
Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

 

Jodi Daniels  0:22  

Hi, Jodi Daniels, here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies. 

 

Justin Daniels  0:36  

Hello, I’m Justin Daniels, I’m a shareholder and corporate M&A and tech transaction lawyer at the law firm, Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade.

 

Jodi Daniels  1:00  

And this episode is brought to you by…

 

Justin Daniels  1:03  

Crickets. Crickets. 

 

Jodi Daniels  1:05  

Oh, it’s awful. Red Clover Advisors, though, crickets are kind of cute, I actually like grasshoppers better. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. So you said on our next recording, Justin, you wanted to talk about the storm and our experience in the storm.

 

Justin Daniels  1:52  

I’m going to let you tell that story. You tell it so well.

 

Jodi Daniels  1:56  

No, no, no, I would not want to take away from your excitement or interest. Maybe excitement might not be the right word. No, I don’t know, but our listeners are waiting.

 

Justin Daniels  2:08  

Well, we were in the crosshairs of Hurricane Helene, but we got lucky, so the worst thing that we had to do is Jodi and I donned our rain gear, and in the downpour, had to go out and figure out how to divert the rain from our flooded backyard, from going towards our house and going away. And so after figuring out what the gradient might be, and the first two times it didn’t work, we finally created a canal of mulch that sent the water from the small puddle to the big puddle, and then out the back of the backyard —

 

Jodi Daniels  2:43  

It was really quite exciting. Everyone, they are not engineers, but to figure out how to get our water to go away, and that it worked was really quite exhilarating. We were quite drenched, and it was, it was an experience. And we are very, very grateful, and this will likely air a little bit after the storm, but those in western North Carolina and Asheville will still need help. So if you have not already tried to make a donation or help people in that area, I encourage you to do so. Those areas are just decimated, and we are feeling grateful here in Atlanta telling our Talo, but it is truly nothing like what people experience there to bring it back to privacy and digital though, today we have to wait. No, you’re supposed to do the intro. 

 

Justin Daniels  3:33  

I’m gonna have you do the intro.

 

Jodi Daniels  3:36  

Yes, well, we have Joe Jones from IAPP, who’s director of research and insights, and before Director of Research and insights, Joe’s prior roles include serving as a senior official in the UK government responsible for digital policy and as a privacy lawyer in private practice. Joe, we welcome you to our silliness over here, and we people can’t if you’re listening, you can’t see but Joe has really cute flags in the background of his picture. I encourage you to watch, because then you can see these really cute flags.

 

Joe Jones  4:10  

Yeah, I’m very much a Brit abroad and bringing the flag with me wherever I end up. It’s a pleasure to be on this podcast. I can’t think of the last time I joined the podcast, a meeting, a call where canals of mulch featured so prominently, but I’m going to take that with me. I think there’s a metaphor in there with the work of privacy pros building canals as mulch.

 

Jodi Daniels  4:35  

There definitely is also the on the first try, when it doesn’t work, you try again, and then when that doesn’t work, you try for the third time, and then you cheer because it works. It’s that era of persistence.

 

Joe Jones  4:48  

I like it. I like it. 

 

Justin Daniels  4:52  

So Joe, can you tell us a little bit about your career journey?

 

