someone about giving them feedback on their website, and they had disabled comments on their site. I always find this really interesting and, and a lot of web developers, their default position is to disable comments on a site on a blog. And I’m like, why don’t you want your customer to talk back to you? Yeah. And the answer is I’m afraid of what they’re going to say. Yeah. Well, it was nothing bad, even if they hate what you do then nobody – well, I can’t say nobody – but even if they hate what you do, even if it’s something you don’t want to hear, even if your product is wrong, isn’t it better to know that? Isn’t it better to allow the market to tell you what it wants, so that you can do it better? Like, that’s so much more useful to you. I mean, this is about the sustainability of your business. That’s what yeah, like getting, allowing your customers to talk to you so that you can hear them. I know we’re very focused on like, I mean, my course says: marketing is your truth told. Great marketing is truth shared. And the first obstacle is for you to have the ability to tell your truth about what you do. And to tell it in a way that resonates with the customer. And that magic happens, is when they say: Yes! And now I want to tell others about it, yes!” And that’s where sharing comes in. Philipa Farley:  Yeah. Finola Howard:  But it is to trust, to trust, the dynamic of this journey. That part of the journey is to learn what you get right, in what you’re offering and what you’re saying and what you need to adjust, in what you’re offering and what you’re saying. If you allow both viewpoints in, you are better able to communicate more effectively, and more coherently with the right customer for you. Your customers want you to find them. Philipa Farley:  Yeah, yeah, because this is the great divide now. Finola Howard:  They want you to find them because they have a problem, that they want you to help them with. So, be found! Philipa Farley:  Yeah, and you see now we get back to privacy and data protection. And I’ll use the term interchangeably here, because of the different jurisdictions that you work across and I work across, but also, the fact that some people listening might be B2C, where privacy is a concern, you know, as opposed to Data Protection more. I’m going to really confuse people with this, so don’t please don’t be confused with this, but the B2B space. You’re more than welcome to phone me and have a chat if you need to know what I’m talking about here. I’m sure Finola would be happy to take any people on board there. Okay, so like, this is now the Great Divide where okay, let’s go back to your moment where you first understood intrinsically, about what the GDPR was trying to put into law and their paralysis, the state of paralysis that some people are in in business, knowing that they they need to make sales, for their business to survive. And they just don’t know how to get to the point where a sale is made, because they think the law is stopping them from reaching out to customers. You know, there’s so many different ways that you can reach out and be found and I would strongly encourage people, you know, even if you’re not ready to engage with Finola, or somebody like Finola, if you don’t want to use Finola, your loss really. I’m just saying that, you know, go go on the courses that are offered. This course is amazing, and it takes you through how to take your customers through that journey. Finola Howard:  Well, let me tell you something very interesting with you, right? Yeah, I’m in a Master Class, because I believe also in and, I want you to scroll back on this landing page here, which is my site courses on howgreatmarketingworks.com and I want to share this with you, which is I want you to go to the top of the screen, if you don’t mind. So I’m in a master class with other entrepreneurs from around the world fantastic Master Class which is called A Significant Year by a lady called Robin Rice, but in one of the sessions and we meet weekly, and it’s to obviously we want to create a significant year for ourselves, but, and one of the sessions I was doing I had a live webinar going on, so I missed my class. Right. So, and it is so interesting, right? It was in the end, one of the so we take turns in the Master Class, everybody talks about what work struggle or challenge they’re facing at the time. And one of the things that came up was the idea of marketing. Right. And I wasn’t in the room, so that was great giggles, and you know, phew, Finola’s not here, haha. So, it was very interesting, right? And it was a question of, do I have to, you know, this idea of marketing has become so negative right. And do I have to follow the formula that everyone follows for marketing, right? What happened for me was because we need to have the, we need to find ways to hear the voice of our customers, and truly listen to us without our egos in the way. That’s the important thing. So yes, we might not like to hear things we don’t want to hear. But, we need to hear the voice of our customers so we can do what we do better. As a result, of course, these calls are recorded. So I got to listen to an entire conversation, but the traditional view of marketing. By the way, marketing is often done, not always done, often done. And, as a direct result of that, of hearing the voice of my customer, customer without me in the room, I changed my landing