Where Does Digital Trust Fit into Board's Agenda

Punit 00:00  
Where does Digital Trust fit into Board's agenda? Well, yes, we've been talking of digital trust, we've been talking of AI. We are talking of privacy, security and so on. But what is board's priority? How do they look at Digital trust? Is it important for them or maybe it is not? So, what does board think about digital trust? Is it a compliance focus that they have? Do they have a trust focus or are they focused on a broad business view saying like portals, five forces, or things like that, and focusing on the business. And then technology or the changes in technology or compliance is just an element in driving that business. Now these are very interesting, very fascinating questions. So how about talking with someone who has been consistently talking to boards in last few years and is a known public speaker while I'm talking about Bruno Soares, who's a dear friend of mine, and we will have a fascinating conversation with him.

FIT4Privacy Introduction 01:09 
Hello and welcome to the Fit4Privacy Podcast with Punit Bhatia. This is the podcast for those who care about their privacy. Here your host Punit Bhatia has conversations with industry leaders about their perspectives, ideas, and opinions relating to privacy, data protection, and related matters. Be aware that the views and opinions expressed in this podcast are not legal advice. Let us get started.  

Punit 01:37 
Hello and welcome to the Fit4Privacy podcast and today we have a very unique guest and that's Bruno Soares. Did I pronounce your name? Well, I don't think so.   

Bruno 01:47
Perfect.   

Punit 01:48 
Okay. Welcome Bruno. Welcome to Fit4Privacy podcast.   

Bruno 01:52 
Welcome. Thank you for inviting me. Punit.  

Punit 01:54 
It's a pleasure to have you. And let's start with the very fundamental question in this AI quantum emerging tech world, what is this concept of digital trust? Wasn't trust enough?  

Bruno 02:06 
So the trust is very funny because recently I was in exactly one conversation. I was exempt, for example, I was discussing zero trust and there's different approaches. There are the more technical ones, the more strategic ones the ones that are singly only related with the word itself. But if you pick up the zero trust one I hate that word and why I do hate the word itself because zero trust is completely the opposite of the mindset that we are trying to deliver to the market is we need to trust ourselves. So,  I understand that is if we know technically what we are saying is that basically we have to start all over again in any interaction because trust is so important and that is one part that we cannot just assume trust. Okay. But at the end of the day the trust is mostly the fact that nowadays organizations are not in the offer mood. That I will hook things internally and I will throw it to the market, throw it to the clients, throw it outside, and I actually need to interact in the ecosystem. So I need to be trustful. I need to trust my partner. So, it's pretty much associated with ecosystem, and that's why in that conversation I was remembering the famous words of Ronald Reagan and Gorbachev, when the guy said, actually is a proverb, a Russian proverb that Reagan quoted that was trust but verify. So I would say that I like that sense of we need to trust ourselves, otherwise we cannot move forward. But that doesn't mean that we are just trust and we just innocent relation with each others because we know that along the journey we need to verify something. So, I think it's a very strong term because it positions the organizations not internally where the board controls everything and govern everything.  It gives us this sense that nowadays organizations need to be organized and need to be actually a government thinking in the outside. So trust an ecosystem, I think they can go together in a very good way.  

Punit 04:21 
And just to build up on that, when we are talking about this concept of AI, the deep fakes and all that is becoming a reality. And then people are talking also of quantum computing, which would change the game completely. And some people say there would be no secrets. So can we expect trust or digital trust or zero trust, whatever acronym or term we use in an emerging world of new technology in say 10-20 years. Is that still going to be feasible?  

