PrivacyLabs Compliance Technology Podcast

Bringing Coherence to Privacy Compliance with Jodi Daniels

Paul
Paul Starrett:

Hello, welcome everybody. This is Paul Starrett, founder of PrivacyLabs. Remember, PrivacyLabs is one word. And as you have noticed, I have an increasing number of podcasts many than devoted AI. But I thought today we'd pull back a little bit more and really look at the holistic aspects of privacy and compliance. From the standpoint of the bigger picture from the horizontal viewpoint, and who I have today is somebody who I, who is my go to person for this type of an approach. She is she specializes in the use of tools to help kind of marshal the whole cause in one environment, one tool, she's been doing this for quite a number of years, has done some impressive things in the past and some impressive clients and so forth. And so, but we'll get into that in our in our questions, and so forth. So without further ado, I'm Jodi. Jodi Daniels, please introduce yourself, tell us more about you and your firm.

Jodi Daniels:

Sure, well, hi. And thank you so much for having me really happy to be here today. I am a privacy consultant, and our company's called red clover advisors. And earlier today, I was having a conversation with someone and it was actually a lot more business than privacy. And so what's exciting about that is we really bring a business perspective to the lens of privacy. And that's because personally, I started my career as an accountant. So I have a variety of finance and strategy and marketing skills. And I kind of found my way to privacy, most recently, when I had created a targeted ad network at autotrader.com. So we used to stock you for cars before Facebook did that. And now everyone knows what that is. But I did it way back when which is strange to say way back when. But that led me to the world of privacy and my favorite, which is really the intersection of marketing and privacy. red clover advisors, we're all about helping companies figure out this world of privacy, what it means and what you need to do with, like the operational arm, if you will, for companies.

Paul Starrett:

I see. I think something that jumped out at me, before I get into my first formal question is that this really seems to be a very, the privacy and compliance aspects really do kind of wrap around the business itself, its needs, its risks, and so forth. It's probably stating the obvious, but as something you would sign on to?

Jodi Daniels:

I would I think people always think privacy equals just protection security. Literally, I had a call today, and I must have said privacy about five times. And they kept saying, so tell me about your cybersecurity business like no, but it's privacy. Uh, you know, I think they're intertwined. And they're certainly an important aspect to them. So much of the business part of what people are doing today, it's all about data. And the privacy part is just making sure that we're using it in a manner that makes sense is complying with some laws that have been put in place, and of course, protecting it.

Paul Starrett:

got it got it. You touched on some things I was going to explore with you. But I think we're gonna find that some of our questions here coming up. One thing I noticed, excuse me in looking at your site, and and kind of doing some research on you is that you are a certified women owned business. And correct me if I've got those words out of order. But that that is something that you are active in. And I always love to see those efforts kind of unfold. Most of the people I do business with are actually women on businesses, which is, which is interesting. But did you want to maybe tell us a bit about that path for you?

Jodi Daniels:

Absolutely. And you're right. It's a lot of letters. And there's kind of different parts. There's the federal certification, there's the national certification. And so we have the national certification that we're women owned business, it's for an organization called WBENC. They're, they're kind of the leaders and people who do the certification. For me, it was really important for a variety of reasons. I am proud to be a woman owned business. There are not a whole lot of those out there in the universe. And I want I want it to be known. There's a certification offered. It's a standard one. And I thought that that would make some sense to have that symbol for someone who comes to our site and to be familiar with it. And at the same time, it's also really important for a lot of companies. They're looking to diversify their supplier base, and they're looking for diverse companies. And this way I have the opportunity to be able to kind of publicly raise our flag and let them know Hi, we're here, and we're happy to work with you.

Paul Starrett:

Great. I think that for the listeners, I'm just obvious, I'm sure but that's very important to making sure that we have a balanced workforce and business community. And it's great to see. I think I applaud you for that, by the way. I think it's great that you're you're taking that as Yes. It's great. You're taking that. Yeah. That we have. And we. I see. Got it. Got it. Well, good for you. Kudos there. So there, it seems to be that moving on to the next question here is privacy and compliance touches on, it seems to me, I mean, we're in the business privacy, technology, privacy, compliance technology. So we certainly see this. Right. From your perspective. How do you see this? Where does this where does privacy generally speaking, let's say for the midsize business? Where does privacy touch? Which departments which efforts that an enterprise is typically involved with? Is it touch? Where do you see it touching? And where do you find the pain points are generally the most troublesome?

