Odia Kagan unearths the secrets!
In this value-packed episode, we reveal why investing in training can make the difference between a mediocre career and a truly fulfilling one.
Odia shares the strategies that have really helped her build a successful career and how you too can achieve the career you've always dreamed of.
Discover:
And so much more…
Odia has advised more than 200 companies of varying industries and sizes on compliance with GDPR, the California Consumer Privacy Act (CCPA) and other US data protection laws.
With an emphasis on a pragmatic, risk based approach, Odia provides clients with practical advice on how to design and implement their products and services in a compliant manner.
Odia holds 3 law degrees, 5 bar admissions and 5 privacy certifications (FIP, CIPP/US/E, CIPM, CDPO).
If you want to make it as a successful Privacy Pro and take your career to a new level, you can't afford to miss out on this episode.
Listen Now...
Connect with Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/
Connect with Odia on LinkedIn: https://www.linkedin.com/in/odiakagan/
► https://newsletter.privacypros.academy/sign-up
► https://www.youtube.com/c/PrivacyPros
Apply to join here whilst it's still free: https://www.facebook.com/groups/privacypro
What does that mean? You may be able to get enough retained in your brain to pass an exam, but then you retain it later, because things that your brain doesn't grab, they don't stay. You go to practice, right? Because that's the whole point. You've got to understand how it applies in real life, because otherwise, if you don't, you're not helpful to your client.
Intro:Are you ready to know what you don't know about Privacy Pros? Then you're in the right place.
Intro:Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts. The podcast to launch progress and excel your career as a privacy pro.
Intro:Hear about the latest news and developments in the world of privacy.
Intro:Discover fascinating insights from leading global privacy professionals, and hear real stories and top tips from the people who have been where you want to get to.
Intro:We're an official IAPP training partner.
Intro:We've trained people in over 137 countries and counting.
Intro:So whether you're thinking about starting a career in data privacy or you're an experienced professional, this is the podcast for you.
Jamilla:Hi everyone, and welcome to the Privacy Pros Academy podcast. My name is Jamilla, and I'm a data privacy analyst at Kazient Privacy Experts. I'm primarily responsible for conducting research on current and upcoming legislation, as well as any key developments and decisions by supervisory authorities. With me today is my co-host, Jamal Ahmed, who is a Fellow of Information Privacy and CEO at Kazient Privacy Experts. Jamal is an established and comprehensively qualified privacy professional with a demonstrable track record solving enterprise-wide data privacy and data security challenges for SMEs through complex global organizations. Jamal is a Certified Information Privacy Manager, Certified Information Privacy Professional, Certified EU GDPR practitioner, Master NLP practitioner, PRINCE2 Practitioner. And he holds a Bachelor of Arts in Business with Law. He is a revered global privacy thought leader, world class trainer, and published author for publications such as Thomson Reuters, The Independent, Euro News, as well as numerous industry publications. He makes regular appearances in the media, on television, radio, and in print, and has been dubbed the King of GDPR by the BBC. To date, he has provided privacy and GDPR compliance solutions to organizations across six continents and in over 30 jurisdictions, helping to safeguard the personal data of over a billion data subjects worldwide. Welcome Jamal, thanks for joining me again.
Jamal:Hi Jamilla. Really happy to be back for another episode, and I want to share something with everyone listening. Every week we get lots of messages from people who have listened to the podcast, and they say lots of great things. But this week, Jose, one of our previous guests, he reached out and he said, hey, Jamal, check this out. I've got this message. It says, Hi, Jose, I'm a lawyer licensed to practice in a specific area, and I intend to specialize in the area of data protection and data privacy. I listened to the podcast where you were interviewed by Jamal Ahmed on having a career in data privacy and what it entails. I was deeply inspired by your interview. I gained a lot of insight on how intellectually stimulating, interesting and dynamic data privacy is. The rudiments of success in the profession in which you mentioned gaining experience in order to stand out from the competition, acquiring the relevant certifications to demonstrate knowledge, being resilient, and building oneself in order to approach the job better. Listening to your podcast fuelled me in the zeal and courage to keep striving till I get the desired success. Thanks for doing the interview.
Jamilla:Wow, that's nice. I think it's really good hearing feedback, because sometimes when we're doing the podcast, I feel like I'm just having a nice chat with people, and I forget that it's going out and people will be listening to it. So it's really great to get feedback like that.
Jamal: r one data privacy podcast of:
Jamilla:Very excited about today's guest. We've got Odia Kagan with us. And she is a partner and Chair of GDPR Compliance and International Privacy Practice at Fox Rothschild LLP, a US National law firm. She has advised more than 200 companies of varying industries and sizes on compliance with GDPR, the California Consumer Privacy Act, and other US Data protection laws. With an emphasis on a pragmatic risk based approach, Odia provides clients with practical advice on how to design and implement their products and services in a compliant manner. She holds three law degrees, five bar admissions, and five privacy certifications, and you can follow her on LinkedIn.com/Odiakagan, and we will link that below. But welcome. Thank you so much for joining us.