Bruno 04:57 
So I think we, we have to assume that technologies can be used where, wherever we use them it's not, yeah. It was never, and we, it is never about the technology itself. So, if we think about those technologies and we think about the data center closed data center, not connected data center. Maybe I can use it for some purpose but it's definitely not that, that we are talking, we are discussing this, these technologies that are always putting the organizations, interacting with other organizations and that's, that's why this is so important, the fact that we started to have this sense of in collaboration between the organization's position mostly organizations in this upper level of governance is not only about corporate governance, it's about ecosystem governance, because sometimes the processes start before my organization, across my organization, we will move to another organization and then we'll see the client. So, the center of the discussion is no longer my world is started to be the ecosystem, how we collaborate, how we can centralize in the clients, for example, and if that's the reality. First of all, that's the sense of digital transformation. That's the sense of an economy that is no longer an offer. Economy is mostly an let's say the economy of the individuals or the economy of the ones that are asking for the, the so-called experience, the personalization. And if that's the case, trust is exactly in the middle of everything. Okay. That's the good side of the story, that's the side of the opportunities. Because at the same time, if we want this level of openness, if we want actually to have a demand economy, we have to take care of that economy. We need to understand that the company it's no longer just, okay, that company was attacked. Most of the time, the attack to a company is no longer only a problem to that company will be a problem to the company, to all the companies that are somehow related with it. And at the end is even to the systems, to the market. If a bank is attacked, it's not the problem of that bank, it is the financial system. It is the digital economy. So, this is why trust is so important. We need to take the advantage of all the opportunities, but we need to know that the same opportunities have the side of the threats. So as long as we keep at least balancing opportunity and threats, if we take these actions or moving forward with this sense of risk involved, I think we are doing a great job. We need to understand that we will never be perfect, and the organizations can be perfect when they are closed and disconnected. In that case, they will not be attacked from the moment they want to interact. They want to sell more; they want to connect with other companies. The opportunities are there; the threats are there. So, I always say to my students and to ones, to the ones that I talk with, companies can keep the discussion, should I use this, should I use that? Is this good? Is this bad? The technology is evil or not? But at least the ones that are attacking companies, they don't question that. They are using all the technologies they can to attack us, to attack the systems, to attack the persons, to attack the companies. So at least the sense of being out there is the sense that we are out there because we want to take advantage of this ecosystem bu t that ecosystem is being attacked. So at least knowing that we have to balance our defenses with the power of the attackers. That's at least a good principle or a good value that everyone in the top management of organizations has to have.  

Punit: 08:44 
And you said have to have. So, when you are talking to the board members and boards. Then because when I'm talking to people in the GDPR space, they're saying it's still a compliance agenda. People don't look at GDPR as a value add, GDPR as a trust element. They look at GDPR as a compliance element, something to be dealt with. Same thing now when we are talking about EU Act, people are not saying it'll help me build responsible AI. So, and then we are starting to talk about this concept of digital trust. Now, is the board convinced about the value or the notion of digital trust, or are they still in the compliance mindset?  

Bruno 09:23 
So I would say that I work in these areas for more than 20 years, and the expression compliance for compliance was always there. So if we compliance as this trigger this thing that someone wants, and I just comply with that. That is just human nature. If I don't understand the value of the things and I just comply, I will comply with every checklist someone give me. Okay? For example, what I typically give to the boards that I advise or the students that I teach these subjects about governance never say that you do something because of compliance. Even for the internal teams, okay? For example, if you say that you are just taking care of data protection, you only care about privacy because there’s GDPR? That is so bad from a cultural perspective, that's so bad from the responsibility of the board that the less of the problems would be defined at the end. Okay. So, if we understand that the game now is that companies are trying to create value in their world, and the regulators are putting these laws and regulations just they are not concerned with the company A, B, or C again. They are concerned with the interaction of the company A, B, and C with the citizens. They are concerned with this ecosystem in a specific industry. So, I think what is missing now is that companies, I think many companies still think that the governments or the institutions are doing these laws because they want to control them. It's because of them. I want you to be protected. And if you go to the spirit of the laws, they don't care about your protection. They just don't want that. The impact of something that happens to you will end up. Taking care of the data of a person taking care of other element of the same system. So, think that's what's missing is that companies start to look a little bit more outside and less inside. And even for the boards, one of the questions that I try to do more and the responsibilities that I strike boards nowadays to move forward, Is to think a little bit less about controlling the inside and try to understand a little bit about evaluating the outside. Try to understand, first of all, why? why even I'm doing this? Okay so if they start by evaluating, they will direct better and they will end up monitoring better and this is the spirit and many boards are still more concerned with internal controlling these, doing micromanagement sometimes and be very concerned with one specific metric of this or that. And most of them don't, don't even look outside and try to say why? Why am I actually doing this? So, I think that's the movement that we are still missing the understanding why, why this is important. Of course if boards don't, don't know the answer to these questions and we keep seeing more and more and more regulations, there's a problem because there's an imbalance and companies say, oh, there there's a regulation fatigue, and there's no value in regulation. So, something is bigger. I think it's bigger than regulation itself okay.  

Punit 12:48 
No, I agree with you. I think there's already overregulation on, we have to the on the verge of saying it's overregulation, but regulation is necessary to make sure the citizen is safe and the ecosystem serves the citizen rather than other way around. The citizen continues to serve and provide data for the ecosystem. So Bruno, you talked to a lot of board members and executives and different boards per se, and digital trust is a priority for us. Digital trust is a priority for everyone. And you covered it very well saying digital trust is a concept wherein the governments are putting in regulation to ensure that the citizen is safe, and the ecosystem in itself is doing the right thing in protecting the citizen. But how do we convince, how do we sell this concept or convince the boards? Into this concept of digital trust. Any ideas? Because you also mentioned about the culture dimension, so I like that. But can you elaborate and build on that?  

