Our guest today is none other than Joanna Kennedy, an accomplished Data Protection Officer who has a wealth of experience in navigating the complex landscape of data protection. Joanna shares her inspiring story of how she made a successful pivot from marketing to privacy and how she continues to invest in her professional development to stay ahead of the game. She also gives us a sneak peek into the inner workings of an IAPP exam question writer, providing valuable insights for anyone looking to pursue a career in data privacy.
Hi, my name is Jamal Ahmed and I'd like to invite you to listen to this special episode of the #1 ranked Data Privacy podcast.
In this episode, discover:
Get ready to learn from one of the industry's top experts on data protection!
Joanna has overall global responsibility for data protection activities within the SAE Group, adopting a pragmatic, risk-based approach that focuses on the business benefits of compliance.
She has been appointed a Fellow of Information Privacy by the International Association of Privacy Professionals and is a qualified Data Protection Practitioner (PC.dp GDPR). She is also a Certified Information Privacy Manager (CIPM) and a Certified Information Privacy Professional – Europe (CIPP/E). Joanna has been recognized as a OneTrust Privacy Professional and a OneTrust Governance, Risk and Compliance Professional. She is an IAPP exam question writer and a OneTrust Insights author. She has also volunteered as a school governor, responsible for their data privacy policy.
Follow Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/
Follow Joanna on LinkedIn: https://www.linkedin.com/in/joanna-kennedy-4a797613/
Ready to become a World Class Privacy Expert? Book your call to join the World's Leading Privacy Program
► https://www.youtube.com/c/PrivacyPros
Nobody wants people who are good at taking tests. You're not supposed to know everything, and that can be okay too. I'm always looking for trying to find that balance and again, I suspect this will be the same for any internal DPO, how do I maintain awareness without boring people to death and turning them off?
Intro:Are you ready to know what you don't know about Privacy Pros? Then you're in the right place.
Intro:Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts, the podcast to launch, progress and excel your career as a privacy pro.
Intro:Hear about the latest news and developments in the world of privacy, discover fascinating insights from leading global privacy professionals, and hear real stories and top tips from the people who've been where you want to get to.
Intro:We're an official IAPP training partner. We've trained people in over 137 countries and counting.
Intro:So whether you're thinking about starting a career in data privacy or you're an experienced professional, this is the podcast for you.
Jamilla:Hi, everyone, and welcome to the Privacy Pros Academy podcast. My name is Jamilla, and I'm a data privacy analyst at Kazient Privacy Experts. With me today is my co-host, Jamal Ahmed, Fellow of Information Privacy and CEO at Kazient Privacy Experts. Jamal is an astute and influential privacy consultant, strategist, board advisor, and Fellow of Information Privacy. He's a charismatic leader, progressive thinker, and innovator in the privacy sector who directs complex global privacy programs. He's a sought-after commentator, contributing to the BBC, ITV News, Euro News, Talk Radio, The Independent, and The Guardian, among others. Hi, Jamal.
Jamal:Hey, Jamilla. How are you?
Jamilla:I'm good. How are you?
Jamal:Fantastic. I'm really excited to speak to our guest today. And, you know, what makes it more exciting is that we do all of these podcasts with guests from all over the world right. But then when you've got a podcast you can do with people you've actually met in person, it makes it better. So I'm looking forward to the conversation.
Jamilla:Yes, me too. So, coming up on our podcast today, we'll go into a bit more about what qualifications you need to work in privacy, how to get the best buy in for privacy and what the future of privacy might look like, and many more topics. So our guest today is Joanna Kennedy and she is the Global Group Data Protection Officer at the Performance Review Institute. Joanna has overall global responsibility for data protection activities within the SAE Group, adopting a pragmatic, risk-based approach that focuses on the business benefits of compliance. She has been appointed a Fellow of Information Privacy by the International Association of Privacy Professionals and is a qualified Data Protection Practitioner (PC.dp GDPR). She is also a Certified Information Privacy Manager (CIPM) and a Certified Information Privacy Professional – Europe (CIPP/E). Joanna has been recognized as a OneTrust Privacy Professional and a OneTrust Governance, Risk and Compliance Professional. She is an IAPP exam question writer and a OneTrust Insights author. She has also volunteered as a school governor, responsible for their data privacy policy. Hi, Joanna, thank you for joining us.