Odia:Thank you. It's great to be here.
Jamilla:What an amazing set of credentials. Three law degrees. I mean, that's amazing.
Odia:But I really like studying. You can tell, right?
Jamilla:I share that passion. I'm currently doing my PhD.
Odia:Very cool.
Jamilla:As we always do on the Privacy Pros Academy podcast, we start with an icebreaker question: what's got your attention today and why?
Odia:So actually, I read my little updates every morning, and I read that the NAI actually published an opt out tool for hashed emails using targeted advertising, so I thought that was interesting. They're supplementing their third party cookie opt out tool with the hashed email in view of the change and migration towards first party data due to the deprecation of the third party cookies. So I thought that was interesting this morning.
Jamal:Yeah, that could be a big game changer for a lot of firms.
Jamilla:What does that mean for the regular consumer online?
Odia:Basically, right now, targeted advertising is done to a great extent by third party cookies, right? That's going to be phased out. It was supposed to be now, but there's a delay, but it will be. So now companies are migrating their targeted advertising strategy to first party data. And that means if they can't use a third party cookie, then they use an email. So they use hash emails as your identifier. And so what this means is that for those parties that are using hash emails as the way to identify you in your travels across the web and for formulating the targeted advertising, you can opt out of it and have it be not targeted.
Jamilla:It's really good then. So will it prevent our data being sold to third parties?
Jamal:Well, the whole idea of having it hashed is nobody knows who it's related to, so it's protected anyway, like pseudonymized. It's not third party, so it's not sold onto somebody else, it's first party. So let's just say, for example, Jamilla you went onto your favourite handbag retailer's website.
Jamal:Right now they might use cookies like Facebook Pixels or from somewhere else, and then they might send you adverts, right? Let's just say you're reading an article next and then you see an advert pop up that might be based on those cookies and the third party cookies that they use to track you. Now what's happening is because those are being phased out and Google is introducing stuff like FLoC, et cetera, what they're saying is, okay, we're going to use your email that you use to sign up to the account and we're going to follow you based on that unique email. So for data privacy reasons, we're going to hash it out.
Jamal:So we're not going to see that email, but we still know that it's a unique identifier and we're going to follow you around. So now what you're saying is, okay, you can't have my cookies and you can't use my hash email to follow me around and send me targeted things. So it could be a good thing in a way where it means that no one is actually profiling you and trying to build this up and targeting you, but at the same time, you will start seeing a lot of things that are completely irrelevant to you. So there's two sides to the argument and we need to balance both of those things because how annoying is it going to be if every time you're walking around all you're seeing is adverts for football boots?
Jamilla:Might make me start off a new hobby, but there we are.
Jamal:It could be. But let's just say something. You hate coffee.
Jamilla:I don't like coffee.
Jamal:So imagine you started getting targeted. Like, coffee is a massive industry and there will be coffee shops and there'll be people who want to sell you coffee beans targeting you now because they don't know what your interests are. So they're like, yeah, why not send their own advert? One of the challenges, not having or not enabling somebody to understand what your interests and likes are. It works from both ways and as privacy professionals, you always have to take that balanced view. Right, Odia?
Odia:It's a big discussion now, right, like surveillance advertising. And there is a big trend now to talk about surveillance advertising. Should we phase it out completely? There's research being done right now to figure out whether the whole premise of targeted advertising and the tons of data that's being collected and collated. Right. So Jamal was saying the downside is you don't get good advertising, which is well curated to you. So that's definitely a problem. The question is, what is the solution for that? Is targeted advertising bias surveillance and third party cookies and things like that. Is that a good solution or not? Now, research has shown I mean, you've seen this. I mean, I see stuff on like Instagram or whatever. There's stuff that pops up there and sometimes you go in and it's like, why are you showing me these ads? And you go in and it's like your interests are sport. No, that is based on clicks and things and like what I do on the web. So, question is, what is the holy grail for targeting? And now there is a thinking about first party data using curation or data bunkers or whatever with like supplementing first party data with third party data. The trick being that this all needs to be permissioned. Depending on which legal regime you are or you are in the US. This whole thing still needs to be permissioned. So that's one option. And the other option which is being looked at is contextual advertising, which has always been there. Contextual advertising is I am reading an article about shoes, hypothetically, or makeup, and then I get an ad for shoes or makeup. Now, that's really simplistic. Right now, contextual advertising is a lot more advanced and there's a lot more data points, but it's more privacy preserving. So the question is, with the deprecation of cookies, with the deprecation of the IDFA on iOS 14.5, we need different ways to do this. And now the question is what they are and how to do them in a privacy preserving way.
