
Jodi Daniels  0:02  

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified information privacy professional, providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:17  

Hello, Justin Daniels here. I am a corporate M&A and tech transaction partner at the law firm Baker Donelson. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as helping them manage and recover from data breaches.

Jodi Daniels  0:40  

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our new best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com.

It’s Monday. It is Monday. You are not as chipper and as exciting and energetic as on our last podcast recording. You need to have more coffee, I guess. Well, or some coffee; that would assume that I ever drank it. You’ve never seen me have a cup of coffee in all the years we’ve known each other. Nope, maybe you should try to try new things.

Okay, but let’s bring it back to privacy today. We’re gonna have a really lovely conversation. We have Robin Andruss, who is the Chief Privacy Officer at Skyflow. She is a data protection leader and longtime friend of the IAPP with 20 years of experience in the privacy, risk, audit, finance, strategy and compliance space, including stints at Google, Yahoo and Twilio. She holds CIPP/E and CIPM certifications from the IAPP. Robin, welcome to the show.

Robin Andruss  2:16  

Thank you, Jodi, and Justin. I’m so excited to be here. I’ve listened to your podcast and I enjoy the funny bickering back and forth.

Jodi Daniels  2:25  

In the pre-show, you know, it just dawned on me reading your intro. It’s actually a really similar path to the one I had. I started in accounting, I did finance, I did strategy. Then I found myself in privacy, and I think we even share a prior company, Deloitte, together. All good fun, perhaps.

Justin Daniels  2:46  

She probably has less bickering with her husband.

Jodi Daniels  2:48  

She might have less bickering. You’re gonna get started though, right? I will. Okay.

Justin Daniels  2:54  

So, Robin, take us on a little journey in your career and how you got to where you are today.

Robin Andruss  3:01  

Sure, I’m similar to Jodi. Yes, I started out at Deloitte on the risk and assurance side, finance side. I, you know, kind of moved out of that world, since I didn’t love being in spreadsheets all day long. On a day-to-day basis, I really enjoyed working with customers and clients and kind of learning about their business and their business model, but didn’t just love kind of, you know, being engrossed in budgets and forecasting all day long. So I, being in the San Francisco Bay Area, ended up finding a role that sounded really interesting at a company called TRUSTe at the time, which is now TrustArc, where I would work with top Chief Privacy Officers on their privacy practices and programs following kind of the established TRUSTe framework at the time, right? They had COPPA certification, they had Safe Harbor. And, you know, I think, right, when you start your career, you’re like, oh, I’m going to be this. Like, I know there’s a lot of lawyers, right, that went out there like, I want to be a partner of a law firm. And maybe they kind of shifted their career to something else. When I kind of found privacy, or privacy found me, the interesting thing was that I remember Googling, like, what is privacy? In 2008, when I started at TRUSTe, and the thing that came up was the Beacon settlement for Facebook, right, and a couple of kinds of FTC consent decrees. So that’s an interesting tidbit. But as I kind of moved into it, I thought, you know, oh, this is really a relevant industry, even though a lot of people didn’t know a lot about privacy at the time, right? I remember when, you know, in 2012, right, when Facebook changed the profiles to public. And if you didn’t know how to go in and change your settings, like all of that data you had just all of a sudden became public, and thinking about how it really impacts people’s individual lives. And now, you know, we’re seeing the proliferation of this 15 years later. 
So fast forward to my career, you know, started out in privacy at TRUSTe and then from there moved on to privacy roles and privacy leadership roles at Google, Yahoo, then Twilio, where I was their data protection officer when I left, and came more recently, about a year or so ago, to a company called Skyflow, a data privacy vault delivered through an API.

Jodi Daniels  5:06  

Well, Robin, we’d love to hear a little bit more about what a data privacy vault is and what Skyflow does.

Robin Andruss  5:14  

Sure. So I’m not sure, do you remember kind of GDPR prep in 2017-20? Oh, and

Jodi Daniels  5:22  

We’re gonna celebrate a birthday for GDPR here soon. Depending on, it’s eight. Well, I guess depending on jurisdiction, it could be entering kindergarten next year.