page. Philipa Farley:  Oh, yeah. Finola Howard:  I changed my landing page from about how to build a marketing process to actually because I started to realise what I was listening, listening in, to the calls, because it’s part of my own learning, and writing and then yeah, this hurts, but oh my god, it’s gold. Yeah, this hurts, but oh my god, it’s gold. And it’s gold, because it allowed me to go take the extra moment that I needed to go deeper into my own message to the marketplace, because I heard my customer. What often happens when we hear our customer is that we actually hear ourselves. That’s really important because entrepreneurs are passionate, they come to the market with a solution, because it was something that bothers them and troubled them. And, in the course of the journey, we often forget our own truth. Or it gets distilled in some way because we adjust it, because we think we do things we should do. And everyone falls prey to that, including me. So, in this part, while I would be very clear on what I do, sometimes there’s adjustments because I can hear the voice of my customer, because I allowed my customer to speak to me because I listened in on that call. And because I remembered the feedback and the testimonials from so many people about this programme, I went, I need this tweak this tweak needs to happen, so that my story and my message is not only more resonant with my customer, but it’s actually more resonant with me. And, that has great power: to hear your customer. And I do think GDPR, data privacy, all of that stuff makes us pause before we interact. That is the value. That is the value to say, today I want to give value and I don’t want to do, what’s the danger that’s happening is this hesitancy, if the scared part is if I give the wrong if I contact them in the wrong way. I will damage the relationship, but it’s not. Philipa Farley:  Or they’ll cut me off and I’ll never be able to speak to them again. It’s like an instant unsubscribe, No, leave me alone, you know. Finola Howard:  But if you take your brain, take yourself into the space of the intention of building greater trust and actually building anticipation for what you communicate, that you build this relationship that, you know, and I found this with my own marketing, as well and with clients. That now, as I communicate as I more consciously communicate, the desire is to open the email that I sent. Philipa Farley:  Yeah. Yeah. Finola Howard:  Because they won’t get a formula. They will get my voice, my truth, my intent to help them. My honest, authentic intent to provide value and to provide an answer to their problem. And if we go to that headspace, yeah, the legislation takes care of itself. Yeah, Philipa Farley:  Yeah, no. You’re absolutely right Finola, but can I add one more thing on to that? It’s like, I think people get to a place of desperation as well, as I’ve said before, where they need to make a sale and they’re desperate to make that sale. So, there’s an underlying tone of buy, buy, buy, buy, buy, not like Cork people are on the telephone, you know, but “Buy, buy, buy, buy what I have!” And, sometimes people aren’t ready to buy, they need to be warmed up, you know, however you want to say it. You know, it’s that journey towards the marriage, but it really requires it requires a lot of self control to take those 10 steps back and to start giving people what they need, you know, instead of taking what you need, Finola Howard:  Yeah, what I’ve found is there is more than one story and more than one message, that spins out from your core message, right? Yeah. Yeah. And I was working with a client on Friday, quite a large client and the approach that we were taking was you have time – this is the first thing I always say this ever, remember this: you have time. Philipa Farley:  I read that in my diary, every single week, the last 18 months. Finola Howard:  Yeah, but here’s the idea of how you are, we get happier with the time. And the time is because we are, we have death. Not only do we have depth as human beings, we also have depth as organisations, as companies, as businesses, I don’t care what size you are, you still, there is a depth and an identity around your business. Regardless of whether you’re a solopreneur, or a multinational, there is a depth and, if there is depth, then there are layers to your story. So, my approach and, even doing this last Friday with a client, was this idea of let us take those layers and just start to leak them out, share out one layer at a time. So that, we were talking about even that idea of the curriculum of sharing the story of your product. That’s one later, crack that single layer first. And where your intention is to create a sandwich of all the layers of your story. Yes, the layer one might be that you, if you are using Serity, which is your wonderful product, the layer one is to actually, you know, all the different parts of that puzzle that you can tell. So you might have, how to sign up, it might be out how much it costs, it might be, what you can expect to happen. It might be the preparation for getting yourself GDPR already. It might be all these small little stories, just one layer, that make a  lovely sandwich, all these stories. And the wonderful thing about social media, and about email and anything else, is that we have space to share the layer. So you could, if you are doing your scheduling