Jamilla:And do you think that the new privacy legislations that have been coming in have had quite an effect on advertisers?
Odia:Oh, for sure. I think that the entire industry right, is affected by this and everybody needs to change their strategy, right? Like if your whole tech stack and your whole strategy has been relying on third party cookies, then obviously the lane ends kind of thing. Like what's the meter equivalent when the lane ends?
Jamilla:I can ask Alexa if you’d like.
Odia:Like, lane ends in 50 meters, right? So you have that sign. So this is now right? Like, okay, third party cookie is ending in 50 meters, and we've got to figure out different ways. So it's definitely affecting companies but then the argument is, okay, who is being affected by it? So the argument is some people are saying that small and medium companies, enterprises and publishers are being more affected by this because the bigger companies, either the so called, like walled gardens or just big companies, right? They already have a very solid first party data set. They have loyalty programs, they have Instagram followers, they have multichannel presence, and so they already have their first party data, and they just need to ameliorate it, build on it, build the trust. If you're a small company, let's say that's the issue is, how is this affecting small companies? Like on Instagram or you were some small company. This is typical, like, pandemic example. You guys probably saw all these companies with paint by number canvases. I'm guilty of I still haven't finished my detailed lion of, like, the paint by number lion thing. There's like a bazillion companies that popped up about this. Now, a company like that, one is small. Two, that is new. You're trying to create a category. You don't have a following. You need to generate that following. People who used to do that was through third party cookies. And so now what? The marketers are looking at it, publishers are looking at it. It’s definitely a game changer.
Jamilla:Yes. I wouldn't want to be an advertiser right now. I feel it's quite like when GDPR came into effect in the UK and everyone started getting loads of emails from all these different companies saying, we're changing this and we're doing this, they were confused. And I think it sounds kind of similar with the new advertising rules with cookies. Let's get into the questions. Odia, what first sparked your interest in data privacy?
Odia:I was doing a lot of work in tech when I started out, like high techs, and then I started learning about the European Data Protection Directive. It always interested me to see what's the ramifications of using somebody's information in a way that isn't compliant with rules. I always gravitated towards that. And even now when I have, like, discussions with people, I do a lot of automotive, for example, privacy. And so I have conversations with my husband about the sensors and how they work. And so you can see he's a tech and innovation person, so he's thinking, oh, what do I need to program here? So the car does this, and it recognizes this, and it stops and it brakes and it moves. And I'm thinking, what are they going to do with the data? Who are they going to share it with? Who is this going to affect? And then I started out practicing more European privacy because of GDPR. Now, obviously, the US laws are catching up, and there's a lot of stuff to do there.
Jamal:Given the most recent announcement by Joe Biden, do you think there's going to be a federal privacy law in the US comes in?
Odia:You mean the executive order? So, I mean, the Executive order highlights a lot of issues with respect to the enforcement of privacy compliance. And it highlights that this is an issue that is important. I think this has already been a trend. I mean, it's not with CCPA and CPRA and the different state laws and the different bills even that didn't come to fruition. I mean, we've had tens of bills in the past year. I think it's obvious that the US approach for privacy is serious and people are aware of it. This is very big because I used to teach privacy law and Internet law at a university, at a law school here, like six, seven years ago. And I would ask people, the students, okay, well, what do you think is privacy? And the overwhelming response had to do with Fourth Amendment, search and seizure, government intervention, government surveillance. And very few were like, oh, private companies and cookies and social media. This just wasn't a thing. And now it's very overwhelmingly a thing. Everybody is aware of it. I think the pandemic also, and everything moving online obviously heightened that. So I think that there's definitely a push. There's definitely an awareness there's a push. There is a heightened need for enforcement in the US. Whether or not that takes the shape of a federal privacy law in the immediate future is not certain, I don't know if it's likely. The reason is that there are very big differences of opinions with respect to key aspects of what a federal privacy law would need to entail, namely the enforcement, who enforces it? And so you've seen in the past few weeks, there have been U.S bills, one, about the establishment of a Federal Data Protection Authority that would take away from the authority and the toolbox of the FTC. On the other hand, I read about this yesterday. So it's just like in the past few days, two different bills for boosting and bolstering the authority of the FTC as a privacy enforcer, right. 
