Peter Kosmala is a course developer and instructor at York University in Canada and leads its Information Privacy Program. Peter is a former marketer, technologist, lobbyist, and association leader and a current consultant, educator, and international speaker. He served the IAPP as Vice President and led the launch of the CIPP certification in the early 2000s.
Here’s a glimpse of what you’ll learn:
- Peter Kosmala shares his career journey from advertising and digital media to privacy education
- Why privacy pros should rely on privacy principle frameworks to guide decision-making
- The importance of cultural literacy in understanding and applying global privacy laws
- Tips for balancing marketing personalization with ethical and regulatory obligations
- The role of certifications in validating privacy expertise and advancing careers
- Peter’s personal privacy tip
In this episode…
As data privacy continues to evolve, privacy professionals need to stay sharp by reinforcing their foundational knowledge and refining their practical skills. It’s no longer enough to just understand and comply with regulatory requirements. Today’s privacy work also demands cultural awareness, ethical judgment, and the ability to apply privacy principles to real-world settings. How can privacy professionals expand their expertise and remain effective in an ever-changing environment?
Privacy professionals can’t rely on legal knowledge alone to stay ahead. Privacy frameworks like the Fair Information Practice Principles (FIPPs), OECD Guidelines, and others offer principles that help privacy pros navigate shifting global privacy laws and emerging technologies. Privacy pros should also deepen their cultural literacy, recognizing the societal and political drivers behind laws like GDPR to align privacy practices with public expectations. Hands-on operational experience is just as important. Conducting privacy impact assessments (PIAs), responding to data subject access requests (DSARs), and developing clear communications are just a few ways privacy pros can turn knowledge into practical applications.
In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels talk with Peter Kosmala, Course Developer and Instructor at York University, about how privacy professionals can future-proof their skills. Peter discusses the value of foundational privacy frameworks, the tension between personalization and privacy, the limits of law-based compliance, and the growing need for ethical data use. He also explains the importance of privacy certifications, hands-on learning, and principled thinking to build programs that work in the real world.
Resources Mentioned in this episode
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors’ website
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: info@redcloveradvisors.com
- Data Reimagined: Building Trust One Byte at a Time by Jodi and Justin Daniels
- Peter Kosmala: LinkedIn | Email | Instagram
- York University
- IAPP
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media.
To learn more, and to check out their Wall Street Journal best-selling book, Data Reimagined: Building Trust One Byte At a Time, visit www.redcloveradvisors.com.
Intro 0:00
Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.
Jodi Daniels 0:21
Hi, Jodi Daniels, here, I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.
Justin Daniels 0:36
Hi, I am Justin Daniels, I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade.
Jodi Daniels 0:59
And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Well, hello, Mr. I’m having a bad hair day.
Justin Daniels 1:39
Yes, you warned me this morning, and I didn’t listen.
Jodi Daniels 1:43
Like little spiky things.
Justin Daniels 1:45
I was — so for the benefit of our users, I splash some water on —
Jodi Daniels 1:50
Running too many contracts. I just did all the podcast. This is a pop they’re listening, yes, so we’re watching true.
Justin Daniels 1:58
So they can go out to YouTube and say, Wow, that guy needs a little hair renovation.
Jodi Daniels 2:05
Okay, well, how about we’ll come back to hair later, and we’ll talk privacy now. Okay, all right, so today we have Peter Kosmala, who is currently the course developer and instructor at York University. Peter currently leads the information privacy program at York, which is based in Canada. He is a former marketer, technologist, lobbyist and association leader. He’s a current consultant, educator and international speaker. And he also served the IAPP as vice president and led the launch of the CIPP certification in the early 2000s. So Peter, I’m so excited to have you join us today.
Peter Kosmala 2:44
Jodi, thank you, and Justin too, and you look great, Justin. And I thought we were going to talk about hair, but now we’re going to talk about privacy. But thank you both.
Jodi Daniels 2:53
You know, like great to be here. I mean, some people might then tune us out. Talk to you people.
Justin Daniels 3:01
I could cut Jodi’s hair. I’ve seen some of her hair.
Jodi Daniels 3:03
No, you will not cut my hair. Okay, we’re going back to privacy now. So off you go. Justin, pick us up.
Justin Daniels 3:10
You see how quick I got cut off. Yes, I did move along. So Peter, can you share a little bit about your career path and what led you to specialize in privacy?
