A Survival Guide For First Time Privacy Managers
Episode 54 • 29th November 2022 • Privacy Pros Podcast • The King of Data Protection - Jamal Ahmed

Shownotes

The Truth About Managing Privacy Teams - Renowned Privacy Expert Reveals All

Hi, my name is Jamal Ahmed and I'd like to invite you to listen to this special episode of the #1 ranked Data Privacy podcast.

In this episode, discover:

  • 3 Common Pitfalls New Managers Make And How To Avoid Them
  • Why Expertise Isn't The Most Important Factor When Hiring Managers
  • How To Make Privacy A Competitive Advantage For Your Business
  • How To Use Ethical Hacking To Prevent Cyber Attacks

And so much more...

Ross Saunders is a global privacy, defensive security, and infrastructure specialist working with numerous industries to implement privacy programs and technical infrastructure controls.

With a background in IT administration, software development, and Governance, Risk & Compliance (GRC), he is able to assist in a wide range of disciplines surrounding compliance, security, and privacy, regularly assisting companies with advisory, awareness campaigns, and practical implementation of recommendations.

Ross holds a master’s degree in the Management of Technology and Innovation, and holds designations and certifications in privacy legislation (CIPP/E), ethical hacking (CEH v10), and paralegal practice. Ross currently serves as the co-chair of the Johannesburg chapter of the International Association of Privacy Professionals (IAPP) and is a Professional member of the Canadian Association of Professional Speakers (CAPS).

In 2019, Ross published a book called “This Is Not What I Signed Up For: A survival guide for first-time managers” to help technical subject matter experts move into management roles. It is available for purchase in eBook and softcover at Amazon.ca.

Discover more about The Privacy Pros Ultimate CIPPE and CIPM Training: http://bit.ly/3ZmiJZz

Follow Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/

Follow Ross on LinkedIn: https://www.linkedin.com/in/rgsaunders/



Transcripts

Ross:

No one tells you the practical implications of becoming a manager, but it was kind of sink or swim and I had to learn to swim and made huge mistakes along the way. I had teams walk out and things like that. It was a big learning curve. And when I had been in management for a while and was looking to hire people into roles around product management and that in the GRC space, I saw that so many people were having the same mistakes and we were seeing managers internally having the same mistakes that I made and it's like OK.

Intro:

Are you ready to know what you don't know about Privacy Pros? Then you're in the right place. Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts. The podcast to launch progress and excel your career as a privacy pro.

Intro:

Hear about the latest news and developments in the world of privacy. Discover fascinating insights from leading global privacy professionals and hear real stories and top tips from the people who have been where you want to get it.

Intro:

We're an official IAPP training partner.

Intro:

We've trained people in over 137 countries and counting. So whether you're thinking about starting a career in data privacy or you are an experienced professional, this is the podcast for you.

Jamilla:

Hi everyone and welcome to the Privacy Pros Academy podcast. My name is Jamilla and I am your podcast host. With me today as my co-host is Jamal Ahmed, Fellow of Information Privacy and CEO at Kazient Privacy Experts. Jamal is an astute and influential privacy consultant, strategist, board adviser and Fellow of Information Privacy. He's a charismatic leader, progressive thinker and innovator in the privacy sector who directs complex global privacy programs. He's a sought-after commentator contributing to the BBC, ITV News, Euro News, Talk Radio, the Independent and The Guardian, amongst others. So Jamal, last week to when we're filming this, we were at RISK. What did we do at RISK?

Jamal:

We were at the Excel in London, which is the largest exhibition space in London, and we were there representing the Privacy Pros Academy and speaking to all the amazing people who came to say hello to us that want to actually develop their professional skills when it comes to privacy. So some people actually want to get into data privacy so we were speaking about the programs that we have suitable for them. Other people have already been in privacy for a few years and now they're thinking about moving up the role so they can have bigger impact, be more happy and get more responsibility. And then we spoke to those people who are leaders who just need a little bit more guidance, a little bit more confidence, a little bit more support on how they can actually show up better, do better, and get that buy in. And then there was one specific person I spoke to that really stood out to me. She said I've got this nickname as The Blocker and they see me as the blocker across the organization. And I don't really like that title. What can I do to change it? So it's about how we can support her to show how privacy can actually be a positive influence and help the organizational objectives, rather than she’s just here telling people what they shouldn't be doing. So it's all about cultural change and a little bit of training and empowerment. But those conversations were fascinating. We got to meet so many of our peers there. We got to meet Richard Merrygold, we got to meet Ibrahim from ACT Now. We saw Max Schrems and all of the other fantastic speakers. There are too many speakers to name, so I'm not going to do that because I miss out more than I name. It was a really great experience, actually. We were there for two days, and just the passion that you heard from people about privacy and about protecting people's data and upholding those rights was fascinating. 
And it just was really nice to be able to see people again because a lot of these people haven't been out since the pandemic. So it's really nice to be able to meet people, shake hands. Oh my gosh, how many people did I hug Jamilla, it was amazing.

Jamilla:

I enjoyed it. Loads of stalls. Thank you for all the tote bags and free stuff, all the international stalls. I went up to them at the end and I was like, oh, you don't want to take that back on the plane, I opened my bag and I just put their freebies in. So I've got hand sanitizer to last me at least another ten years. So that's great.

Jamal:

I heard a rumour that you managed to collect so much stuff that you went around bartering and you ended up getting Amazon Vouchers in exchange.

Jamilla:

So I bartered from stall to stall because I thought that if you're on one stall, you're not necessarily going to have time to go and look at other stalls. So I went to one stall and traded a pair of socks and chocolates. I got on another stall for a 15 pound Amazon voucher. Then I traded some squishy balls because they gave me about ten. I traded one for some pens and one for some Lindt chocolate, reindeers and teddy bears. So, yeah bartering, key to any good conference.

Jamal:

All right, so if you're going to a conference soon, guys, remember, Jamilla's top tips is collect as much stuff as you can and then going around bartering.

Jamilla:

fessional Speakers (CAPS). In:

Ross:

Thank you for having me.

Jamal:

Wow, Ross, what an impressive bio.

Ross:

You have to sit there listening to it.

Jamal:

You should be three times older than you look right now.

Jamilla:

Before Jamal jumps into the questions, because I know he's raring to go. I can see it in his eyes. We're going to start with our ice breaker question. Ross, if you could clone anyone or anything, what would you clone?

Ross:

Oh, anyone or anything. I would probably regret the chaos that would go up in the house. But our dog, I would likely clone her and have more of her, but it would be chaotic.

Jamilla:

What kind of dog do you have?

Ross:

We've got an Italian greyhound cross whippet, and the biggest personality you've ever seen.

Jamilla:

Jamal, what would you clone? Well, you first. My questions, my rules.

Jamal:

I would clone myself just so I can get my stuff done.

Jamilla:

Yeah, that's a good idea.

Jamal:

I'd keep one version of myself doing all the working stuff that I need to do, and then I'll take another version of myself and park it with the family. So then work gets me and family gets me, and everybody's happy, and I'm twice as happy because everything's getting done.

Jamilla:

I'd say I would clone my fridge because then I'd have twice the amount of food and I wouldn't have to go to the shop. A variety of answers there. Interesting answers. Anyway, on to the data privacy questions. Ross, why did you go into data privacy in the first place?

Ross:

ved in privacy because around:

Jamilla:

Wow. If you don't mind us asking, what kind of identity theft was it?

Ross:

There was a profile created of me, basically. Thankfully it wasn't anything like a passport clone or anything like that. They built a national identity document for me, as well as fake pay slips and proof of residence and all of that. And they ended up just taking out accounts and accounts and accounts after accounts, I purchased I don't know how many laptops, lounge suites, patio furniture, all of this that I never, ever saw, but woke up to a drained bank account a few months in a row. And then you’re playing catch up to try and get rid of it for a long time.

Jamilla:

My God. So yes, understandable why you wouldn't want anyone to go through the same.

Jamal:

I’m sorry to hear you had to go through that rough, but if that's what has led you into serving so many people and helping all of these businesses in Canada, then I guess there is some positive to take away from it.

Ross:

Yeah, I was really lucky because working in the governance risk and compliance space for so long in my team, in the company I was in, I had certified fraud examiners. So I had this beautiful resource available to me as to what to do in that circumstance. But I realized that most people don't know what to do in that kind of circumstance. So I had a leg up on getting identity protection and things like that but I wanted to bring it up and that's where the speaking started as well, to talk to people what to do to protect yourselves.

