Debbie Reynolds “The Data Diva” talks to Samara Starkman, Managing Partner and Co-Founder at INQ Consulting, Partner at INQ Law Canada. We discuss her journey into privacy, her current privacy concerns such as ransomware, the ongoing issues of security and privacy, privacy news in Canada, the cloud, her advice to prospective new consultants, her professional training program, the need for constant research from trusted sources, the need for information exchange, the best first step to enter the privacy profession, her privacy concerns about future technological advancements, the effects of behavior on Data Privacy, the risks of data retention, why privacy should be a business decision, and her hope for Data Privacy in the future.
Debbie Reynolds, Samara Starkman
Debbie Reynolds 00:00
Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds. They call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. I have a special guest on the show from Toronto, Canada, Samara Starkman. She's the managing partner and co-founder of INQ Consulting, a Data Privacy consultancy up in Canada. So welcome.
Samara Starkman 00:42
Hi, Debbie. Nice to be here.
Debbie Reynolds 00:45
Yeah, it's great to have you here. I thought it was pretty cool that we get together and chat. We comment a lot on each other's posts and stuff on LinkedIn. And we actually have a friend in common, actually, a co-worker of yours. David Goodis was on the show. He was a former Privacy Commissioner up in Canada, so I really want to know, your journey into privacy, what got you interested in what you're doing now, in privacy with your company?
Samara Starkman 01:18
Sure. So I kind of fell into privacy by accident, which used to happen a lot, you know, a decade ago. I'm a lawyer by training, I practice law, and after I was called to the bar, I went back to school and did a degree in health law and policy. And I went into healthcare consulting. And from there, I ended up running the privacy department for a cancer agency here in Ontario. And I didn't really know about privacy at the time. So I really had a steep learning curve and learned a lot very quickly. And I quickly found that this was an incredibly dynamic and interesting area of not just law but of business. And that this was a really, it was growing. And as we rely more and more on data, I can see the potential. So after a few years there, I started my own consultancy. And we started in health privacy but have since expanded in 2021. My consultancy joined with INQ Law, and I now have both INQ Law and consulting as a combined kind of sister agencies or companies; I should say we've got the firm and the consulting firm. And I have two partners that I work with who are also experts in their own right, Carol Ann and Mary Jane Dykeman. And there's just so much potential ahead. And we're really excited about being involved in this really ever-changing field.
Debbie Reynolds 03:10
Excellent, excellent. What’s happening in privacy in the world right now, the concerns you have related to privacy.
Samara Starkman 03:20
So what I'm seeing a lot of lately, and we're hearing more and more about ransomware attacks. So even though it's a cybersecurity issue, it nevertheless impacts privacy and our preparedness around incidents and breaches. So we often talk about individuals being our weakest link, so to speak, within our organizations, whether it's malicious or not or clicking on a phishing email, but there are also just bad actors out there. Right now, there's a whole industry developing around ransomware, and often, mid- and small-sized businesses are just not able to be prepared either financially or from a knowledge perspective. So we're really trying to; I'm really trying to help small and medium-sized businesses in this area these days. And really, I think there's a huge need to make sure that we are, that businesses at least know what to do in the event of a ransomware attack. Are you seeing the same thing kind of happening in your work?
Debbie Reynolds 04:35
Yeah, I think ransomware is always going to be an issue. Because everything is so data-driven now, right? So there's just much more data available, there’s data floating around other places, people aren't really as educated as they should be. And then, as we were saying, even really big companies are having struggles trying to figure out how best to secure their data. I think it's just an ongoing issue, and then privacy is part of that. Because if the data gets breached, and you have to figure out whose data is breached, what laws apply, and things like that. So that definitely comes up. Give me your thoughts about what's going on in Canada in terms of regulation. So, we in the US, we look, especially me, I speak for myself, jealously at what's happening in Canada, saying that you guys are having a lot of movement there related to privacy. So what was happening, or what is happening, what will happen in 2022 in Canada, as it relates to privacy regulation?