Joanna:Thank you. Pleasure to be here.
Jamilla:And as we always do, starting off with an ice breaker question: if you could teleport anywhere in the world right now, where would you go?
Joanna:Well, having just come through a period of cold and snow here in the UK, I think it has to be somewhere warm. I haven't been there for many years now, but I have spent some lovely holidays in Cuba, so it may be there.
Jamilla:Very nice. That's on my list of places I want to go to, do you recommend it?
Joanna:Very much.
Jamal:Yeah. And do you still have to have your passport stamp on a piece of paper in case you want to go to the US. Or are we okay with Cuba now?
Joanna:No, I think it's relaxed somewhat, but it kind of goes up and down a bit, I think their relationship.
Jamilla:That’s interesting because I had or used to have a Libyan passport. It's expired now, and that's one of the places I can go on my Libyan passport without a visa is Cuba. It's like Cuba and Venezuela. Really random. So maybe when I get my new passport, I'll go to Cuba.
Joanna:Do it.
Jamilla:Cool, let's get into the question. So, Joanna, you've got a varied background. I was reading your bio. It said you did a degree in French and German and got a background in marketing. So how did you get into privacy?
Joanna:Languages initially was what I was good at, at school, and I enjoyed. And so that's what I pursued for my honours degree. Then I frankly had no idea what I wanted to do with my life. I applied out of university for jobs in all kinds of fields HR, finance, sales, marketing, you name it. And I fell into marketing, happily, as it turns out, and I have been in marketing for over two decades now. When GDPR and data privacy became more prominent, right, a few years ago in the UK and Europe and worldwide, the organization I work for, we formed a team comprising people from across the organization where we felt there would be the highest risk, value and so on with regard to the data we're processing. So I was there representing marketing. We had someone from IT, HR. I'm sure this is a very familiar story. We had a kind of council, right, where we explored what this would mean for us as a business and for our departments. And I really just loved it. So having, as I say, kind of 20 years ago, fallen in love with marketing and subsequently gained various diplomas and accreditations and so on. So I'm also a Fellow of the Chartered Institute of Marketing and a Fellow of the Institute of Data and Marketing and so on. And I'm a chartered marketer. And like I said a few years ago, I thought, wow, this data privacy stuff is really exciting. Even now, people tell me I light up when I talk about it. I really am passionate about this. And so once GDPR came into force, literally that same day, pretty much, I was invited to become our data protection officer, which I accepted gladly, but I said, well, I have this long history in marketing. I enjoy this data privacy stuff, but I only know what I have learned myself, and I feel credibility for confidence I should gain some official qualifications. 
And I was very fortunate that my organization backed me for that, which led to me becoming a certified practitioner in data protection, specializing in the GDPR, as you mentioned, subsequently gaining CIPPE and CIPM, and reaching the point where I was eligible to become a Fellow of Information Privacy. So I did, and so that was my journey. You mentioned a couple of organizations I work for in my introduction. So I'm primarily employed by the Performance Review Institute, but that's part of a group of companies. And so initially I was the DPO for that one company, and subsequently I was appointed the group DPO. So what that now means is there are a number of companies that I serve as data protection officer for in the UK, the US. We have entities in Japan and China, in places in Europe as well, customers all around the world. So it's a really thrilling, always changing landscape. And that's how I got into it.
Jamal:Wow, what a story. We currently have one of similar to yourself, somebody with a very strong marketing background. In fact, she's known as an expert in marketing, and she's trying to pivot her career to data privacy as well. And what I love so much about the people that come from marketing or understand marketing, and they bring that to privacy, is they get how to talk to people to get the buy in. They understand how to give the calls to action in the right place. They understand that we don't want to lose people by using these complicated legalese and stuff. We just need to make it relatable to them, and then they're more likely to buy in, give us that culture. But anyway, I know you're going to share a lot about buy in later on, but I can already see you have that marketing background. That passion for marketing has really set you apart from other privacy professionals and really helped you to excel in your career. And I'm looking forward to learning more about that. You mentioned qualifications, and you said as you pivoted your career, as you were trying to look into this, you realize that I only know what I know because I've just taught myself, so I don't even know what I don't know right now. I want some more confidence, I want some more credibility. And then you mentioned three specific qualifications. So I know two of those, the CIPPE and the CIPM. They're from the International Association of Privacy Professionals, and you also mentioned another one. So what qualifications does somebody actually need to work in privacy?