There is one bill that went to undo the Supreme Court decision with respect to Section 13(b) of the FTC Act that allows a certain type of remedy. And there is another one. So then there's a question. The first question is, okay, well, one, do we need a separate law? But two, who is enforcing this? Is it still the FTC? Is it the FTC in the way they've been doing it, do we give them more power? Is it a different authority? And then we have in the US a lot of authorities that have privacy enforcement rights and capabilities. We have the FTC, we have the OCR, we have the CFPB. And so what do you do with them? So that's kind of one aspect. The other aspect is pre-emption: does the federal law need to be a threshold or a ceiling? And that is a very big debate and so because of that and you can see it in the state laws like some of the state laws that didn't come to fruition like Washington or Florida, private right of action, should people be able to sue in court for remedies or should this be an AG or a DPA type thing like it is in Europe to some degree even though in Europe you can also sue. So then the question is okay, can you sue, can you do class actions? And a lot of the state laws fell because of that debate. So that I think to me is going to be an impediment. The only other thing that I can add here is there is an initiative of a uniform like a model law that was just proposed and there is precedent for model laws in the US where states kind of look at this model and adopt on a state by state basis. They adopt a model and then de facto you have a standard but it is adopted by the states. So that is an interesting concept. The question is whether or not this model is the model to go with because that one specifically is very different from GDPR and from the US laws. And so query whether that will be a standard to go by but that could be a way.
Jamal:Sounds very interesting and this model sounds very similar to the directive that we had before the GDPR, the General Data Protection Regulations came in and made it a blanket law. It seems like US could be looking forward to seeing what's happening in Europe and try and find solutions from there to model and replicate and bring in and maybe in 10, 15, maybe 30 years' time who knows where we might be, we might have something very similar to the GDPR that's blankly applied across the whole of the states.
Odia:So GDPR has been flagged by the preambles in a number of the laws. I think Colorado had it, maybe not in the iteration. I think the Washington Privacy Act had it and a bunch of the bills in the Preamble they're saying Europe and GDPR and that's the standard and that is what we go by etc. And so definitely GDPR is something that the US legislators are looking at. Now between that and we're going to adopt this verbatim, I think there is a long distance, I think the approach in the US are very different to things and so there will need to be differences. And so one difference for example that I can flag that was very on trend and in the news recently is public information. So the LinkedIn, the Facebook so called hack, is this a breach? It wasn't a hack but is it a breach? Is it a breach? Is it an article 33 34 issue under GDPR? Is it a technical and organizational measures under Article 32. And the approach in the US to public information is very different. Just like, mentality wise I think that my friends and European friends that I've spoken with, they have a bad gut reaction to their public information being repurposed. And I think that in the US, the approach is, well, I mean, like, you made it public, like, what's the problem here? And there are grey areas in the middle, which is, yes, I made it public for charitable contributions, but I didn't want you to go and use it for picking me up for a donation or I posted it for a social media photo. I didn't want you to go and figure out that I'm disabled and, like, discriminate against me. If you see the US laws, even the ones that were passed and the others, there is a definition of personal information, there is a carve out for publicly available information, and then there is a difference as to what that carve out encompasses. Some of it is just information available from government, federal and government authorities. 
And some of it is information that the controller reasonably believes has purposely been made available by the individual. And so I think that GDPR is a benchmark for US regulators and legislators to look at. I think that the implementation, I mean, has been and continues to be somewhat different. But the new laws CPRA, Colorado, Virginia some aspects are closer to GDPR than CCPA. Specifically, I'm going to call out the definition of consent, which is literally copy based from the definition of consent in GDPR, the concept of DPIAs. And so that's going to be interesting as to how that plays out, because that's also a big game changer as to how we're used to looking at consent here.
Jamilla:Why is it that the CCPA has been passed when you mentioned it was Florida has failed in its attempt to get a data protection law at state level. So what is it about the CCPA that works?
Odia:So, CCPA and its continuation, CPRA were passed as a ballot initiative. And that's a unique kind of construct. It exists in a number of states, but California is one of them. And that basically means that it was passed by the people. So there was an initiative, the initiative was by the proponent of Alastair Mactaggart, basically formulated this proposal, got the required number of signatures, and then in the beginning it was basically, okay, I'm going to pass it as a ballot initiative or, hey, California legislation, either I pass this as is, or you pass it as a law. The CCPA got passed as a law, CPRA got passed as a ballot initiative. And that's really interesting because it also means that the ability to amend CPRA is limited and depends on the people, which is really interesting.
Jamilla:If they wanted to amend it, it would have to go back to the ballot. We can obviously tell that you're very passionate about the data privacy sector. What is it that you love most about working in data privacy?
