Click for Full Transcript

Intro  0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:36

Hello, Justin Daniels here, I am a corporate and M&A tech transaction partner at the law firm Baker Donelson. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels  1:00

And this episode is brought to you by oh my god that was so loved Red Clover Advisors, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there is greater trust between companies and consumers to learn more, and to check out our best selling book data reimagined building trust one bite at a time, visit Are you ready? This is our first podcast recording of 2024.

Justin Daniels  1:42

I have a question for you. Yes. What’s your question for our audience? Tomorrow happens to be our wedding.

Jodi Daniels  1:48

Great 16 year.

Justin Daniels  1:50

So my question for Jodi, for the benefit of our listeners is, what is your biggest memory from your wedding day?

Jodi Daniels  1:59

Oh, there’s so many, when might be the fact that you had to dance in front of a whole bunch of people because you don’t like to dance. Balong was really fun. But then we also got married in Florida, where it was a absolutely beautiful, perfect Floridian January day, and our pictures outside on the golf course. Because at the time you really liked golf and played golf. And so that was really fun. And my long flowy dress.

Justin Daniels  2:28

That’s good, getting married and having two kids will kill golf game in short order.

Jodi Daniels  2:34

Yes, but sweet 16, we hit 16. Alright, so today we’re going to talk about privacy, though. What else do we have? Apparently, we’re talking about Florida and golf courses. That was all right, well, but today, we have Jamal Ahmed, who is the king of data protection, as dubbed by the BBC. And he is the reigning digital expert on data privacy. He’s passionate about privacy rights. And he’s an acclaimed author of the international number one best seller, The Easy Peasy Guide to the GDPR. And he has transformed the complex world of data compliance into an accessible subject for everyone, which is near and dear to my heart, because privacy is big and complex. And we need many people to help simplify it for companies. So small. Welcome to the show.

Jamal Ahmed  3:29

Thank you very much for having me. And congratulations on your wedding anniversary, which is upcoming tomorrow.

Jodi Daniels  3:34

Well, thank you. Thank you. Thank you. Indeed, that’s where you, it’s your turn now.

Justin Daniels  3:42

Okay. So Jamal, talk to us a little bit about your career journey and how you got to where you are today?

Jamal Ahmed  3:53

That’s a very interesting question. I always have two versions. So I’ll give you the candid version. So essentially, I went to university, it was an average university, but out of university, and I thought I’d be snapped up, right. But that didn’t quite happen. Eventually, I managed to secure a role as a business consultant. And I was like, “Wow, I’m gonna go and do some really cool stuff.” But it turned out to be almost like a glorified business management, business development role. But one thing I did get to do was work with small businesses, people, entrepreneurs who are setting up their business, and be able to advise them on what they need to do from a legal point of view, give them some marketing advice, financial advice on how to manage their accounts and get all of those things set up. So they can just worry about focusing on the business and not get bogged down by all the legalese stuff. And one of the things that I had to focus on back in those early days was what we had here, the Data Protection Act 1998 involved registering with the actual supervisory authority, making sure they understood what the principles were and getting those things sorted. So I thought I was quite — actually I was the best at advising our clients on that at the time, but I didn’t go into private. He consulted and he was very limited, it was just getting them set up. And then from there, I moved on to financial services. And I found myself three, four years into my career. Although I’d moved roles a few times, I was always stuck doing similar things. It was always case handling. And every one of these cases was one of three types of outcomes, and it wasn’t much fun, it was very repetitive, very boring. And I was like, Surely there must be more to life and work than just waking up doing the same thing every single day. And it got to a point where it was getting difficult to find the motivation to continue that and look forward to that. And with those kinds of roles, there isn’t really any growth, what you can do is go to middle management. And then what, where do you go from there? Where am I making the impact? Where am I bringing all of the other tools, skills and resources that I’ve been practicing? What am I bringing all of the other personal development stuff that I’ve been investing in myself, so I was kind of frustrated. And what really came together was, somehow I managed to find myself at this event, where there was somebody talking about becoming an expert in a niche. And coincidentally, it was around 2015 2016, when GDPR was really starting to become a focus of businesses. And somehow I managed to get myself in on working on some of the transformation projects that the bank was working on. And what also happened at the time was, my wife got pregnant for the first time. So here I am thinking about the future, thinking about what I want to do, I’ve got a mentor now who’s guiding me. And this GDPR is on the horizon. So it was all coming together. And I said the universe was conspiring for this company. And I decided, You know what, I’m gonna go all in. And I’m going to start investing in really developing learning and growing in the field of privacy. So I started looking more into it, researching, learning as much as I could, spending time with people who I know that we’re doing here offering additional hours at the company to spend more time with the people who were in the Data Protection Team at a time. But the challenge I found was that I couldn’t land a role in it. And I believed it was my lack of technical skills that helped me back then. I believe it was my lack of legal education that I came across all of these hurdles that kept knocking me back. And eventually I managed to figure out that regurgitating laws, regurgitating stuff that I’ve heard on a webinar, regurgitating stuff doesn’t impress anyone, in fact, it confuses. And what’s really helped me do well in my previous roles, and what I really do, is take that and explain it in a language that everyone can understand. So I started doing more of that. And what I found was that it started opening up more and more doors, more and more opportunities. And over the last five years, it’s really helped me to catapult my career to a point where I have the privilege and the honor to help hundreds of companies around the world, and help thousands of professionals really get the clarity, confidence, and credibility they need to also make this accessible to everyone. One of the things I’m really grateful I’ve managed to put out there is the easy peasy guide to the GED. But I take all of that complexity, and break it down. So even my 11-year-old niece.

