Punit 00:01
Does privacy play a role in Digital Trust? Well, that's a difficult question, right? How does privacy play a role in digital trust? In fact, maybe. What is digital trust? How does it link to privacy? What role does privacy play? Maybe? What are the return on investments on privacy? These are all complex questions. And how about talking about these questions with the fellow privacy colleague, with the fellow privacy professional, Andy Chesterman, who is going to help us tell through and dissect these questions, let's go and talk to him. Hello and welcome to the FIT4Privacy Podcast with Punit Bhatia. This is the podcast for those who care about their privacy. Here your host, Punit Bhatia has conversations with industry leaders about their perspectives, ideas and opinions relating to privacy, data protection and related matters. Be aware that the views and opinions expressed in this podcast are not legal advice. Let us get started.
Punit 01:18
So here we are with Andy Chesterman, Andy, welcome to FIT4Privacy Podcast.
Andy 01:23
Thank you.
Punit 01:26
It's a pleasure to have you. So let me start with the basic question. Few years ago, we were talking about data privacy, protecting data. Then some of us were talking data governance, some of us were starting to talk about leveraging data. And then came AI. And then we were talking, AI will kill us. I will take everything away. We will not have jobs. Now, that thing is bit settling down, but we are starting to talk about the concept of digital trust. That means you need to protect privacy, you need to take care of security, you need to manage your risk and compliance and all those things. So how would you describe this concept of Digital Trust?
Andy 02:07
I think I would hop back to the days when GDPR was first implemented, enforced, apologies, back in 2018. There was a lot of scaremongering by certain members of the industry as to what it meant for companies, and I think over the last few years, we have watered down those concerns, and we've built compliance into the culture of companies, and that's what it should be, and by default, that helps companies have now understanding that they have to embrace privacy, embrace the concept of privacy into their businesses, which then encourages trust within their employees or staff within their prospects, their customers. People expect now for companies to look after their personal data and no matter how it's being used, whether it be via traditional storage methods or latest platforms or AI, as it's now being utilized in businesses. And the whole landscape is changing the whole time, you know. So, privacy has a key theme here in terms of it should be utilized to embrace trust. Okay, so if you can help demonstrate to people what you're doing, then trust comes into that in a big way.
Punit 03:34
That makes sense. And you mentioned, when the GDPR came up, it a little bit put the burden of compliance or things like that. But I think people are starting to realize that privacy is not a compliance burden, but it's something that consumers are also demanding. Because few weeks back, my son was telling me he was opening a bank account with one of the, you know, the FinTech banks which came we will allow you to chat. We will allow you to do this and that. And he was like, hey, they were asking me my ID. Then they asked me to do a live video, and then they were asking me to speak words. What is this going on? I think you do that privacy stuff, right, isn't it with a breach of privacy? I was like, okay, finally, the penny is dropping, so people are starting to demand privacy rather than being a compliance burden, no?
Andy 04:21
I totally agree. I think that that's a very good explanation, very good example of where data collection has to be proportionate. You know, we can have all these that always tech behind us, but if we have to give so many different types of data over like, you know, the your image, your ID, your voice, etc, does it? Do these systems need all that information to function? Or is it because companies want to have it and want to populate their systems with as much as many variants of our data as possible? It may be good for business to have that from a depth information perspective, if we go down to the you. For data minimization principle, again, going back to the basics, how much of it is actually necessary, or how much is it they just want to use. And I think in some ways, GDPR came in at the right time, because looking back now, you've got AI, you've got huge technological developments, and it just has to happen that eight years previously, 10 years previously, the legislation's coming to force, and we now have the lowest also basics and principles based we have legislation in place that regulates how this information can be used. This platform can be used if you hadn't come in when it did. And AI is now in place. It be used like the Wild West. You know? How can we implement this? Chucky and let's see what we can do with it. There's now obligations of companies to implement this tech, in a responsible, proportionate, measured way. And that's what I think we need to try and embrace and realize that that's going to happen.