Peter Kosmala 3:24
Absolutely. Thank you, Justin. I’ll put my hair tips away for now. We’ll leave those for later. What is my privacy epiphany? So I was, you know, I was originally straight out of school. Back in the old days, I was coming out of advertising. So I’m an actual former Madison Ave, you know, Manhattan ad exec guy, a young kid coming straight out of school, that’s where I started. But it was at a time when, you know, when digital marketing, digital advertising, was slowly starting to emerge in the mid to late 90s, and that introduced an opportunity to start or being sort of familiar or exposed to this issue of privacy, which, of course, I knew about as a term. And we sort of all have a certain understanding of it as a right, vaguely, depending on our knowledge of the law as average folks. But I found myself quickly being pulled into that, into that picture, as I got more intrigued by this new thing called the internet, the World Wide Web, I was snatched by Wired Magazine, which, at the time was really a leader and a pioneer in talking about what they called the digital revolution, which was transforming not just business but life and culture and art. And, you know, everyday communications in pretty fundamental ways. And wow, is that an exciting hotbed to be involved in in the early days. You know, I was there when the first ad banner was served in October of 1993 by Hotwired, which is a Wired property and one of at the time, and actually the first ad-supported website ever, which sort of birthed an entire industry. And now, of course, we look at ad tech today, which is being, you know, it’s an entire ecosystem. 
But from Wired, I moved on into technology itself, I worked with a company called CMGI, which was another innovator in the Boston area, an internet holding company, essentially, that had a number of major properties at the time, like Lycos, a search engine, Engage, where a certain person named Trevor Hughes worked for a certain person named Mike Baker, who was the chief legal officer there. Ironically, we never met, Trevor and I, despite we were at this sprawling internet company, only years later to get connected through Mike Baker, our mutual friend. When Trevor was starting up this actually two organizations at the same time, the NAI, the Network Advertising Initiative, and the IAPP. But back then, it didn’t really have any employees, and he was literally operating it out of his garage before it moved to a small office space in York, Maine, and I became one of just the first five or six employees when the IAPP only had a membership, get this, of maybe a few hundred people, mostly in the states and mostly in very senior compliance positions. Now, in that experience of digital media and early internet advertising, I had also done some consulting and helping companies and individuals understand how to adapt to this environment and the different things they needed to cover. So my privacy lens was that was really the internet and digital media. I had no idea what health information issues may be, or financial services or children’s data, although I came to understand this quickly because Trevor was looking for someone who could help professionalize the field and elevate it, and escalate it and broaden it so that it became a real profession. And naturally, certification was part of that. 
And I hadn’t been a certification director before, but that’s what I was hired to do, to put together a curricula, a body of knowledge in close consultation with subject matter experts, and that’s how I absorbed a lot of privacy in a very short amount of time, but I enthusiastically embraced it because I found it fascinating. And through these leaders in the field at the time, and many still are working, and they’re my mentors, and I’m very appreciative of them. Many of them were early board directors of the IAPP itself, but these were essentially advisory boards that advised the first ever credential, which was the CIPP, the Certified Information Privacy Professional. And in my nearly 10 years thereafter, of my tenure at IAPP, I oversaw the expansion of that into a portfolio of credentials, the first to occur outside of the CIPP, which, by the way back then, was an all-encompassing credential. It covered everything, not just the US, but the world, and that’s actually the credential that I hold. But the first place we went after that was Canada. We decided, you know, this has to go beyond the states. It has to be looking at things in more and more jurisdictional manner, because that’s really what distinguishes privacy, as opposed to, say, security, which is less jurisdictional in that way. So Canada was the first then Europe, of course, then other disciplines like IT and operations. And so those were the credentials. I was involved with, launching the CIPP/C in 2006 and the CIPM and the CIPT to follow. And by then I was Vice President, and I was also doing other things like business development, and just to compress the most recent few years, you know, I got in, I sort of returned out of association life, wanting to get my hands sort of dirty with the real policy making. So naturally, that brought me to the epicenter of at least American policy making, which was Washington, D.C. 