Odia:The thing that I really like the best, and that is that there is a lot, it's very dynamic. There's a lot of changes. You have to keep up with the changes, which, based on our conversations from the beginning, I really love learning. So this is sort of like a built in learning experience, because if you don't keep up with everything, then the CNIL said something yesterday, and then Luxembourg said something and you missed it, and you're like, out of the loop, right? So that's one is that it's very dynamic, and the other is that I practice in some other areas of law. Like, for example, I used to do M&A transactions. And the thing that I really like about privacy is that you do an M&A transaction. It's an M&A transaction for widgets or it's an M&A transaction for an ad tech company, depending on your role in the transaction. You really don't need to know some of the insights, right? Because it's a company, you look at its ledger, you look at its stock set up, and that's it. And you have an asset exhibit. And the asset exhibit, somebody fills it out with other things. In privacy, the facts are very important, right? Somebody says my favourite question, right? Like, do you have a template privacy? No, I don't have a template privacy notice. You can have a template, right, for the pieces on, like, the rights and the changes but the piece that really matters, which is disclosing and analysing the use and the sharing of the information, that's super fact specific, and you need to kind of dig into the facts. And so I like it because I think it's kind of like a 3D puzzle, right? Like, you've got facts and then you've got laws, and the laws are changing, and then you've got to implement them into the facts to make it practical. So I like the challenge of that and the dynamic nature of that.
Jamal:I love that example you've given me. What we teach people in the academy, there is no template approach. You can't take templates and try and apply them to every organization that you come across. You have to take a bespoke approach. Every organization does things differently. They have different purposes. Even if they're in the same space, they will still do things differently. They will collect different information, they use different processes. And therefore, you need to make sure that you understand how to take this information, how to collect this information from the business to begin with, and then put it in a way where everyone that leaves you can understand what's happening with their personal data. It's a bit like I said, these are tools, right? If you just have a hammer and you don't know anything, everything you do. You're just going to go on to try and bludgeon with the hammer. But it doesn't necessarily mean that you need to take a hammer to everything. You need to know that there is a hammer there, and when I need it, I will use it. But there is also a screwdriver, there's also a chisel, there's also a pencil, there's also a pen. And you need to craft what the solution looks like rather than just take that tool and smash everything up with it. And this is fascinating for me to hear, is that you also take the same approach and it's like, no, there isn't templates. And the reason people pay Privacy Pros a lot of money is because, yes, they can go and buy a template for a couple of $100 off the Internet somewhere, but they would rather pay someone to make sure that they get it right. And it's about getting it right first time. Because you've seen the horrendous privacy notices, you go in and you read something like this does not make sense, and you can tell it's copy and paste. 
And what that does for the end users, the lack of confidence they have in you when it comes to the privacy, the lack of trust they have, means you're ultimately going to start losing business with people who value their privacy. And if you're in Europe, that's a very big deal. Like you said, people in Europe are very uncomfortable even with data that they've made public. How is that being used outside of my control? Well, I didn't intend for it to be used in that way, so therefore I'm actually going to stop using that platform. I remember in Sweden, there was a little bit of news that came out about Facebook, and one in three people didn't think twice, shut down their Facebook account. If you think about how much of an impact that will have on the Facebook marketing revenue for Sweden, it's huge. It's huge. So simple things can make massive differences. And that's why, as privacy professionals, it's important to be able to understand how to do these things, and it's important to train the right way, so they don't just think, I have to use this template in this way. They can actually think for themselves.
Odia: me point, I think this is now:
Jamilla:So I'll share some clips to Say Yes To The Dress with you Jamal okay. I can't imagine you've ever seen it. Odia, what is your most memorable client story?
Odia:The challenging things with clients is that I have realized that as an attorney, people that are even consummate professionals who are not attorneys, their perception of which facts are relevant for me and what I need to do are different than what I know the facts are of what I need. Right. And so that is something that my team, the associates that I train, I also tell them because it's a complicated aspect of your practice, number one, to realize this, that what your client told you may not be the end all and be all of things. Right? It sometimes takes one question to realize that this is not what they meant. I actually saw this. I did not do this but I had predecessors that use this big GDPR questionnaire that they would send to clients for answers, and the questionnaire would come back and you'd read the questionnaire and you're supposed to draft the privacy notice by this questionnaire. And a conversation immediately revealed the black over white answer that you saw on the paper was not life itself. Right? So that's, number one, is realizing this. And then number two, the courage, I guess, that you need to stand up to the client and say, you said this, but you can say it. In a way, you guys are also very diplomatic in how you say it, but let's explore what this could mean. You don't just say, okay, this is wrong. But it's very difficult as an attorney, and especially starting out, to kind of have the courage to say, hey, I'm not sure this is exactly what it is, but it's your responsibility to do it because you're supposed to protect the client from exposure. And so I think that's something that sort of follows its way. I keep seeing this because especially in privacy, because it's so important to be fact accurate. That's something that I think is something that I would flag.
Jamilla:Is that something you feel you've gotten better with with experience, or did you ever struggle with that at the beginning of your career?