for your social media and all the rest, right? Is to batch produce all of the different parts of these layers, create them, because if it is a product that is clearly, I mean, they are moved, but there’s some core things that stay the same. This is a layer of evergreen content that you put across all your social media. You figure what is in my curriculum, remember, you may also want to put that layer out four times a year; I’m going to do a webinar on how to do it right. And I would do that in that layer. That’s my education layer. I may have another layer which is about so for example, I know I did in my education layer at the start of this year, I did a webinar that was how to plan for success when you just hate planning. Arising from that, I know because it was appropriate. Arising from that, because that was the idea now, was consumer generated content. Right. Members in the program have said that, I mean, it came up in the programme. I said: “Oh, yeah, look, you know, would it be great if we could just, if I could do a walk along, a ride along cars campaign with you? Build a campaign along with you?” And everyone said: “Yes!” Like so, one of my things around here is: how do you create a space for your customer to share with you what they want, not just you do your layer of what you want to reach out and tell them, but maybe there’s a layer where you say, come tell me what you want? And so, as a result of having this ability to have a two way communication with my customers, I’m now rolling out a new programme, which is a 30 day campaign ride along, that we’re going to do from March because that’s not what I thought of, that’s what Customer told me they wanted. Philipa Farley:  Yeah, yeah yeah. And, Finola, like going, I am going to bank one point there, and just going, building on what you’re saying here because I think last year, beginning of last year was kind of where I started more concentrating on the strategic thinking that’s needed in a business and the strategic planning that’s needed in a business, as opposed to just servicing clients’ needs. People that don’t know me, my business started in a very kind of reactive way. Can you help me with this? Yes, I can. Okay, and it just started this ongoing rolling ball of: “Can you help me do this? Can you help me? Can you help me with this?” So yes, while we were doing very well, I was very tired, rundown, no time, not giving the best of myself to people. And I very quickly pulled myself away at that point, because I’m a slight bit of a perfectionist and I don’t like to think that I, you know, I’m not being of service to somebody that I work with. So I had to take a big step back and go, wow, okay, this has to change. And now I’ve actually got to do a company, and do all these things like I mean, I’ve got this book, The 10 day MBA, it’s also a pretty old one on my shelf. I don’t know if I got it in South Africa, it might have been published here. But books like that, you know, with the good solid business principles in, that was my go to. And then going on a couple of courses where, like your Mastermind, you are forced to stick to a schedule, and you have to put that time aside for that strategic thinking that goes into the business. So, if you go back to GDPR, and marketing, if you’re going and you’re just reacting to the marketplace, and what your customers are saying, not reacting to what your customers are saying, but reacting to what everybody else, your competition is doing, because I think competition analysis does trigger this in some people. Oh, God, that one’s done a course and, oh god that one’s written a book, I’d better go and do all of these things. You know, you’re not putting the value that your customers need into the information and the perspective. Finola Howard:  I look at it as a way to shine the light on your difference. Philipa Farley:  Okay, yeah, that’s beautiful. Finola Howard:  Yeah, absolutely. Because and I do this, you know me, I’m very methodical, and I like my, you know, see it really clearly. And it’s that and, I actually have a blog post about this, but it’s also part of the programme anyway, which is, you look at consistent components of your, of your competitor and you tabulate it in such a way, that this white space where they aren’t is where you are. Philipa Farley:  Yeah, yeah. Yeah. Yeah. I can’t find that one quickly, but back to the point, back to the point of what you’re saying about, right at the beginning, about trust building and the GDPR. There would have been a couple of people who, I think one person started it, obviously, but the acronym GDPR. They would say: Give Data Proper Respect, you know? Yeah. And it ties into exactly what you’re saying. Well, some people might have thought it was quite silly to say that. That’s, it’s not silly at all, because and I say this again, I’m gonna roll back a little bit. But when I talk to people about data protection and privacy in their business, I feel that it should be one of the core values of the business. How are we approaching this? Because it’s such a strong and huge component of trust building now that you can’t ignore it. So everything you’re saying feeds into, like the message we try and put out of: please give this the proper attention it requires because it is the foundation of so much more in your business, not just a compliance exercise. You know, it really builds a very, very