Prologue  0:01  

Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:38  

Hello, Justin Daniels here. I am a technology attorney who is passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as manage and recover from data breaches.

Jodi Daniels  0:55  

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, fast e-commerce, media, and professional and financial services. In short, we use data privacy to transform the way companies do business together for creating a future where there’s greater trust between companies and consumers. To learn more, visit

Jodi Daniels 1:33  

You’re very quiet today. You’re always very chatty after I do our whole intro.

Justin Daniels  1:38  

Well, maybe you should try to start with the chattiness today.

Jodi Daniels  1:40  

No, that’s your job.

Justin Daniels  1:43  

I see. Well, you have a nice haircut.

Jodi Daniels  1:44  

I do, I do have a nice haircut. For all those who are watching a video, I have a nice haircut. And for all of you listening, you should go check it out, lovely hair day. But let’s chat about privacy, shall we? We have a really awesome guest today. All right, I’ll let you do the honors. So we have Daniel Barber, who is the CEO and Co-founder of DataGrail. In the new age of privacy, DataGrail is the only purpose-built privacy management platform that ensures sustained compliance with GDPR, CCPA, and what other alphabet privacy laws we’re going to come up with. He is also the advisor to several high growth startups, including And sign on site. It is very much an alphabet soup. Daniel, welcome to the show. We’re so glad to have you.

Daniel Barber  2:37  

Yeah, no, thank you, Justin. Thank you, Jodi for the invite. And yeah, excited to chat with you guys today.

Jodi Daniels  2:44  

Well, so let’s dive in. Our first question we always ask people is how did they get to where they are in the privacy and security landscape? So fill us in a little bit on how you came to found DataGrail.

Daniel Barber  2:58  

Yes, so as some of you may pick up pretty quickly, I grew up in Australia, on the south coast, and moved to the US. My father started family from here, and I did my MBA in Japan and was fortunate to work for a Japanese company. They were very kind to transfer me and move me to San Francisco, so in the Bay Area. And after 14 trips to Japan in 2011, I decided perhaps I should work for a company local and started working for a company called Responsys, which at the time was really the leading provider for email marketing solutions. And so when you think about email marketing at this stage, right, Responsys was working with some of the largest consumer brands on the planet. So think, you know, Whole Foods, Southwest Airlines, Lufthansa, JC Penney and others. And what I observed there was no companies at that stage, and even today, obviously, we’re using enormous amounts of personal information to drive these campaigns through email, and collecting and sort of aggregating lots of personal information about us. Right. And so what am I actually talking about? I’m talking about, they would have your email address, they would buy demographic information from different data sources, they would buy local weather information to serve, you know, targeted email campaigns. So if you’re located in Minneapolis, and it happened to be snowing that day, when you would open your email, they would look at the IP address of that location, dynamically populate the content based on, you know, Jodi, you know, being a woman in age bracket X, they would say, okay, great. Maybe you need a snow jacket and some ski boots, because it’s snowing today. And so this was really cool. So in 2012, right, I was pretty unaware of what marketers were doing. But as we think about that outcome today, right, obviously, not really with privacy in mind. Right. And so this is pre-GDPR, pre-California Consumer Privacy Act.
Certainly pre-Cambridge Analytica. As we fast forwarded, you know, I joined a smaller company, I knew I wanted to found a business and eventually solve a large problem. So I joined a company called ToutApp where we were actually doing email for salespeople. So really kind of leading the way in what is now described as sort of this sales engagement category. And so I partnered with the founder early on and had an amazing experience there, I kind of describe it as my startup MBA. So just over two years at ToutApp, learned an enormous amount. But the second kind of point of resonance around this problem with data privacy was that, you know, in 2015, I signed 200 data processing agreements. So when you do something 200 times, you start to wonder why you’re doing it. And again, this is like pre-GDPR, pre-California Consumer Privacy Act, like obviously, pre-Cambridge Analytica. And so I came to the end of the year sort of asking myself, like, why do businesses care about this? Like, there’s no fines in this data privacy agreement that I’m reading, right, or data processing agreement? So you know, why is this important to businesses? And so, you know, what became clear was that there’s an enormous amount of information being transferred across all of these applications. By man, I saw that in my last experience working at a company called Datanyze, where we looked at 40 million websites, it looked at the technologies that people would use to run their business. And the last kind of realization that I came to was that every business runs on technology, including the one that we’re actually engaged in right now. Red Clover, we’re running on Zoom, right? You have other services to improve this recording. And so what those services are, I have no idea. And so we think about that, right? If there are many applications organized in a business, but the consumer has the expectation that they’re in control of their information, there’s a disconnect there.
And that’s why we founded DataGrail.