Punit 06:03
I agree with you. I think it came at about the right time. Of course, we always say that it could have come five years earlier. But yeah, the data started to be utilized about 2005, 2006 when AI revolution came, the Internet revolution came, the companies got set up. And then around 2010 people started to understand it's happened. It's a bit too much, and there are no rules. And then about 2012 or 13, they start to talk about GDPR. And as the processes, it took four years to come, in two years to be what is applicable. So, it came at the right time. You're right, and the question then is, as you mentioned at the end of my first question on Digital Trust, that privacy has a role to play, in essence, so in your view, what kind of a role does privacy compliance play in creating Digital Trust? Because on one hand, we were talking about culture of privacy. Originally, we were saying a privacy culture is what we want to create, and nowadays we are saying culture of trust. So, how does privacy play that role?
Andy 07:13
Could you elaborate more in terms of what you mean? Sorry.
Punit 07:19
So, what I mean is we are talking about Digital Trust. And Digital Trust is basically something that's coming from, as you said, past like, let's say, 30 years ago. If you go to your bank, you talk to John, and John, you know him. He's in the branch every day. You're comfortable giving him your cash. You're comfortable taking money from him. And if one day John is not there, or you don't go, John knows you are ill, or he's ill, whatever those relationships develop, yes, then if one day John says, hey, bank is closed and keep the money. But I'll put it tomorrow, you will trust him, because that's the trust we were talking about. Now, all of a sudden, since 2012 or 15, we are more and more a bit earlier. Also, we are talking here the Digital Bank, yeah, like there is Revolut, there is Wise, there's N26 and those banks, yeah. Now nobody has seen any branch.
Andy 08:17
There's no rush, yeah.
Punit 08:20
It's digital, yeah, and in that digital now, when it came up first, we were like, should I bank there? Do I want to move my 100,000 pounds in there, $100,000 in there? And some of us were like, No, I will keep it with Barclays while I'll open an account there, because it's fancy, so that trust is not there. And since that thing is digital now, we are talking Digital Trust, and how do you build that Digital Trust is you do risk management, you do security, you make sure Cyber Security is there, like one of the banks don't want I mentioned. Are talking. Your money is secure with us. Safe with us. Why are we talking? Because people doubt that absolutely. Yeah, if we extend that to the concept of privacy, because for me, there are three elements, broadly speaking, there's security, there's privacy and there's risk. If you manage risk, if you protect privacy and you protect data or secure transactions, then essentially you have digital trust. So, in my opinion, privacy does play a role in creating Digital Trust. That is the question I'm extending saying, what is your view? Similar, different, how these? I agree with you. I think if you put the security measures, the privacy measures, it creates trust. And also, privacy goes a step further compared to security, because it's the obligation of transparency, which means, in a privacy notice, in a cookie notice, you are telling the customer what you're doing, and that too, in a simple language, and when a user reads it, they would usually get to know how trustworthy or how is my privacy being protected or not, and that usually leads to trust. Of course, you can write something and do something, and then the trust is broken, yeah, but we all and you and me and our privacy colleagues usually recommend making investments in privacy, you say you should do this, you should do that. And typically, we are encountering a question, is there a return on investment, on privacy investments? 
I mean, like you sell a tool, and many others are selling a tool, and then this is the return on investment? How do you handle that question?
Andy 09:30
I agree. I think privacy is only one kind of pillar of this we need to look at. You know, you can't have privacy can't be all encompassing, in my opinion. Okay, it's got, there's got to be several elements to it. I think security is, is different to privacy, although the two are heavily overlapped. You privacy, I think it has tasty very often people get, get confused and think that privacy covers everything. It doesn't, doesn't. There's, there's too many. I. Facets do with security. I mean, Cyber Security is different to privacy. You know, risk is a all-encompassing as well. It's, there's lots of proportions of risk. So, I think privacy has to be thought about as to how people have confidence with what you're doing. You know, you're going to, you're going to look after my information, and that's different, that security is protecting it. Privacy is making sure that you only handling an appropriate way, and that you're administering an appropriate way is to handling an operation of it, rather than the securing and technical side of things. Maybe that's that. Maybe you agree with that. I'm not sure, but I think there's, there's so many different, different pillars involved that there's, there's no one, there's no one answer to that. It's gains trust from a consumer who, who wants to say, you experience bank with you. I mean, if I log into NatWest, for example, to the app on NatWest, I have absolute confidence and trust that they're going to look after my information. And that's there's appropriate security measures around it. If I forget my password, there's appropriate process to go through to renew it. I'm going to go click through emails, go to this got to show my fingerprint. I've got to do facial recognition. So, the biometrics in there help you to make sure that only you activating that information or reactivating that information. 