Samara Starkman 05:47
Yeah, it's an interesting time. There is quite a lot of activity on the regulations and translation side. So we haven't seen quite as much as in the past few years. Frankly, the health privacy law in Ontario was created in 2004, and we really didn't see much action on it for many, many years. And now we are in Quebec, and one of the provinces in Canada, Quebec, is itself passing legislation. Now, with some significant fines, we are moving much more in the direction of more of a GDPR type of regime, it is not quite the same. But there are certain aspects that are being taken from that legislation. So we do see the right to be forgotten. Coming up, we see the need for a DPO, or a Data Privacy officer, as a requirement, the Federal Privacy Commissioner, so we have a private sector law that applies across the country. And maybe I'll just give a little bit of that foundation for some of your listeners who aren't as familiar with the Canadian legal system. So across Canada, we have private-sector privacy law that applies to any business that is in the private sector that doesn't have a provincial law that has been deemed substantially similar. So in Ontario, for instance, where I live, we have a health privacy law that applies, rather than that private sector privacy law, and that there's some of that in different provinces. But where there isn't another law, that is the one that would apply, all of them are very similar in terms of being based on the 10 fair information and privacy principles. But every province has the right to create their own laws as well around privacy and data. So we have, it's all consistent, but the standards may vary. And so, in the province of Quebec, that is where we're seeing quite a bit of action and legislation passing right now. There's also a health bill that was also just brought up, Bill 19. In Ontario, we've had some changes around the circle of care and who can share information and who can collect information.
We've had changes or at least a suggestion of our own private sector privacy law. In BC, British Columbia, there are changes, and we have changes around the Freedom of Information and Protection of Privacy Act. So that is one that applies to the public sector in BC. And there was a requirement that data remain within Canada that too is changing based on just our commercial reality that many of our service providers are located in the States. So there's a lot of activity happening in privacy across the country. And it's an exciting time, but it is for us privacy professionals, but also a very challenging one, I would say, for businesses to keep up.
Debbie Reynolds
Yeah, yeah. Well, I just want your opinion about this. So I think one thing that gets complicated in any type of privacy program or regime is when you have someone requesting data or information on behalf of someone else. So like a parent, for example, the minor or maybe the adult child of a parent or something. Tell me about how you manage those types of situations because I think that's something that the audience would be interested in.
Samara Starkman
Yeah, so it really depends on the legislation that they're under. And if we're talking about health care, there isn't a specific age in Ontario at which you are officially able to make your own decisions. So there is a dependency on the child's capacity, let's say, then there is substitute decision-maker legislation. So if somebody is a substitute decision-maker for their child or for an incapacitated adult, then they have to show proof of that before they can access those records. But it can get quite complicated, right? As I'm sure you know, there's always nuances. We also have in the public sector the Freedom of Information Act. Across the country, every province has their own version, and who can access records is much broader, I would say. So you aren't entitled necessarily to access any and all information; there are exceptions. And David Goodis is my go-to expert on that.
But I think it is always a complicated issue that does interact with other laws, and there are considerations that need to be made.
Debbie Reynolds 11:10
Tell me, what is the cloud. So tell me about the types of questions that you get that come up related to the cloud and how that gets complicated as it relates to privacy. I know a lot of that has to do with where data is and things like that. What are your thoughts?
Samara Starkman 11:33
We would often think of it as being some ambiguous floating blob, and people are a little afraid of it, and privacy professionals would always default to on-premises being the key area. I think we've evolved to a better understanding of the cloud and some of the benefits that there are in terms of having security protections that perhaps are more affordable than having in your own premises and monitoring. But also, when we think about data residency, as you mentioned, there was and continues to be concern amongst many Canadian institutions around storing data outside of our borders because then we are not able to necessarily enforce Canadian laws, or they may be subject to other laws. And some of this is perception more than it is reality. So we are able to enter into contracts with the vendors to store data outside of Canada; it is not permitted, it is not prohibited, rather from any of our legislation. And now, in BC, there's a couple of provinces that do require data residency in Canada, but for the most part, that is not the case. And so, as long as that data is protected to the same extent as it would be within our borders and subject to Canadian laws, then a lot of the time, that is fine. But what we found, what we do see now is that the market has opened much more in Canada, and some of the large providers have data centers here as well. So we have the AWS and Microsoft, and Google have opened up data centers so that there isn't a concern around data residency to the same extent that there used to be.