Jodi Daniels  8:05

Well, we’ll have to have, I would love to hear her interpretation of what she thinks about GDPR. But we’ll save that for another day. And as you just alluded to, you have been helping so many people on their privacy journey. Can you share a little bit more about what is the common misconception that you find for people trying to enter privacy or advance their career in privacy?

Jamal Ahmed  8:33

I think the most common misconception I find amongst just professionals in general, forget about them trying to enter privacy. I’ll go into that in a second. They think that privacy is just about legal compliance, in reality it is a really dynamic field where law, technology and ethics all intersect. And it’s not just about understanding regulation. It’s about how we apply that knowledge operationally. And the impact it’s actually going to have on people’s lives and staying ahead of those technological developments. And that multifaceted nature requires a broader skill set, and much more holistic understanding than just being legal compliance. For people who are looking to enter the field, one of the biggest misconceptions I think they have is they believe if they just go and get certified, then people are going to be knocking on the door and trying to offer them jobs. The key here is yes, recruiters and hiring managers would expect to see those because you’re competing with the pool of people who would already have that. So that’s kind of like getting in through the gate. But once you’re in through the gate, that’s not going to do anything to help you, that’s not going to make you stand up. You need to be able to show and demonstrate that you’ve got a strong grasp of the depth of this. Not that you’ve managed to beat an exam by answering multiple questions, but you can really understand how to appreciate it and apply it from different viewpoints in different scenarios and explaining to stakeholders in a way that makes sense to them and that aligns with the business objectives at the same time. I think what most people fail to understand is, yes, you’re fixated on getting that certification. But what happens after that? Why are there so many privacy roles that are not filled, and why there’re so many certified people who can’t rely on the roles, there is something missing in the middle. And that’s really what I tried to do is make what’s missing from just having a certification to what businesses actually need for you to be able to hit the ground running and take all of that theory and apply in a way that solves those challenges, whilst being respectful whilst appreciating what the business is trying to achieve, and ultimately respecting the users.

Jodi Daniels  10:34

That’s an important misconception. And for everyone listening, we did not have a pre show where I knew what that answer was going to be. But that is the same thing that I would, I would say, I see so many times I’m going I have this certification, or that’s the first step I think I have to do. And I’m trying to find my job and it says, If certification equals Now I’m ready, I have what I need for the job. And that is very much just a, you know, a piece of paper, the practical piece is so very important. I’m excited to hear that you’re helping solve that very real gap for people.

Justin Daniels  11:14

Jamal, as a follow-up question I have for the majority as well is, do you really think what it comes down to to be a standout privacy professional is what you said, it’s really understanding the intersection of the technology, the privacy laws, and how they interact? Like if you don’t understand how ad tech technology works? How can you really, really think through in a meaningful way that you can explain to a client, how the privacy laws might impact a particular use case like that for data?

Jamal Ahmed  11:49

Yeah, you’re absolutely right. And the thing is, you have to understand just because one law says there has to be like, this need to achieve this, you can’t just focus on that one law on its own, you have to appreciate the bigger picture. So there’ll be technology knows, there’ll be marketing laws, if you’re dealing with your employees, they might even be employment and labor laws. And some parts of Europe have really stringent labor laws, where you have to sometimes go and get permission from the trade unions to be able to do something with the personal data of your staff. So you have to appreciate the bigger picture. And you have to understand where you fit in, what your strengths are, but also where your limitations are, and where you need to go and find other people to get their opinions, get their advice and how you can solve this together.