Joanna:So I think it's very interesting that within the legislation, there is nothing specified, right? We know this so officially, the answer is you don't need any qualifications, right? It's really, I think, a balance of experience. Like I say, confidence and qualifications. That said, I recall one of my very first meetings having already been the data protection officer for one company in our group. Then when I became the group data protection officer, one of my very first meetings, someone in IT said, so why should we listen to you? And it's a reasonable question. It wasn't obnoxious. I want to be clear about that. I think it's a reasonable question because these are serious things we deal with. So why should someone listen to you? And I think if you feel like you have a good answer for that, then without qualifications, then fine. I personally did not. I think it gives a lot of credibility. Certainly the IAPP qualifications where they're accredited, it's that other validation, right, that people look for. So I think that's what matters. But it's not a one and done. As you know, once you have these qualifications, you have to commit to maintaining them to continue professional development. And so I make a point where I've said to my boss, for as long as you're prepared to allow me to, I will go to conferences, and I will go to trainings, and I will do all these things. There's a certain minimum I have to do to maintain my accreditation. But beyond that, I enjoy it, I get a lot of value from it, and I bring that back to the organization. So I think that's very important. But I recognize not everyone is so fortunate to be in that position. So there are other things I think it's worth pointing out, right, that people can do. 
So I also get a lot of value from being a member of the International Association of Privacy Professionals, not just through attending their conferences and their qualifications and training, but for example, they publish lots of articles that are very useful and they also have a kind of community discussion forum that people post their queries and other people answer and I have an email feed on that. So not everything is relevant to me in my role, and that's fine. Some of them I just file, but some of them might be like, okay, that's an interesting idea. And when we talk about the benefits and getting the buy in, there was something very recently that was discussed there that I'm exploring to see, could we do? So we'll come back to that.
Jamal:Okay, fantastic. I love the answer. I completely agree with you. When I was trying to get my footing to go into privacy, everybody was like, okay, great, but why? What do you have that brings you to the table? And I found that the most credible and the most commercially valuable certificate or certifications out there was the one from the International Association of Privacy Professionals. And you can see now we have the Privacy Pros Academy, where we exclusively work on delivering just IAPP certifications because of how much the organization brings value to the industry, to professionals like me and you, and people looking to come in, people looking to get promoted, and also people just looking to become the leaders and the go to experts. So regardless of what stage you are, I value the IAPP resources, I value the membership, the certifications. As you said, they're globally recognized, they're ISO accredited, which means you can go anywhere in the world, and as long as they recognize you’ve got the gold standard, you can potentially have a data privacy role anywhere. And you mentioned that you're covering global companies. So you're not just dealing with the UK or Europe, you're dealing with other parts of the Far East, China, US, Australia. So you really need that global understanding. And the CIPM for me really helped me to understand how to create a global privacy program that is compatible with all jurisdictions in the easiest and the most pragmatic way possible. The challenge I found when I was trying to do my certifications is there was lots of LinkedIn groups, WhatsApp groups, all of these social media platforms, and there was individuals in there, and the only thing they wanted to do was pass an exam to look smart. And I didn't like that. I didn't like that. I was like, no, I don't just want to get four letters after my name look smart.
I think there's some sources where some people were going and buying, like, illegal question dumps with the answers and then failing because they were all wrong anyway. But I think there's two mindsets when it comes to it. So, yes, you can go and do the bare minimum and just try to pass the exam, but then you're very quickly going to get found out. And the reason we do this certification is to gain that credibility and to boost our confidence of if, you know, you've kind of cheated and you don't really know what you're talking about, then what gives you the right to go and try and serve organizations on the scale that you might potentially find yourself in? For example, you're working as part of a group, and I'm sure the decisions you're making and how you're helping the businesses having an impact on millions of people across the world, it's a lot of responsibility. So that's one of the reasons that led me to set up the Privacy Pros Academy, is I didn't want people just to want to pass an exam. And if people want to do that, that's great, but they're not going to be a good fit for us. The other problem I had was I went to a couple of different providers for my certifications. And what I found was the same thing is it was a large training company trying to sell as many courses as they can, get as many bums on seats, outsource the training to a lawyer who will come, read slides at you for two days and if you're lucky by the end of it you can then go and do everything yourself again and you're none the wiser. And the problem I have is when I learn something I have lots of questions and sometimes those questions don't come to me straight away, they'll come to me later on. But there was nobody to then get that clarification from. I can reach out to LinkedIn, I can reach out to other people. Some people answer you, some people won't. But I just wanted that relationship with the person who I thought was going to guide me.