Robin Andruss  5:32  

So I have a funny tidbit, I actually had a GDPR baby. I had a baby girl born May 10, 2018. So I was the pregnant one asking all the engineers and product managers at Yahoo, I was like, please, please do all of these privacy things. You know, I’m pregnant, baby’s coming. But the GDPR is going to kindergarten next year, or my daughter, the GDPR baby, is going into kindergarten next year. But so just think about, you know, think about pre-GDPR, right? I mean, some companies had more established privacy programs, depending on what industry you were in, maybe like healthcare or fintech. But for a lot of companies at the time, you had to go and do a data map, right, for records of processing activities. You had to go find the PII across multiple disparate systems. So I remember sitting down with engineers and saying, you know, this is what PII is, you need to help me find it, we need to identify it in the system and build a record of processing activities. And just thinking about, you know, going through that exercise, whether you’re working with a global company for GDPR, or, you know, then a year later, everyone had to do it for CCPA, even if you didn’t for GDPR. And just learning about all the data sprawl, like all the PII sprawled across disparate systems, and access unrestricted. And, you know, then also there’s the whole data breach component, right? Like if you have more data spread across different systems, you don’t know the controls, or access controls, around that data as well. So when I heard about Skyflow, I thought, you know, the concept of a data privacy vault delivered through an API, it’s a simple-to-use product where you put your most sensitive data, and I say sensitive data in quotes, because we let the customer define what that is, right? You know, whether it’s personal data under the EU, or it’s something like a social security number or sensitive personal data under CCPA/CPRA. 
Like, we leave it up to the customer to define what they consider to be sensitive. But this data is stored in a data privacy vault where you can isolate and protect the data, and it’s highly secure storage. And what is shared outside of the vault with other systems is different levels of anonymized or de-identified data, like redacted or tokenized. So you don’t have the PII, personal data, proliferating in multiple systems if you don’t hypothetically need to.

Jodi Daniels  7:52  

Robin, can you share maybe a use case example of how a company might have access to or use that information like you just described?

Robin Andruss  8:03  

Um, so we do have a, like, I’ll use a customer that I can actually quote. IBM, you know, is one of our customers for their healthcare data, one of their healthcare data AI uses. So they actually, you know, they obtain the data, put it into the vault from, let’s say, like a healthcare organization, then they de-identify it so they can merge it and then run analytics on this data for, like, healthcare improvement purposes. So that’s kind of like an industry example. Another really, I think, more personal example is we also have, for example, a customer who kind of helps, just like people like you and me, with online wills, right. And so like, think about all the sensitive data that is in a will, right, and you might go do your will at like a lawyer’s office, and that’s on paper somewhere with like your kids’ names, your names, your social security numbers, your assets, your bank accounts. But think about, you know, as the world becomes more digitized, and this data gets put in the cloud or on different databases, like at least you’re not storing SSNs somewhere in an unencrypted bucket, or like a CRM system. So that’s another use case, is like thinking about it if you were to build a fintech app, or a health tech app, you know, really thinking about the consumer-facing use cases as well.

Jodi Daniels  9:24  

Very helpful and very fascinating. I like the example also of the small business use case.

Justin Daniels  9:32  

I guess what’s interesting, from my perspective, as we talked about in our pre-show, is we now have what, 10 states that have privacy laws, so they continue to proliferate. And in light of this proliferation, what are the challenges that you see companies facing today from a privacy perspective, and how can Skyflow help them with that?

Robin Andruss  9:56  

Yes, putting on my privacy leader hat, there’s a lot of challenges we have to face, whether it’s, you know, just keeping up with what’s going on with all the new laws, the new regulations, the new enforcement actions. So, you know, just take like, really, like when I think about Skyflow, like you’re really thinking about, like putting aside all the other things you need to do around privacy as well, right, like cookie consent. You know, Skyflow can really help you ensure that you’re storing it, like finding, isolating and protecting the data, and ensure you’re really storing it in a secure fashion. Which I feel like if you kind of look at all the different regulations, right, they talk about privacy by design, they have talked about privacy by design and default, and really thinking about how you’re building in privacy by engineering early on, right, versus kind of bolting it on at the end.