Jamal:

Yeah. So Ross, I hear that the Canadian Protection Enforcement has got a new set of teeth and that the fines are going to be much larger. What’s that done to the privacy landscape in Canada?

Ross:

to be reminiscent of kind of:

Jamal:

It must be a very busy time for Bamboo consulting right now.

Ross:

It is indeed.

Jamal:

On that question, when you are looking to increase the team or when you're looking to hire as your experience as a manager, which led to you actually writing the survival guide for first time managers, what qualities or skills do you look for those specifically privacy managers?

Ross:

That's a really interesting one. It's something we've wrestled with quite a bit as to what we're going to look for. And I mean, we've just been going through this process now. We were hiring, we found someone. But I think between Sharon and myself, my colleague from Bamboo, we're really adamant about getting the right fit. I think we are not the average stuffy advisory company. We want to be fun, we want to be interesting, and we look for people that have that same kind of aptitude. So privacy is super big and to try and find someone who knows everything is going to be very difficult. So we look for a lot of what's the fit going to be with us, but also looking for skills that are different to ours. We want to kind of get this positive result out of it as opposed to just strengthening skills we already have. So we look in different spaces. We've looked at folks from totally different industries to see where it relates. And it's been a very interesting process, seeing people from the marketing industry, seeing people from legal industry, from tech industry, because everyone kind of has a hand in privacy in these circumstances and you've got a different experience from each one. We look into these different spaces and we're having folks coming in from a health site now. So there we've got another experience coming.

Jamal:

That’s super interesting and the next thing I was going to sneak in there was some top tips for first time managers.

Ross:

I think the biggest things that we go through, it’s with the book as well, is no one tells you the practical implications of becoming a manager. There's a load of models out there and you can follow this and you can take this checklist but it doesn't tell you necessarily about things like the soft skills you're going to have to deal with and the conflicts and that side of things. So I think one of the biggest things you need to learn when you're going into management for the first time is you need to manage. You're not doing the technical specialization as much anymore. And that does get difficult if you get promoted. And you need to work out that balance because there will be a handover. But you have to come from being a sole specialist, learn to delegate to people and make sure that they can take it on. And that takes listening, that takes communication, that takes ongoing rapport with the people that you're working with and that's a totally different skill set.

Jamilla:

Yeah, that's really interesting. I think a lot of people I know have had managers where they've been promoted because they're good at their technical stuff but when you try and talk to them or you need the people side, they don't quite get that so I think that's really important. So what would you say the main reason is why you decided to write your book?

Ross:

Pretty much exactly that. That's how I found myself in management. I was working well in the DevOps side and all that and really enjoying it and highly technical. We were in a very specialized team and then promoted and it was during a company sort of merger and acquisition and everything got restructured and that's how I found myself there but it was kind of sink or swim and I had to learn to swim and made huge mistakes along the way. I had teams walk out and things like that. It was a big learning curve. And when I had been in management for a while and was looking to hire people into roles around product management, and that in the GRC space, I saw that so many people were having the same mistakes, and we were seeing managers internally having the same mistakes that I made. And it's like, okay, I have a bit of a passion project now to get this on paper. As to, these are the mistakes I've made, let's try and not make them again. And that's where it came from. It's a lot of practical things that I learnt throughout my management career.

Jamal:

So on that note Ross, what's three of the most common biggest mistakes you see first time managers making?

Ross:

The biggest one, I would say is still doing the work that you were doing previously and not being able to delegate that side of things. But then I think it comes into things like listening skills. So actually hearing what someone is saying, when you come into that management space, you're often wanting to impress because you're there. So you listen to respond as opposed to listening to actually listen and take it in and then respond quietly because you want to make a good impression and people will respond to try and get that across. But you've already made a good impression. You're in management now. You need to learn to listen and bring people in and actually hear their opinions and take it to heart. And I think that ties into perhaps the third one is being humble. You're not going to have all the right ideas at all the right times. Listening to the teams, bringing the team response in is a very important thing, too.