Jodi Daniels  7:01  

Now, we’re always saying that companies are in the data business. So you were kind of talking about what everyone’s using technology. And everyone’s utilizing data. And I remember those really early days of the dynamic content and email marketing. And I got my start in privacy by stalking people for cars, using data from Autotrader. And anyone who bought a car, you’re welcome. It’s kind of the same idea. Thanks for sharing. Yeah. You’re smirky over there.

Justin Daniels  7:29  

Oh, why not? So from your view, how would you describe the current state of privacy programs and companies?

Daniel Barber  7:39  

Kind of in flux would be my first response, right? I think many businesses that are internationally focused, right, were leading up to the GDPR, trying to figure out what they need to do. This was a long walk, right, from 2016 through 17, through 18. And now we’re talking about that was three years ago, right. And so they might have implemented something to stand up the program. For domestically focused businesses, the CCPA was probably the first regulatory requirement that they had to jump over. Right. And so I would say, like, across the board, most companies have no idea what applications they’ve actually purchased. And this has accelerated in the last, you know, call it 18 months, because now we are doing work from home, right. And so, you know, people are in a dynamic work environment as well. So they might be working from home one day, they might be off the road or beach another day, they might be, you know, who knows, right, where they are. And so the application use, and as a result, the number of locations where personal information could be, has expanded dramatically. And so I think, like, flux would be my one word to describe where we are today.

Jodi Daniels  8:52  

If you think about those 200 data protection agreements, which was actually very impressive, because I find today it’s really hard for companies to execute those things when they’re required, so that you had companies doing it when it was just a lovely nice-to-have. If you think about where that was to what you see today, on a scale of one to 10, where do you, how far have we moved?

Daniel Barber  9:18  

Good question. I think we have made some progress. Right? I think now, it’s very common that people at least understand that they need to do a data processing agreement. Right. That is generally understood, what a DPA is. You know, completing 200 of them, there was a reason why we were doing it. It’s because ToutApp, the solution, the provider I was working for at the time, we were tracking people’s emails, right. So the service basically allowed salespeople and anyone really to use ToutApp. If they would send an email, they could see whether you opened that email, whether you clicked a piece of content, whether you forwarded it, where you opened it, the location, pretty sensitive information, right? These systems and solutions exist today and in fact have proliferated everywhere. But that’s why companies were very sensitive about what we were doing with their information, because it was fairly new. But I think now it is generally understood a DPA is something that any legal professional understands. Even if you’re buying technology as a member of the workforce, right? If you’re in the marketing team, or customer success team or wherever you are in the organization, you know that you probably need to do a DPA. So I think there’s generally more awareness, I think the consumer is substantially more aware than they were before. Right? This is a result of, you know, many, somewhat unfortunate circumstances that have happened with data breaches, and generally just understanding of one’s information and where it’s going. And so I think consumer awareness has increased, consumer expectations have increased too. But the challenges as businesses remain. And so I think, yeah, that’s where there is opportunity to, you know, connect that gap.

Jodi Daniels  11:08  

And I also see from a B2B standpoint that the awareness is increased. So we’re talking about consumers, but also a B2B environment. Many times vendors are requiring this of customers, customers are like, ah, I gotta figure this out. I might start with a DPA, might start with a question. So certainly moving in that direction.

Justin Daniels  11:30  

Great. So with individual rights being a big part of privacy regulations, what does a company need to know about honoring an individual’s data requests?