Jodi Daniels  10:51  

We cannot have a conversation these days without talking about AI. I feel like it shows up everywhere, whether it’s personal and people are talking about their cleaning robots, to privacy. And you’re gonna say something funny.

Justin Daniels  11:07  

Or the Chatbot that can impersonate me talking to my spouse.

Jodi Daniels  11:10  

There’s that, too. What I was going to ask is, where do you feel like AI fits in the work that you do on a daily basis?

Robin Andruss  11:21  

Wait, is there a chat bot? Is that Justin speaking? Can you build like a coffee chat bot of yourself? Can you just elaborate on that a little bit more?

Justin Daniels  11:31  

So my joke comes from — did you ever see the show Silicon Valley on HBO?

Robin Andruss  11:37  

I have, it’s been a while.

Justin Daniels  11:40  

In one of the episodes, two of the engineers who are always kind of arguing with each other, you know, kind of like how spouses sometimes have interesting conversations, the one created his own chat bot to interact with the other guy when he would email him and text him, and the guy had no idea until he saw him doing it one day. So could you imagine being able to use a chat bot to impersonate you to talk to people, if those were conversations you didn’t want to have yourself. So I throw in the sidebar because you could be on the golf course right now.

Robin Andruss  12:09  

And we could just have like a picture of your head, kind of like arguing with God like bantering back and forth.

Jodi Daniels  12:17  

You can, and there are tools today where you can take a video and put a picture in, and it’s not actually the person recording; you can have the voice and the picture that is there. So that technology does, in my opinion, eerily exist. It’s funny.

Justin Daniels  12:34  

We bring this up, Robin, because one of my big concerns right now is whenever — say you’re going to do a wire, nobody should wire off of just an email, ever. And a lot of times you want to call somebody, and that’s your second method of authentication. But now with deep fakes and being able to recreate someone’s voice, now you have to really be thinking proactively as to what that second factor of authentication is to wire money to somebody, because I don’t think you can just rely on voice here for very long anymore because of the evolution of this technology.

Robin Andruss  13:10  

That’s a really good point. Like when you’re purchasing a house, I know there’s a lot of wire fraud of like a deposit, and like how the real estate industry is trying to prevent that. And, yeah, very good point. But I can go back to my original question. So, Jodi, as you know, AI has actually been, you know, in the B2B privacy space, kind of a conversation more, even in the past couple of years, right? Because there’s that controller-processor relationship. So really making sure, if you’re acting as a processor, that you’re not using your customers’ personal data, personal information, for product improvements, or like certain contractual obligations that you’re committing to, which might include like AI modeling and such. So it’s an area, I’d say, the privacy industry has been touching on. You know, as a privacy leader, like, you know, AI, I feel like, fits into the world that I’m in, really ensuring that me and my team and the company, we’re doing the right thing regarding AI internally and externally, educating the team around best practices, building internal policies and practices around AI. And then I feel like at kind of the more global big picture level, like, you know, I’m really excited about the different frameworks that you’re starting to see around AI from the different regulatory agencies and really thinking about, it’s more than just privacy, right? It’s more than just the PII that goes into the model. It’s around ethics, fairness, trust, security as well, and really, you know, trying to figure out how to, you know, take control of this technology, hopefully, and build it in the right way ethically, and from a privacy and trust angle. So we’ll see if that happens. But the privacy industry is on top of —

Jodi Daniels  14:51  

You’re looking like you’re gonna say something. No, oh, okay. Off you go.

Justin Daniels  14:57  

Oh, I’m allowed to, you can speak. No, no, it’s your turn. Okay.

Robin Andruss  15:01  

Did you have a comment to say on the AI?

Justin Daniels  15:05  

Actually, Robin, I wanted to ask you a little bit more of a follow-up question. Well, I feel like I’m the one here who is responding. Okay. So I guess, Robin, like with all of your vast experience that you’ve had with privacy, for example, one of the areas where I’m advising clients is, depending upon your use case for AI, you have to be really careful where you’re getting the data from. The ChatGPTs of the world are scraping it all over the internet. And you may not be in compliance, for example, with certain privacy laws. And so I’d love to get your thought process behind how, as a leader, if you had to evaluate a product that your company may want to use or whatnot, how do you advise about balancing, hey, this AI is cool, but you know what, guys, the wider net we cast to collect data, we’re gonna run into a lot of different privacy laws.