So I know that, hey, we had discussed this or you talked about this, how do I apply it here? Or what does it mean over here? But I'm looking at this and thinking it this way, am I right in my thinking? That was the biggest challenge for me and that's kind of what inspired me to create the Privacy Pros Academy where we've kind of taken the IAPP as a basic and expanded that to create our own programs. And what I have found is really effective is as we go through the material we don't just read the slides out or I don't just read the slides. What we do is we stop, we discuss it, we see what people's takeaways are, we ask people how they've implemented that or what that means to them from the different parts of the world and the confidence people get and how they can then understand how to operationalize that knowledge they're getting is so valuable. And I think that's the biggest secret that we have at the Privacy Pros Academy that helps us to get the results that people are getting with the kind of 97% 1st time pass rate and 100% overall. But also then we create the community. So even after the training they're not just left on their own like they're there, we're there. We have weekly revision sessions which is peer led. And the reason I do peer led is what I find is when I deliver training it helps me to become a much better professional and it helps me improve my practice. So if it works for me, then I encourage all of those individuals who actually train with us to then say, okay, these are the topics, and you're going to hold a class and you're going to talk to people about them, and it really helps them to boost their confidence, get more clarity. And this community is everyone in the academy. So everyone's got the same mindset. Everyone wants to be great at what they do and really serve and I think that's what is compelling people, and that's what's giving the most value from people.
How useful do you think something like that might have been when you were taking your qualifications?
Joanna:Well, as I was listening to you, Jamal, I was reflecting back on the training experiences I had and thinking to myself, gosh, I wish I had been part of that, and I wish I'd been aware of you then I think it would have been incredibly beneficial. There was actually again, I was just thinking when I did a training for my CIPPE, I was already by that point, a Certified Practitioner in data protection, specializing in GDPR so I probably could have passed the CIPPE exam anyway. But again, for confidence, I was like, let me take a training just in case. And I probably didn't need to. And in a way, I'm glad that I already knew a lot by that point, because I was surprised and disappointed that some of the information that was being taught in that CIPPE class was actually wrong. Just plain wrong. I think with data protection legislation, there are many shades of right, but there are certain things that are just wrong, and this definitely was. I love what you're saying about creating the community within the class and outside of that set up, because there's not always a one answer fits all. It depends on, as you indicated earlier, the jurisdictions you're working in, the size of the operation, budget, risk tolerance, all kinds of factors come into it. So you can have different people from different companies talking about experiencing the same situation, but the answer will be different for them. And so, yeah, I get a lot from those kinds of discussions, because it can be very easy when you're an in house DPO to have that focus, because that's what you've been paid for. That's your own experience. So that's why, for me, I spent four years volunteering as a school governor, helping them with data protection, because within my professional position, I don't have exposure to children's data. That's not what we touch as well as it was a good thing, but it was mutually beneficial. It gave me a more rounded experience. 
Also, like I say, why I like going to conferences and so on, and I still attend trainings, not necessarily CIPM or CIPPE or whatever, but data transfers masterclass, things like that, where they're very focused. And again, there are lots of shades of right. There are things that are definitely wrong, but it's so interesting to hear other people's perspectives and the issues they experience and how they've dealt with them, or, as you say, when people aren't sure what to do and we all kind of discuss it together. So that sounds incredibly valuable and I wish I'd been aware of it and participated.
Jamal: of the world who wake up like:
Joanna:Yeah, I think that's important. I think I'm interested though in your opinion because as a data protection officer then I give advice and guidance but obviously there are many and this as you say, is where having a business background, marketing or otherwise helps because you can speak their language. Because I recognize that privacy compliance is one business imperative but there are many others. Profitability in some cases is one of them. And so I love that kind of mission about empowering and allowing everyone to kind of have that privacy. Do you find in your experience with the people you train and work with, do they face challenges within their businesses around that and what advice do you give them?
