"The Data Diva" Talks Privacy Podcast

The Data Diva E107 - Keith Budden and Debbie Reynolds

November 22, 2022 Season 3 Episode 107
"The Data Diva" Talks Privacy Podcast
The Data Diva E107 - Keith Budden and Debbie Reynolds
Show Notes Transcript

Debbie Reynolds “The Data Diva” talks to Keith Budden, Managing Director at Ensurety.  We discuss his podcast and book, “GDPR Made Simple”, the tendency to overstate the complexity of the GDPR, the generally false threat of disgruntled employees and the true nature of insider threats, the correct mindset and fewer errors, the reactionary view of GDPR in the US, actions are needed as well as policies, frustration when advice is ignored, and the need to emphasize it’s the importance and document it, the human side of data privacy training, common sense, and GDPR, over-emphasis on consent, regulations not connected to current reality, UK is between US and EU in terms of privacy, and his hope for Data Privacy in the future.

Support the show

people, company, data, consent, agree, talking, uk, debbie, world, law, policies, regulation, eu, day, person, refugee, bit, privacy, organization, put
Keith Budden, Debbie Reynolds

Debbie Reynolds  00:00
Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.

Hello, my name is Debbie Reynolds; they call me "The Data Diva". This is "The Data Diva" Talks Privacy Podcast where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know right now. I have a special guest on the show. Keith Budden. He is the Managing Director of Ensurety in the United Kingdom. Welcome to the show.

Keith Budden  00:41
Thanks Debbie, yeah. Great to be here.

Debbie Reynolds  00:44
Yeah. Well, I had the pleasure of being on your podcast, which is The GDPR weekly. It was a fun time, and I thought it'd be great to have you on my podcast. I'm a baby podcaster compared to what you've been doing. You recently had a great milestone you're over 200 episodes of your show. Now, you've had 75,000 downloads, and you also have a book out on Amazon, right? GDPR Made Simple.

Keith Budden  01:21
That's right. Yeah, yeah, the book is doing very well. And basically, I managed to get the whole GDPR into a book that is 150 pages long. Will it make you a GDPR expert? No, it won't. But will it make your business GDPR compliant? Yes, it will. So you know, so yet, there's still a need for people like me; I'm trying to do myself a business. But yeah, I mean, for most small businesses, it will give them everything they need to become GDPR compliant. And that was my aim, was to put it in everyday English that, you know, wasn't legalese that people could just pick up and, and run with.

Debbie Reynolds  02:02
Yeah, I don't know how you feel about this. But I feel like some people purposely try to make things like GDPR more complicated than it should be. Is it? Is it me?

Keith Budden  02:14
No, I would agree with you. I have a pet hate, which is those people oh, GDPR. Or indeed CCPA, do things in the States where they concentrate on penalties so that you know, you've got, otherwise, someone's going to come around and conversate your dog and sell it on eBay? It doesn't happen, you know, for your average small business. Yeah, dependency on their costs they are not important. But actually, you know, what? Don't concentrate on those. It's a bit like, Yeah, I suppose in the same way, Debbie, about data breaches, isn't it? You know, it's the big high-profile ones that hit the headlines, whereas, in fact, sending a bill to the wrong person in the wrong envelope is probably much, much more common. But it's never going to make the front page of The New York Times, it just isn't that relevant.

Debbie Reynolds  03:08
Right. And I think those other places where people fall down on these regulations are not the most sexy story, but it's probably the most common. So, for example, our kids like a lot of people like talk about insider threats within organizations about like data breaches and stuff, but I saw a study recently that said only, you know, when they talk about insider threats, I think about like some, you know, employee, disgruntled employee or whatever, and I saw statistics and they say, almost never is it a disgruntled employee. You're like, focusing on oh my God, this person's disgruntled or they did this thing, and not and also, not all insider threats are nefarious, right? So a lot of them are mistakes that people make. There are gaps that are there. That's probably the most common way that people have problems. I try to tell people this a lot.