Robin Andruss  15:59  

Yeah, I mean, that’s, that’s a tough one. Because, you know, with this recent AI boom, everyone is, you know, using the technology more and more, and collecting more and more data. I mean, you know, I think what we are starting to see in the industry is, like, you know, privacy, security risk reviews, right, and then we’re starting to see more kind of AI risk reviews built into those processes, whether it’s internally or externally. So really thinking about, you know, as you’re vetting, whether it’s a tool you’re going to use internally as a vendor, or even your, your team meeting, or just using tools externally, maybe for their own personal use, is really kind of looking at their practices and policies, how they’re collecting the data, what they’re collecting, what they’re stating publicly, you know, going through almost like a vendor privacy and security plus AI review, to feel that, you know, your customers you’re using are really, you know, following proper practices and policies around privacy data collection, just like you, you know, you touch on in Data Reimagined, and really using data for the right purposes.

Jodi Daniels  17:04  

All about building trust. We like that. Robin, as a privacy leader, you have a lot of insight that you’ve gained and you’ve learned and you’re able to apply to each of these other companies. And as privacy is booming, there are many other companies just putting in place privacy leaders. What would you offer to a new privacy leader as advice on how to get started and be successful in their new role?

Robin Andruss  17:34  

Yeah, I think those are two questions, because you are starting to see people kind of learning how to get into privacy. So that’s an interesting area as well. I think I’ll kind of break that into two questions for you. I mean, I feel like the privacy industry has been in general pretty helpful in trying to help new people, you know, get into the space, whether they’re coming from security, or, you know, let’s say consulting, or law, or, you know, just really have this passion for the area of privacy, privacy engineering and privacy law. I just did actually a podcast last week with the IAPP and a security organization, and we gave some tips. But you know, we talked about reaching out across the aisle, like reaching out to someone else and asking them for a phone call, or, you know, asking them to kind of talk more about their journey and how they got there. And then also, I give advice on, you know, learn, right, like, like when I wanted to kind of move careers from, like, kind of the finance world into privacy. Like I said, I just started kind of googling things. There wasn’t a lot out there at the time. But now you could, you know, go on LinkedIn Live and learn, like, what is privacy? What is data protection? What are the AI and privacy risks? How does privacy interact with security? I mean, you could, sometimes this is really boring, like, if I’m folding my clothes, I’ll like just put on like a YouTube video if I want to learn something new, but just really think about how you could learn and learn about the industry on your own. And then as you start to kind of enter the industry. Now, let’s say you’ve been in the world for a while, and you’re a new privacy leader, or you’ve kind of shifted from another role. I would say to take some time for yourself. It’s a marathon, not a sprint. At this point, I’m just kidding. 
But seriously, I mean, I think, you know, one of the one of the things that I’ve done in some of the programs that I’ve been part of or led is that we’ve really thought about kind of building a scalable privacy program, right? Because you remember there was GDPR, then there was CCPA. Now there’s CPRA, there’s multiple state laws. I like the concept of kind of thinking about it from like a holistic global perspective, right. You know, there’s these control frameworks in security, and in the privacy world I feel like, you know, if you can kind of think about if there’s like one framework you can follow with different controls where you can map it, and feel like, like I’ll use DSARs for example, right? Like every privacy regulation is going to have a data subject access right, or a data subject deletion right. So if you put that deletion in properly, you know, hopefully it fits as there’s new laws going into place, and you don’t have to recreate the wheel every time. So that’s why I say it’s a marathon, not a sprint, is thinking about how to kind of, you know, minimize your risk. Obviously, there’s this, there’s things you need to do immediately, but also taking, like, think about the long picture view of where kind of these regulations are going and how to future-proof yourself as well.

Jodi Daniels  20:31  

I appreciate the tactical example like those data deletion requests and things along those lines. Thank you for sharing.