Jamal:Yeah, absolutely. I mean, look, everyone's going to have their own individual challenges. There's never going to be a day or a company you go to and you say, do XYZ and everyone will be like, okay, we're going to do it. Have we done it great or do you want us to do more? So there's always going to be challenges. So what my tips there are, first of all is if we want to be understood then we have to understand. So let's understand what their objectives are, let's understand what they care about, let's understand what they're working so hard on and then let's align their goals and objectives and show how privacy or how the guidance or advice we're giving is actually going to support that. And now when they know they've understood you, they're more open and more open and if you can align those things together and show them actually we're all focused on the bigger picture as a business it makes sense. And what I found ultimately is every single organization wants to protect their reputation. They want to protect themselves from enforcement action but they want to go beyond compliance. We work with the companies who go beyond compliance and instil confidence, inspire trust and achieve more success. Without trust and confidence, how are you going to win more clients? How are you going to be able to partner up with some of the big companies when you can't even meet the basic due diligence requirements? And this all comes back to understanding the business and the objectives and then looking at the greater objective. And when you can align all of those things together magic starts to happen. And it's not going to happen easily and straight away because some people will see that compliance is here, run away. Don't tell them the truth. They're here to cut us out. 
But if you can build those relationships, have coffees, meet them for lunch, just show an interest in what they do, they'll be much more open to speaking to you and explaining to you and even showing you what it is that they're doing. And you'll actually be surprised how much people actually do value what you're doing and do care about it because you can always share with them relatable stories. And kind of one of the top tips I share with some of the people on my program is if you just go around telling facts or just regurgitating the law it's not going to mean anything to anyone. Go and tell them stories. So this is why we do easy peasy summaries of enforcement actions because then we go and tell stories and then they can see how it's had an impact on people or how it's had an impact on individuals. And when they can relate to those things and they remember the stories, you shift that culture, you shift that mindset and you start having an effective privacy program which is one of the things that you're going to talk to us about next.
Joanna:Yeah, I think that's such a good point. What I try to do is say, okay, what is it we're trying to achieve? Let's not focus on what you want to do, but the why, where are we going? And then how can we work together to get you to that same place in a compliant way?
Jamal:Yes.
Joanna:So that we become not the department of no but the department of yes and how. But I think key to that is making sure, and this is on us as the data protection people as well as our colleagues to how to get involved early because if you're approached at the very end of a project, hey, we're launching this website tomorrow. Is that okay? And you're well hang on I need to look at it. You have to be the no, not right now. So being involved early gives you the opportunity to be more of the enabler than the no. Right. And like I say, well, we can't know what we don't know. So I don't know what's going on, what everyone is doing all the time but what we can influence is the processes. As an example, with procurement in a large organization, if you're going to be using third party vendors, which almost every company does for something, right, even small companies may not do their own payroll. So there's always kind of third party vendors out there. And so it's working with procurement to, say, building into the process, when we're onboarding a new vendor, whether it's for HR or marketing or sales or whatever, it might be, build into the process. The question, will this vendor be processing personal data on our behalf? It's a yes or no. It couldn't be easier, right? And the point is, if the answer is no, okay, great. Then carry on. Don't even talk to me, but if it's a yes, okay, raise it to me so I can then, like you said at the very beginning, as we're onboarding this vendor, before anything even happens, we can kind of be involved. So I think being involved early and having that collaborative, what's our end goal rather than how are you going about it? If we start with the end goal, then we can work together on the how.
Jamal:Yeah, absolutely. Joanna, you've shared so much value. I'm just going to summarize what we've covered so far, because this is too much valuable information. So, Joanna, you started telling us about your background in privacy and how the other experiences that you've had and the other passion you've had really helped you to become so much better because you bring all of that value with you into your privacy role. And then you spoke about the qualifications that are kind of good to have or great to have in the industry, although there is no actual qualification that is required legally to get a role in privacy. What does help commercially, what does help from a credibility point of view is having those IAPP certifications and the added value of the membership and all of the great community and the resources. And what you've found particularly helpful is attending conferences. And one of the things that you mentioned not so clearly, but we read between the lines was how invested you are as an individual in your professional development, so you can be the best you can be, so you can bring that back and really serve your organization. And I think your organization recognizes that about you, and that's why they're always willing and happy to support you, because they can see how it's having a positive impact on them. And then we spoke about different types of training and what to kind of look for and what would help and what might not be so helpful and how to make the right decision on if you are deciding to go and get certified, what you should be looking for with who you choose to go to. And finally, what we've just covered now is how do we actually approach the business and how should we approach our work so that we can actually make positive impacts on the businesses and really say, hey, we are here to understand the objectives and let's work together on that.