But if I was to go to a lesser-known institution that I haven't got trust with, then I may say, well, you know, if you're offshore, for example, I've never heard of you. Then I may be unwilling to submit such information without additional checks in place, but you have that confidence with a with a large impact, knowing they have the systems in place, they have the Security system in place. They've done all their pen testing, they've done all their vulnerability checks, and there's it's kind of safe as houses. In some respect. I would say most definitely, yes, there is, although lots of people we spoke, we speak to, are of the opinion that, oh, they just see the privacy as a cost focus, the cost center. It's going to cost, going to cost us. We had a chat in the office the other week saying, oh, one of our clients use us like their true company. They just pay for it, and they know it's gotta be covered off. But ultimately, you have gotta realize that if you invest in a privacy department, a consultant, a privacy however you do it from a private perspective, there are benefits to the business, because you're going to be able to if anyone sends you a supplier you didn't you're going to be able to respond to it. If you have details come through, you can respond to an efficient manner. If there's a complaint come through, you can respond to it. If the ICO come through to you. You've got all the documents in place. You've got everything that you need to show the ICO what you're doing. And if you have a breach, you've got the professionals in place to deal with it. When you're doing a merger acquisition, again, any challenges they come up with. I look at the Starwood hotels many years ago with Marriott. If they'd had that in place, it would have been covered off. They'd avoided the penalty the ICO put out to them. So, I think that there is most definitely a return on investment. 
You know, the companies that don't have privacy professionals, in place, in house, externally, whatever. I think it's a very short, short-sighted approach. We speak to lots of companies saying, oh, our office manager has done this, or our head of HR has done it. What experience you have in privacy? I did a course three years ago, and that's just that's great for a box ticking perspective, because our, you know, HR, head of office often only did a course, but can they implement the operation on day-to-day basis with ease? And the documents policies make sense. They reflect what you're doing. Do the processes make sense? They quote the DPA 98, those sort of things are so very things that people don't think are important, but they're critically important. So yes, in long short, I think there is most definitely a return on investment if you are committing to a privacy program.
Punit 15:17
Okay, and now we were talking about the tools, the software that helps you establish or demonstrate compliance, and you also happen to have a tool in that, can you tell us something about privacy helper, and how can people leverage? How is it different? And what does it do?
Andy 15:37
Yeah, I mean privacy helper is our privacy service that we offer so effectively. Give a bit of background, the business was born in 2017 as we it was the damn Solutions Group as the actual company's name, and people were saying to us, what the hell do you do? You know, we don't understand, because there's no relation to privacy there. So we thought, okay, that's a very good point. So we launched privacy of a brand. We do as accurate citizen Tim, we help with privacy, as simple as that. So the we don't offer. There's no actual SaaS platform, actual platform involved. It's simply we, we help companies with their privacy with zero fuss. There's no you know, if you want to go and engage low lawyers for you to for your privacy, work you can do, and they will confuse things. No, not confuse things. Sorry, they will. They'll do their job in terms of producing legal documents. Okay. But if you speak to somebody in HR or marketing, or it, or general operations for the business, and you try and explain to them, from a legal perspective, what that what that what privacy means to them, what it means to the business. You're going to lose them because you're talking the legal language. You're not talking to other lawyers. Okay, so, and that's nothing against lawyers, by the way, they do a fantastic job, but just if you if I talk to a lawyer, normally, I get lost because I'm not a lawyer. They're talking to me in their language. So effectively what we do is we offer zero fuss, and we lay online to in terms of what we're looking for. We act as a blocker. We act as a builder. If you want to get a product off the light, off the ground, if your business wants to get a certain strategy launched, then we will help you to do that in a way that is measured, is proportionate. 