Jamal:

Great. Thank you for sharing your tips. So here's what I've got from those top three tips, and I'm sure there's so many more of those you can learn from the book, which is what I'm going to go and do straight after this podcast. So, Ross said, the first thing is what he found a common mistake that he was making and a lot of first time managers are making. And if you're a first time manager, you can probably relate to this is if you're still doing the thing, you were doing before you become a manager, that technically you need to find a way of letting go of that and actually trust the people in your team and delegate that. Because the moment you do that, you free yourself up to do actually what you've been promoted to do, which is manage and not run that process or look after that technical aspect that you're looking after. So the first thing is learn to delegate, trust your team and stop doing the same work you were doing beforehand because your role has changed. Second thing, Ross, you said is actually, we need to listen. As first time managers, we need to listen not just to respond to somebody and have a quick answer, or a smart answer, but actually listen to really hear and make the person feel that they've been heard and then take that on board before you come up with any quick decisions, actually reflect on that and then come back. And I think the first thing I really took away from that was it's not just I know everything and I have the best ideas because you probably don't. And that's probably going to lead to self doubt and imposter syndrome later down the line. But it's actually collaborating with your team, listening and getting feedback from the people that are doing some of these technical things, who might actually be quite insightful and useful when you're actually making some of the decisions and then to take on that information before you make any final decision. Have I got that about right, Ross?

Ross:

Yeah, I think you summed that up beautifully.

Jamilla:

It’s what you were saying about listening. There you go. Well done Jamal.

Ross:

Excellent, excellent.

Jamilla:

So something I wanted to ask you, and we were speaking briefly about before we started recording, is Ethical Hacking. I think you're the first person we've had on who's got some experience. You've got your certificate or your CEH v10 in Ethical Hacking. What is Ethical Hacking? Because I think I said to you before when you think of a hacker, you think of someone in a balaclava in a darkened room going into your bank.

Ross:

Yes, I didn't have my hoodie right now, so I should have that on. Here we go, representing the cyber side. When we talk about Ethical Hacking, it's the same methodology. It's knowing the methodologies, the tools, the way a plain old hacker, I suppose, would be attacking a system. And it's learning to do this in an ethical way. And I mean, part of what we see from that is in the name the ethics, is how do you approach a company to do these kind of tests and things like that. There are companies with their bounty programs, things like that, but there are also companies that perhaps don't know that they should be looking at these. And there are ethics involved in actually approaching these companies to say, look, we may find vulnerabilities, can we get permission to look at your environment? Can we do certain attack simulations on your environment? Because you can in Ethical Hacking and trying to get into the system, you can end up taking it down, which that is a dangerous situation to be in because you could cause a breach in the process. So there is the ethics involved in it, but it's knowing those techniques that would be used out in the field for offensive attacks and then how to defend against those. So your red teams or blue teams or purple teams all start stemming out from that ethical hacking side of things.

Jamal:

Right? So I was recently delivering the ultimate CIPM programme for privacy leaders, and one of the questions that came up was what is the Red Team, what is the Blue Team? And what is this purple team? So you have all of these lovely colours but for those of us listening, we're not really familiar with what the different colours represent when it comes to penetration testing or Ethical Hacking. Could you just break it down for us?

Ross:

Yeah, absolutely. I think there are so many acronyms that get thrown around and terms that get thrown around, like we're seeing a lot of shift left now, which is just moving security earlier in the process. But when we're talking about Red Team, Blue Team, Purple Team, it's the different aspects that you're going to have from cybersecurity sites. So your Red Team is generally an attack kind of team, an offensive team that would be trying to get into systems in any way possible, things like that. Your Blue Team is going to be more of that defensive team putting the walls up to make sure that the Red Team can't get in. So you have this defensive and offensive side of things that you're looking at on both sides. And when we're talking about Purple Team, it's kind of the blend of the two of those. Or we've seen it involved in DevOps and DevSecOps, where you'll have people that kind of have a bit of both roles in place where they're handling defensive and offensive.

Jamal:

Thank you. Thanks for your question. So the Red Team is they're going to focus on how to breach the system, how to get in and how to attack. Your blue team is a defense, they're there to guard against what the Red Team would potentially be doing and making sure they've got the defenses. And your Purple Team is like a hybrid of attackers and defenders altogether in one team.