Keith Budden  04:06
Exactly. Yeah, I always tell people how important it is that you record any data breaches that you have over time, that you make a record of them. And at the same time, though, you ought to look at that in the same way as in the company you might look at your accident. But yeah, if you've got someone whose job is posting out invoices to people, and every week, when they do it, they cut their finger on the paper. You don't fire them because of that you find a thimble to put on their finger. And I think it needs to be the same logic, you know, is to me at a data breach register is not about penalties. Really. It's about let's identify the needs for training within that organization. What are people they're commonly doing wrong? And yeah, a bit of training then do they actually, do you know what if you didn't do it this way if you do it slightly differently? Actually, you've solved a problem. And it's my idea one of my pet sayings, I think I might have said it when we spoke last time. But to me, Data Privacy, if you look at it right is a mindset, not a rule set. And if you can get the mindset right, then the rules are simple.

Debbie Reynolds  05:19
I agree with that, right? And I tell people, like don't get all tangled up into the fine details of everything. Because like, if you, for example, you know, if you understand the data that someone gives to you, it's not your data, and you have an obligation to take care of it. That will cover almost any law that you can think of, right?

Keith Budden  05:40
Yeah, yeah.

Debbie Reynolds  05:43
You just don't do those bad things. You'll be part of the way there already.

Keith Budden  05:48
Yeah, absolutely. I mean, again, in a similar vein, there's, I mean, I always say to people, if you do a bit of data about someone, whether it's on a computer, or whether it's on paper, or whatever. Think about that as if it was your data. And if you want, you know, think better, if that was my data? Would I be happy with that? Whatever the processing is, wherever that is happening to it? And if the answer to that is no, well, then why should anyone else be? Yeah, you know, and I think if you can get that mindset of, yeah, as you say, treat a piece of data as it's valuable and that you guard it, you know, and you treat it with respect, then you're not going to go far wrong.

Debbie Reynolds  06:34
Yeah, I know. It's so funny. So when the GDPR came out in May of 2016, I had been watching the law brew for a while. And I thought, you know, I'm the only person I know of in the West, even interested in this at all. And I thought, when I woke up on the morning of May 25, 2016, all of a sudden, it would be all the news, and everyone would care about it. And like there was like my age story, anywhere in the US, like, I looked at all the press all the trades, and no one was talking about GDPR. And I'm like, this is like a huge major thing. And so people didn't really, so I thought, okay, well, between 2016 and 2018. I made it my mission to start to educate people about that. And eventually, a reporter called me from a news agency around May of 2018. And they started talking about it, right? But I think the EU and US I can say this because I'm an American. My view is that the US, the way businesses think about issues like this is very reactionary. So no one really cared about GDPR. Because until the fines came out because if you think about it, in my view, the GDPR isn't that different from the Data Directive.

Keith Budden  08:00
Yeah, that was out for a long time when people started complaining; I'm like, so what were you doing before? No, I think you're absolutely right. And I think part of that, if I'm honest, I think the regulators brought upon themselves because I think there were all of us before it came in on the 25th of May 2018. Four years ago now. And there was all this anticipation report came in and you Yeah, it was a great time for me, you know, in terms of training people and things I would be inclined to optimistic, but you then all of a sudden it was, it came in and nothing happened. Yeah. And I think the general feeling amongst the general business community was probably a fact some people said to me, it was just another millennium bug in it, you know, so though the hype talks up by you people, in fact, is that nothing? Yeah. I think the authorities didn't help themselves. They're certainly here in the UK. But now that people can actually see companies being fined and fined on quite a regular basis, then I think now it's concentrating the mind. Yeah. Because now they're thinking, oh, actually, I don't want that to be me. And I'm here to give you an example. One of my clients is a soccer club, Blackburn Rovers Football Club. And I still remember the first meeting I had with them where they said, your job here is to keep us on the back pages and off the front pages. And and, you know, I thought that was a really good way of putting it, that you know, their concern was not actually financial, their concern was reputation. And, again, I often say to companies here as you worry a lot more about the reputational damage than about the fine because the fine is tomorrow's chip paper is gone. But the reputational damage can take you months, if not years to recover; in fact, some companies probably never recover from it. And, you know, I think sometimes that's underplayed what that damage can do to you. Yeah, I mean, you take Capital One, there's probably an example, in chapter one of the thing you're so active in the US, you know, but those of us in the industry now are very aware of the fact that they've had more than one issue with data. And, you know, suddenly like, well, you know, would you give your details to Capital One? Probably, you'd have some doubts about it, you know, now, okay, that hasn't seeped through, probably into the general public perception quite so much. But we, you know, again, it's about perception is about reputation. And it's about making, making things work. And at the end of the day, I mean, when I work with clients, I always say to them, I'm going to come up with three lines of action. Yeah, I'm going to come up with the things you need to do straight away to that you're breaching the regulations on how you're doing things at the moment. Things which you're doing, which actually, you need to improve, and we can work on those over the next three to six months. And other things that actually, if you want to be 100%, compliant with GDPR, you should do. But actually, I would never lose any sleep over them. Because actually, you know, probably less than 1% of the companies in the world do that anyway. And yeah, hand on heart. Do I believe that any organization is 100% GDPR? compliant? 100% of the time? No, I don't even think the ICO is 100% GDPR compliant 100% of the time. I think also, we need to get past this idea that somehow if I create all these policies, and all of a sudden I'm done. Yeah. GDPR is kind of about what you do. Like, what actions are you taking, so you can have all the most perfect policies? And if you don't follow what you say you do, that's worse, you know? So I think people need to get out of this idea that okay, all I need is a template. And I fill this out, and I put it in a drawer somewhere, and then I don't do anything, or I don't follow anything I say. Yeah, absolutely. I 100% agree with you that you know that. Yes, of course, you do need policies. But as you say it's the application of those policies that's as important. But, you know, there's no point in having a data retention schedule that says you destroy your data every year. And in fact, no one does. And 10 years later, you have an audit, and suddenly the authorities find you've got lots more data than you said you had; you've got yourself a big problem. In fact, you'd almost probably been better off not having that policy.