We may have to reduce some activity so it is deemed compliant, whatever that compliance is, but we will help you to fulfill your business ambitions and business growth plans in a way that you can say, well, we've covered off our data protection obligations. We have everything in place. The DPIA is done, the risk assessments are done. The transfer impact assessments done. It was overseas suppliers, you deal has been done. Trains been done. Post has been written. We can go live now. Plenty of times, companies have said to us, I want to get this off the ground. You can do it, but you need to rein it in a little bit, because the information you collect at the moment, or user data is kind of over the boundaries of what we'd like to do. You know, from a risk point of view, this is our line here. We can bring it back a little bit, then we can safely say, crack on. Let's go and just get this live.
Punit 18:26
Okay, that's pretty straightforward. So, it's consultancy that you offer, and who would be your ideal client, then?
Andy 18:34
Ideal clients, I believe, are, again, we've been doing lots of work of this in house recently with the team companies, from 25 employees upwards, 2500 employees, maybe a bit more. There are more common clients. We deal with a lot, with a fair number of hospitality clients, schools, B to B, B, B to B, organizations, predominantly startups and growth and growth, you know, comes on growth projection is we get a lot of inquiries through from companies who are looking to grow in the next 18 to 24 months, and so, which we applaud, is saying to them, so we need, we know we've got to invoke privacy within our plans. How can we do this? So we can grow, we can satisfy our investors that we're growing in a proportionate way, and we're not just tagging on data protection as an afterthought, but we've actually put it into bolted into the business at this early stage, and we'll work with them over 24 month period and say, right. Well, you know this, this is our timeline of work. This is where we want to get to, and we embrace it with them as much, you know, we they can. They see us as part of their business, as a critical part of their business, to get to where they want to be without our assistance, these companies cannot achieve their growth goals, and that's what they view it. And it's that's very often, it's part it's a term of. Condition of their or Terms Conditions of their growth, that they have to have our assistance.
Punit 20:09
I agree with you. I think even for me, when sometimes new client comes and they like, what's the fee for privacy compliance? I mean, it's not like a certificate I have to issue, and I can say it's 5000 euros, and take it or leave it Yes, not continuous partnership, like you mentioned. It's a collaborative journey in which we help you grow Yes, and we work with you to make sure all the assessments, the risks are done, documented, and you can be rest assured, ready for launch or ready for your go to market and grow together.
Andy 20:45
Yeah, totally. And we will have, we will walk hand in hand and say, right at this stage, this is required. There's milestones each, each, each area, they have to be ticked off, have to be approved. You know, we sit very often with board at board level and say, okay, well, in order for this next stage to happen, this is going to happen. If it doesn't happen, not saying you must happen. We're saying to you, we advise you, this is how to achieve this goal. Okay? And obviously it's discussed at a high level, and that's where companies see us as a critical partner to their to their path, and we, we help with as much as we can do.
Punit 21:28
I agree with you. I think it's a partnership approach, working together and understanding that it's a ongoing compliance, ongoing collaboration that is needed, not a one-off project or one of instance, when you say you hire somebody, and two months later you're done, it doesn't work like that.
Andy 21:45
It doesn't. Business changes the whole time. There are different business challenges every day of the week. And sometimes they'll get some people will say to them, okay, well here back. You know, this is our next challenge, or it's our latest challenge, or got this project on go, and I hate to have the same answer, but can we do this? It depends. You know that I know it's a familiar old cliche in the data protection terms, but it depends if, if you want to go as you're doing now, then I can't start off. I can't approve it. I can't say from day perspective, we're happy with what you're doing, because there are several areas in legislation. It does not satisfy however, if I say, if we look at it and we rough down the smooth, down the rough edges, then we've got a far better chance. Saying to you know what? You're in a very good position. If you're challenged by anybody, the ICO come knocking. If I did, then, then you have enough there to demonstrate to you that you are that you will have what you need in place. And I try to reassure clients the fact that I can't guarantee that won't come knocking, but I can say that they do come knocking with a query or complaint or whatever it is, then you got enough to show them that you've tried with damn this to achieve compliance, and more often than not, the regulator will work with you to fine tune that compliance. You know, the ICO, as I'm sure we're all aware, aren't the most active of enforcement agencies, but they are known to want to educate companies. So, I urge companies not to be concerned about the fine element. It's more about your own business partners, or business associates or third parties saying to you, come on. We, we're not satisfied with this.