So I adored my years at IAPP, and I got to see the world, and I’m very grateful for that, and learning from all these leaders and just becoming essentially a privacy expert by absorption and certifying many hundreds of people. You know, back then we, we just, we proctored the exam in person. So I literally proctored every single exam event ever. Today, of course, it’s computer-based, but I move forward from there into technology, or, sorry, into that’s my was, my lobbying life in D.C., working for, actually an advertising trade association, but now in more of a privacy context and other issues as well, like IP and children’s advertising and, you know, disclosures, all these sorts of things before, to bring this full circle, I came to an ad tech company which is now the advertising enabling technology of Roku, the streaming services provider, and on to teaching. And this is kind of a full circle, because the reason I got introduced to York by a colleague was really by virtue of helping to launch the Canadian certification way back in 2006. So York was figuring, we’re launching a postgraduate program for the first time. How should we do this? Who should we talk to? And everyone was saying, Oh, you gotta talk to Peter. Even though he’s American, he can help you with this. So initially it was just in an advisory capacity, but as we got more into it, it became abundantly clear that they really needed more help, and they were very, just very interested in having me to do this in terms of curriculum development and instruction. And that’s where that started. So that’s a full circle summary of how it all happened.
Jodi Daniels 9:40
And with the history of IAPP along the way, which I did not know exactly, for anyone listening, and you were kind of curious, how did IAPP CIPP get started, and all the inner connections really fun and fascinating. I did not know that, nor did I know how wired was a subset of wired it is. It was a set. Realize that, but
Peter Kosmala 10:00
It was there, all you know, based out of San Francisco, and that was their online venture. And it eventually, they eventually sort of grew in sort of symbiosis with each other, before, eventually, fast forward, you know, Hotwired kind of went by the wayside. In a certain sense, the magazine was acquired by Conde Nast and became part of their publishing empire. Still a good publication today, but starkly different than the early days, where it was a really sort of vivid, electric experience in so many ways.
Jodi Daniels 10:27
Yeah, no, I remember it. So, you know, you just kind of shared how you helped shape privacy education for working professionals and certifications and kind of privacy through osmosis. So what lessons or frameworks from teaching, and now where you’re teaching today, do you think are really helpful for privacy pros who are trying to navigate today’s challenges?
Peter Kosmala 10:51
Well, obviously you have to be well, well, immersed in the legal requirements. And while, I would say, looking back, you know the laws were paramount from the very beginning, certainly as these were starting to arise. You know, the US doesn’t have a federal privacy law, but they have 50 different state laws of various varieties. So that you know that in itself, is a complex environment. You have Europe, widely regarded as the gold standard of the world. You have nations coming into play that are the major, you know, economic and population centers of their regions, like Brazil and China, but far more recent in development of their laws. So the early emphasis really was, Do you know the laws and the requirements, and can you operationalize those? Now, I’m finding more recently that we’re in this new era of AI, yes, but I’m not really so anchored to AI alone as to the notion of emerging technologies generally. And I find that, you know, things like blockchain, or soon, eventually, quantum, going to be very transformative. And now we have to, sort of, we have to move at a pace and with a dexterity that we didn’t before, frankly, and where, frankly, some of the laws are going to find great difficulty keeping pace or catching up. And it may not prove to be the method to use anymore, or at least exclusively. So where I recommend privacy pros to look with greater scrutiny is in some of the fundamentals. For example, the privacy principles frameworks. And there’s a number of them, you know, there’s the original FIPPs, the Fair Information Practice Principles from the US, way back from the 1970s. There’s the OECD framework, more sort of a global economic picture from 28 member economies, not even nations per se, but looking at how trade flows or cross-border flows of data impact economic development, that’s critical. You have the APEC framework, the Asia Pacific Economic Cooperation. 
Here in Canada, we have a framework jointly developed with the Americans, called the GAPP framework, the Generally Accepted Privacy Principles. But I find what’s beautiful about those is they’re fundamental, and they’re just very literate and understandable. So folks are getting started in privacy can use them to start to frame how they need to be thinking about these issues, because those are essentially the foundation of many of the laws. So while the legal language can get confusing, you can always sort of reduce it to those core principles. That’s especially helpful when you’re working as a privacy pro with other areas, which are going to do with greater frequency. You’re going to be working with IT and marketing and HR and these all other areas, and you need to speak a language that isn’t, well, the law says this, because that’s simply going to confuse them. That’s not their responsibility. Strictly speaking, they may have other legal compliance to be concerned with. So how do you distill that down into something that you can action? And I think principles is the way to do that. You know that that could also lead you to, for example, codes of conduct and other frameworks.
Jodi Daniels 13:32
That makes sense.
Justin Daniels 13:34
So privacy laws are constantly evolving, and as you said, different across regions. Can you share some advice for professionals that are trying to stay informed and compliant in this ever-changing global privacy environment?