Jodi Daniels:

Privacy is an interesting one, because it can impact so many different parts of a business, people often think about IT first. And that makes sense. We think of systems, we think, data in those systems, we think IT owns the big systems. But those systems could be used by the finance team, it could be used by the HR team, it could be used by kind of whatever product or service depends on what the company does, but kind of think of the main system, if you will, to make that business operate. And then marketing marketing can use big systems all the way down to little cloud based survey tools, or advertising tools that people forget about. So my my I love marketing, I shared earlier, my favorite part is the intersection of marketing and privacy, right. However, marketing is also where a lot of the data, and skeletons are sometimes hidden. So I see, it's really important to kind of understand that, even if privacy might feel owned, oh, that's the legal team, they have that or that's our compliance team, or where ever privacy is, quote, unquote, owned, which can truly vary in a company, and there's no right answer. It's really everyone in the company who has that ownership of it. But it does seem to keep falling to legal as owning privacy first, because it tends to come from a law, we have to comply with the law laws tends to fall in legal maybe risk, maybe compliance, and then it kind of goes downstream.

Paul Starrett:

Right, right. I think that that's my personal opinion, is that most privacy professionals would would mirror what you said very closely, including myself. I think it it's everything from processes, you know, are they privacy by design, you know, inspired, it follows the data, right? It follows training, right? There's so many different things. I think that With all of that said, then you have to start thinking about who is it that you're bringing to the table to help kind of marshal the quest, and to make sure you have a coherent kind of holistic process, because it can become I would imagine, very disjointed, and because of that unsuccessful. And so as a privacy compliance professional, yourself. This, I would imagine involves bringing many different multidisciplinary teams together. What, which professionals, I kind of touched on it already, I think impliedly. But which professionals do you think are vital to success? And how do you think about bringing those people together?

Jodi Daniels:

I think it depends on the company, because it depends on the kind of data that the company is collecting, and also where they're located because that also might impact what their requirements are a little bit. Certainly, whatever the main product in service of that company, the main kind of product or service owners, those folks need to be in participation, of course, some type of legal risk or compliance, or if there's a dedicated privacy professional, those folks, the security professional, my marketing folks that I've mentioned before, and, and then kind of again kind of depending on where you are, you might need someone from HR to represent employees, there's different employee laws. And then what's often forgot about is the finance team, but the finance team could have right contractors, they have vendor information and vendor information. It could be anywhere from a small vendor to a large vendor. So it's really important that we actually remember to include our finance team. I think when people are looking at who should be a part, there's there's all the different people process and technology, they all kind of come together. And I want listeners to understand it shouldn't only just be legal or privacy's problems, it's not It truly is a cohesive and collective effort.

Paul Starrett:

Right I yes. And I think that's only makes sense, from my perspective, I tend to what I tend to find, and I'm wondering what your thoughts are on this is that the technology becomes a bit of a challenge. If the team is not well versed in how, where the data is, how to find it, what type of data it is, what laws may apply to it, for example, marketing. You know, there are many issues related to when you do mark to people, when you're asking them for their information, what consent do you get from them? How do you maintain a record of their consent? And I'm going a little bit off, going a little bit down the rabbit hole here. But I do think it's important because I think that ultimate, as you said, you know, the laws, do kind of set the stage for who you're going to involve and how your data is going to be wrangled and managed. And so I think that's kind of just so I can kind of get our, our piece of this in here as the PrivacyLabs does specialize in, working with data, finding it, classifying it, monitoring it, and then working with someone like Jodi and her team, to include others to help find a place where we can bring that all together. That kind of brings me to my next question, and it's almost a loaded question is that there are tools that are built for this process and one that we both are, we spend a fair amount of time in you much more than me at right now I'm working on getting there. But as a platform called One Trust, there are others. There's BigID, there's a security.ai, some others, but for the sake of discussion, and for the fact that we are, I think a bit more familiar with One Trust. They've been great, by the way with the partner team, they really have been very helpful. Your sort of sense of what maybe it's helping that audience understand what One Trust solution is like, and how that can be used to really kind of make a very efficient, coherent, or cohesive, as you stated, path to gaining compliance and staying there.