Justin Daniels  12:32

So Jamal, for people who are listening to our podcast, who might be security pros, and they want to hop over to privacy or their attorneys who want to be more operational, like we talked about, what do you recommend that they do? First?

Jamal Ahmed  12:48

I think the first step is to build a foundational understanding of privacy beyond the current expertise. For security pros, that could mean learning the legal and ethical implications of handling that data. And for the lawyers, yes, certainly, this is probably more about understanding the technological aspects, as well as the operational challenges. Most people I work with actually have some kind of legal background. And what they really struggle with is operationalizing those requirements into pragmatic business solutions. And I recommend starting with listening to podcasts, just like this one, just like privacy pros, people like David Reynolds, just listen to the conversations and hear the thought process. And that will start getting you familiar. And then you need to build up on that by going in and finding experts who can really train you and help you to get ahead in the field. And if you do that, what you find is you start getting this comprehensive overview, and that will help you bridge your existing skills with the demands that you need for those top tier privacy rules.

Justin Daniels  13:47

So kind of building on that maybe as an example of that. Love to hear what you and Jodi think of, for example, a fundamental concept amongst a variety of privacy laws might be around notice and consent and understanding not just under GDPR or CCPA how that works. But understand what is the fundamental impact of what it means to opt in or opt out? Because you’re really talking about when are we consenting? When do we opt in or we have to consent to opt out? Is that a fair example of how you want to be thinking about this differently when you’re really trying to come into the field as opposed to just trying to memorize laws?

Jamal Ahmed  14:27

Yeah, because there’s going to be requirements. So let’s say let’s take the GDPR, for example. It says, If you want to do anything with personal data, the seven principles that you need to follow, anyone can memorize the seven principles, but now you have to put that into practice. So if you’re collecting someone’s data, and one of the legal requirements is you have to have a lawful basis for that process. The GDPR gives you six options. Consent is just one of them. Now, when we’re talking about fairness and transparency, that’s the customer or does the user or does whoever the status subject is really genuinely have a choice. If they don’t have a choice You shouldn’t be offering concern as the lawful basis. And you shouldn’t mislead them to believe they have to ask because that’s actually being unfair. And it’s not being transparent. And oftentimes, what you’ll see is people get fascinated and fixated with this consent. And around 2018, we saw so much terrible advice being given. But consent isn’t always the correct or the most appropriate lawful basis, use, you should consider all the other ones in my opinion, and then see if consent is actually the most appropriate one. And if the customer or the user or the patient or the employee doesn’t have a genuine choice, don’t mislead them to believe they do. So make sure you understand the principles, but concretely how to apply it, and what the purpose behind those principles were.

Jodi Daniels  15:42

I would add that a big piece is let’s say, understanding data on anyone listening knows Justin’s favorite hashtag is know your data. And if you’re someone who hears the law, go document your data, we asked a couple different questions, let’s use the marketing team marketing team tells us the kind of data you use, they say we collect name and email, we hold webinars, we have sponsors, and they kind of rattle off down the line. A good privacy Pro will dig a little bit deeper to the business processes behind and ask extra questions beyond just the few points that are given verbatim from the business person, it’s trying to understand. Okay, so if you collect name and email, well, what do I do with it? And? And oh, you bought it from them? Well, do you put it in this system? Oh, so you put it in this system? Also, then maybe I need a notice with that system? And so which, notice what I have, and it’s trying to connect all the different parts of these privacy laws in business, actual activities that are happening all day long.

Jamal Ahmed  16:49

Yeah, absolutely. And what you’re saying Jodi is gonna need — we need it to be an effective professional, you have to be curious. And you have to understand the bigger picture. So one of the things I often talk about is this sci fi methodology. And essentially, it’s what I use to drive the way I do things in the way my team does things in the way of material. So we need to gain the clarity and to gain that clarity. You can’t just look at what’s in front of you. But you’ve got to look at how he also said, so you mentioned what are the processes involved? How does it do? What about who else has access to them? Why do they have access to sharing? Who was going to use this information later, down the line? Are there any secondary purposes? How valuable is to the actual company? How long do we need to retain it for what are the risks associated. So we need to get clarity on the bigger picture and understand everything associated to it. And that gives you confidence that you know what you’re dealing with. But it also gives the people that you work with confidence that you understand what they want to do, what they’re trying to achieve, why this is important to them, then you need to make sure that you check with your compliance. So have you understood all of the applicable and relevant laws and what they require? And what you can do and what you can do? And have you made sure that you’ve actually thought about those things? Are you competent in what you’re delivering? Have you thought about anything like privacy by design? Have you thought about any other accountability reports that you might need to create as part of this? How do you then capture all of that and deliver it in a privacy notice that even a 11 year old can understand? And those are the challenges that I love solving.