Bruno 13:48 
So I always pay a lot of attention to the incentives. Okay So, because we always have this romantic view of some boards do it because they like and others don't, don't like. Everyone acts according to the incentives. Okay. So, for example, in Europe most of the incentives now to the boards speak about those, these subjects are mostly regulatory. So, the accountability that is given to the board of directors when it's coming from a regulation from the outside, wherever. It's not only I would say that 10 years ago a board will receive this regulation about cybersecurity or whatever and send it immediately to the IT team and now they understand, no, that's not for your IT team, that's for you. So, this give you the incentive of doing something because from the outside. I need to report. So, something that I need to report will put myself in a position that I, at least I need to understand a little bit. So, this is the type of relationship that I think I have mostly in Europe because most of the boards, they are just prioritizing and if they have other priorities, it's not, oh, you are not pay attention to privacy or security or whatever. No, they are not paying attention to that because they are paying attention to other stuff. Okay. They are always working. They don't have free time, let's say, and now. I think they are being pressured because the law said so which means that I definitely think that's not the best incentive because that' again, a compliance incentive and it's not directly related with the value creation. I'm not working now with the United States, but I teach in university with some American cases and sometimes say, oh, they don't have regulation. We have regulation actually, if we say we have regulation, because the incentive is not to pay the fines. Okay. That’s the final topic of regulation in Europe, in the United States because the companies are publicly traded. The incentive is if you are attacked, your company will lose the market value and you are attacked in the morning and you have to sell the company at the afternoon. So, the incentive is not because someone is asking, you are actually understanding that there's a direct connection short term connection between the value of your company and the topics of security or cybersecurity or cyber risk or whatever. So they, they also have pressures. They also have incentives and I would even say that they have even short term. Incentives that sometimes are more important than, okay, if I don't do these in one year or two years, I will pay a fine after I pay for some lawyers to question if that's actually the stuff. So in, in the United States, they have this market pressure  if something is  if I lost a database with client data  in the next day, I will have I will be sued. By an organization that will immediately ask me for millions and millions in Europe. And I see unfortunately in some countries, and unfortunately is also a little bit like that. There's no sense of the cities and themselves they, they understand they have these rights. And because it's like, okay, someone will take care of my rights. There's a huge gap between what the laws say and what the people feel. And when you have that separation, if you go outside in the streets and ask, do you care about your data? Do you know that database with your data in the government, whatever was leaked yesterday, no one knows. No one cares. So this is the difference is when you actually are doing something because you care. And because if you are not doing it companies the individual will change from your company to the other company that is right next to you. So at the end, I think it's always about economy. It's also always about if you are doing something because we'll give you a competitive advantage. And when these topics are not positioned as a competitive advantage. I see people caring, but it's all almost like a social responsibility, caring, you know what I mean? So that's the biggest difference when, when organizations connect this to the value creation, to the competitive advantage, they will do an amazing job. If this is just because of law is mostly like social responsibility. No. It's mandatory to comply with laws. That's to our job. Someone is in charge, and that's the biggest difference.  

Punit 18:23 
So you talked about the incentive part, you talked about the prioritization part and also linking it to the mandatory part, but then. What drives a board or a board member, incentives drive them. Then there are priorities and then there are these aspects, but what do they value most when it comes to neutrally? So because digital trust compliance, GDPR, security, AI. These are things which are happening and we go saying, we need to do this, we need to do that. But they usually have a broader agenda, like you earlier mentioned, the why. Why is this company existing? Fundamentally what? What is the mission we are on? What is the vision we have? So in that context, does it help, and I'm just maybe answering a bit, does it help if you link these concepts, whether it's trust, whether it's security, whether it's privacy. To that broader agenda they have in mind. And is it easier to find that agenda? Is that it's commonality in that agenda across boards?  