Joe Jones  4:56  

Yeah, very happy to. Look, like many people in our field, there’s a streak of serendipity and just good fortune and randomness to it — I studied law. I had the best of intentions to be a lawyer, probably one of those lawyers that was on their feet in court, doing noble human rights work. Nonetheless, I qualified as a corporate lawyer, and I worked in the technology and media practice at the US headquarters firm. Uh, worked in London, in Brussels, and really had a broad practice. Uh, worked on some intellectual property issues, cybersecurity issues, and, lo and behold, privacy, the data protection were the draft GDPR, a very early draft GDPR kept me very busy, and I got quite heavily involved in the first Schrems case, and subsequently the second Schrems case and international data transfers became a little bit of a niche that grew up to be quite a prominent part of my career. That niche was a reason why I then joined the UK Government again, a bit of serendipity, UK voted to leave the EU in 2016 and all sorts of questions were raised about, what does this mean? So data transfers between the UK and the EU, the UK and the United States, the rest of the world. How are we going to do this work? Who’s going to do this work? I had written a law review article just before that referendum with the sort of hypothetical scenario, what might the UK want to do or want to think about doing, and that law review article, various bits of happenstance led to me actually doing the work with the UK Government for a number of years before I myself became a transfer, moved from the UK to the United States to work at headquarters for the IAPP, from old England to New England.

 

Jodi Daniels  7:08  

I love that expression, and as a former New Englander myself, it is a lovely area.

 

Joe Jones  7:15  

Good choice, and very familiar to me with all these town names being the same, it’s great. 

 

Jodi Daniels  7:20  

Oh, that’s an interesting observation. I hadn’t even thought about that. Now I’m so curious. We’ll have to do some research after this. Well, IAPP recently put out its IAPP organizational digital governance report, and it provides a comprehensive look at how organizations are adapting to the growing challenges of digital governance, and it focused on privacy and security and data governance. Of course, we have to throw our friends AI in there. Can you share the primary goals and innovations behind the digital governance report?

 

Joe Jones  7:57  

Yeah. So look, we had been hearing and we’ve been seeing in the market, from our members, legislators around the world, that there are two key drivers, two key challenges in the broad digital policy, digital government space. The first is the external environment, that just the rapidity that there’s a variety of change, the number of new laws, the nature of those laws and their requirements, the complexity. And it’s not just the laws, the socio technical, cultural dimensions to what we’re all in, what I’m saying digital governance, but within that, we’re talking about privacy and AI and cyber and content moderation, just that external environment, the changes, the challenges, the demands that are paired with, secondly, the challenges and the real need or desire within organizations to make sense of all, to turn what they’re seeing out there into something actionable within the organization. How do you structure yourself? How do you respond as a company, as an organization that is faced with all of these different laws that are overlapping, maybe even conflicting with one another. How do you move from your existing structures, people, teams, tools, techniques, to deal with this more umbrella, more all encompassing moment. This is the moment that we think so many organizations are facing right now. We’ve called it digital entropy. We think that’s a way of defining the moment, the complexity, the challenge. For any listeners of your podcast that are experts in the second law of thermodynamics, they’ll know just what entropy means, but for those not initiated who want to save themselves the five minutes of YouTubing, I have become an expert. Entropy just captures this sense of irreversible chaos, confusion and complexity. But whereas in nature and in physics, it’s irreversible, what we’re seeing is the human instinct prevail. We want to bring order to the chaos. Companies want to structure themselves. 
They want to find the tools, the techniques, the practices, to bring some sense and order and practice to entropy. So that’s what this report was looking at.

 

Jodi Daniels  10:36  

I know we’re going to dig more into it. It’s so true. I mean, we hear, I’m sure you see this too, Justin, I definitely do where companies are, they are feeling a bit chaotic, and people want, they want order to chaos. It’s actually how I felt once when I was in China, my description of trying to walk across the street alongside bicyclists and cars, I described exactly as organized chaos.

 

Justin Daniels  11:01  

I would describe it differently. Okay, I think it’s more about the pressure that gets put on organizations from the top down, that for AI, hey, we’re concerned the competition’s going to get a leg up, so they in their effort to get to the market as quickly as possible. Because, you know, it’s competition, things like privacy, security and the things that IAPP talks about, things that you and I do, get shunted to the side because you’re afraid that if you slow down, hit the brakes, try to figure this stuff out, you’re going to lose out. And then we see some unintentional consequences that are pretty significant.