Instead of focusing on how we do it, let's focus on why, and then the how will come for themselves.
Joanna:And I think one of the things we should all be conscious of, like I said, I'm very fortunate at this point that I'm able to travel for conferences and so on. Not everybody has that, but as we said, there are many free resources. I know you have some WhatsApp groups. As you mentioned, I'm in one of them. And like we said, being a member of the IAPP, okay, there is a fee. It's not excessive, and there's so much value from the content and the discussion forum there. So I think there is, in essence, something for everybody's budget because this world is changing all the time.
Jamilla:I wanted to ask because while I was reading your bio, I was very interested that you are an exam question writer. How did you get into that? And I guess how do you come up with your exam questions? How do you know what you want to test people on?
Joanna:That's a relatively new thing for me. So all I can talk about is my experience okay. I'm a big believer in giving as much as you can from situations and giving as much as you can as well. I think both benefit everybody involved. And so when, for example, I was at RISK London recently and I was invited to be on the podcast, I said yes. And so as a member of the IAPP, I get many emails from them and one of them said, hey, we're looking for people to write questions for our exams. If you're interested, get in touch, okay. And so I got in touch, and they carry out a rigorous training. I was very impressed on their expectations. You also go through the body of knowledge, so you can only write questions for a qualification you have. So for me, that's either the CIPPE or the CIPM. They ask you to go through the bodies of knowledge for whatever those are and highlight the sections that you feel your and I can't remember their exact wording, but where you're proficient, where you're okay, where you're not comfortable whatever. You kind of rate yourself. Then they kind of take that back and say, okay, well, we're going to ask you to write some questions on this area. Then. And they give you a lot of guidance because their exams are multiple choice. If someone in theory could go through and go, ABC, ABC. So they provide you with examples and there's a certain format and you have to make sure, for example, nothing is too obvious. It sounds silly, but if you write a question and then there's four, you provide the answer options as well. And three of them are one word answers and the fourth one is a super long detailed explanation. Maybe that's the one that's right then. Yeah. So they look at it in a lot of detail. It's not just accuracy, it's how easy it would be to fool the system, kind of to Jamal's point earlier. Right, yeah, they don't. Also, nobody wants people who are good at taking tests. That's not what this is supposed to be testing.
It's supposed to be testing your knowledge. So there is a very rigorous process. But yes, fundamentally, being aware that there are opportunities out there and being open to them, I think is key within privacy or anything else. Like I said, that's how we ended up here today. It's also how I have written a couple of articles for OneTrust. They put calls out there. Does anyone feel like they know enough about something to write an article? So I've written a couple of articles to them, the most recent on consent in the context of marketing. So that's obviously for me a kind of perfect intersection of my skills. But yeah, I mean, there are so many opportunities out there, I think if you're able and willing to take them up.
Jamilla:Yeah, definitely. I think that's good advice, no matter what sector you're in. Especially, I think when you're just starting out in your career and you're trying to build yourself up. I've kind of said yes to things and then worked out how I'm going to do it later.
Joanna:Well, and on that, I have to give some kudos to my dad, so I'll make sure he hears this. I tell him, I'm not sure if he believes me or not. This goes back actually to marketing, but it's something in my head, clearly for years and years, where I had done my first marketing diploma and then my company offered to pay for me to do another one. And I remember saying to my dad, I've just done one, shall I bother? I need this. And he said to me two things. Firstly, if someone else is going to pay for it, do it. And secondly, he said, you can have a job and lose it. You can have a home, you can have money, a partner, you can have lots of things and lose them. But if you have education, no one can take that away from you. And I thought, yeah, both of those points are really good points. So I did that second diploma and I became a chartered marketer and a fellow of those institutes. And then, like I say, when the opportunity to move into privacy came up, like, right? I needed some training anyway. And like I say, I think if the opportunities are there that's beneficial to your business as well as yourself, then why not?