Daniel Barber  11:41  

Yeah. So, this is kind of interesting. If you think about it, right. Last year, we surveyed 2000 Americans. So I spoke on PBS about our survey, and we had 83% of people respond, say they want control over their information. So I think, regardless of the regulations, which of course, we can talk about the alphabet soup, God, to your point, there’s lots of them. Consumers want control, right, that’s what they’re actually looking for here. And that’s like an emotional connection too, they want to understand what a business is doing with their information. And so I think we see the leading brands really leading with transparency in terms of, hey, you can get access and control the information that we’ve collected about you, you can restrict the sale of that information, if you don’t feel comfortable with that. The challenge is that most companies are starting from square one, right? They have purchased software, right, it might be Zoom, it might be Slack, it might be Salesforce, it might be, you know, name 200 other software tools. And they’ve purchased those over the last five years or a decade or multiple decades. Now, they have no idea where that relation is, or what those systems even do. The number of CISOs, Chief Privacy Officers that I speak to that know all of the applications that they have, and what’s in them, I could count on one hand, right? Total, in doing this for a while. And so I think, like, starting with understanding what you’ve purchased is the only way to satisfy that data rights component, right? If you can’t, you can’t actually satisfy that properly. And we see a lot of businesses shortcut here, right? So they’ll just provide the information that’s available in maybe two or three of the systems that they own. But in reality, they’ve got 100 systems processing your information. So is that an accurate representation of what they hold about you? Definitely not.

Jodi Daniels  13:42  

With it being so hard for companies or people to know all the different systems, where does software come in to be able to help solve this problem?

Daniel Barber  13:54  

Yeah, that’s a good question, too. I think it’s really important to think about, like, first centralizing the applications that you use, right. And so there are solutions in the market that drive the security of those applications, right. So things like Okta and OneLogin and ForgeRock and Ping Identity and others that will allow a business to say, okay, any tool that we purchase needs to go through this secure process, meaning if you join a company, you get access to the 22 tools that you need in the marketing department. If you join that same company in HR, you get access to the 12 tools in HR that you would need to operate your job. That’s a good starting point. And certainly the mature organizations that we see have implemented, you know, single sign-on is sort of commonly what that’s described as. That’s a requirement really, at this stage, especially with a dynamic workforce. But then also the realization that not all applications will make their way into those applications, right. So even the tool that’s meant to control the other tools, the tools may not actually get in there. And so acknowledging that as well and saying, okay, we probably need to find a tool that finds the tools that are not connected to the tool that’s meant to manage the tools. So you know, that’s an area that we help with, and help businesses with, because it is a scary thing, right? This kind of concept of shadow IT and your employees using applications that process personal information, this is hard. And so the combination of, like, usually a single sign-on provider, and something like DataGrail to help with that is a good starting point.

Jodi Daniels  15:39  

The other thing I was going to say is a lot of times, so we have like your tools for tools for tools, and right, software to help be able to find tools, a lot of times people also think, if I just find a software, I’m done. And I’d love for you to share a little bit about how it’s software plus people who know how to use the software to be able to help make it all work together.

Daniel Barber  16:03  

Yeah, so that’s an interesting area. So what we commonly see legal professionals, and I imagine many of the folks that may listen to the podcast are security professionals, right, struggling with is, there is no way you could understand every application in marketing, right? You just can’t. And more importantly, you can’t understand the relationships between the applications, which is actually probably the more important part. So just, like, double-clicking on that, to expand on it a little bit. If you bought Salesforce, right, and so Salesforce becomes a central application to manage your customer data, as an example, right? That application has an ecosystem of things that can connect to it. And so there might be 20 other things downstream that have been installed into your Salesforce environment that are also collecting the same personal information or more. And so just acknowledging that, like, it’s very unlikely that you’re going to try to figure out every application there, unless you really intend to, you know, go around and survey, right, which is the option, go around and survey every department and try to keep that up to date, which is a monumental task that, you know, is really why we founded the company.

Justin Daniels  17:37  

Makes sense. So with privacy laws changing, how do you think about that evolution in terms of companies preparing to comply with multi-state and this global privacy patchwork system that we seem to be going towards?