strong foundation for you to lift everything up off of. Finola Howard:  Yes. It is the care, it is customer care. You know the care of your customer, sometimes, when we say customer care, we just forget it, you know, these terms have become so yeah, everywhere that you just, it loses meaning but it is about care for your customer. But if you care for your customer, you care for your business. Philipa Farley:  Exactly. Exactly, exactly. I mean, yeah, we’ll take that into GDPR straight away there and go with rights requests and the panic and trauma and about a business that data subject rights requests. You know, sometimes people just want to have like, they just want to have their information. There’s nothing sinister about it. There’s nothing sometimes they might just want the photo on their name, you know, deal with it. Like that’s just fix it. Don’t take it personally like they are your customer. You should be honouring what they say, Finola Howard:  You know, their data is a gift to you. Philipa Farley:  Exactly. Finola Howard:  So, you must unwrap it carefully, place it somewhere carefully, and respect it. It’s a gift – you have to consider it as a gift. Philipa Farley:  Oh, that’s, that’s really beautiful, Finola. And this is exactly why I asked you to please come and chat with us because so many people need to hear that. Thank you, you know, you say it so beautifully. And when you see it like that you do stop with the bad practices, and you become very mindful over it. And I think I’ve used the word ‘mindful’ so much in the last few months, especially because the only way to describe how to sort of stop, take that deep breath, be in the here and now and think about exactly what you’re doing, you know. Finola Howard:  Well, I liked that kind of hesitance, before you act is the thing that. Like, one of the questions you asked was about “How am I different?” And, I suppose, that even though I always had this perspective, I do now hesitate. And I ask myself: “Am I bringing value here? Do I? Am I helping with a clear heart?” And I would not be afraid to use the word heart here… Yeah, clear heart that this is offering value. This is not me being on some automated cycle that’s just pushing, which is the danger of the marketing, which is here to automate everything to the extent that we lose the humanity in it. It is about communicating, but it is to help to bring this hesitance, to hesitate, to pause to look and say: “What? Am I deepening my relationship here? Do I bring value? Will they treat this email with the same anticipation of the other ones because and because I always bring value?” When you do that, your open rates soar. Philipa Farley:  Yeah, yeah, yeah, yeah, absolutely. Finola Howard:  Be open. It’s not just about it’s the right thing to do, or it’s a good thing, it’s nice to be nice. It is, it has that component, which is important for me anyway, in business and in all of my clients. I know. And, but it’s the other practical pragmatic side of it is the open rate score. Philipa Farley:  Yeah. And I’ll even add to that, because people yeah, people are quite surprised when they start learning about domain reputation. You know, like, if your emails are not being opened, if they’re being marked as spam, if they’re just being deleted, your domain reputation is going to go down the tubes. And your emails are going to start being marked as spam immediately, no matter what you send out. Finola Howard:  And I think that this other key message that I would be saying to people is: this idea of the curriculum; is this idea of, to move away from this fragmented style of marketing, and to think about this idea of these layers in here that are all connected. But it’s not that your email does one thing and your social media does something else, and your trade show does something else, and your networking does something else. It’s that: how are we building a process that actually brings these all into play? And, when you bring them all into play, oh my god, the open rates and the conversions climb through the roof, because it’s not fragmented. And it’s so powerful. Even, because I ran a campaign even recently, and I’m about to launch another one, but the one for the planning webinar, because I could integrate and learn what my ads told me about the audience on my Facebook page. What happened when I sent an email, to what happened in social media. And the shareability of things across that and because, and I remember I didn’t do everything the way I would have loved to do it, but I definitely connected. Connection between all of these things meant that I, within a very short space of time, like in a five day window, I was full. Philipa Farley:  Yeah. And that’s the impact. Finola Howard:  The thing that is really important for me to share also with people is that don’t stop communicating just because you’re scared. Philipa Farley:  Yeah. Yeah, please can we get that message out, please? Because I just, I hear it on a daily basis for now. And I’m not even joking like people, they just don’t know what to do. They just don’t know what to do so, like, well, I can help them. I think this message that we’re discussing here of principles, respect, and trust building, is essentially what this law is about. So, if you sit down and examine what you’re about to do, without going to checklists and tick boxes against the law… If you look at it and you