Jodi Daniels  18:19

Now, we’ve talked a little bit about the IAPP certifications, and how we need to tie that into operational practice. Some of the advice you shared, listen to various podcasts and other resources to be able to hear and listen and learn from observing. What are some of the other ways that you think privacy enthusiasts, privacy people, privacy pros, can make that leap in connection?

Jamal Ahmed  18:49

Great question. So for me, IAPP certifications are a fantastic starting point. But the key is applying that knowledge practically, what we should do is start by identifying areas in your current role, whatever it is, where privacy is relevant, and start applying your learning there. Whether you’re in policy development, whether you’re looking at impact assessments, data management strategies, the goal should be to integrate those privacy considerations into your everyday business operations. And we can participate in community discussions or workshops and get real world scenarios and start applying your knowledge. There’s no point just having some alphabets after your name that said, you have this certification, you have to be able to take that and do something with it, which means apply it if you’re not in a privacy role right now or if you’re in a limited role, then just start looking at everyday process and start applying that and see where that goes.

Jodi Daniels  19:44

Thank you for sharing.

Justin Daniels  19:44

Funny when you say I A P P I thought it was being renamed the A I P P.

Jodi Daniels  19:49

Ah ha. That joke is old and has been around for I guess a whole whopping six months.

Justin Daniels  19:59

I’ll kidding aside, I guess the other thing I wanted to bring up and ask is, you know, to the two of you, you know, in my practice, I got confronted with a project on autonomous vehicles on which drones work a lot in blockchain. And now I’ve gotten very involved in AI. Talk to me a little bit about how the two of you felt when you just started out, you’re like, I don’t know that much about privacy. So you can make a choice to say, You know what, I don’t want to really do this until I know what I’m doing. Or you take the other choice of saying, You know what, I gotta wait in and learn this. Sometimes I think a lot of people don’t go down the path because they fear the consequences of the attempt. And so how did the two of you decide, “You know what, I’m going to get involved, maybe on the first project, I will know a lot.” But if you don’t start somewhere, we can’t get the knowledge.

Jodi Daniels  20:46

Well, you’re looking at me, I’m going to start and then Jamal, please join in? I would say when I started, and it’s still true now, because there are privacy laws popping up. Seems like every day, earlier this week, we had New Jersey pass the privacy law, and we’ll just keep having more privacy laws. And then we’ll have more interpretations. And then we’ll have AI and they will just continue, I think with the never ending having to learn and you don’t always know. And part of it is surrounding yourself with other peers who might also know what I like about the privacy community is it’s friendly. And last night, I had a question. And so I reached out to two different privacy pros. And I said, Here’s my question. I’m curious for your thoughts, they immediately responded with, here’s my thoughts, and you piece all of that information together and no different than any other area, you’re making an analysis based on the information that you have. So building a network of real relationships, and continuing to study and find who are the resources that are going to help you, I think are key areas to be able to learn and apply. And that’s essential. It’s just going to keep changing. Jamal, what are your thoughts?

Jamal Ahmed  22:03

Yeah, I completely echo what you said there about community, I think building a powerful community around yourself is super important. And one of the things I focused early on is realizing that I don’t have all the answers, and I don’t know everything. And I don’t know everything. And I don’t want to, and I can’t possibly know that. And so one of the things I created is a platform for privacy pros to come together. We’ve got about 100 people there from all different parts of the world. We’ve got commissioners, we’ve got people who are involved in policymaking in the regulators, we’ve got people who have technical background, people have non technical backgrounds, people who have so many amazing skills, and some of these people, you know, Debbie Reynolds, Jules Polonetsky, Emerald Leeuw, Iman Talos. So there’s some amazing people in the environment that are printed around me that really support me. But coming back to the beginning of your question, Justin, what you’re talking about is, would we do this? Or do we not do this, and a lot of people in the industry suffer with impostor syndrome, which means they don’t actually have the confidence to do what they need to do. So they hold themselves back and stop their own development. And that comes from self limiting decisions or negative beliefs that they’ve kind of reinforced upon themselves. I was fortunate enough to make sure I invest in my personal development. So I’ve done some NLP coaching. And I’ve developed a really strong mindset. And what I realize is that when you do one thing is how you do anything. How do you go about doing something for the first time and who can help you? One of the things I think people rely on too much, sometimes to their own detriment, is they rely on self study or figuring things out for themselves, I realized that my best level of thinking has gotten me to where I am. And if I need to grow and solve things outside of my comfort zone, that I need to go and find experts, I need to go and find people who can mentor me, people who know more about me, and be open about my limitations and go and bridge those gaps. So I think it’s about being brave enough to confront what you know, and what you don’t know. And owning that there’s nothing wrong. When I say to my clients, hey, I don’t know much about that, or I don’t have enough knowledge on that. But I do know someone who does, or I do know where I can go to find that information now. So it’s being OK with what you know, getting real insights on what you don’t know. But figuring out who are the people that can help me to upskill, to get the knowledge that I need and who’s already solved this problem before, but I can either pay to access that information, or I can bring on my team to help me support this challenge.