Robin Andruss  20:38  

Yeah, and I’m sure that’s what you’re doing in your day to day life with all of your customers, right? Because you know, the state laws that are coming, and you’re, you’re probably helping them build scalable privacy programs.

Jodi Daniels  20:48  

We are. It’s interesting, because you will still have companies who say, for example, I’m working with one right now, they have people in California, Florida, Texas, a couple other states that might not have any privacy laws. And they have to make the decision, what will they do for the states that don’t require them to do that? But then if you build the process in place, if they choose to change their minds, or if the states kind of turn on, they’ll be in a better position to be able to manage it. And you can’t do all of the requirements at the exact same time, you have to be able to build prioritization, even though we want to, we want to do all the things that we have to do. The reality is a company only has so many resources, both time and money and people and capability, to put in place process. You have to start with what’s most critical for your organization and be able to build from there.

Robin Andruss  21:43  

Right, maybe it’s more of a triathlon instead of a marathon, because with a marathon, you’re just running and you just run more and more, and then you do your marathon, where with the triathlon, it’s a good example, like let’s say your swimming isn’t as good as your running. So you know, you have to swim more to be faster in that angle.

Justin Daniels  22:05  

I think it’s interesting, the two of you bring up this triathlon or decathlon idea, because it kind of goes to what I wanted to ask the both of you. And it’s this. So in my world, we’re all waiting for the new SEC regulation on public companies that relates to cyber disclosures. And an interesting area of intersection that I’m always dealing with is where privacy and security overlap when you have to classify data, and you’re concerned about if the worst happens with a data breach. And so what I was interested in from both of your perspectives is, how do you see privacy professionals interacting with management when it comes to, it’s great, we have a privacy program, great, we’re reminding that, well, but how are we integrating that with if the worst happens when it comes to data breaches? Because I can still tell both of you, when we’ve gone in to handle a data breach, they don’t have an incident response plan, they’ve never practiced, they’re running around like a chicken with their head cut off. And so what role does that kind of thing play in a privacy program? Or is it more, now we do our privacy program, that’s really what these security people ought to be doing?

Jodi Daniels  23:15  

Yeah, Robin?

Robin Andruss  23:17  

Yeah. I mean, I feel like in the companies I’ve been at, you know, privacy and security have worked really well together. I think, you know, we know, you know, as you know, you should have like a detailed incident response program, and do, you know, tabletop exercises, and really make sure you’re prepared when something like that happens. And the privacy and security leaders and legal counsel kind of work lockstep, hand in hand, to prevent something like that from becoming, you know, a chicken-with-your-head-cut-off situation. I would also say, you know, I think it’s the security industry, I feel like, there’s a lot of things we can learn from that industry, because, right, they’ve been around like, 20. Like they’re more mature than the privacy industry, associations are more mature than privacy programs, and really thinking about how to, you know, have kind of that incident response ready to go and execute on it as a team, you know, not as adversarial. So, Jodi, what are your thoughts?

Jodi Daniels  24:14  

I would add for a lot of the smaller companies, they tend to have security in place first. Yeah. And then they come and bring the privacy pieces in. And it’s a little bit of a hurdle to get them to understand privacy is equally as important as security. They’re, they’re different issues. And sometimes it takes an incident to make that happen. Sometimes it takes the pressure of a sale, or the competitive nature, or risk of fines with more states coming on, and then they realize, oh, well, I don’t want to be in trouble with fines. I guess I should start paying attention.

Justin Daniels  24:51  

One last thing I wanted to ask the both of you for the benefit of our audience is this. So as we’ve talked about, privacy laws are proliferating. 10 states now have them. So I’m going to ask you to wear two hats for this question. One is your consumer hat. And then one is your company hat. What are your thoughts around whether or how good an idea it is for state legislation to have the private right of action? That always seems to be a serious stumbling block and creates a lot of fierce conversations on both sides of that conversation. I’d love to get the perspectives of our two experts on the podcast today.

Jodi Daniels  25:27  

So I’m gonna pass it to Robin first as our guest.