go, benching against what you said here: Am I offering value? Am I giving the customer messages that they need to hear? Am I doing… Finola Howard:  Also, what would they like to know, not what would I like to say. Philipa Farley:  Exactly Exactly. If you’re coming up with No, no, no, no, no” Finola Howard:  Like, review it and change your offering exactly. It’s not that hard. Because, sometimes it’s a tweak here. There are so many stories of someone changing direction, actually moving, changing customers, or the product or the adaptation of a product, and much greater sales as a result. Philipa Farley:  Yeah, yeah, yeah, and they’re happier because it’s actually where they should be. Finola Howard:  And they become more profitable. Their customers are happy because they’ve got the right customers. Their product is better because they heard their customers’ voice and applied that to the product. Philipa Farley:  Yeah, absolutely. Absolutely. Okay, back to my questions. Very, very quickly, Finola, the impact on you personally, of the GDPR. Has it personally affected you in some way? Finola Howard:  Well, as I say, one, it makes me hesitate, before I communicate. And it makes me make sure that I understand that I’m bringing value and, am I actually connecting the dots here? Am I doing two things? One, am I helping them and two, does this contribute to my business? Does it help my business? And, is it taking me on the right track? As I said, those stories of, you know, listening to my customer, over hearing what they were saying and then actually adding those two things together, makes me a better communication for what I do. And yes, and the same with, even when you talk about direct impact for clients, I think about the client who I was with last Friday, and how we created a sandwich. I think if I wanted someone to walk away from this conversation with one thing, I would say walk away with a sandwich. And you are not overwhelmed by this desire to sell and to communicate but actually thinking strategically about it and creating this; these layers of things that must be communicated. And take a breath, just a breath. Because, people fall down when they’re in this mad panic, because they’re desperate. And desperation will never solve the problem. There’s a few things. One, if you’re in that state of desperation, first breathe, because and also to say to you, everyone hits this note because it’s the test of you in the marketplace. Philipa Farley:  Yeah. Finola Howard:  Take the breath. And listen. Your customer has given you a gift, they’re gifting you data, they’re gifting you knowledge. Philipa Farley:  Yeah, thank you. Finola Howard:  Yes, I want this, or this is not quite right, or nothing? And, nothing is something. If there is silence, then you’ve not hit the right customer with the right offer. If you need to find another customer? Maybe your product is not viable, but maybe it is? Maybe it is gold, but to somebody else. Philipa Farley:  Yeah, yeah, yeah. And in the end you need time, time is what it is. And in an instant age of instant solutions and loads of people on the Internet shouting about, you know, make whatever 678 900 figures in the next week. No. Finola Howard:  No, it takes time. It takes and it takes that accessing this truth, that is not just yours, but your customers. That, somewhere, there is this magic in between both, where both needs are served. Philipa Farley:  Yeah, absolutely. Absolutely. Okay, so the next question, have you seen any opportunities for your own business in the context of the GDPR? And I’ll tell you why I asked that question. You probably already know. But I asked that question because, people I get asked it repeatedly: do you think that the GDPR is a good or bad thing? I get asked it in interviews, even: do you think it’s a good or a bad thing? And then I get my soapbox out and preach about why it’s a good thing, you know. Because, absolutely, it’s put the control in the hands of the individual, not even the customer, consumer kind of the individual, you now have power over your own data. And there’s many reasons why I think that’s a good thing. So, when we look at opportunities in business, people have this perception that the GDPR is a block, as we’ve been talking about. It’s a block: “I can’t do that.” Or, they use it as an excuse: “I can’t do that because of the GDPR.” So, have you seen any positive opportunities for your own business? Finola Howard:  Well, what I talk to my clients about a lot, because the overriding message that I get from my clients is they don’t want to add to the spam that’s already out there. They don’t want to add to that, the quantity of data or the quantity of contacts that are  unsolicited, it’s just so strong, right? And my answer is always the opportunity is here. So you speak your truth in your voice and you will reach them. It comes back to, I know I’m repeating myself, and I hope this is okay. But it’s important to me. Yeah. Be brave enough to tell your story and and this is not doing a I want to uplift everybody, blah, blah blah. It’s not. It’s a very pragmatic thing. You created this business with purpose. You created this business by identifying a need in the market. Then trust that trust that you created, that you identified a need in the market and that your passion is… I worked with somebody before Christmas, and it makes this the most interesting thing…it