Jamal:I love those values your father had instilled in you about investing in yourself and growing and developing yourself and how that is one of the only things that no one else can take from you and you won't lose, you'll only grow with it. Joanna, the other thing is, I'm actually really happy to hear that you are going to be contributing to writing some of the questions in the exam. And the reason I say that is because one of my biggest gripes with some of the questions at the moment is I can't honestly say whether they're testing somebody's knowledge or somebody's comprehension. And for those people around the world where English isn't their first language, I feel it puts them at an unfair disadvantage because I've spent time with them, I know they know their stuff. I know it's just a question of a challenge of comprehension. So if we can have somebody like you, who understands people, who's got marketing language and knows how to make things nice and clear, we can just go and test people's knowledge. And the other thing you mentioned about the actual process of the IAPP, which I love so much about the IAPP questions, is, look, if an exam is so easy that everyone can get it, then there's no value in it. And this is why the IAPP is the most rigorous. This is why they're so valued, it's because it's designed to make sure that a company can say, if this person has acquired the certification, then it means they know at least this much, and then we can actually afford to bring them on to add value to our organization.
Joanna:I think you're absolutely right, and I think any kind of qualification, probably, again, in any field, is only going to be a baseline. Right? And one of the things I think it says about that individual is they have the capacity to learn and improve their knowledge. They know, like you say, a certain amount. But as I said, I'm learning all the time. I will never say I know everything about this stuff. If anyone ever said that to me, I wouldn't believe them because it's changing all the time, because there's anyway so much to know. So I think that's the important thing, certainly I think for someone who is experienced in this field, like I say, they have a certain level of knowledge, but also to get to a certain level, it's more that you know where to find information, right? So I don't know everything. I've been asked about what are the rules around cookies in 60 different countries? Off the top of my head, I could not tell you. But I know how to find out and I did. And I think that's the key.
Jamal:Yes. It's not necessarily knowing the answers, but I think it's important to know what we know and what we don't know, but how to find the answer. That's the kind of people we want, and that's the kind of people we want to be, is I don't know all the answers, but I know how to find the answer. And that, I think, is such a valuable quality to have.
Joanna:Yeah. And I think the point about communities that you raised already, sometimes everyone, every now and then someone says something we think, I don't think that's right. I'm having a bit of a moment. Let me just run that past somebody else and say, am I going insane here? And it's very reassuring and necessary sometimes just have someone to go, no, no, you're right. Sense check. And to give you that, because no one I would be, again, not only worried if someone said they knew everything, but very worried if they never doubted themselves either. So I think having those communities is very important as well.
Jamal:One of the things we speak about in our C Five methodology is clarity. And for me, clarity comes from knowing what you know clearly, but also knowing where your gaps are. And it's important to know where your gaps are.
Joanna:I think you're absolutely right. And I think the other part of that I would have knowing where your gaps should be, right. I'm not for example, I'm not an IT specialist. I never will be. Probably at this point, I know stuff, but that is my gap. And I'm not a lawyer. That's also okay. I'm actually going to be facilitating a discussion panel at the IAPP DPIA event in March in the UK around what value do non lawyers bring to the privacy profession. We talked about, like, marketing, but like we said, IT there are many routes into privacy. It's not just lawyers. And so there are gaps that we will have. And you're right, being aware of them is important, but also understanding you're not supposed to know everything, and that can be okay, too.
Jamilla:Joanna, how do you know how good a privacy program is?
Joanna: ut with a report that said in:
Jamilla:That's going to be our next team away day or something.
Joanna:Well, yeah, it's apparently only in Dutch right now, which is rather strange from my point of view, but apparently there's been so much interest that they're looking to translate it into English because it's just a bit different right. I want things that I do to be memorable and engaging. I think that's how you can move the needle like we're talking about in that privacy by design to change the culture, obviously. Then things like, are we facilitating data, subject rights, managing our vendors properly? What about cross border transfer? How do we handle breaches? These are all other measures to assess how mature, how good is your privacy program once you've done that assessment? What I did with some of the elements, again, we reflect back what we were talking about, the gap. Right. So the security of data. Our IT team is obviously very heavily involved in that. And so there were some things I just didn't know, and that's okay. So I went to them. I think, again, it's you can't think you're going to know everything you're not, that's okay, but like you said, knowing where to go. And so once I felt like, I had assessed all this either by myself or with input. Right. Then, like I said, I did a benchmarking exercise against other similar organizations and came up with we've done our assessment, and then realistically, where do I think we can get to? Right? And so for that, I use the very common cybersecurity measures. You're on a scale of zero to five, where zero is you've done nothing. Five is like, wow, you couldn't possibly do any more, you know, and recognizing that not every organization needs to be at a five. Right. And this goes to, I think, the point although we talked about, yes, there's nothing specified exactly in the legislation about the DPO qualifications, but there is something about being proportionately and appropriately qualified. 