 

Joe Jones  11:46  

Yeah, I think, I think it’s yes and, and I think what you’re speaking to there is the sort of the death rip of privacy and data protection compliance being seen as a department of no or a function of slow. And you know, we’ve seen this renaissance of privacy teams, privacy people, compliance people, reinventing themselves as these enablers, these empowers, in order to keep pace with and to stay relevant to the more strategic, the more senior business decisions that are happening in organizations. There’s loads of good reasons why that should be the case. I mean, how many CEOs, chief product officers, business functions are saying we need more data and or we need to know more things about the data we’ve got? Well, a lot of privacy pros historically regarded as no and slow and just compliant, so that regulatory backwater are putting their hands up and saying, Hey, I actually know quite a lot about the data we’ve got, where it’s come from, how we collected it, what we do with it, how we might be able to do something innovative and neat with it, and by the way, if we do this wrong, it could be really consequential, but I can help you with this strategic initiative that you’re trying to pursue.

 

Jodi Daniels  13:08  

So and I know that you cover this in the report, if you can kind of pull out some of the big themes, how are you seeing companies approach this balance of privacy and security and governance in particular, are there any big trends or practices that you were finding companies were deploying?

 

Joe Jones  13:26  

Yeah. So look, companies are as varied as they are in number in terms of their approach to these issues. In the report, we tried to document three broad, illustrative approaches. The first, and this is where I think the vast majority is to and we’re calling this the analog approach. Keep doing what you’re doing with what you’ve got. Just keep piling on extra work. Give your privacy team some cyber work. Give your cyber team some AI work. There’s just more happening in the external environment. Add it onto the existing structures, people, resources and reporting up through the same lines of the C suite, and make do with what we’ve got. I think a lot of companies in that position recognize that that may not be sustainable, and that they need to sort of graduate or evolve to what we’re calling sort of the next phase of that, a more augmented model, a model that has structures that define a more overarching, more umbrella term for digital governance, digital policy, digital regulatory compliance and strategic steers and parameters to that more committees. One company said that we’re in this model, and it just feels like there’s an issue, there’s a committee, there’s a lot of inter and multi disciplinary work. It’s a more augmented model, and then looking further ahead. And I think some companies envisage getting here very. A few companies are here. And what does a more aligned model look like? Structure where we see Chief, I don’t know, Chief Digital governance officers, functions that are covering it all, digital policy, digital governance, some companies are thinking about how to get there. It would require streamlining, the death by committees approach, which is hard. These things take years to put into effect for so many different companies. So those are the three A’s for companies in an analog model, more augmented and then a more aligned model, where so many want to get to a lot that requires empowering existing people. You know, who? 
Where are these unicorns that can be experts on cyber, AI, privacy, content, moderation, e-commerce, they really don’t exist. And if they do exist, they’re at a premium. And the market is what it is. It’s hard to just create and grow these people. And so we’re seeing existing structures, existing staff, get this responsibility, do the training, work more multidisciplinary, that is the way of saying it to bringing order to the chaos.

 

Jodi Daniels  16:17  

I’m curious about this augmented approach, and one of the challenges people have with committee is there has to be a decision maker. Otherwise you have however many people all sharing their voice, which is lovely. Nothing gets decided if there isn’t some ring leader. Were there any themes that you saw as to how those types of leaders or decision makers were anointed?

 

Joe Jones  16:46  

Yeah. So we can see this in the I mean, if you just, if you peruse LinkedIn, you kind of see this in the job titles of C suite leaders. We’re definitely seeing an empowering of existing C suite leaders. We’re calling it the ampersand phenomenon, the chief privacy and officer and something else. So a lot of these functions further down in the organization are rolling up into CPOs, for example, or CISOs, who are acquiring extra responsibility. We ran a survey in the spring of this year, and of the respondents, we had over 600 respondents in over 45 different countries, over 80% just over 80% of C suite privacy leaders had acquired responsibility for other digital governance domains. So when you break it down, that’s 69% of CPOs who’ve got decision making authority, AI governance, 20% at the other end of it, 20% have acquired responsibility for platform liability. Now that’s actually quite a big number, because not every company is liable for different platform governance, regulations and responsibilities. So we’re seeing certain existing C suite roles get this and get extra responsibility.