Peter Kosmala 13:51
Sure, I think, you know, there’s kind of the dare I say clerical side to this, which is literally looking at the law, looking at the language, or getting an expert to interpret it for you, if that’s your, you know, your general counsel, or your outside counselor, for example, someone that can translate what some of those requirements are. And in many, many of these examples, it’s literally translating it, because it may be in Portuguese in Brazil or in China, you know, in Mandarin in China. But I would say there’s, you know, there is a certain skill that I don’t see. It’s certainly not abundant, and I would like to see more of it. And that is a cultural literacy that’s sort of taking this back a bit and understanding what are the, what are the social and almost political drivers of this law that you’re looking at, like, how did, how did we get to this point? There’s, there’s a tendency for us in privacy, to kind of just dive right into the law without sort of making the attempt to take a step back for a moment and understand the context and how, how this law came to be and what inspired that, and maybe if there are, you know, principles to look at, or other sort of dynamics or catalysts that brought us here, and that’s when you’ll discover that just how personal and cultural privacy truly is right. We like to think of it as purely legal, in legal and regulatory terms, like, what are the rules and what are the legal obligations? That’s hugely important. I’m not saying skirt that, but really what, what informs that is a cultural perception of this is, this is how this region of this jurisdiction views the role of personal information in their economy, in their society, in their technology innovation. 
And the more understanding you have of that, which you won’t necessarily get from an attorney, all due respect, but from, frankly, a deeper understanding of maybe the trade relations or the political dimension, or even the history or philosophy of the people that are there that will really help you, because that’s sort of an instinctive sense that you can follow. And hopefully the law matches, it matches to it, and usually does, but not always. And I think if you prevent, if you’re presented that rather indelicate situation of do I interpret the law specifically, just so I know I’m compliant and my job is done, I would suggest to you, no, your job isn’t necessarily done, because if you’re not listening to the individuals you’re serving with what their preferences and expectations are provided. Those are reasonable and not crazy, right? Just to a reasonable person, then you know your instinct may be off. You need to be looking at both.
Jodi Daniels 16:09
So interesting you say that I use the simplified version of that often when I’m trying to explain GDPR to people and how to think through making a decision. And to really go back to the concept of fundamental rights, where it comes from, why it’s there, and as an organization might be trying to decide, can they do something to then think about, well, not just that technicality, but also just what you described, which is what that person in that place might be thinking. So it’s really interesting that you share that.
Peter Kosmala 16:41
Thank you. And I think you know a lot of people recognize the GDPR, even average folks on the street. It’s entered in the public vernacular in a certain sense. But it’s not just a regulation, and it’s not just one of the higher standards in the world. It’s informed by a discrete social and political history, a post war history, but particularly in Eastern Europe, and even in Western Europe like Spain, in the Franco years, you know, we saw evidence of authoritarian regimes. Or, you know, information, the East German Stasi, for example, using information against the people. And that’s really what informed Europe’s understanding and definition of the fundamental right. Which does beg the question is, you know, is this a global fundamental right? And sort of, the provocative thought I have to offer is that’s not something you can declare for the world. That’s something you have to have to interpret within your own culture. I would hope you would arrive at it being so. But you know, just a cautionary thought here, which is, I don’t know that Europe has the right to declare that it is a fundamental right for the world. It is for Europe. It is potentially for other regions that share a similar history like South America, for example, I mentioned Brazil, lot of turbulent history in the 1960s or Chile under Pinochet in the 50s, 60s and 70s, same sort of parallel history there. But yet, South American nations need to interpret that on their own terms. It’s not simply become an extension of Europe.
Jodi Daniels 17:58
One of the things we share in common is a passion for digital media and privacy, and nowadays, people are trying to use data and create personalized experiences which can sometimes butt up against privacy. So what are your thoughts or advice that you’d have for companies as they’re trying to sort through what’s ethical to use? What’s okay to use? How do I line it up against all these different privacy laws?
