
Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:21

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:36

Hi, I’m Justin Daniels. I’m a shareholder in corporate a and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cyber security risk. And when needed, I lead the legal cyber data breach response breaking.

Jodi Daniels 0:58

And this episode is brought to you by, strange noises today, Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our bestselling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com.

Well, today is a very exciting day, because I have brought with me a privacy friend, a fellow privacy consultant and a newly minted bestselling author of a really awesome new book. So we’re going to have a lot of fun today. We have Teresa “T” Troester-Falk, who has over 20 years of experience. Teresa builds these awesome privacy programs that work when resources are limited and timelines are real. She led initiatives at DoubleClick, Epsilon, Nielsen, and Nymity (if you didn’t know, TrustArc bought Nymity) before founding BlueSky Privacy and BlueSky PrivacyStack. Today, she creates practical tools and systems that help privacy professionals step into their role with confidence and give executives decisions they can act on. Through her writing and teaching, she brings clarity to complex requirements and shows how privacy can succeed in practice. And I can’t wait to dive into her new book that everyone here should go and read. So Teresa, welcome to the show. Thank you. That is your cue, Mr. Justin.

Justin Daniels 2:41

Well, Teresa, why don’t you share with us how you got to where you are today?

Teresa “T” Troester-Falk 2:48

Aha, well, I think, Jodi, you and I, most people who’ve been in this space a long time, it was a happy accident of some sort. So I actually am writing a post about this tomorrow. In 2003 I applied for a job that I had no clue what it was, but it had the word compliance in the title. I was an international trade lawyer in Canada and moved to the US, California, Colorado, looking to get back into work, had two little boys, wanted something simple, and here was this job at a company called DoubleClick, which I didn’t know about, but privacy compliance associate. I thought it looked like legal, interesting enough. Maybe wouldn’t, you know, make me work 80 hours a week. At that time, I was looking for work-life balance, and that’s how I ended up here. And so that simple job, as for those of us who’ve been in the space a long time, it’s kind of a litmus test. If you know the word DoubleClick, it tells you where you are in the history of privacy. Was an FTC investigation, 50-state attorney general settlement. It was the defining consumer privacy case at the time, so that’s how I landed here.

Jodi Daniels 4:06

All right, so let’s fast forward. We, like, skipped a couple decades and experience, and so now we have a really cool book and the title, everyone listen: So You Got the Privacy Officer Title, Now What? So tell us a little bit about what inspired this book, and don’t give all the goods away so that we can dissect it in our conversation.

Teresa “T” Troester-Falk 4:29

Two things. One, I love to write, and you know, when we can do the things that give us energy, that’s just a bonus in our work, right? But also that writing was reflective of my life experience in this field, and feeling like I’m at this point where I want to give back to newer professionals in some way. And so writing is one way I can do that. The second part of what inspired me was seeing this strong need at this point in time, with so many new privacy professionals, newly minted CIPP something, who have done what they’re supposed to do, go and get certified. It’s the gateway into our profession, but our gate is pretty light, right? It is a multiple choice exam, and I’m not saying it’s easy, but it’s unlike other professions where, like in security, you need five years of documented experience before you can call yourself that certified professional. Justin, I’m sure you could tell us about that. Privacy or project management, three years. So I just felt so much need in our community with newer professionals, and even those within the space a long time who are certified, have done all of the knowledge training but don’t have the operational practical experience. So that’s what led me, those two motivators. One, just blot out what gives me pleasure in life. And, you know, I love to write, and the reflection on my career, what I’ve learned, what I think are the key takeaways. And secondly, I just see a huge need for real, practical knowledge for people who hold certifications. In fact, the original title of this book was going to be So You Got the CIPP, Now What? But a little broader: So You Got the Privacy Officer Title, Now What? How to Build a Program Without Budget, Authority or a Clear Plan.

Jodi Daniels 6:31

I love that you love writing, and it’s so interesting how you lean into that. Because for me, I love talking and speaking and presenting. And if I could do that all day long, that would be my happy, that would be my happy place.

Teresa “T” Troester-Falk 6:46

All right, you speak, there you go. We make a perfect combo. So here we are. Yeah, interesting. What makes that interesting?

Jodi Daniels 6:55

Maybe that’s why I’m so happy today, because I got to start my day talking. But you’re so good at talking exactly, see.

Justin Daniels 7:06

So, you know, I think you said the subtitle is, you’re building a privacy program without a budget authority or a clear plan. Can you talk a little bit more about how to navigate that?

Teresa “T” Troester-Falk 7:17

Yeah, so I tested that idea, let me give a bit of context, on a LinkedIn post. Like, I’d been sort of absent on LinkedIn for a few years. Just had to really focus on some other things. But in anticipation of writing, I went back into the whole LinkedIn role, which has changed tremendously, and did this post with this title: So you got the Privacy Officer title, but you didn’t get the budget, authority, you know, or plan. And that little post went, like, kind of quasi viral in our little world, right? There was like 500 likes in a short period of time, 100 comments, people reaching out, saying, Oh, my God, nobody is talking about this. Like, I thought I was the only one. And so this book is about really emphasizing you are not the only one. It is all of us. It is every single one of us trying to figure this out every day, with, in many cases, little budget, little authority and having no clue how to build a plan. So that’s that. That was the impetus, and just trying to distill not just my knowledge, like, it represents the collective knowledge of my peers, my friends, my, you know, everything that I’ve learned is represented, represented in this.