Jodi Daniels:

Right? Well, that's obviously the technology piece. So when we think about people process and technology, let's actually go back to the people for a moment. So when we talked about the people part, we talked about the different, you know, the legal team, the marketing team, and whatnot, we also have to make sure that as part of that people team, there's someone who can help translate the specific legal requirement into what we actually have to do in the business. There might be an internal team member who can help us with that, you might need to bring in a privacy consultant, someone to help you actually what we call operationalize what the requirement is, and why that then is so important, and how it connects with the technology is you need a way to help you do that. There's old fashioned Google Docs, and Microsoft docs to help you manage all of that for large scale company. And depending on the complexity of what we need to do, we really need some tools to help us do that. So one of the easiest might be a cookie banner, I've seen plenty of companies tried to say we're going to build our own cookie banner. And I say, well, by the time you've designed the cookie banner, you could have just bought the license to one from a company who's done that they've built the technology, they're selling it at scale, and they're going to be the ones keeping up with it. Every time there's a new change. So I always love the development happy companies who want to try and develop everything themselves. But you know, when we think of like a cookie tool, I need to consent, I need a way to do that. So again, there's many tools out there. One Trust is a fabulous tool to be able to help you manage cookie consent. Another one might be data inventory, I need to know what kind of data that I have in the company. So from a legal perspective, you might have received, I need to have a data inventory. Now you need that business person to help you translate. Okay, what what does that mean? What is the data inventory? I hear I have to have this GDPR report. What What is that? What do I actually have to have on it? What are we even talking about? You can have a tool help you manage that. You can create workflows, you can create systems, you can have logs, you can have what we did this year, you can copy it to next year, you can use it you can update it for going forward. Anytime you want to make a change of schmokes. We forgot about that extra question. We want to go and ask that to everybody. You don't have to go and insert lines, you can just add the question once and poof, it magically can go out to everyone who has what we call an assessment to help you get that information. So that's just kind of some of the ways that privacy tools privacy management software is going to help a company be able to manage its privacy obligations. And this will become even more important. As in the United States, we have new state laws coming on board. Pretty soon, there's a high chance we're going to have California and Virginia, which are passed and signed. In Colorado, as of this recording is waiting to be signed by the governor. Everyone expects it to be signed. So can you imagine as a company, you have three state laws that you have to manage? Well, they all might be slightly different, maybe your business and what you do in each of those states could be slightly different. And you really want to be able to know what you're doing. So a tool is going to help you really easily manage what those obligations are. It's important though, that the tool by itself is not going to solve that it's the people and the tool, plus the process to help you use it. That is really going to help make it all work together.

Paul Starrett:

Great. And by the way, I have to compliment you on your the way your style and explaining things just so people know, Jodi has her own podcast on her site. redcloveradvisors.com, I think I'm just to make sure I have it, right. There's a podcast and you're very good at this. I just wanted to

Jodi Daniels:

It's what I do all day long is help explain this to companies. It's complex. And this is something that we do all day long. But if you're not a privacy professional, you, you know, we're talking to you, like we're, you know, crazy creatures. And so it's important to understand what the basics are for someone to be able to have it all make sense.

Paul Starrett:

Yes. And again, just to shout out that, I've listened to your podcast, and you and Justin, each kind of have sort of a fun way of introducing your topic, and so forth. And if there are a lot of fun if you want to go in and learn more about Jodi's business and learn more generally, that's a great place to do so. Great. So, um, yeah, I think that I would mirror much of that I would also, from my perspective, from the technology side, and I'm not trying to separate them, I'm just saying that, you know, someone like yourself, and my firm, would come together, maybe with the lawyers, or the it could be any of the IT team, this their security team, depending on how many different verticals, vertical teams they have within an enterprise, how all that comes together in one place, how you can, for example, if you have a marketing presence, and you're ingesting personal information from your customers, that now that goes into your system, and you now are required by those laws you mentioned, and that's becoming increasingly more complex, and more onerous. As far as how the enforcement happens, the information comes in, you store it, now you have to make sure that you understand what consent you have, from those people who whose data, you now are the custodian of if you will, you are sort of they trust you with that information comes back into the system. How do you make sure that you have high quality data? Where if you have two records that are to the same person that you don't, you know, mistakenly consider them as two different people. And they're, in fact, the same person? Where's the data kept? Which different jurisdictions are they in? If you have to generate a report, as you said, GDPR 30 report? I believe it is. All of that is really impossible, I think, to manage without a tool like One Trust. Again, there are others out there. But I think One Trust is really kind of at the front of the pack. I think let's see what else I think that. Is there anything else, Jodi, that we haven't talked about, I always like to give people that I interview, a chance to just sort of come up with something that they feel is something the audience needs to hear that we haven't discussed, yet.