Peter Kosmala 18:26
Yeah, thank you. That’s a, that’s a, you know, that’s a, that’s a complex question. And I, you know, I approach it in part from part of me irresistibly taps into my experience from the early days when we were all very excited, meaning internet, early days when we were really excited about the potential here, the possibility, you know, here’s a media, here’s a channel, the internet. The Web, in particular, the web is a graphical interface, an opportunity for us to be truly interactive and have, as a marketer or a brand or an organization, even a non-commercial organization, to have genuine, real time, authentic conversations with people, and what’s more, what we’re delivering to them, if it’s web content, or even if it’s another product, can be something that’s tailored more precisely than what we’ve done historically. How exciting is that that should suggest sort of an intimacy and a familiarity that consumers would appreciate, that was the inherent promise of personalization. But as we quickly learned, you know that rubbed up against Whoa, I think you know a little bit too much about me, or you’re anticipating what my next decision will be, or you’ve been following me in a certain sense, my behavior. And you know, I think while some may giggle, that does come from a genuine place, from the brands that they simply just want to know, can we give you a message or an offer that’s relevant? And part of this, too, relates to the internet as being fundamentally, or at least the web fundamentally, an advertising based business model. So that’s where it gets complex. Because I think if you’re really going to crack this issue, you’d have to revisit the business model itself. If there’s an inherent difficulty or a struggle with the fact that ads are being served in exchange for observed behavior or interests to make those ads relevant, and thus performing, because there’s money involved there. 
You know, these are not free services online, as many people may assume, just by paying their ISP bill that month, they’re advertising subsidized. So the alternative would be, you have to pay for it in another way or but the, you know, the ads are the way we do this, that we offer this. So there’s that essential conflict between the promise of personalization, but these fundamental conflicts around how invasive this is, how you know, how surveilled you may feel with legitimate concerns. And you know, again, I love that you brought up ethics, because I don’t, you know, again, I don’t mean to skirt the legal obligations those are there. But in many cases, the technologies and even the consumer behaviors are developing so quickly that law is finding it difficult to keep pace with that. So yes, there, to certain extent, there are requirements that apply to online behavioral advertising, for example, but not in others. And then you have to figure out, well, where do I go? That as an organization or as a professional? This is where self-regulatory frameworks can offer guidance, because they’re essentially a proxy. You know, there are critics of self-regulation who say that that’s too close to industry itself. It cannot police itself. But there’s another line of argument, which says that actually, these are the organizations who have the greatest frequency of contact with individuals. Regulators don’t, legislators don’t, despite that, they were elected by these people. They don’t have the level of contact in terms of frequency and volume by any stretch that actual organizations do, customer-facing organization, so those organizations have a pretty intimate understanding of what people want and expect. They can feel it from the feedback they get or the attrition they experience because people are leaving or not taking the product and service anymore. My recommendation is they have to be more tuned into that. I don’t think there’s sufficient. 
You know, my ad tech friends are going to kick me under the table for saying this. Some are friends and some are clients, but like, they need to be tuned into that more. There’s even a reticence among industry players to really ascribe to self regulatory frameworks, because they just want to do what the law says and nothing more. And that’s that won’t suffice anymore, as I alluded earlier, like you cannot just base everything off the law anymore. That has to be your basis. But it’s no longer the limit. That’s the foundation now, and you have to layer on other things on top of that.
Jodi Daniels 22:10
I always say, just because you can. So even if you look at the law and the law says you can, it doesn’t mean you should, because it might not meet a customer expectation. And the whole point is, right? Businesses are here to be able to serve customers regardless of what you’re doing.
Peter Kosmala 22:27
Precisely. And do you really, I mean, you know it confront yourself. Do you really understand, as a professional, as an organization, what individuals want? Are you authentically listening to that and patiently? Are you listening rather than dictating? And do you have a strong ethical foundation, like, what is your mission as an organization? And is that just an arbitrary statement on the wall? Are you following it? I mean, I think those are deep conversations that organizations need to reflect on.
Justin Daniels 22:53
Absolutely. So speaking about some of your key roles. You played a very important role in developing the CIPP certification. So for someone who works in or adjacent to privacy, how can certification or structured learning help build confidence and capability?