Robin Andruss  25:29  

Okay. Um, you know, that’s a tough one, because I feel that, and this is widely debated in the privacy industry. You know, if you don’t have that, like, like that private right of action is more of like that stick that makes people really wake up and are really worried about doing, you know, making sure they’re actually there. They know that the plaintiff’s attorneys are going to come after them, right. So they are going to make sure they’re following the law. And they’re more concerned about it, maybe than say, like a regulation that’s passed, where you know, that there’s really no one who can really enforce it. But then you see the flip side where, you know, there could be too much regulation, too much kind of legal action with the private right of action. So balancing the two, you know, it’s a tough one in the US, I think, you know, what are your thoughts?

Jodi Daniels  26:21  

So my challenge is, I feel like you have plaintiff’s attorneys who will find every single little loophole, and a company might have really put their best foot forward, and there’s some little area that they were able to get in, you have big legal action. And then I feel like it trickles down to customers in a negative way with some type of increased pricing that could be reflected in insurance pricing across the board, increased regular pricing for whatever the product or service is. And ultimately, I don’t actually think it raises the stakes for privacy at an individual level. I would rather see more fines and more enforcement at a regulatory agency body than have it be at a litigation level.

Robin Andruss  27:09  

Yeah, and you think about CCPA, and then CPRA, right, you know, CPRA, they actually put in place like that the body that will actually enforce the CPRA. And so, you know, they kind of enforce that law by doing it that way.

Justin Daniels  27:25  

And I would add, I think the key to both points, or the points that both of you are making, is funding. You can stand up an agency, but if you don’t fund it and give it the resources it needs to go out and enforce it, it’s like you’ve created a toothless tiger. Fair point, anyway. Well, Robin,

Jodi Daniels  27:44  

with all that you know in the privacy and security space, perhaps when you’re out with friends, they might be asking you, what should I be doing to protect my data out in the universe? So what advice would you offer them?

Robin Andruss  28:00  

If this was six years ago, I probably would have said, make sure you understand your privacy settings on like Facebook, and Instagram and LinkedIn. I feel like people, for some reason, have gotten better at that in the last couple of years. So that’s good. I’m not sure if the settings just became easier to understand, or people became more aware of what they were sharing, and how, you know, I think it is kind of shocking, on a separate note, like how many people might be using really simple passwords that can easily be hacked, or like one password across different sites. I mean, so think of, you know, really thinking about using strong passwords and maybe using a password manager, like Keeper or something, although there is the caveat, there was a data breach with LastPass. But you know, really thinking about your personal information. And then another one is, you know, using a free credit monitoring service to know, like, how many accounts do you have, you know, is your credit still good? Or how can you improve it? Because that, you know, if you are hacked, which is probable, there’s other issues around privacy harms, right, that could happen to someone, but I feel like, you know, someone getting access to your personal financial information is one of like the most severe you kind of have to, like, come back from and fix. So being aware of what’s going on with your accounts.

Jodi Daniels  29:15  

Great advice.

Justin Daniels  29:18  

So, Robin, when you’re not leading privacy at Skyflow, and you are looking for those opportunities to have Robin time, what do you like to do for fun?

Robin Andruss  29:31  

I have two small children, as we know we have a kindergartener and a first grader so when I’m not chasing after them and enjoying time with them, I feel like my kind of like working out has been more like me time like going to a workout class or going to a yoga class or like a hike or a nature walk or something like that, just to kind of, you know, maybe listen to a podcast around privacy.

Jodi Daniels  29:57  

You know, if that counts as fun then that works. Robin, thank you so much for sharing all that you did today. If people would like to learn more or connect, where should they go?

Robin Andruss  30:09  

On LinkedIn. I’m the most active on LinkedIn. So you can look me up and connect with me. I like to connect with people. And then I am on Twitter. I can’t say I post that much. But I’d say LinkedIn is the first place you go to find me.

Jodi Daniels  30:23  

Awesome. Well, we’ll be sure to put that in the show notes. And we’re so glad that you stopped by to share all the insights you did with us today. Thank you.

Robin Andruss  30:32  

Thank you both.

Privacy doesn’t have to be complicated.