Debbie Reynolds 13:35
Yeah. You're running your own consultancy, what advice would you give someone who decided, okay, I want to strike out on my own, probably what was the thing that you learned and maybe you can pass on some advice to someone who's thinking about taking that step? What were you thinking?
Samara Starkman 13:58
So for me, it has been the best decision, and I can't imagine anything else. But what I did think when I went out on my own was that this would be a lot less work than working for someone else. And in reality, it is not as you know, Debbie, you know when you're your own boss, you are generally your everything. So you are not only delivering the work, but you're also running the business, and you're doing the marketing, and you're doing finances, and so my advice would just be to go in with your eyes open and know that it is more than just delivering work on a schedule on your own schedule. It is nice to have that flexibility when you can have it, but it is not necessarily what's going to happen. I think it is incredibly rewarding, and I get to work with all kinds of different things, different organizations who are doing really innovative, exciting things. And that's certainly one of the things that I love about it. I meet so many people, and the privacy field is wonderful. It's full of other supportive privacy professionals. Everybody is sort of rooting for each other and trying to bring each other up because we are all more successful together, I think. There is a lovely camaraderie within the privacy profession. And the work is just incredibly rewarding. So, I would say go for it. But go into it with your eyes wide open because it is definitely not something that is easy.
Debbie Reynolds 15:45
Yeah, yeah. And you actually have a training program to put together to give advice to people who are doing DPO services and things like that based on your experience and building your business and things like that. So give me a little bit of idea about this training program.
Samara Starkman 16:08
Yeah, exactly. So when, as I mentioned, when I started leaving the privacy department, I really didn't know much about privacy. I didn't know how to run a privacy department, and I was looking for that how piece, you know, I can find the what and the legislation. What I couldn't find was really the how. So throughout the years, I've really noticed that a lot of our job as privacy professionals is very similar in organizations, no matter what industry you're in. And no matter what laws you are subjected to, the actual activities and responsibilities are pretty similar. And so I've put together the how pieces. So the framework around running a privacy program from assessment, prioritizing your risks, implementing what you decide to prioritize, and then monitoring, and it really is a cycle. So that's the Privacy Officer blueprint is what I've called it, and it's launching shortly. So I'm very excited to finally be bringing that to light and bringing it to the world because it really is something that is near and dear to my heart. I'm also seeing a ton more people who want to get into privacy and a lot more people hiring in privacy. So this is a really great time to be getting into the profession because there certainly are people looking.
Debbie Reynolds 17:38
Yeah, yeah, you're right, I think, especially privacy, many of the jobs that exist now, that are being created, they didn't exist in the same way many years ago. So I think people are looking to get into privacy on a lot of different paths. There isn't just one way to do it. But tell me about research. So I think if you're a privacy person, you have to constantly be reading, constantly researching. How do you find that part of privacy?
Samara Starkman 18:16
And I think there's always a lot to read, certainly. But there are also people that I follow on LinkedIn, like yourself, and others who distill the vast amount of information around the world. And so, I think it's finding those trusted sources and focusing on those. And then when I do have specific clients, specific cases, then I do a deeper dive into those issues. So keeping a pulse and keeping a good understanding based on trusted sources, I think, is a really important piece for all privacy professionals.
Debbie Reynolds 18:58
Yeah, I agree with that. I have a lot of people that I follow as well. We chat, and we exchange articles and stuff. And then I also point out something you said, even though I don't know, maybe it's not a complete kumbaya thing, but I feel like privacy people tend to be very open, sharing with, helping one another, giving people pointers and stuff. To me, I've not found it to be a situation where people have been not so tightly knit, even though I think there are probably parts where some people want to be; that's kind of their thing. So I feel like, in order to be successful in privacy, you have to learn how to have conversations with people at all levels. You sort of break down silos, so I don't think that you can be successful in privacy by creating more silos. What are your thoughts?