Daniel Barber  17:52  

Yeah, so this is not going to work. Like the path that we’re going down right now is, like, not gonna work. Right. I think, generally, the informed class of folks that are in this, like we are, acknowledge, even the way that you described that question, this is not gonna work. So there needs to be standards, right, like, and global standards, right. And so there are industry groups that are working to do this and work on this area. I wrote a post in TechCrunch a few weeks ago, specifically on this topic around standards. So Consumer Reports is working with a consortium of different vendors, DataGrail included, that are trying to understand how data rights can be standardized, right? Because even just, like, the simplest thing, have you asked for your information from Kohl’s? Right? What is Kohl’s collecting on you? Does Kohl’s provide the same information back in the format that, I don’t know, Sears does, right? I can guarantee you one thing: they don’t.

Justin Daniels  18:59  

Sears still around? I think so. I wasn’t sure.

Daniel Barber  19:05  

And as I said that out loud, I actually had the question. But you get where I’m going there, right, of every business is operating differently. And the regulations are forcing them to adopt different standards based on where people are located. This is not going to work. And so actually there needs to be technology standards that are in partnership with legal standards. Right. So what do I mean by that? Well, if we had, you know, California has this do-not-sell provision. That’s great. I think that makes sense. I don’t want businesses selling my information in certain circumstances. But that is slightly different than the GDPR. And as we know, also different than other state regulatory requirements. So if we just went down the path of 14 different parts here, that doesn’t work, and so we need some technology standards in order to actually pragmatically think about how we solve this problem.

Jodi Daniels  19:58  

Yeah, it’s a great point. If you think about the three states, California and upcoming Virginia and Colorado, even their required links on the homepage are all supposed to be a little bit different. We can have links, because which one are you going to pick? You can do targeted, as always? I thought they’re close, but not exactly. So it is certainly a big problem.

Justin Daniels  20:21  

So Daniel, I’m just curious as a follow-up question, these state laws are proliferating, at least in the United States, because on a federal level, there’s no consensus, there’s no agreement over what to do about this problem. From what you see in your business and whatnot, do you see that changing? Or is it going to take some kind of black swan event to precipitate a change to get some type of, what we’re really talking about here is having a GDPR-like federal law that covers all 50 states?

Daniel Barber  21:00  

Yes. So but even if that happens, though, Justin, so like, you know, just simplifying it down to, like, the domestic level? Yes. But if you’re a global business, so you operate LGPD, you operate some national law, you operate GDPR, that doesn’t work, either, right? Because if you have 15 countries that you’re operating in, all with different frameworks, like, that doesn’t work. Now, we’re just talking about, like, making it a little easier in the US, for the domestic folks. But if you’re international, you couldn’t afford to operate your program that way, either. So I think it actually goes further than just, like, a national bill, which certainly wouldn’t hurt. But, you know, I think really what we’re talking about is some technology standards to make this a little easier for businesses. Because yes, you can’t have four different links on your homepage. Like, if you talk to a marketer and propose that solution, they’re going to leave the building. Right. So like, you know, let’s talk about, like, practical business here. I think, though, there’s enough support at the local level for some form of national bill, but like, when are we going to see that? I don’t know, I’m not giving a date at this point. And I think it’s going to take some more pain before we see real change on that.

Jodi Daniels  22:21  

We’ve talked about a lot of different challenges. One of the main ones, obviously, has been around just, how do you create a program to comply with all of these different laws? What are some of the other big challenges that you’re seeing companies face today?