Odia:Yeah, for sure. And that's why I tell my associates that we have to, do brave is hard, courage is hard, I am a big fan of Brene Brown, and she says, you learn courage by couraging. Right? Like, you just got to do it and then you get better at it. And it's really difficult and this is not really privacy. But if we're talking to practitioners that are starting out, I think it's worth saying the other aspect is communication, right? Like communicating with clients. The epitome of, bane of our existence, we always have too much work. We're always behind. We're always like hamsters on a treadmill or whatever falling off right. But sometimes, and it's very scary, like you have a deadline, client is expecting something by midweek, by end of the week. You need to have the courage to say, look like I can't do it by tomorrow. The other is, okay, you thought you could, but something happened. It's really difficult and yet imperative that you look at and it's like, oh, I'm not going to be able to do it by tomorrow. I need another couple of days. And, you know, in the majority of the cases, it's more about the communication and the trust with the client. Oh, you were thinking of me, have me in your thoughts, you're prioritizing, I understand, as opposed to maybe they won't remember and just like keep dragging it. And then the deadline passes, and then you get an email from the client and then they're not happy. Right? And that is very difficult to do, totally difficult for me to have done early on. Also maybe generalization, but I also think that women have more of a tendency to open emails with an apology. I didn't do anything wrong. So that's definitely something that you have to learn. And I try to also kind of pass it forward to my team to start with and get that skill from the beginning.
Jamilla:That's really interesting. I was going to ask you, did you find it more difficult as a woman trying not to apologize? And I think there's a certain reputation that can come into it when a woman in a workplace is being confident she might get portrayed as aggressive and that kind of thing.
Odia:Yes, totally. Yes. I think that this issue is an issue on both sides of the table. It's an issue for us as women to not do it, right, also Brene Brown again, because she was saying that she was teaching class and she had her students self grade, and she said that all the men gave themselves A's, and all the women were like, undergrading themselves, so she had to stop doing it because of that. So, like, we as women also have to stop doing that. And I sort of do this informally, like in mentoring or teaching or whatever, women associates or partners, whatever, to not do that, because we can't do that. And the flip side is I think we should focus on the teaching and the training and the changing and whatever, because I think that if something is attributed to our behaviour, we should own it and change it. But I think that on the flip side, there is still an issue with when you don't do that and when you behave like everybody else behaves, like men behave, then you get a thing of like, oh, you're aggressive. If I were not a woman, you would not be saying that that I'm not that I'm aggressive. Right. You'd be saying, hey, that's a go getter, that's like an assertive person. So I think that we have issues on both sides and that need work.
Jamal:As part of the twelve weeks accelerator program, one of the things that we teach is the whole mindset classes and the communication. And a big part of what we teach as part of that mindset and the communications is actually number one, you need to have a growth mindset and you need to be confident in yourself, but it's about being confident about balancing that with the mindset of a world class privacy professional, having the ecological and ethical framework, but also having those communication skills. And one of the things that I found when I first started my career was I was very black and white, I was very direct. And as you said, you can't always take that approach, especially when you're working with clients all over the world. You have to take into account cultures, you have to take into account language, you have to take into account how things land and there's different ways of doing things and you need to be very approachable and versatile. So we spend a lot of time just teaching people the skills and the art of communication and how to apply it in different situations. And when you can really understand the framework of how to communicate effectively. When you can listen out for people's preferred representational systems. When you understand that 55% of communication is your body language. The 38% is your tonality. And only 7% is the actual words that you use and really master all that. It becomes so much more powerful. It all becomes about you as an empowered world-class privacy professional really doing everything you need to do to protect the reputation of your customers so they can inspire confidence. So they can cultivate trust and ultimately secure more business if they're in the privacy business region.
Odia:Yes, I completely agree. The cultural issue and being mindful of the people that you're speaking with, you guys are English, so you probably have seen those charts, what English people say, what English people mean, right? Like for somebody like me, that's very used to very direct communication, it's like, it's shocking, right? But you have to understand it and you have to adapt yourself to your client's style, right? Like some clients want recurring meetings, some clients want email updates, some clients you’ve got to adapt yourself anyway. You definitely have to adapt yourself culturally. And then the other thing I'm going to say is the Carol Dweck book Mindset is like a life changing book that I think everybody should read. It's amazing. And once you grasp the concept of growth mindset and that you can by applying yourself with effort and tenacity, you can change pretty much anything that you want to change. That's I think a huge takeaway if people can take that on as early as possible in their careers and lives.