Bruno 19:23 
I think it's always connected with the agenda and the agenda have these huge pressure because if for example, if your agenda is to grow, you have to look to the digital  business. If your agenda is just to keep the business you probably will more in will go in more defensive way, you will be more conservative. So, I think it's always associated with the type of mandate that the board gives to the exec, top management team. And what we see a lot in times where the economy is not growing. It's not valuing the innovation, it's not giving the sense of, okay, there are so many players for the same product and service. You are in a competitive market. When that doesn't happen, typically is that will, that will give the pressure. If you are a more monopoly, if you have lots of power in a specific product, you just don't want to fail. But again, you'll not lose the clients. The next day they will come to you again. They will not change for another company. So I think again, the topic here is always about business economy competitive advantage. That's why if you are looking to a more global perspective where companies are trying to thrive in many countries, many regions. That's actually a challenge because they are not controlling so much. The other elements of the context  if they are more local located in a specific region, a specific country, they are already controlling somehow. When I teach these topics, I remember everyone and specifically the war that. The pestle for example, the tool pestle didn't change. Okay? The boards are still looking to political, economical social, technological, environmental, and legal topics. Okay? So every time we are discussing digital, we are just talking about one that is technological. So that is the one that is global. There's no Portuguese technology or Netherlands or Spanish or Chinese or American. The technology is global. So that element is global, is the same technology everywhere. There's no, as you were saying before there's no quantum computing, Portuguese quantum computing. This doesn't make sense. The same technology is global. So what change are the other ones? How is my political environment? How is my social environment? How is my economic environment? How is my legal environment? So many times we have the same technology that is promoted in one country and is forbidden in another. So again when companies. Are more focused on, can I control the economy? Can I control the politics? Can I control the legal that works better? If they cannot control that and they use, they will use more. The pillar of technology. That's why we see these in markets where the technology moves forward the technology moves forward and then the companies start to using it. The people start to use it. The economy start developing social is changing, and the politicals go after this. In Europe, I remember last year I was in Italy when one week after ChatGPT I remember was launched and the technology was there and there was this political forbidden. They forbid it, I was there and I could not use it because it was, was forbidden by the state. Even in Portugal, we  started to have this web summit that is a, this big conference that happens every year in Portugal. And the, the first years everyone from everywhere was coming to Portugal to promote innovation startups, this ecosystem of excitement around technology. And they landed in Lisbon Airport and they enter it in a Uber that was not actually it was not forbidden, but it was also not allowed. You know what I mean? So I think at the end of the day, companies are concerned, of course, with technology, but what makes really sense is how to understand, again, all the elements and how all the elements can be understand, in a single vision, not in separated vision. So, the boards that control more of these elements. Maybe they are not paying so much attention to the technologies and to stuff if they actually excited and say, okay, I can do everything. That's why the spirit of the startups is so, so nice. They are not kind of constrained. Oh. The political or the laws in this country will not validate your product. Oh, I go to another country, let's move forward. You know, that's the spirit. I think this is the excitement that Europe needs a little bit. It's the excitement of let's not.What can you do in these boundaries but let people be more creativ. In Europe, you have laws before. You have technology that is a little bit crazy, isn't it? So letting people to be more creative and not so planned economy, I think would help everyone.  

Punit 24:34 
No, I agree with you. And I think, if I look at the conversation you started with saying it's a system and an ecosystem aspect. So digital trust doesn't need to be looked at in isolation, but as an ecosystem issue, there needs to be balance and there needs to be positioning and responsibility is the key when it comes to the boards and they want oversight. They want culture and they want risk. Those are three dimensions they look at. And then you expand it into the other dimension. They're driven by incentives and priorities. So when we go with trust, when we go with privacy, when we go with security, we need to factor that in. But then you expand it into what drives them. So what drives them or what makes them run a company is not the fantasy about AI or quantum or all these things. It is the Fundamental forces, supporters, five forces or the pastel, as you mentioned. Yep. The social economic and legal landscape or technological landscape across the T, the technology that dominates these days. But the T is dominating the business, but that doesn't mean the political, social and the legal don't exist, or economic doesn't exist. They do exist. It's all that combined in a balanced format. That's what drives a board, and that when combined, they are also caring for digital trust. But factoring everything all in right?  

Bruno 25:54 
Totally agree.  

Punit 25:56 
Good. So with that summary, I would say if someone wants to contact you, the two questions. From my side, what do they need? What is it that you can serve them with? And second, how can they reach out to you?   

Bruno 26:10 
So of course, LinkedIn is always the network the reference of the network. And I would say add me on LinkedIn. I would love to have to keep these conversations going. And I'm always speaking around the world because I really enjoy to share at least my view. I'm not saying that is the right or the wrong, but. It's also a little bit like you are doing here, Punit this sense of commitment with sharing. I think one of the trust parts is also the sense of sharing and see how it moved from the business is the secret, is the secret of the information. I have this information that you don't have and that's also the symbolic of what I said. It's the offer economy where everyone with some secret will move forward. Now it's not about secrets, it's about sharing, being, collaborative, and at least from my side, I will keep sharing and I would love to share with your audience in the near future.  