Ross:

Yeah, we've seen a couple of different kinds of approaches to Purple Team, but in general we look at it that way. So it's exploiting the vulnerabilities and then making sure the vulnerabilities aren't there to exploit. And it's a race between the two I suppose.

Jamal:

And I think it's something that's really important. And I encourage all of our clients to get these penetration tests from the ethical hackers, because you would rather find out what your vulnerabilities are yourself from somebody who's doing it ethically and saying, hey, these are the problems. And it gives you an option to do something about it, rather than find out when you've been held to ransom, when you've had a breach, when you've had to turn your systems down, when you haven't been able to serve patients and having been able to serve your customers, and then the reputational damage comes into it. And then, of course, enforcement action. So it's so much of a better investment to invest in that while things are okay. So then you can identify your vulnerabilities, look at what you want to prioritize fixing those, and then get your blue team in to patch or identify and mitigate those vulnerabilities, I guess.

Ross:

Yeah, it's great that you bring that up not only for the breach situation, but it's also great this is where that intersection of privacy and security comes in that when a company that's privacy mature is going to start doing a vendor due diligence on you, chances are you're going to be requested that kind of information. Have you done vulnerability assessments, penetration test, et cetera? If you haven't done it, that's a time consuming process to do and you can hold up a vendor process by having them or not having it, but when you have that in place, you can provide it. The vendor onboarding process goes a lot smoother, you can prove your compliance a lot better and you basically have a better turnaround time on what you would do on your day to day business.

Jamilla:

So with hacking, that's kind of cyber security, how's the intersection between cybersecurity and privacy? Are they kind of done in separate from each other or do they merge together?

Ross:

I think the two are completely intertwined, but places still go and do them separately, which is a risk in my view. So you have privacy that will fall to the legal department or compliance, and then you have cyber security that either falls to a security department or IT and never the two shall meet. And they don't talk to each other. And then you end up with conflicts and clashes and one does something the other doesn't like, and the wrong people are around the table or they're not at the table at all. But if we look at the privacy principles, if we look at the OECD principles, if we look at the principles that are in many laws around GDPR, PIPEDA, we're seeing these components that say you need to have security. You've got to have security for privacy. You've got to have your security safeguards. Under POPIA, it's all there. You've got your technical and organizational measures when you sign SCCs, a lot of that is cybersecurity. I suggest there's policies and organizational controls, but there's technical controls, and I think a lot of the cybersecurity aspects come in there. And similarly, when you're dealing with the cybersecurity side, you're dealing with that CIA triad, the confidentiality, the integrity, the availability, and those three also relate through to privacy because confidentiality looking after the information that's there. Yes, cybersecurity is concerned with more than just personal information, but it's completely intertwined because you still have to have classifications of data. You still have to be knowing what your security safeguards are on things, who's doing role based access control for things. The two, I think, play together so well and really should be integrated because you should have privacy talking to cybersecurity and vice versa. 
When you have an incident and you've got everyone talking together and cooperating, the incident runs very smoothly because you have early communication between the two teams, and you know, that, okay, we might have a notification requirement coming up down the line. Who needs to be involved from privacy side, security side instead of just privacy, finding out after the incident has become a breach that upfront involvement helps a lot with those 72 hours turnarounds and things like that.

Jamal:

I couldn't agree more with everything you just said there Ross. One of the things that we really encouraged to the organization that we work with is we need to break out of the silos of security over here and privacy over here and start working together and having those conversations. In fact, where possible, I say they should all actually be sitting around each other because then they can hear what's happening. And the thing is, there's also cost efficiencies of that because often times you'll see that they're duplicating efforts. They might be using this software, they might be using this software, they might be using x vendor, they might be using y vendor, but they're still trying to do the same things. So why are we duplicating that? And why don't we see how we can actually save money and increase the operational goals or the business objectives by working together? Because what you find is there's a lot of cross over, and the moment that they both accept that, hey, security is there, to protect data, privacy is there to also protect data. We both have the same objective. So why are we trying to figure out on our own? Why don't we just do it together? Because there are, like you said, both technical measures. So that's your firewalls, that antivirus software, that's your data loss prevention stuff. And then you've got your organizational measures, your policies, your processes, your standards, your training and awareness. Why would we want to do those things separately? Why don't we see where we can cross over and we do see a lot of cyber incidents. Why don't we bring that into some of our policies? And why don't we actually talk about that instead of having 50 different policies that no one's ever going to read, why don't we have four really good ones that have practical examples, both from a privacy and a security point of view. 
And when you do that, you actually see cultural change, you see organizational efficiencies, and you start seeing the positive effects of security and privacy rather than when it was just a drain on the business. Because this is a problem you see when you talk to stakeholders is they will see those functions as cost centres rather than how they're actually promoting and providing and bringing in revenue. But companies like Apple, companies like Amazon have actually proven to us that you can actually use privacy to cultivate trust, to inspire confidence, and ultimately increase revenue as well.