Debbie Reynolds  12:40

Keith Budden  12:42
Everyone, you'll just ignore it. Because and the other thing is a thing. And this is something which I've been saying to my clients recently, is, you know, have a fairly obvious thing that you update, which is the privacy policy on your website, because I went to a website, and I see a privacy policy, which is still talking about teens, pre GDPR, right? I'm straight away that you know, that company or that organization doesn't get it. Yeah. Whereas if I didn't want that, and it says last updated December 2021, or something, I'm like, oh, okay, they're probably on the ball. Yeah. Yeah. And it's little things like that because, you know, the authorities are big day but however big they are, they're never going to have the resources to investigate everybody. It just ain't gonna happen. And I think also, that's part of the problem the authorities have had, certainly in it up until probably 12 months ago, was very much that they were being reactive rather than them being proactive. So you know that they got 10 complaints about companies. So they go and investigate what was going on. But they weren't actually looking for monetization. And indeed, something I raised with the ICO myself a few months ago when we were talking about changes to UK GDPR was I think we're in the wrong place. I'm very much a believer, you know, if it ain't broke, don't fix it. And the bigger issue is that even today, four years on from when it came in best estimates are in the UK, only 25% of companies who should be registered for GDPR have actually registered. And that to me is a far more worrying statistic than should we be tweaking a little bit with the legislation.

Debbie Reynolds  14:37
I agree with that. Right. You want people to get on board with what's happening. Right? I agree. So before you can start making trade changes and tweaks you need to get people fully on board with what you're doing right now. I want your thoughts about this. So I love to talk with people who are in Europe because, in the US, we have a very different view, obviously, of the way privacy or data protection or whatever you want to call it. We think about it here, but there's something that comes up in a debate with people a lot. And I want your thoughts on this. And I can tell you my thoughts. So I've had people who are kind of Data Privacy officers in Europe, and I've heard them be upset when, let's say they gave a company a particular type of advice, and the company didn't take their advice. They were like, upset as if what they said like the company had to take their advice. So what do you think? I can tell you when I think about that, but I want your thoughts on that.