makes you fulfill your own mission for your company, your own vision.. Because you know, and I say this a lot, you must you now have to have the balls to follow through. Your starting point of why you went into business in the first place previously, in old methods of marketing, pre-GDPR you never had to put your vulnerability as we go back to Brene Brown, you never had to put your vulnerability on the line because you could just play the game. Yeah, it’s no longer playing the game. It’s about and this is you know the overused term authenticity. It’s about putting your balls on the line, your mission of why you started it and not that you’re in this garden shed going ,or whatever it’s because I think this is such an interesting part. But, most of my clients, most of them have some passion, they have a part of the world that they want to change, they want to change something in the world. And, imagine if we all had the balls to change the piece we knew that needed changing. Philipa Farley:  Wow. Yeah, Exactly. Finola Howard:  And, I believe that the GDPR makes us back our own mission. Philipa Farley:  Oh, it does. It does. And that’s that’s an amazing statement. It’s an amazing statement, but it does. It does. Remember that show that was on the TV? I don’t know if you got it here. And it might have been a BBC show, about looking good naked? Oh my god. Like I just you know, I watch those shows like this, but you have to watch it, you know? And it’s kind of like a similar feeling like, oh my god, Finola, you want me to do? You want me to do what now? You know? Like, like, live video. What now? When? When? Finola Howard:  When we speak about our passions, our customers believe us. And really, we’ve had to have the GDPR to make us do that. Really? Philipa Farley:  Yeah. It’s quite, it’s quite funny, isn’t it? Yeah. But it is a huge opportunity. Finola Howard:  It is about authenticity. It is about…don’t, don’t send me stuff that you send to everyone. Send me stuff I’ve looked for. Send me stuff that helps me. Philipa Farley:  Yeah, exactly. Okay, so we’ve discussed already where you see the opportunities for your clients, because they are there. And would you like to share a positive story, Finola, related to the GDPR. Finola Howard:  I have lots of them and they all revolve around better open rates., better products, better products, better services. And better insight, because of this desire to communicate better it means we listen better. That’s the untold story of the communication arts, remember communications receiver phenomenon, it’s there’s a possibility of the person who sends that the message comes through intact to the other side. Yes, and because of that, because of this now this approach is permission-based marketing approach, we have to lend an ear. Yes. Because we need feedback to know what we’re doing right. Know what we’re doing wrong to know where to adjust. Yeah. And I think that’s also another big win for GDPR is it makes us listen. In fact, it’s possibly the biggest win for GDPR is that it makes us listen. Philipa Farley:  Yeah, yeah. And it’s what we take away, we can throw it away. And we can ruin ourselves ourselves. Or we can take it and actually process it and apply our learnings. You know, I think that’s, that’s what people need to do. Yeah. Okay. Your time is very valuable. And I’m very aware of that. And I’m so deeply grateful to you, Finola, seriously for being with us today. Do you have one piece of advice to potential clients of yours, because I would really hope and encourage everybody listening to this, to engage with you in some way. You know, I really hope people do. Finola Howard:  Well, my piece of advice is number test three of permission-based marketing. Because this, if consumers gave me permission to talk to them, would you have anything to say? Have you developed a marketing curriculum to teach people about your products? And it’s this idea of the layers, you will have a layer to teach, you will have a layer to show them who they are, you will have a layer to show benefits, you will have a layer, and I think take it piece by piece, layer by layer, in a connected way. And if you think of it as a curriculum, you will automatically think in a connected way. And, I’m a believer in connected thinking in terms of the impact that it has on marketing, because the numbers speak for themselves. You will have a greater route to success because you connect how you think and how you act in the marketing context. So if that’s, I mean, look at that book, that book is amazing, those four even if just reading the jacket like. Back in 1999, it was asked the question of a permission database. Philipa Farley:  Yeah, yeah. I mean, wow, that man is like, I will admit, I have not read that book. And I’m going to get it today in hardcopy, and have it on my shelf, because actually it should be there on all of our shelves. And he was so way ahead of his time. And I just, I love that about you too Finola, because you don’t just sort of take one thing and then disregard the rest. You hold on to these absolutely beautiful nuggets of information and it benefits the rest of us. So, thank you for bringing 1999 back to us and reminding us that, you know, I think and I say this to people so often now. I think the world went crazy there for a while, you know, the app era and just these masses of useless lists that were made