Jodi Daniels  24:32

Speaking of skills, what are the skills that you think privacy pros will need this year?

Jamal Ahmed  24:40

Oh, in this year 2024. For me, I think privacy pros need to be not just well versed in all of the legal aspects that are coming up, but also in technology use, like understanding AI’s implication on privacy, data ethics and cybersecurity are becoming increasingly important for my clients and I see that trend, not just with my clients, but with the wider discussions that we’re having events, as well. But also equally as important as the soft skills, like communication, problem solving. Obviously, professionals need to focus really on developing those soft skills, because that’s what often holds them back. Sometimes they focus too much on the technical skills, too much on the legalese and the theory, and not enough on how to go and work with people deliver the solutions in a way where you actually are adding value to the team rather than being a blocker returning or people don’t actually understand what you do. They might agree and say, yes, yes, yes. But when you turn it around, nothing’s been done. And they’re still doing the same thing that you told them not to do anyway. So I think we need to make sure that we equip ourselves to deal with complex multi stakeholder environments. So we need to focus on the soft skills. But we also need to focus on the cybersecurity, the data ethics, and the understanding how technology is moving.

Jodi Daniels  25:57

Meaning we have a lot of work that we have to do after our day job, it’s a never ending learning is what I hear out of that.

Justin Daniels  26:09

Yes, my wife gives me a hard time all the time when I’m constantly reading articles online.

Jodi Daniels  26:13

Sometimes if you have an addiction to your phone, we can talk about that another time. We do appreciate that you’re continuously learning. Yeah, we do. There’s a lot to learn. And actually, in all seriousness, though, I do think Jamal, you made a really great point earlier in our conversation about how you won’t be the expert in all things. And what I have found is that privacy pros tend to kind of find something that they like about privacy, and that might, they might go really deep there. And they will create a circle around them to help on the other areas. So for example, I love marketing and privacy. And I know other people who love cross border data transfers, and that is, they’re really knowledgeable about that area, maybe just a little bit on the marketing piece. But they surround themselves with those that can help fill that void. And then collectively, they’re able to solve the different privacy pieces. So find something I think I would add, that’s also of interest to you to be that deep subject matter expert.

Justin Daniels  27:15

So Jamal, what is your best personal privacy tip that you might offer to our audience today?

Jamal Ahmed  27:23

Hmm, I think my number one privacy tip is to practice mindful data sharing, whether it’s personal data, or professional data, always consider is it necessary to share this information? And what are the implications of actually doing so. And I think everyone needs to focus on educating ourselves about privacy settings and platforms that we use, and actually be proactive in managing your own digital footprint. Privacy isn’t just a compliance requirement. For me, it’s also a personal responsibility.

Jodi Daniels  27:57

Now, when you are not helping build people’s privacy careers, and helping them operationalize privacy and serving clients, and talking on podcasts and hosting podcasts, what do you like to do for fun?

Jamal Ahmed  28:13

I eat. I’m joking. I’m a very curious person. So outside of work, I love traveling. I love exploring and discovering new things. I love exploring new food and new cuisine. I think it’s very important to have a balance and engage in activities that rejuvenate and inspire. So for me, exploring provides a perfect counterbalance to my professional life. That also helps me keep me grounded and also energizes me.

Jodi Daniels  28:39

Well, Jamal, we have really enjoyed our conversation today, you’ve provided so much, as we like on this show, very practical tips for people to operationalize their privacy knowledge and get into the field. Now, if they would like to learn more, where should we send them? Where can they connect?

Jamal Ahmed  28:56

The best place to connect with me is on LinkedIn.

Jodi Daniels  29:00

Wonderful. Well, we’ll be sure to include that in our show notes. Jamal, thank you so much for joining us today.

Jamal Ahmed  29:06

Thank you guys for having me.

Outro  29:13

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time!

Privacy doesn’t have to be complicated.