Keith Budden  15:44
Oh, yeah, I mean, I mean, I get that in a way I get that, you know, if you, if you give a company advice, and they ignore you, then that's frustrating. Course it is. But I guess there are two parts to that, really; I guess, if I took a purely pragmatic view, I'd say, well, as long as they pay their invoice, do I actually care? You know, there are more fish in the sea. And I would say, you can lead a horse to water, but you can't make it drink. But what I've found with that is that if I'm getting that reaction that I find that people are, of course, it doesn't happen that often. But if I get their reaction where I think they're just not taking it seriously, then I think it's incumbent on the DPO to be forthright enough to say you're not taking it seriously. And I have actually only one trying to do this. But I've actually written a letter to them with a copy to the ICO saying that, you know, I've provided all the information, but they are not taking it on board. Therefore, although they've got policies that have been written by me, I'm absolving myself of responsibility for what they do with it. Because, you know, if they really, really don't take notice, then you want to hide. I mean, I had a very real-world example, this last week as a company, I had to jump; they hadn't done anything towards GDPR. I gave him a set of policies. We've seen it's a fairly chunky amount of documentation. Around three days later I said we should set up an appointment to actually go through the documents and make sure they understood. We don't need that. We've read them. We're all fine. Yeah, no way. Don't believe them. Yeah, yeah. I think you from where you were, where you had nothing. And now you've got all this and you're telling me that three days after I sent it, only three days, you read all that, and you really suddenly understand it? Okay, right. Think I'm good at writing things, but I'm not. You know, it's about yeah, a sense of realism. Really? Well, what were your thoughts on it, then Debbie?

Debbie Reynolds  18:14
Yeah, I agree with you can lead them to water, but you can't make them drink. You can give them advice. I think it's important to document what that advice is. And like you say like you did a letter, or you can even create a document for yourself to say, this is what I did. This is what I agreed to. This is kind of what happened, but I think at the end of the day, the company has to decide what their level of risk appetite is. And then for you as the advisor, you need to document sort of what you said, and when you said it you know.

Keith Budden  18:53
Yeah, I think you're right. And I think you touched on something very, very valuable there, which, which is risk appetite, you know, I mean, I mean, somebody, I've had that with a company, as I'm working with at the moment where I was sort of meeting with them just this morning. And one of the things that came up there, we were talking about one part of their operation where they've only got a handful of people working in that organization in that part of the organization. And they recognize that that part of the organization is not at all GDPR compliant at the moment. But it's a small number of people. The only thing is a small number of personnel, veterans, they don't have any personal clients or anything. It's a b2b operation. So I said to him, Well, you know, at the end of the day, it depends on your risk appetites, like if you're going to say, well, actually, there's only five people there. They're very subdued. In fact, we even forgot about them when we were asking you what to do. And so we haven't included them. If you say actually, you know what, I'm not going to spend any money or time and effort on them. I'm just going to take that risk that the chance of something happening there is so small or live with it. Well, that's your risk appetite. And what I said to the time this morning was, I can't tell you to do that yet. And there's no way on I will put that into writing to you to say, you know, that's your, that's your choice. But the reality is, that's your choice. Yeah, I can't make you do it. And know what I want and know what I want to really because, at the end of the day, that's too short, that's not one; I've got enough people who do want to, fortunately, and other people who do want to do what I tell them to do. I don't need the ones who are doubtful. Yeah. So you know, so make your own mind that, yeah, what's your risk profile and process is going to vary from company to company from organization to organization? Some organizations, by their nature, are very risk-averse. And that's fine. Some, you know, maybe if you're talking to a company, I'd know there's those who are futures trading, their risk profile is going to be very different to a charity that, you know, and yeah, it's finding where are you comfortable with that risk? Because let's face it, all of us who are in business every day, what we do, is about risk. Because if we only ever made the right decisions, we'd make decisions a lot quicker. And a fact of life is we don't always make the right decisions. But sometimes we make decisions and we get them wrong. And there's a risk in doing that. And what do you feel comfortable with? Yeah, yeah, if I'm driving, if I drive in my car, and I parked it somewhere that I shouldn't, but I know, I'm only going to be five minutes, I might decide that's a risk worth taking a risk to get another ticket for that. But if I'm somewhere where I'm going to be gone away from the car for four hours, I might have to take their risk now if the risk is too high, their chance of getting a ticket is too strong. Now, okay, you should take an idealistic view, every holier-than-thou view and I can say you should never do that. But the fact of life is, is that we're all human. We're all fallible, and, you know, show show, show me a person who's never done something they shouldn't. And I'll show you a liar. Because, you know, at the end of the day, we all have at some, at some point, it's a question of magnitude.

Debbie Reynolds  22:40
Right. I agree. I agree with that. I would love to talk a bit about the human side of working with companies on policies and procedures and things they should do about GDPR. I've seen people who feel like, okay, I'm going to come in with this fistful of policies, and I'm going to tell everybody what to do, and they're going to do what I tell them to do. And they pretty much go down in flames, like that's such a not a helpful way to approach talking with people and getting to know them. Because I mean, really, you're only going to be as successful as people are comfortable with talking to you and giving you information. What are your thoughts? What's your experience there?