 

Jodi Daniels  18:16  

Thank you for sharing.

 

Justin Daniels  18:17  

You know you said something else in your comment about the companies who want to take, what an analog and a slow approach. And I guess the question I have that around that is, I mean, I remember as little as a year ago, I would talk to general counsels, and they’d be like, yeah, we’re going to just ban AI. We’re not going to let our employees use it. But now you go to any of the search engines, AI is embedded in it. You can see it, so anybody who wants to do something like that, it’s, you can’t, it’s there. And so I’m just wondering if, with the evolution of all this technology, if, if an analog approach, if it isn’t already, will soon be just completely superfluous, because it’s, it’s everywhere, there’s no way to avoid it.

 

Joe Jones  19:01  

One of the really interesting bits of feedback we got to this report, and we’ve termed this digital governance. But is that right? Given the ubiquity of technology, you know, for so many companies, digital governance is just governance. Because even if you’re making widgets in a factory somewhere, your use of technology, digital technology to deliver that brings into scope what we’re calling digital laws, digital policies. And so it doesn’t make sense to kind of fashion out a separate term for this. I think, I think that trend that you’re speaking to is going to really shape and broaden how much this resonates with the wider economy.

 

Jodi Daniels  19:53  

What are some of the surprising findings that came from the research and how organizations might be thinking or not thinking about digital governance?

 

Joe Jones  20:07  

Yeah, look at some of those lots of surprises, in part because, as I said, companies are so different. Their footprints are different, risk appetites different. Their sort of propensity to use and acquire resources is so different. I was really surprised by the prevalence of ad hoc committees. As I said, one company said it feels like I’m drowning under this death by committee approach. New technology appears — committee for it. Another technology appears — committee for it. And if you look at a calendar of someone’s organization, they’re in so many different committees, you kind of wonder when they get a chance to do the work. So I’ve been taken back by this sort of attraction to standing up lots of committees and boards, and I’m curious as to how they’ll be, you know, wound down as organizations trying to align and streamline. I’ve been surprised, although I know, benefit of hindsight, maybe I’m not so surprised at that 80% figure I shared, that 80% of CPOs, of privacy leaders have acquired extra responsibility for other digital domains. That’s a lot. If you had five CPOs, at least four of them will say, “Hey, I do privacy, but I also do a privacy adjacent, or privacy relevant. I cover the decision making on that.” That’s surprising to me? Well, the reason that’s surprising is the privacy world is so complex, just the pace of change, the variety of change, isn’t letting up in privacy. So it’s not like privacy professionals have extra bandwidth, but nonetheless, they’re still being tapped up to do this extra work. There’s plenty of good reason why that’s the case, why they’re well placed to do it. I’m just surprised that, yeah, I think privacy pros have another hour in their day. They’ve got 25-hour days to do this.

 

Jodi Daniels  22:14  

That’s exactly the all day of meetings, meetings, meetings, and to your comment about committees, and it’s one of the big frustrations many, many people have in corporate because you’re just in meetings all day.

 

Justin Daniels  22:25  

Yes. So another thought is, you know, how can organizations use insights from this report to improve their digital governance frameworks moving forward, especially given the rapidly changing regulatory landscape?