Peter Kosmala 23:17
It can greatly and it’s also important as really as a moniker to you, a seal of approval of sorts, but really a validation from the leading sanctioning body in the world, the IAPP, that you know what you know, and that you can apply that in a you know, in a skillful and an effective way to the organizations or clients you serve. So it establishes these standards of knowledge and practice that are absolutely critical, but it is a validation. So taking the CIPP exam itself doesn’t teach you anything. It simply validates what you know. So that begs the further question, how do you know what you know? And you know, there’s lots of ways to achieve that learning. You can do it by jumping right in, as I did back in the day, you know, where there weren’t so many training programs or even literature on this apart from just law books. But you can take courses like we have at York for example, at a university level training workshops that the IAPP offers itself. You can do lots of reading. The good news is there are so many really good books on this topic now, and not just sort of academic or legal reference, but topical that tap into what’s going on in Europe, or where the technology is taking us, or how culture is informing the development of this issue. So that kind of studying helps you and enriches your knowledge, so that you can demonstrate that you know what to do in situations that are getting increasingly complex. So certification validates that, and it’s a way to say to the world, I do know this. It’s from an independent, authoritative body. Now you’re more marketable. That really distinguishes you from a candidate who’s claiming to know this. But do you, in fact, know? So as a hiring manager, you can say, Yes, I recognize this credential. I’m even going to make it as one of the prerequisites in my hiring criteria. And we’re seeing more and more of that, and the IAPP has demonstrated that there is, in fact, a measurable increase in what you can earn, or the value or your promotability, or how quickly you’ll elevate through the roles you seek by virtue of that certification. And the great thing is, you have such a wide variety of credentials to choose from, even now, one for AI, the AIGP, the AI Governance Professional, which is not even, strictly speaking, a privacy credential. It’s a data governance credential for AI, but it’s looking at it from a privacy lens.
Justin Daniels 25:26
Well, Peter, I want you and our listeners to know that I have my AI degree Summa Cum Laude from YouTube University.
Peter Kosmala 25:37
Congratulations. Kudos, Justin.
Justin Daniels 25:39
But to your point, nowadays, you can reinvent and learn all kinds of new things, as long as you have the interest and the motivation to do it, because there are so many resources out there these days that you can learn from. I mean, you know, Peter, I was at my own AI workshop last week, and I was doing this thing, and three people come up to me and they say, “Aren’t you Jodi Daniels’ husband? I love the Red Clover newsletter.” I about fell off my chair laughing. But again, there’s so many different ways to learn and have resources. Yes, Jodi, you’re looking at me oddly.
Jodi Daniels 26:19
Well, I just think you might have forgotten you actually did go at night and take some courses to study from some universities as well. It wasn’t only YouTube University. There was actually some name. It doesn’t matter who that. There was a named universities, right? Multiple courses, tests and stuff.
Justin Daniels 26:38
That’s true.
Jodi Daniels 26:42
But anyways, you can pick your flavor and you can keep learning. I think that’s what you’re trying to say.
Justin Daniels 26:46
Just think we have to all be lifelong learners. You know, Peter, in the outset, he was talking about quantum, he was talking about AI, and whatever we learn at this moment on this podcast is going to change, and we have to be open to all kinds of learning. And when it comes to privacy, IAPP is a pretty good resource.
Jodi Daniels 27:03
IAPP is a great resource. And since we have to keep learning, yay. That means our podcast is going to continue. Good enough. Well, I think you —
Peter Kosmala 27:10
This is part of that very same process, and you’re both celebrities, by the way, so that you can recognize from, you know, from the people who inspire you and help you learn. And that’s, I think you’ve nailed it, Justin, in that, if you have an appetite for knowledge, like you just like to learn and experience, you know that alone, as an impulse, will guarantee you, as a level of success and privacy, because there’s so much here happening and developing. I’m still learning, and I hope the learning never ends. I’m teaching, but I’m still learning. You know, I learned from my students, in many cases, because you can’t be, you can’t have your finger on the pulse of everything in the world at the same time, but that can come into your classroom and really inform that. So learning is critical. And I would just, I would just close with this thought, despite all that, it’s not just about knowledge, it’s not just about what you’ve learned, but you have to be able to do, and I would say that, you know, the biggest challenge still that I hear from people that come to our program at York, for example, or people that want to transition into privacy. Maybe they’re a records manager or an IT manager or something in an adjacent field, or maybe they’re in privacy, but at a basic level, they want to elevate that into a deeper investment. The major challenge is, I don’t, you know, I haven’t done enough of this, and that’s why, you know, at York, I’ve deliberately, we collectively have deliberately divided the course into three, because we’ve decided that it’s not just about principles, laws and legal concepts. That’s just the first course. It’s increasingly about technology, which has nothing. You know, we don’t really get into law as much as what does AI mean in terms of privacy issues like automated decision making, algorithmic fairness and all that. But then the closing course, arguably the most important one, is operations.