Samara Starkman 19:54
I totally agree with you. I think a lot of the time, we come into projects, and we connect people. So we connect it with the project manager with the business with the legal, and if you are somebody who creates silos in your own work and your own life, it makes it harder to bring people together in other aspects. And so I think when I started in the field, I went to an IAPP conference. And I just felt so welcomed. And that was a lovely introduction to the privacy profession. And of course, you're going to find people everywhere in every profession that are competitive. But I think we've all recognized that we do rely on each other to a certain extent to understand what's going on in the world, to get different perspectives. There's so many different interpretations of things, and we want to understand and debate. And I think we have a lot of, we just need help, like, there's just so much work out there. And so many projects. And so I talked to a lot of people, who want to help others get into privacy as well, which is a really nice way to pay it forward.
Debbie Reynolds 21:11
In terms of people getting into privacy, like what will be your advice for the best first step to do that?
Samara Starkman 21:21
So I think that learning is always a good first step. So following people that you trust on social media, reading about it, and doing your IAPP certifications, I think, is a helpful tool. You know, not everybody feels that way. But I think that certainly shows that you are interested and committed to privacy. Doing my course, of course, and other attending conferences, I think, to the extent that you can demonstrate an interest in that you are learning, I think that's a really good first step and speak to people, talk to people who are in the field and start to get involved in the community. And I think that's the best way to have opportunity materialize.
Debbie Reynolds 22:14
I think so too. I think if you show genuine interest that you're really trying to help yourself, people will want to help you. So I think I've seen a lot of people, they say, oh, I want to get into privacy, like, well, so what, what books are you reading, what articles? Whoa, are you following someone? You know, they don't really, can't really answer that question. So it's hard to have people wanting to help you if you don't really show that interest.
Samara Starkman 22:48
That's right. Absolutely. And I think it's an attitude. I think if you're in privacy, you always have to be learning. And so, if you can at least show that you are somebody who is a continuous learner, then that also will go a long way.
Debbie Reynolds 23:04
Yeah, I totally think so. I totally think so. What is happening in tech, in terms of technological advancements, that concerns you about, maybe in the future about, privacy in any industry?
Samara Starkman 23:25
So, not a concern, necessarily, but AI and machine learning are exploding in different ways. And the regulation of that is developing; I would say my partner, Carol, has been following the artificial intelligence developments for years. And I think that that's really the space where data governance, how to govern AI, I think that's a really big developing area that, if not handled well, could result in some unintended consequences. And so it's adjacent to privacy. But it's certainly one that is something that we'll keep an eye on, and we're finding more and more clients are looking at. How do we make sure that we even can evaluate the robustness of this technology? And how do we make decisions around the data? And I think that's true, really, for privacy as well, that understanding that privacy does form a part of data governance more broadly. So we're seeing a lot more of that, I guess, within tech. The other thing, I guess, is distributed, federated data, which is an idea that I really, really like that data residing in place and being able to, rather than creating data lakes and large data repositories that are further at risk to be able to keep data federated is another really interesting development that we're seeing around tech.
Debbie Reynolds 25:07
Yeah. Both of those are really cool. I'm glad you brought those up. So, I agree with you on AI. I feel like the harm that can happen to people, and I feel like there may not be an adequate redress for harm that can happen to people, right? So, being able to get in front of that is very important, especially as we know, not all AI systems work the same for everybody. So pretending that it does, I think it's problematic in and of itself. And then also, I like your idea where you're talking about federated data. So, right, a lot of times where you have tools that are being introduced on the market, a lot of it is like, well, let's create a new bucket of data, so every application has its own bucket of data. But depending on how organizations are using data, they don't really understand even their risk because they're replicating this data in so many different places. So even though they say, okay, we're done in marketing, we're finished because we did all this mapping. We know where all the data is, and then you find out that that data is duplicated somewhere else so that you have that same problem all over again. What are your thoughts about that?
Samara Starkman 26:21
Yeah, absolutely. I think that's exactly it. I mean, internally, in companies, you have that issue of increasing your risk because you are retaining more data than you need, or you have multiple copies of it. And then we're seeing a lot of collaboration between different organizations that want to do good with data. So in healthcare, for instance, doing research or analytics on patient data, and rather than forming another repository of the data, where it's a copy, or you're constantly updating it, and may not be accurate, you're creating governance, that controls who has access to what but the data can stay in place. And so, I think that's one of the exciting technological innovations around data that can be much more privacy-protective than the creation of these large data repositories, which was always our only option in the past.