Punit 23:39
Indeed, and that's the point we were talking of earlier, trust. Because when companies say I'm not satisfied, they're essentially saying I don't know if I can trust you. And doing all these efforts of compliance, the risk assessments, the documentation allows companies to be feeling or to be demonstrating a trustworthy picture of themselves. And that's what privacy compliance is all about?
Andy 24:01
Totally. And I think the advantages in sometimes in gaining out outsource or external assistance, even if we work alongside your internal privacy consultants, you know privacy team, is that they have that third party specialist seal of approval. That's not just, you know, head of privacy in X company, saying to the board, yet we're fine. They've actually had independent specialists who are aligned with what they're trying to achieve, saying, you know what we're on. We're on site with this. We can't think of any other areas that reasonably have to that are going to cause problems you're in. You're in a good position.
Punit 24:44
Yeah, I fully agree with you, and it's amazing how time flies. You're almost at the end of the conversation. So, it's been wonderful to have you. Is there any one final message you would like to pass to audiences?
Andy 24:57
Well, first, we've been approached. Speaking to you. So, thank you for inviting me. Secondly, it's been I've my previous life. I worked in marketing before we're moving into data protection, and this has really given me a chance, that the industry has given me a chance to, I suppose, reassure companies and help companies that data protection isn't that big hurdle that people view it to be. Isn't that pain the backside? Granted, it's not sexy thing we'll talk about. But we when we have when we hear from companies that we are, we've helped them to achieve their goals, their milestones, their ambitions. We've taken that worry off the plate for them. Okay? Because we've come in and we've made it a very straightforward, simplified task, rather this big monster of a compliance task, then it makes it all worthwhile. Now, when you get letters from clients saying the email saying your you know your time with us went down really, really well, it gives you a warm feeling that you've helped a company with, taking that that pain away from them.
Punit 26:05
I agree with you. And if now somebody says, hey, I want to talk to Andy, what's the best way to reach out to you?
Andy 26:14
Best way is probably via our website, which is privacy helper, COVID, UK. All contact details on there. I'm on LinkedIn. I'm very active on LinkedIn sometimes, so hit me up on LinkedIn and to have a chat I love talking to new people. We run a business. We are of a have global coverage. We've grown massively in the last 18 months. We have a lot of regular clients, new, new conversations. What businesses thrive. So there's any, any privacy consultants out there who want to partner up with us, or work with us, strengthen their offering, or think we could help them, or they can help us, then drop us a line, get in touch. Unlike quite any clients there who want to maternity approach, then let's have a chat.
Punit 26:59
Indeed, that's a good way. So, with that, I want to say, Andy, thank you so much for your time. It was wonderful to have this conversation.
Andy 27:07
Thank you so much.
FIT4Privacy 27:09
Thanks for listening. If you liked the show, feel free to share it with a friend and write a review if you have already done so. Thank you so much. And if you did not like the show, don't bother and forget about it. Take care and stay safe. FIT4Privacy helps you to create a culture of privacy and manage risks by creating, defining and implementing a privacy strategy that includes delivering scenario-based training for your staff. We also help those who are looking to get certified in CIPPE, CIPM and CIPT through on demand courses that help you prepare and practice for certification exam. Want to know more, visit www.Fit4privacy.com, that's www. FIT the number 4 privacy.com. If you have questions or suggestions, drop an email at hello(@)fit4privacy.com. Until next time.