Jodi Daniels 8:45

Let’s go back to the title you almost had. And there are a lot of newly minted certified privacy pros, and some of them have business experience, but have crossed over into privacy. So they might be new to privacy, but not new to business. And then some, this is their, their start of a career. In your mind, where do you think some of these newly minted certified privacy pros go wrong?

Teresa “T” Troester-Falk 9:13

All the ways I went wrong when I was, you know, new in my profession, and that is trying to look for a perfect and complete answer and focusing on the details of the law and not on exercising judgment, making decisions in unclear and gray areas. And how that shows up is in how we relate to our business units, you know, and the people we have to talk to every day. It is being prescriptive, saying no too much instead of “Yes, and this is how.” It is having the confidence or to make that decision in a gray area. So where do they go wrong? It’s, it’s all the ways I went wrong. You know, thinking the answer had to be perfect, worrying about every decision, looking for more information and blocking or slowing down initiatives that really could move forward with a reasonable framework in place.

Jodi Daniels 10:31

So what would you say might be one or two things, someone listening, they recently got their CIPP, they’re looking for all that detail. What would you recommend to them listening today?

Teresa “T” Troester-Falk 10:44

So I, you know, in our work with clients, we try to focus on these three pillars: explain the decision that you made, be able to maintain, you know, what you decided, and then defend, like, be able to prove it. So, so how can you move forward in really difficult, complex situations? It is making a decision, right? Whatever that, whatever your decision-making criteria is, and documenting it, and then move on. Let me give an example. One of, you, I’m sure you know our colleague, Jerry Stegmaier, who’s been in the field a long time, and he was one of our outside counsel, you know, at the previous company I worked with, and he said something that really stuck with me, like, there’s no black and white here. But can you defend the decision that you’re making? Can you confidently defend it to your stakeholders, to your leader, in the event that there’s a regulatory action, something? And, you know, his views: I want three things. I want to be able to say three things. I’ve got it in the contract. We updated the privacy notice. We worked through the consent files. Like, whatever those three things are. Maybe your company wants five. Maybe they’re comfortable with two, but it’s making the decision and then moving on and knowing.

I’ll share something else from one of my previous companies, a wonderful general counsel, and he gave us some wonderful advice at an off-site. He looked at all of us and said, This is a big company. You know, we’re in 130, we’re public. You know, there’s a lot of weight on your shoulders, but I want to assure you that there is no decision that you will make that will bring this company down. So just make decisions, and you know, if we determine that they’re wrong, we can go back and fix them. And so I think that is the key takeaway. Learn to make decisions quicker, faster, knowing that, you know, you’ve thought it through, you’ve documented how you’ve thought about it, and that it can be fixed if something goes wrong.

Jodi Daniels 12:46

It’s like I always say, math class: show your work and be able to defend why you made the choice that you did. Yep, and we say that all the time, and I know we have a lot of enforcement and compliance focus. Regulators care about that too. What decision did you make? They may or may not agree with you. But then, if you have the rationale for how you got to where you are, that’s what’s important.

Teresa “T” Troester-Falk 13:07

100%. Whether it’s in Europe, Asia or in the US, regulators are looking for what did you have in place. You know, if you have, if you can narrate some story, everybody understands that errors can happen, as long as they’re not systemic, you know, and they’re one-off, and you had a plan, you’ll be much more lenient. And there’s a lot of evidence to show that.

Jodi Daniels 13:34

Makes sense. And so say someone else can say it too. That’s just me.

Justin Daniels 13:44

So do you have any kind of sneak peek examples about operationalizing privacy that you might share with us today?

Jodi Daniels 13:51

Well, yes, which is your favorite one? Maybe an easy, easy one you shared online.

Teresa “T” Troester-Falk 13:59

Now, I think it’s kind of, really, this book is not about a lot of templates. There are some in there, right? But what I have found, I’ll come back to Justin, but what I have found in practice is, and I work for software companies that provide templates, they’re selling, unique, what is needed is so unique to every organization. And now, you know, you can research. There’s tons of free things. You can use AI to build them. But I think one of the most important things is kind of a decision-making framework. Like, just, that’s a sneak peek, like, just get used to what we’re talking about, that documentation. What is the decision that needs to be made? How did we make it? What is my evidence to back it out? Where is that decision stored? And just do that over and over and over again. And that one thing helps to build confidence, becomes part of your underlying story, becomes a way you communicate with, you know, leadership, and, you know, builds the confidence around you that you know what, you know, that you’re doing. You’re approaching this systemically. So there’s a very simple chapter on how to make a simple decision-making framework that you can adapt. But I think that’s the one thing that, more than anything,

Jodi Daniels 15:13

I want to build on the subtitle, building a privacy program without budget, authority or a clear plan. I, in talking to a lot of companies, and they feel like their budgets are getting cut. They, I presented this morning, and they said, Well, how, how do I test if my cookie consent solution is working if I have no budget? Someone else shared their company thinks AI governance and privacy are all the same thing. So this is a common theme for when you post it and people said, Oh my gosh, I’m so not alone. Thank you to those people who are here. They should read the book. They should document their decisions. What, what piece of advice might you also offer for those types of people to be able to try and make some progress, because they are amazing privacy champions in their company?