Jodi Daniels:

Sure, I think there's a couple. So one of the first ones is going to be companies are at all different stages. You can be a small company or a big company. And you could be at the beginning or an advanced stage. It's not just a size of company type thing. It's really all about the type of data that you process, what your needs are, where you are, and how you got there. And much like everything else, you have to at least just start. So maybe you are listening and you haven't done anything before. The first place is just to get started. Identify somebody figure out which laws are in place, begin to understand your data and build a plan, even just a person and a plan is going to be a big step. And if you're a large organization, and maybe you've been doing this for quite some time, it's going to be complex. Maybe it's time to review what you've done over the last couple years now that GDPR and CCPA and others are here. And we have other states coming in now's a great time to kind of step back and decide is how we've been doing it the right way for us to be able to move forward and scale and that also is then connected to my other big point, which is that there's these laws, there are requirements. companies want to be good business stewards and comply with the laws. They also want to be mindful that their customers are expecting this of them. I can't tell you how many phone calls, I get that say, we received this contract. And I can't sign it until I say that we can adhere to all these privacy and security standards. And we can't do that today. It's literally the contract, the sale is dangling because of a privacy obligation. And when it comes to the kind of actually in the b2b world, the other place that shows up is especially in technology companies. So think about today, we can go online, we can compare all the different tools out there, and people are gonna list all their features, I can integrate, I have cloud, I have security, I whatever all the fabulous features are. Nowadays, privacy and security as a feature. If you don't have the right features to be listed, you're missing out, you're missing out on the opportunity to compete on privacy and security, because that's now where we're where we are. And on the b2c side, companies are realizing that consumers care about privacy, more than 30% are concerned about the data that a company has 50% of them don't even want to give data to a company. 80% of them are extremely concerned and don't trust companies. So you have a lot of distrust. And here's the opportunity to explain to a customer, here's how you can trust us, here's what we're going to do with your data. So it's really an opportunity, not just that we have to comply with the law. In fact, it's so much so that you're starting to see privacy show up more and more in kind of the ESG, or the environmental social responsibility areas of a ompany and privacy is now going o be a measurement. Much like f you manufacture something, here do you manufacture? How re your labor practices? Is it air trade? Is that ethical? Are ou sustainable? privacy is oing to be one of those things. o realizing its importance in he revenue side of your usiness, I think is really mportant for people to nderstand.

Paul Starrett:

Well, I could not agree more, I'm so happy you brought that up. It really should have been something that I brought up earlier. And but the idea that you can turn the your quest to become privacy compliant, is really a commercially enabling effort. Because it does show people that you care about their data that you can be trusted with it. And that becomes something that you can let your your clientele know, your clients, whether you're b2b or b2c. And I think the other thing you touched on and I maybe we just flesh it out just a bit more is that it seems to me that security and privacy are really very tightly coupled, because I don't know the privacy law that doesn't put security right at the top or very near the top. And so with all these breaches that have been happening with, you know, with what's the names are gonna escaped me here, when I have to think about them. I don't, I don't, they don't come to mind. But you know, the the, the energy supplier, where the entire East Coast has shut down the gas supply lines, and then some other things or ransomware, things like that. But these are becoming very key concerns from the standpoint of people who you do business with, and your clients. So I don't think I could agree more with you on that piece of it. Compliance is often thought of as the you know, the necessary evil or it's not the fun spend. But it actually is a fun spend, I think people when you are able to say, Yes, we have your private data locked down, it's secure. And you should feel good about doing business with us. So I think that's pretty much it, I did want to just mention a few other things about tools that they did that you mentioned, you know, whether they're just starting out or midstream with their process of becoming compliant or as close as they can, is these tools do have things like assessment questionnaires where they can walk you through the process of finding what laws apply to you. And then having you sort of go into your, into your back to your team, essentially, and ask questions about what do we have in place? What policies do we use, and thereby sort of setup, where you are and where you're going to be going. And one last thing I do want to mention is that there's more tools in One Trust summer, designed for specific purposes. I know this particular tool called on Centrl. OnCentrl.com. They are they're good generally, but they tend to have a very robust cybersecurity capability very similar to what One Trust has, but they're very good with that. And the guy I know that works there, Zack Jarvinen. And I've known for years Very good in this area. And so there's there's other options, depending on your needs. And again, I think you mentioned that, you know, a tool shopping can be an important piece of this too. So I think that's it. Um, thank you for the thoughts there. Thank you for giving us your last thoughts there. I think that was a great way to end. And again, if anybody wants to know more about Jodi, it's redcloveradvisors.com. I did get that right. You did? Yep. Clever advisors. calm. That's it. Yeah. Great team, great podcast, great way to do things. And Jodi and I are planning on maybe joining forces here on some projects, because we complement each other pretty well. So Well, thank you, Jodi. Again, and I'm sure we'll have another podcast soon. And thank you again.

Jodi Daniels:

Absolutely. My pleasure. Thank you.