Daniel Barber  22:39  

One of them is related to California’s requirement around do not sell, right? Because the definition is quite wide. And, you know, obviously, the sale of information if you’re a data broker, I mean, that’s pretty obvious, right? I sold my email address to you, Jodi, you bought it for, you know, 25 cents. Okay, that’s selling information. Right. But, you know, loyalty programs. Okay. I think we extend those to that, probably sale of information, if you’re extending that information to other service providers. Got it. Ad tech. What do you do with that? Right? So you know, publishers are now selling your information indirectly, on the open market, to other people in real time. That creates some challenges for folks of, like, how they’re going to interpret that? And how far and how much risk they want to take to do that. So I think that’s one area that’s quite challenging for folks, especially if they don’t have legal support, right, of, like, how to interpret the requirements. I think another area that, you know, you’re seeing advances quite quickly. Right. So Apple’s new requirements around deletion of apps, right. So meaning, you know, as a requirement through privacy regulations, it is now a requirement for folks that do have apps to be able to delete that information. That’s difficult, right? People may not have actually set up their infrastructure in a way to do that. And you know, how many people have a mobile app on the App Store? A lot. So, you know, that’s really hard for folks. And they probably weren’t ready for that, right. Like, it’s not like there was a memo that went out two and a half years ago, like the GDPR, to kind of figure out what to do there. So I think that’s quite hard for folks that are operating, you know, with mobile apps. And then the other piece that I described, right, of just that dynamic workplace. That’s really hard.
How do you try to empower your employees to share the applications they’re using, or find some vehicle to be able to capture that information? That needs to happen, because the concept of a VPN, right, is nice in theory, until you have employees not using it, and we should expect that they’re not going to use it, because if you expect that they do use it every time, you know, you’re going to be disappointed with the outcome.

Justin Daniels  25:16  

So, if we were at a cocktail party and we are having this kind of conversation as a privacy pro, what is your best personal tip that you might give to our audience?

Daniel Barber  25:29  

Yeah, it’s funny when I read that, because I was like, oh, that’s kind of cool. You know, I think what I find interesting, and it may not be necessarily a personal tip, it’s more just validation that we are going to be, and the three of us are going to be, solving this problem for the next decade. So Rick Arney is the co-author of the CCPA. And, you know, I was having a conversation with him a few months ago, and he shared a little bit about his path to passing that bill, and what that looked like, and Proposition 24, with our civic target and the group. And something that stood out to me was just, you know, the legislature in California has come to terms with the fact that any bill that passes, the watermark standard is 90%. Right. So 90% is the highest amount you can get in terms of support for a bill. And what is that watermark based on? It’s based on human trafficking, right. So when laws were passed around that area, support for restricting human trafficking was 90%. So 10% of people, of course, just don’t support the process. And so as a result will, by default, select no under all circumstances, right. So basically, the highest you’re going to get is 90%. But what was interesting, moving forward, support for the bill was at 88%. So there was literally not a similar bill that has been passed that received the same level of support. So the legislature in California is supporting, and the electorate is supporting, privacy reform at a level only compared to human trafficking. And neither of those topics are funny. But the point is, we’re going through a change. And so I think just as an area of excitement, there is excitement ahead around trying to solve this problem. And we’re going to be doing this for the next decade.

Jodi Daniels  27:43  

Well, Justin, that’s good job security. Someone, we’re not all going to be trying to help companies solve this problem for the next decade. What do you like to do for fun that is not privacy and security?

Justin Daniels  27:58  

You go buy consumer products and read the privacy policies?

Daniel Barber  28:02  

I may do that. No, I, you know, at this point, I have traveled to a number of places, right? I’m sort of, by definition, you know, a global citizen, if you were. I lived in seven different countries to get to here. And so I do like traveling a lot. My fiancée is also from New Zealand. And so the two of us kind of have fun wherever we can go. So yeah, traveling as much as we can. Hiking around the Bay Area is pretty popular. And so I do that a lot. Also just working, it’s nice to have some outdoor time. And so the combination of those two things is probably my short list.

Jodi Daniels  28:41  

We must attract similar people, because many times people always say that they love hiking, and they love the outdoors, which is very similar to what we really enjoy here too. Lovely. Well, it was such a lovely discussion. If people want to be able to connect with you and learn more also about DataGrail, where should they go?

Daniel Barber  29:03  

Yep. So you can find me on the white pages of the internet, otherwise known as LinkedIn. So if you just search Daniel Barber, you’ll probably find me there. You can find me on Twitter. So my handle is a little strange. It’s @gaijindan. That is Japanese for foreign person. So foreign person Dan, to find me there. Those are probably the best two places.

Jodi Daniels  29:29

Awesome. Justin, any closing thoughts?

Justin Daniels  29:34  

Data privacy is job security. That could be a bumper sticker. Thank you, Daniel.

Jodi Daniels  29:40  

Thank you so much for joining us today.

Justin Daniels  29:44

Yeah, had fun.

Prologue  29:49  

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.