Teresa “T” Troester-Falk 16:06

Yeah, I think it comes down to risk and prioritization. So I’ve worked on all spectrums. I’ve worked for companies that have had a huge budget. You know, when I was working in house, like, endless budget for outside counsel, and we want to be gold class standard privacy. Those were amazing days, few and far between, right? Looking at your wheel behind you, we use something similar. There’s lots out there, like frameworks. To do all of that, you need a huge budget and resource, right? So let’s think about your wheel. That’s a great narrative to work with a company and say, of all these things, what are the most important activities that we need to adjust right now and why? And you do those three things, not the 100 things, and you start there, and you get them done. And that’s an approach we use over and over with companies, and it’s, we’re facing this, all, all of our clients are like, budgets are being cut. What do we need to do? And like, okay, in the US, we have a blueprint. We know the four things we need to do, because it’s what the California, you know, actions are around, and the coordinate enforcement actors, like cookie notices. Make sure your DSARs work, and make sure your notices are right for employees also, and check those vendor contracts, you know, that you know are involved in targeting. You’ve got four things that you just need to make sure you do. And then, though, if you can target those and do those, and do those well, you know, that’s, that’s the blueprint in the US right now. So in short, it’s thinking about the frameworks, like the one that you have is so useful to think about everything that needs to be done. It becomes a conversation piece to say, of all of these, what’s our risk level as a company? And getting clarity on that with, you know, your leadership, what, where do we have exposure in all of this? And do those things first and well and keep doing them.

Jodi Daniels 17:59

I think it’s really important to highlight you talked about risk. So find where the risky areas, because Company A might have different risks and a different risk profile than Company B. So identify your risks unique to you, then be able to prioritize, and you can’t do all of them. You might have 10 risks. You can only pick the few that you can actually handle in that year. Work on those and then come back around and keep working diligently on that program and adding in what you talked about before, which is document the decisions that you have along the way.

Teresa “T” Troester-Falk 18:29

I’d add one more thing, and I agree with all of that, and underline all of that, is the concept of ownership and accountability, right? Because you can do all of those things. You might hire John, you might hire me, whomever, to help build. But if nobody is owning that process, it’s not sustainable, and it doesn’t maintain. So you can focus, you can assess your risk. You have to decide the three or four things, you can work on them, but at the end of the day, who owns those procedures and processes that you’ve put in place, who makes sure that they keep getting done? Because I’ve worked for companies where we spent months working on a process and it’s like, wow, all this work, teamwork, binder this thick, and then this group thought we were owning it. We thought they, and the whole thing falls apart because there was no ownership around it.

Jodi Daniels 19:21

Yeah, that’s really, really important, and we see that all the time as AI governance committees are getting created. Everyone wants a committee, and committees are lovely, but someone still has to own, but the committee is going to do anything, and who’s going to have the final decision and things like that. So ownership is very much important. I’m glad you brought that up.

Justin Daniels 19:41

So is there a best personal privacy tip you can share with our audience?

Teresa “T” Troester-Falk 19:47

Well, one, there’s so many, but one, passwords, passwords, passwords change that. I mean, it’s such a pain. You know, make sure they’re changed often. Don’t use the same one. Use password managers. I think that is just so critical. It’s it’s a little bit of work, but it’s the one that I think will make the most difference right now,

Jodi Daniels 20:10

and when you are not helping companies with privacy programs, writing books or just writing, what do you like to do for fun?

Teresa “T” Troester-Falk 20:19

Well, I am trying to change the world one Bachata step at a time. So if you don’t know what that is, as you know, sometimes I live or spend a lot of time in the Dominican Republic, and Bachata is one of the dances that was culturally developed here, Bachata and Merengue, and the first time I heard and I just fell in love with it. So that is what I do. A lot of Latin dance, Bachata and Salsa and Merengue and all of it.

Jodi Daniels 20:55

super fun, super fun. Well, where can people go to connect with you and grab the book.

Teresa “T” Troester-Falk 21:02

The book is available on all major book sites, but especially on Amazon, in three versions, hardback, paper, Kindle. You can go to my website. I have two, but the one I’m directing most people through now, two companies, consulting company where we have our bread and butter kind of work with clients like you do, which is blueskyprivacy.com. blueskyprivacystack.com has information about the book and other forthcoming operational resources to support privacy professionals.

Jodi Daniels 21:38

Amazing. Well, Teresa, thank you so much for coming today and sharing what you know after so much experience to help others be able to build successful privacy programs. Thank you.

Outro 21:54

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.