Ross:

We've seen it in practice, exactly what you mentioned there. We talk about things like breach plans, where you have privacy has their breach plan, security has their breach plan. Generally they're under the same headings of identify, remediate, and contain and all of that, but they have slightly different steps. But it's two separate processes and it’s time consuming. You can merge those into bringing in privacy where it's necessary, security where necessary, and it helps. We've even seen cost savings for things like setting retention periods better. So you've got a shorter retention period, your cloud storage costs go down because you're not saving so much data out there and your risks go down because you don't have the data at that time either. So, very beneficial there.

Jamal:

Yeah, absolutely.

Jamilla:

Right, so one of the things that we wanted to speak about, Ross, is privacy as being a good business practice. We're speaking about how sometimes companies are reluctant to adopt privacy practices because they just feel it won't add value to their business. It's more of a chore than can give them benefit. Do you see that a lot?

Ross:

We do, and I think it comes into a lot of how you implement privacy. There's a benefit and a curse, in that the privacy legislation don't tell you step by step what to do. And the curse is then you need to figure out what to do. But the blessing is we can do this according to how our business operates. Which is great because you can then bring in these components very well as to how the business is running. And you can relate the components of privacy to business objectives and to business KPIs, executive KPIs and that's where you get this kind of seamless integration. And yes, privacy is a lot of work upfront to get everything in place if you don't have anything in place. Once it's in place, it's maintenance. And you can, as Jamal said, Apple does this well. You've got this trust from your consumers that you can bring in. And it's a marketing boom that you can have that really helps. It is good business practice. If we look at principles of data protection, about being accountable for the information we have about specifying our purposes, about limiting data, about being open, about having transparency, all these translates into good business practices as far as I'm concerned. And it can be beneficial to your business, and it can streamline your business. A lot of places haven't thought about these considerations. And when you do start mapping your processes out, your activities, you find out across the business what you're doing double work on. You find out which activities, in which departments take too much data. And it really is a benefit to the business. It’s a good practice to do it.

Jamal:

Yeah. And just to add to what Ross was saying, the reason a lot of businesses and a lot of stakeholders I speak to on the consulting side, they find they have this attitude is because, as Ross mentioned, the privacy laws, they're not very prescriptive. They're more generic. And they give you guiding principles because they realize that how one business does something, another business will be completely different. How you do something, one industry is completely different risks than the other industry. And therefore, when you get lawyers, and if you're a lawyer and you're listening, I mean, no respect, but one of the things lawyers find very challenging is then how to operationalize that theory. Like, oh, they're great at writing policies, they're great at writing loads of documents, but then the business has to go and actually put that into practice. And the reason businesses have this attitude is because what they find is the lawyers that they've brought in, or the consultants they brought in, they're giving very rich templated frameworks. The business can't work with templates that they've created for somebody else. They need something that's bespoke and that's why we need more pragmatic, we need more practical professionals like Ross, like Sharon, like we do at Kazient, to actually go and really serve those clients, build a solution that's right for them in a way that's tailored to the way that business works, identifying the risks they have and also in line with the business objectives, just using basic common sense. And this is why we attract so many lawyers to the Privacy Pros Academy, is because they've identified, they're struggling a little bit and it's causing them some kind of self-doubt and imposter syndrome and it's actually making them feel quite miserable about what they want to do. And instead, what we help them to do is to really understand the principles and how they apply.
Often all you have to do is take a step back, like, too many people focus too much on the details and the technicalities and all the nuances of the article. But actually all you have to do is take a step back, look at the bigger picture. What is the organization doing? What are the objectives? What are the guiding principles that we need to follow here, and Ross mentioned you've got the Privacy by the Design and Default principles. The GDPR gives you principles, the OECD gives you principles. So it doesn't matter what part of the world you're in, all you need to do is find a mentor who can really help you to take that theory that you're so great at and really enhance yourself as a professional by just getting that practical and pragmatic understanding of how to operationalise the theory. And then you can make massive change. And instead of seeing being this blocker, you will actually be the hero who's helped all aspects of the business, and you've also helped some of the business objectives when it comes to getting more clients, getting more customers, and you can feel great. It would make you be more happy, you will get more success from your career and ultimately it will lead you to have more freedom.