 

Joe Jones  22:44  

Yeah, the landscape is such a catalyst for recognition in organizations that this is real and this requires work. Sony, just look at the EU and you’ve got this alphabet soup of laws, GDPR, Digital Services Act, digital markets act, new requirements on cybersecurity and operational resilience. These are wake up and stand up moments for companies. I think if you’re looking at this report as the solution finding resource to how do you deal with this? I would say pause. What we documented, what we illustrate in this report, really is the fact that so many organizations are aware of this. They’re prioritizing it, but, and this is quite big, but they are embracing the fact that their approach is not perfect. The approach today is not perfect, and their approach tomorrow may not be perfect either. This is really hard. The second point is that these company structures, though they seem really easy to document in an org chart on a piece of paper, are quite fluid. So look beyond the org charts and think about the connective tissue that exists in companies, the people that can work with each other, how they can do that in a more ad hoc, holistic, flexible way, outside of the contours of communities, and embrace the fact that these structures are not permanent. I expect to see lots of iteration when it comes to how companies are responding. Look, let’s look at the titles of these Chief Privacy officers companies. Let’s see what they look like. In two years, five years, we’ll see a lot of iteration in how organizations present these roles, how they cohere the moment of digital entropy. Now they put into practice their response.

 

Jodi Daniels  24:46  

Privacy pros are having to learn to be incredibly nimble, and it just keeps changing, and we have our own alphabet soup over here in the States, for sure. Yeah, Joe, we ask everyone — what is your best privacy or security tip that you might share with your non-privacy friends?

 

Joe Jones  25:07  

It’s culture. It’s definitely culture. For me, I’ve had the privilege of working and living in lots of different countries around the world, and I’m a strong believer that people that work in privacy to go far and to do well, need to become diplomats sort of, sort of need to be great translators. And I think understanding cultural contexts is so important. So I say to my friends, like, when you’re overseas, when you’re traveling, even when you’re at home, understand the like, the different cultural context and drivers that shape your experience of technology, your experience of the world. If you’re in Mongolia, for example, it’s illegal for there to be CCTV of private karaoke studios. That’s in the Data Protection Act. Really, lawmakers spend time debating, discussing that that was shaped as a policy proposal because of the context and the culture of the environment. You have quite strict laws in Thailand around speech criticizing the monarchy, again shaped by the culture, and so on and so forth. Here in the United States, on free speech. So I think once you embrace the difference and diversity that exists in the culture, you can really engage in conversations and practices about privacy and data protection in, frankly, a more interesting way. This is not your day job, and it isn’t for a lot of my friends, not just friends with privacy pros. Those are my best friends. If this isn’t your day job, embrace the cultural context that has shaped privacy historically, that causes it to vary around the world.

 

Jodi Daniels  26:50  

It’s a really unique answer we have not had. Thank you so much for sharing.

 

Joe Jones  26:56  

Should have said don’t have your cat’s name as your password.

 

Jodi Daniels  27:02  

There’s no right answer here, but that’s probably also a really good idea. Don’t use the cat’s name.

 

Justin Daniels  27:09  

So Joe, when you’re not reading, writing on privacy and all things digital, what do you like to do for fun?

 

Joe Jones  27:19  

Well, we have a very nearly one-year-old who is a very joyful handful, so that’s a lot of fun. But in my own time, I’m a late bloomer in the field of classical antiquity. I’m doing a lot of reading and research on Ancient Rome, the fall of the Republic, reading Cicero’s orations at the moment, really cool biography on Cleopatra. And yeah, I’m really into a lot of that. I probably consume way too many history podcasts than is sensible.

 

Jodi Daniels  27:57  

So we are so glad that you joined us today to talk about the IAPP digital governance report. If people would like to learn more about the report and or connect with you, where can they go?

 

Joe Jones  28:09  

They can find me online on LinkedIn, quite active on LinkedIn, and they can find my profile on the IAPP website. In the research team, we have a pretty steady cadence, cadence that reflects the environment we’re in of publications, infographics, articles. I tend to write a lot about European, EU, UK, transatlantic issues, so you can find me there as well.

 

Jodi Daniels  28:33  

Well Joe, thank you again. And if everyone listening has not checked out the report, I highly encourage you to do so.

 

Joe Jones  28:40  

Thank you so much. A pleasure to be on — great speaking.

 

Outro  28:48  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.