And so depending on the nature of the organization and the nature of that personal data you're processing, you may say we should be at a five. Maybe if you're a hospital or a domestic violence refuge or no, we need to be super good at it. There may be others where you say we need to be at three. We've got to be implemented and do it, but we don't need to be like, best in class. It really depends what you're trying to achieve, like we talked about before. Anyway, there are other expectations, business imperatives. Do we have millions of pounds to throw at this thing or not? That's going to make a big difference. Right, so all that kind of stuff. But that in a very long winded way to answer your question about how do you know how good your program is, that is what I did. So, in short, identified what measures to assess, conducted the assessment, recognizing where I didn't know the answers and getting that input as needed, determining, let's say, on that scale of zero to five, where are we, what's our target, and when do I think we can get that by? And then that gives us okay, so now I know what our focuses are. For example, I said clearly, yes, we have a data protection officer check. Who is qualified, check. So I said, we're doing pretty well on that. I can't remember the exact number I gave it, but we're doing pretty well. Where, like I say, in general, I don't think this is unique. Privacy by design, it's a change of mindset for many people. Right. And so we scored certainly lower than on the DPO part. So, okay, I say now that means that's something I have to work on, which is why, okay, a Fireside chat. What is the training and policies that everyone has to do? How do I get people engaged and excited? So a Fireside chat where they can ask questions, potentially an escape room. I've heard of people doing kind of Jeopardy style quizzes where we have teams. There's all kinds of things, I think. 
And obviously there's a great opportunity at the end of January being data privacy day. So can you leverage that? So, like I say, that's how I went about that.
Jamal:Thank you, Joanna. Super valuable. And in between everything you were saying, I just kept thinking, you know, what I love most about what you're saying is how she is talking about understanding the context in which you operate and not one size fits all, but it goes back to your bio, a pragmatic, risk based approach. And that's the approach that I favour and that's the approach that clients love, because it's the one that makes the most sense. And as you said, the GDPR, the regulation isn't prescriptive, but it tells you here's the principles, apply some common sense and apply them. And to apply them well you're probably going to need someone who has relevant experience. And it doesn't tell you what that relevant experience is. Because, again, when you apply that pragmatic, risk based approach, it's going to depend on the context of what the processing is taking place, the context of the industry, the context of the state of the art. And when you put all of those things together, you can make really good business decisions. What I would encourage everyone to do is to pause the podcast right here, rewind back five minutes and listen to what Joanna has said again, because those are valuable nuggets that you don't want to miss, especially if you're finding yourself in a senior position and you're looking to assess what your privacy program is like. Those are super valuable tips. So make sure you listen to that part again and then share your takeaways with us. Tag me. Tag Joanna. And we'll definitely come and interact and respond with you and give you some more insights or just share our insights based on what you've taken away from that. Joanna, it's been an absolute pleasure speaking with you today. You've given us so much value, so much more than we could have asked. And the thing I love most about what you said throughout the whole progress is how much you love to learn and how much you love to give. And I think it's important to give. 
And I really thank you so much for giving to the world and to everyone who's listening to us and on behalf of all of the members of our academy, thank you so much.
Joanna:Thank you. It's been an absolute pleasure. I love speaking to people who have the same passion as I do, we could talk for hours. I can't believe we have already spent so long on it. Happy to connect with anybody and support you as much as I can. So thank you very much for inviting me.
Outro:If you enjoyed this episode, be sure to subscribe, like and share so you're notified when a new episode is released.
Outro:Remember to join the Privacy Pros Academy Facebook group where we answer your questions.
Outro:Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world class privacy pro.
Outro:Please leave us a four or five star review. And if you'd like to appear on a future episode of our podcast or have a suggestion for a topic you'd like to hear more about, please send an email to team@kazient.co.uk