Ross:

Very well put.

Jamilla:

Ross, you've said that privacy is not a show stopper. What do you mean by that?

Ross:

I think it leads on very well from what Jamal was saying now, I think a lot of companies get scared of privacy as well, thinking if we have to do these assessments that our clients are asking us to do, our vendors are asking us to do, then the fact that we've answered no to one thing means it's a show stopper and we can't deal with them. And it's chaos, panic, disorder, how do we get this stuff in? But it's not the case. And I think it comes in that just because you don't have a certain aspect, it doesn't mean that it's a showstopper. We see it all the time in these assessments where someone will get an assessment and they suddenly don't have a specific policy inside the business and no, we can't get it. We've got to drop this policy quickly because it's got to be out there and before we can get the deal, no, it's down to the substance. Do you have something similar that covers that? Do you even need that? It might be a case that you're providing this service. You're being asked for privacy assessments, but you don't deal with personal information and it's not actually valid for your service offering that you're giving, or you're not a business critical service. Therefore, you don't need high availability and uptime. So I think that's where I come in, that privacy is not a show stopper. It's there to help with that good business practice and make sure we're holding ourselves to a good standard. But it doesn't also mean that business stands still. And I think a lot of businesses get scared of the whole privacy thing because now it's going to stop their business. They've got to stop and do these projects for years and what's the outcome? But it's not that it's a stopper.

Jamilla:

That makes a lot of sense. Thank you very much. So the last thing before we wrap up, Ross, we like to get our guests to ask Jamal a question. It can be about anything.

Ross:

Okay. I would ask what is something that because of your profession and working in the privacy space, someone does not know about you?

Jamilla:

I like this, thanks for asking.

Jamal:

What is it that someone doesn't know about me?

Ross:

Yeah. Outside of the profession.

Jamal:

All right, well, where do I start? What might be interesting to know is that I'm a trained Ericksonian master hypnotherapist, and before my life in privacy, I used to do a lot of life coaching, which was helping people get from where they were at the time. We're feeling a bit stuck and frustrated with certain things to getting to where they want to be in an area, for example, to focus on their career or to focus on some of the other challenges they might have in life. And what is great and what some people might have discovered when they trained with me is I bring a lot of those skills and a lot of that into what we do. And I do a lot of hypnotic or subconscious suggestions, positive suggestions to help them. And when you see people leaving their recommendations, you see how they talk about this transformation they've had and how they've gone through the boost of confidence. It's all because I'm able to bring what I know from before into that, and really serve.

Ross:

That's really fascinating.

Jamilla:

Yeah. I'm looking forward to the day when you bring a pocket watch into the meeting and hypnotize us all. It was great speaking with you, Ross. We really enjoyed the podcast and definitely learnt a lot. So thank you so much for joining us.

Ross:

Thank you for having me. This was a lot of fun.

Jamal:

And on behalf of all the listeners, Ross, thank you for sharing some of those valuable gems. And if anyone wants to grab the book again, it is called This Is Not What I Signed Up For, A Survival Guide for First Time Managers.

Outro:

If you enjoyed this episode, be sure to subscribe, like and share so you're notified when a new episode is released.

Outro:

Remember to join the Privacy Pros Academy Facebook group where we answer your questions.

Outro:

Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world class privacy pro.

Outro:

Please leave us a four- or five-star review and if you'd like, on a future episode of our podcast, or have a suggestion for a topic you'd like to hear more about, please send an email to team@kazient.co.uk

Outro:

Until next time, peace be with you.