Jamal:Yeah, I mean, Caroline Dweck’s, the whole growth mindset, that's the first thing on growth mindset and fixed mindset for us. People have gone through the program, they double the salary. They come out the other end and you go back and say, look, what was the one thing that really stood out for you? They don't talk about the privacy training. They don't talk about the practical aspect of it. They always come back with the mindset is the change that made the biggest impact. When that kicks in, I think everything else falls into place. So that's the reason we have that at the beginning, because we know that if you can change your mindset and everything else becomes easier, everything else becomes more fluid and more consistent and you can really go and be the best you can be.
Odia:Great.
Jamilla:A lot of tips there and I think not just for people who are in the sector, but just generally. I mean, I've learned a few things from listening to that. I think I'm going to try and be more assertive when I'm working. We’ll see how it goes; I’ll keep you updated.
Jamilla:mentioned that George Orwell's:
Odia:God, everybody should go read:
Jamal:You know what, I'm going to add that as mandatory reading it will be the pre work they have to do before they can join the live session.
Odia:Yeah, they can all blame me now.
Jamal:Oh, thank you.
Odia:There's a book that I read, so it's also in the same kind of vein as this. It's called Jennifer Government and it's also very kind of like futuristic dystopia and what happens when the government takes people's identities and whatever are taken over. I think, generally speaking, by the way, not as a specific recommendation, I would say that privacy professionals, or like any professionals I think should read and expose themselves to content that is diverse in general topics. So I think I listen to podcasts and read a lot of books on personal development and psychology and leadership or management. I mentioned Brene Brown, I follow her podcast. She has really two really good podcasts. One is called Dare to Lead which is leadership focused and the other is called Unlocking Us which talks about different aspects of life and people. And the cool thing about that is that we're cool and uncool because she speaks with different author of a book, usually current and effective. And so she interviews them for an hour with respect to the books. So that's really interesting because it gives you insight into different topics and different books and things that you want to kind of dig further into. So that's cool aspect, the bad aspect is now my audible wish list is like 60 books that I need to get to reading. That is kind of the downside of that but that's also an upside too.
Jamilla:We'll stick to links in. Odia why is it so important to train in data privacy with experts rather than just reading a book and learning how to pass an exam like the CIPP/E or the CIPM?
Odia:I don't think it's impossible to do it yourself. It's just much more difficult, right? Like it's much more difficult to do and it's much more difficult to get two things. One, to get the discipline and the structure and the consistency. Number two, to understand what you didn't understand, right? Like there are things that you read like, all right, then what exactly? Either you know that you don't know but you've got nobody to ask or you don't even know that you don't know because you just completely glossed over this and you didn't realize that you didn't grasp the topic. And then the fourth one, which I think is the most important is when you do the training, the most important piece, important piece for people that are going to take an exam is to pass the exam, right? Like, great, fine. But the real life importance is you've got to understand how all of this stuff applies in real life. And I think that an instructor that is an actual practitioner and gives examples I think is priceless. And this is one of the things that I really strive to do as a goal. When I do, I post a lot on LinkedIn and my goal I'm really happy when people say, oh, that was so clear. I understood that because that's really what my goal is. To break down these concepts of GDPR that are really complex, really amorphic and like somewhat may be boring and kind of bring them down into what they actually need. So if somebody says, do you have a legitimate interest or do you have a right legal basis for it? Right? And you ask somebody that's, like what does that mean? What does that mean in life? What am I supposed to do? What am I looking at right? Those concepts that you throw around in like a legal opinion or something that doesn't help the client. You are collecting VINs and you are collecting exact geolocation data. Ok what does that mean? You need to disclose it here. You need to have a pop up here, you need to get consent there, like breaking it down.
When you read the Article 12 transparency, okay what does that mean? Or like when the Article 29, what does that mean? And that's really important because, OK, you may be able to get enough retained in your brain to pass an exam, but then, OK, do you retain it later? Because things that your brain doesn't grasp, they don't stay. But later you go to practice, right? Because that's the whole point, is practicing. You've got to understand how it applies in real life, because otherwise, if you don't, you're not helpful to your client.
Jamal:Absolutely. You've nailed it on the head there. And also, before you even get to practice it for your client, oftentimes people are looking to get hired. So how is somebody going to hire you when they're asking you these technical questions and you can't actually demonstrate you understand how to answer in practice? Or you regurgitate something you've memorized. The hiring manager at the end they don't want to hear that. They want to know that you know your stuff, you know how to apply it, and you can't read a book and learn how to apply it.