Debbie Reynolds 27:22
Yeah, then too, some of it, I agree. I'm glad to see that there are technologies being created in a way that they don't really want to add to the problem, right? They don't want to add to the burden of adding more data, they don't need to, but then some of it is about behavior, and how people behave, and how they act. So some people like to keep duplicates, they like to keep stuff, and they don't like to share their data. So that's why I think it's pretty interesting for privacy people because when we see someone, and they're duplicating data, you're asking them the why. And sometimes, they can't really answer that question. Because I just want to have it myself, that's why.
Samara Starkman 28:05
Yeah, or it's just retained indefinitely because you never know if I'm going to need it in the future. And all of these things do increase risk to the organization. And as we're seeing more and more, I mean, this is something I've definitely seen with clients who have undergone breaches and ransomware attacks, where they just have data that goes so far back that has now been breached. And they're in a situation of having to notify a large number of people, which is quite costly and inconvenient, I guess. So that's definitely a huge risk for organizations.
Debbie Reynolds 28:43
Yeah. So let's talk; we touched on it a bit. Let's talk a little bit more about data retention. So to me, I feel like this is the low-hanging fruit in organizations that no one wants to actually work on or do. But I like to tell people if you have data that has a lower business value, it has a higher privacy or cyber risk because you don't really need it. And maybe you're not protecting it in the same way that you're protecting data. And then so, how do you have conversations with organizations about kind of this data retention, because nobody really wants to talk about it.
Samara Starkman 29:19
Nobody wants to talk about it. I think the first thing is to know what data you have. And even the creation of that data inventory is often something that organizations have not engaged in. And so there are now more technological tools as well that can help to identify that data and even keep your inventory up to date. And I think those are really useful tools as well and lessen that workload of creating the data inventory because that itself can be a challenge. And then, once you have your inventory, you can start to think about and look at what do I need to keep? Where do I have duplicates, as we've just mentioned, and then start to cull what you don't need. It is an education, and I think as well, too, for organizations that understand that if you can't see a use for it, then don't hold on to it. The idea that I might need it in the future is in itself problematic because that increases the risk for your organization. So I think there's an educational piece. And then there are some very tangible things that can be done like that inventory and thinking through with the business, it isn't a privacy decision, how long things are kept? It's a business decision. So have those conversations.
Debbie Reynolds 30:35
Yeah, right. I agree with that. So that's actually another good point that you made about being a business decision; I think, as a privacy person, you can bring up the points, right, you can give your advice, but at the end of the day, the company has to decide what they want to do. Right?
Samara Starkman 30:54
Absolutely. We're often consulted at the beginning of projects before any decisions have been made. And I always put it back to I said, don't have privacy drive this project, have your business needs drive it, and we'll create a privacy program that supports it. So it is often, I mean, these data decisions are ones about business needs, and privacy is there to enable and support. And that truly is, I think, we can raise risks, we can identify them and raise them. And then there are business decisions around what's going to be tolerated and how things are going to be a goal.
Debbie Reynolds 31:34
So if it was the world, according to Samara, and we did everything that you said, what would be your wish, for privacy anywhere in the world, or technology, law, anything?
Samara Starkman 31:48
That's a tough question. I think, you know, I don't know if I thought about it to that extent. I mean, I see privacy as people having choices and being able to know what's happening with their data and choose. And what that means. And what that looks like is not necessarily knowing every single use, but knowing how decisions are being made about my data. So I think in this world of artificial intelligence and big data, so to speak, it's challenging to actually even ask for consent necessarily for every single use of that data, but to understand how data is being governed and how decisions are being made about data, I think it is a really important thing for individuals to have control over and be able to say no, we have to be able to control what happens with our data. And ultimately, privacy isn't about keeping everything secret. It's about choice.
Debbie Reynolds 32:48
Wow, that's great. I love that. That's a great answer. Well, thank you so much for being on the show. This is great. I'm always happy to chat with anyone in Canada. You guys have a great perspective. And I like what you're doing.
Samara Starkman 33:03
Thank you so much for having me. This was so much fun. And I will see you online on LinkedIn. Perfect. Perfect. Thanks, Debbie.