Punit 27:10 
Absolutely. It's all about sharing and collaboration, and we all learn from each other. Yeah, that's how we grow and we expand our awareness. So thank you so much Bruno, for your time and your wisdom and your information that you shared.  

Bruno 27:23 
Okay, Punit. See you next time. Bye-bye.  

Punit 27:27 
See you.  

About FIT4Privacy 27:27 

Thanks for listening. If you liked the show, feel free to share it with a friend and write a review if you have already done so. Thank you so much. And if you did not like the show, don't bother and forget about it. Take care and stay safe. Fit4privacy helps you to create a culture of privacy and manage risks by creating, defining and implementing a privacy strategy that includes delivering scenario based training for your staff. We also help those who are looking to get certified in CIPPE, CIPM and CIPT through on demand courses that help you prepare and practice for certification exam. If you want to know more, visit www.fit4privacy.com. If you have questions or suggestions, drop an email at hello@fit4privacy.com. 

Digital trust is no longer just a “nice to have” but a critical part of the board’s agenda. The speakers highlighted that boards must understand the risks and opportunities of digital technologies and ensure that trust is built into every decision. It’s not enough to just focus on profits or compliance—they need to think about how technology affects customers, employees, and the company’s reputation.

The discussion also pointed out that trust depends on transparency, strong data governance, and a clear strategy that involves everyone at the top. Boards have to stay curious, ask tough questions, and keep learning about emerging risks like AI and data privacy. This is key to protecting the business and staying competitive.

The episode reminds us that digital trust is a shared responsibility. When boards lead with openness and care, companies can create real value—earning loyalty, reducing risks, and building a stronger future. This makes digital trust an essential part of leadership in today’s digital world.

Bruno Horta Soares is a seasoned executive advisor, professor, and keynote speaker with over 20 years of experience in Governance, Digital Transformation, Risk Management, and Information Security. He is the founder of GOVaaS – Governance Advisors as-a-Service and has worked with organizations across Portugal, Angola, Brazil, and Mozambique to align governance and technology for sustainable business value. 

Since 2015, Bruno has served as Leading Executive Senior Advisor at IDC Portugal, guiding C-level leaders in digital strategy, transformation, governance, and cybersecurity. He is also a professor at top Portuguese business schools, including NOVA SBE, Católica Lisbon, ISCTE, ISEG, and Porto Business School, teaching in Masters, MBA, and Executive programs on topics such as IT Governance, Cybersecurity, Digital Transformation, and AI for Leadership. 

He holds a degree in Management and Computer Science (ISCTE), an executive program in Project Management (ISLA), and numerous professional certifications: PMP®, CISA®, CGEIT®, CRISC™, ITIL®, ISO/IEC 27001 LA, and COBIT® Trainer. As a LEGO® SERIOUS PLAY® Facilitator, he brings creativity into strategy and leadership development. 

Bruno received the ISACA John Kuyers Award for Best Speaker in 2019 and is the founder and current President of the ISACA Lisbon Chapter. A frequent international speaker, he shares expertise on governance and digital innovation globally. 

Outside his corporate and academic roles, Bruno co-founded Iniciativa Liberal, ran for Mayor of Lisbon in 2021, and is now leading a rural tourism venture in Alentejo, reflecting his broader commitment to sustainable and innovative growth. 

Bruno’s blend of technical acumen, strategic leadership, and passion for education positions him as a trusted voice in today’s digital transformation landscape.

Punit Bhatia is one of the leading privacy experts who works independently and has worked with professionals in over 30 countries. Punit works with business and privacy leaders to create an organization culture with high AI & privacy awareness and compliance as a business priority by creating and implementing a AI & privacy strategy and policy.

Punit is the author of books “Be Ready for GDPR” which was rated as the best GDPR Book, “AI & Privacy – How to Find Balance”, “Intro To GDPR”, and “Be an Effective DPO”. Punit is a global speaker who has spoken at over 50 global events. Punit is the creator and host of the FIT4PRIVACY Podcast. This podcast has been featured amongst top GDPR and privacy podcasts.

As a person, Punit is an avid thinker and believes in thinking, believing, and acting in line with one’s value to have joy in life. He has developed the philosophy named ‘ABC for joy of life’ which passionately shares. Punit is based out of Belgium, the heart of Europe.

For more information, please click here.