Odia:I mean, I did that when I was teaching in law school. My law school experience, everything was open book, so my exams were always open book. It was like I wrote a hypo. I wrote this as a hypothetical case. And it's like, okay, we'll solve it. And I didn't have a word limit or a page limit, right? So people, especially today, right, with their laptops, everybody was copy pasting everything that I said in class, right? And like, copy paste all this stuff. And I'm like, okay, I know that you copied over my PowerPoint. Why is this helpful to me? People submit like, 15 pages of stuff, and then there was somebody else who had like, eight pages of stuff, but they were actually implementing and analysing. And that's much more helpful because at least my experience is that clients are no longer interested in 30, 40, page memos with citations and things like, what do I need to do? What am I doing? What does it look like in real life? I actually get screenshots. I was like, can you send me the screenshots? Can you send me the flow? Can you do a demo? And then I'm like, okay, this screen no, put this here. Yesterday I had a client, we were talking about notices at collection, and they sent me the link. And I'm like I cropped. There is this very helpful thing in Windows, the Snip tool, right? I snip little pieces of the screen. I'm like, here, take that out, move that here, move out there. And that's what, if I tell a client, present the information in a way that's most helpful to the consumer like, do they know what that means? No. Right. So it doesn't need, you need to kind of apply it to real life.
Jamilla:So the last question, as I mentioned earlier, gives you an opportunity to ask Jamal a question. Anything you'd like at all, the floor is yours.
Odia:What do you look for when you're getting instructors for the program?
Jamal:Yes, the top three things. Number one is that they have to actually be passionate about data privacy. They have to have a real passion for data privacy. And I've come across people who have invested good money. Sometimes they've self-funded other times, it's been paid for by their business where they've gone through training, whether it be two days or a week. And they're like, it was so dry, the instructor had no passion for what they were talking about. Sometimes people actually go and they are led by instructors who are just instructors, as in they have no field experience. So what I look for is people with practical experience who are really passionate about privacy. And the practical experience needs to be like breadth and depth. It's not just good enough to have sat in an office and written a couple of policies and said, here, it’s people that actually know they've had breadth and depth of experience. They bring all of that experience and now, because they have so much experience, they can actually break down what all of these concepts mean. Well, how does it apply? Okay, you don't understand it from this example let me share a story from this client, or let me share a problem from this industry. Oh, I did it like this here, but I wouldn't do it like this over there. So people that have that richness and experience and also people that are really passionate about privacy, you need to be passionate about this stuff. If you're not passionate, then you're not good enough to train. You don't deserve the stage or the privilege to train the people or to mentor the people who really want to know. So those are the two things that I really look at.
Odia:And I would say one, I think it's really important because I've taken courses by people that I do webinars a lot, and people are like, oh, we need a PowerPoint, we need a PowerPoint. And I'm like, fine. I mean, sometimes you do need a PowerPoint, but if you're reading off the PowerPoint, we don't need you. I can just read the PowerPoint. Right? And so that's one aspect. And the other is that I would say is I think you need to have passion for privacy generally, if you want to be in that field. Right? Like, if you're not passionate about it and I have a lot of people like 2Ls or people starting out, like, what should I do? You've got to really like it. If you don't really like it, let me tell you, this is like me and the harsh truth. You're like, what's the book?
Odia:The Al Gore book, right? The Ugly truth. So if you're not passionate about this and you want to be privacy professional or an attorney, not a good idea, because it's not an easy job. It is a lot. It is time consuming. It is intense. It is a service profession. You need to cater to clients. They have their preferences, they have their deadlines, they have their problems. It is not easy. If it's not easy plus you don't love it, it’ll be really difficult. Much better to get a job that's much more relaxed. I mean, I think it's kind of important to get a job that you love anyway. But I think if you're going to not love your job, you'd better pick something that's less demanding than this. Like, when I'm sitting in, my kids are, like, laughing at me because I'm sitting with my phone and reading all my stuff. They're like, mom, how many emails do you have? Is it still 100? But I enjoy it, right? I'm interested. My husband laughs at me because I'm like reading and I'm like, I can't, I have ten more pages. I can't connect, I can't move. Right? So if you don't like it super hard to trudge through the days. And so I would say you need to be passionate both if you're an instructor, but both if you're a privacy professional. And there are so many things in this area that you could like. So if you're like, oh, well, I really don't like compliance. Well, maybe you like counselling, or maybe you like incident response or maybe you like litigation or maybe you like privacy engineering. There's so much stuff. It's important to kind of spend the time to figure out what you like and like it.
Jamilla:Yeah and find your niche.
Jamal:Thank you so much for your answers.
Outro:If you enjoyed this episode, be sure to subscribe, like, and share so you're notified when a new episode is released.
Outro:Remember to join the Privacy Pros Academy Facebook group, where we answer your questions.
Outro:Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world-class Privacy Pro.
Outro:Please leave us a four or five star review.
Outro:And if you'd like to appear on a future episode of our podcast or have a suggestion for a topic you'd like to hear more about, please send an email to team@kazient.co.uk
Outro:Until next time, peace be with you.