And at York you actually write a PIA, you actually conduct a data subject access request, a DSR, you actually evaluate a real vendor from a PII perspective. You present a privacy communications plan that speaks simultaneously to customers, regulators and the general public. These are all schools. These are all things that you need to do in some capacity when you’re doing privacy work. But how do you get that started, right, if you haven’t done it? So there has to be more of that. There has to be more of the operational education and real sort of application of skills before any of this has traction. It can’t be just theoretical 100%.
Jodi Daniels 29:23
Because that’s the hard part. You have to be able to translate these requirements into how you actually make it work in a company, and all the theory won’t do that. You have to really tackle and figure out what kind of assessment is going to work for this company and who are the people, and a communication plan for Company A might not be the same as Company B, because, is it audio? Is it video? Is it newsletter? Is it short? Is an executive? Is it tips? All those are really, really important. So with so much knowledge and privacy, we ask everyone, what is the best personal privacy tip that you might offer to your non-privacy friends, when you’re hanging out with them?
Peter Kosmala 30:03
Um, it’s really situational awareness. It’s understanding and having, having an appreciation for what others may be thinking or desiring or expecting, despite that. That might not be your worldview or your sort of daily existence, but it’s having some sensitivity and some openness to that. And yet, still, per you know, still basing it in what you instinctively feel is the right and responsible thing to do. So in a number of cases, that is situational awareness. It’s being aware of what is the context and the circumstance that this privacy exchange may happen, whether that’s happening in the moment between you and someone else, or you’re just sort of impressing this upon others, like, you know what? Maybe you shouldn’t leave that billing statement out, or maybe the, you know, the laptop, you should turn the screen down, you know, brightness, or use a filter on the front so people can’t see it even laterally. It’s just sort of thinking in a more common sense, safeguard way. Are there things that you can just be more aware of in the way you conduct yourself every day? Because while I wish we could just walk openly and freely and skip merrily down the hallway and the sidewalk, you can’t do that anymore. Not that we live in a 100% surveillance society, despite what some academics may think, you just have to be more aware. And it’s just instilling that, I think, basic instinct in others, whether that’s your friends, your family, the people that you love or admire and enjoy being with that you’d want to be protected, and that, hopefully they come to you if they have a question, because they recognize you as the expert.
Justin Daniels 31:28
Good advice. So Peter, when you’re not out doing all your privacy stuff, what do you like to do for fun?
Peter Kosmala 31:37
Well, I’m a music head, so I used to be on the radio, for example, back in the day. And on occasion, I have friends who are still radio DJs. They’re, you know, they’re teaching at other universities, and I’ll guest appear on their show, but I see live music a lot. So I’m out most, most days, most weeks. I’m out not just one night, but maybe several nights, seeing, seeing a band, or, you know, some kind of performance, not so much theater, but like clubs. Love club music and you know, but all genres, you know, indie rock, psychedelic, fuzz, rock, jazz, reggae, whatever it happens to be, I write about it too. You know, my Instagram account is devoted entirely to culture, to music, and also art and literature. So I go to a lot of readings when authors come into town, our openings, this sort of thing. It’s one of the joys of living in an international, culturally literate city like Toronto, which is a great city. It’s a great international city. It has a world-class film festival, TIFF, which I attend every year. That’s what I’m doing. I am plugged into city culture. I love the country too, and I lived there for a time, when I lived in rural Maine for many years. But really, this is where my heart thrives. So I’m really plugged into that. That’s where you’ll find me. You know, you’ll like, up there’s Pete. He’s at a reading. Or, like, there he has the front row, like, hugging the edge of the stage for an indie rock show.
Jodi Daniels 32:55
That’s where I am. I love that. I love when we ask those questions, because that’s, you know, people are people at the end of the day. So thank you so much for sharing. If people would like to connect and learn more, where should they go?
Peter Kosmala 33:09
You can visit our York University Program, if you like. You can drop me a line at pkosmala@yorku.ca, if you have questions, I’m on LinkedIn, of course. If you don’t even want to talk privacy, but you want to know what I’m listening to this week, then find me on Insta, which is @PK_soundsystem.
Jodi Daniels 33:25
Amazing. Well, we’re so glad that you came and shared a very fascinating history of online and digital and privacy and CIPP and everything in between. So thank you so much.
Peter Kosmala 33:38
My pleasure. Thank you both so much for inviting me. It was a pleasure to speak with you, and I’m looking forward to seeing you again soon.
Outro 33:47
Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.