ever, just data harvesting and sucking. So, it would be nice to go back to that time when the Internet was just – I know the Internet’s not always been sort of fairy tales, sunshine, and roses, and whatever. But, back to that calm space where it was such an amazing phenomenon to be connected to somebody on the other side of the world. I mean, do you remember that first time? You got into a chat room or a forum and you were like: “Oh my god, so he’s somebody in America, I’m sitting here on the bottom end of the world!” Like maybe it wasn’t like that in Europe, but it was us, you know? And the learning that you could get from other people, you know, and then the information that started being put up in the courses that became accessible, like, I think there’s just so much good out there. And I’d really like people listening to this, to understand that they can be part of putting in more good out there, more information. Finola Howard:  You know, like them to leave with this idea to which is that: the software and the technology has moved on in a very productive sense, as well. That we don’t have to, we can personalise what we do and how we communicate. In a way, we can watch behaviours, we can be more, be more capable of giving people what they want because the technology allows us. Even if you look at it from an email marketing context, you have ways of tagging what people are interested in based on their behaviour. And then as a result, you just send them what they want, because they tell you what they want. We have MailChimp, everything, all of these wonderful pieces of software that make it easy for our customers to self select what they want. Philipa Farley:  Yeah, and and on that point, Finola, because I know there will be a couple of people listening to this, who are part of the data protection and privacy circles, and they would, a few of them would immediately go, “Oh my god, that’s not GDPR compliant software! That’s not GPR compliant software!” And, my answer to that it actually depends on how you use it, how you configure it, how you set it up. It’s not the software. It’s your use of it. Finola Howard:  It’s just, you know, it’s letting people know you. You tell people, say, when you sign up for this, would you like to have? And they? And if they don’t take it, they’re not on the list. Yeah. Yeah. And yes, as a human being having to go through those lists, like when I started off in mind, yeah, yeah. And pages and pages it’s not they said select by ticking a box to say yes, I would like that. Philipa Farley:  Yeah. And, and, and the opting out of the tracking and that is there if you if you want to do it. So yeah, let’s not spend too much time on the technicalities, because that’s not the point. The point is the positive message of, you know, please, please don’t feel paralysed. You can speak to your customer, you should speak to your customers, you should really want to let your light shine. You know, Finola Howard:  I would follow up this conversation also, when I said to you about having this wonderful opportunity to listen to, and people in my Master Class, talk about marketing and I tweaked my messaging and changed some and how it was positioned. And I actually contacted those people. And I said: “What do you think of this, then? Does this resonate more? Does this entice you? Does this reflect? What? Does this fit now?” And I got, straight back, “Yes! This is what I wanted to see!” Because I heard them, and I got that email in this morning. Philipa Farley:  yeah, yeah. Finola Howard:  Your customers will help you, and will help you be a better you. Philipa Farley:  And I really hope people received that message, Finola, and just started changing the mindset, and let that flow of business happen again, because that’s what should be happening. You know, it really should. But thank you so much for being with us. I really, I love talking to you. I could sit here the whole day and talk to you. For 12 hours of it for people, but thank you, Finola. If people want to reach you, where’s the best place to get you? Finola Howard:  Well, I have an online programme, and you can find that on www.howgreatmarketingworks.com. But, I have a very interesting thing to offer at the moment, which is if you go to www.courses.howgreatmarketingworks.com , anyone who registered for this affordable accessible programme, which is just $15 a month, you will also be invited to take part in a Let’s Do It Together 30 day campaign builder. So, if you register now, you will get 30 days of me breaking down how to build a successful GDPR compliant campaign, to start rolling out on the second of March. And I think that would be really, really fun. I like to have fun, and yes, correct and build a campaign together. That was the whole idea so that people wouldn’t be alone on this. So, if you sign up today for just $15 a month, you have the option of self selecting to go in there. Philipa Farley:  And that’ll be amazing. I hope people sign up for that. Thank you so much, Finola. I’m going to stop recording now. Finola Howard:  It’s always my pleasure. Thank you. Philipa Farley:  Hope you enjoyed that episode of The GDPR series. If you do, please subscribe. Find us on social media. We’d love to have a chat! The post GDPR Data Protection and Privacy Compliant Marketing with Finola Howard appeared first on ProPrivacy Data Compliance Solutions.


10 Feb 2020

Rank #8