Keith Budden  23:27
Yeah, I'm again, I'm 100% with you because actually one of my interests in one of my, one of my largest clients, they're an FTSE 100 listed company, massive company, they actually said to me that one of the things they'd been impressed with me about was that between them, me first talking to them. And then we actually started working on policies with them. I spent several days of my own time at no charge to them, finding out what they did, actually investigating them as a company getting under the skin of the company, and finding yeah, how do they work? What were they doing? Where were they based, all these sorts of things? And they said that they actually took it very much to heart. And they've recently given me a testimonial because there's the fact that you did that. That meant that when you put the policies through at all when you were talking to us about what the policies were going to be. We didn't have to spend time explaining what we did because you'd already done that. We could spend time talking about how did we apply what the rules were to what we were doing? So you know, so those are the are you able to say well, okay, you don't have any consumers. So all the bits about consumers. I'm not going to bother with that, because you don't need that. There's no point in you reading 40 pages. That's actually something you're never going to need. So let's forget that. That's fine. Concentrate on just 10 pages you do need. And let's mold those to be as close as we can to the way you work now because you know, I don't know if you've found this Debbie, it's certainly been my experience. Actually, your average company is doing things at 90%. Right? They just don't realize that they are. And actually, you know, sometimes it's not a case of going into a company saying, You need to change this, this is this sensitiser just saying, we need to document that you do this, this, this and this. And in fact, you might tweak it a little bit, but actually, the main core of what they're doing, yeah, it's fine. You know. And again, I guess, in part, again, that comes back to this whole, we teach them better, but talking about this whole risk profile thing, of, you know, if I, my view is, if I'm the owner of a company, do I want procedures which are 100% boilerplate law? No, I don't. I want procedures, which achieved a legal result, but my staff didn't understand and will act in the way that they do. And part of what I think falls on people like ourselves, through commercial work that we do, but also through the podcasts that we do, and so on, is trying to put sometimes why things are important, rather than how things are important. Because if people get the why, against the mindset thing, if they get the why then the how comes easy. And it's just a case of yeah, actually, I spend time, always spend time, sitting there, talking to them, getting to understand how they work at the moment, what what's important to them. And you know, what, I always get over to the most important things like you know, you don't have a data breach register, I don't care, whether it's a sheet of paper in a folder, or whether it's an Excel spreadsheet, or whether it's the specialist program, I really don't care, they all do the same thing. At the end of the day, what I do care about is that you've got one and you put entries in it. Because if you're a reasonable sized company, and I'd come back in a year's time, and I said, can I have a look at your breach database register? And it's blank? I don't believe you. And, you know, because and again, is getting out of this thing, because I imagine with GDPR it's one thing that people really get hung up on, and I wish they wouldn't is people saying with GDPR, we must have consent for everything. Yeah, you know, were you there we were, we want that we must have your consent, we have a tick box to say you consent to that. Why? In a recent example, with a company I started working with a year ago now probably, I was talking to their marketing department and they said we need to go out to each of our customers and their HR contacts and ask them if they can send us marketing material. And I said, why? Well, because you know, we do that so long as I said, yes, no. I said, you know, I said, put yourself in that person's shoes. Again, this is where I would say to wear someone else's shoes. So put yourself in that person's shoes. Every week. For the last God knows how many years they've been receiving an email from you from your on a Friday afternoon with your officers a week. Have they ever complained about that? No. Ever clicked unsubscribe on that? No. Then why now? Do you want to ask them whether they want to have that every Friday? They just do. As long as you don't go mad? Yeah. You don't suddenly start making them every day when you have been only doing them once a week. Or you don't sell I don't know machine parts and all of a sudden you start making offers about spaghetti then there's not an issue. I just want to say don't overcomplicate the damn thing, right? If you've got clients or prospects or whatever, it'd be receiving that communication from you. And they've had no problem with it. Carry on sending it to them. Yeah, obviously, yeah. It's to cancel the drive or as I don't want these anymore. Yes, you need to unsubscribe them. End off. Just keep going. Yeah, because at the end of the day, it's about what you would reasonably expect. Yeah. If I take my car into the garage to be fixed, and they fix it. And then for two weeks after that, they send me offers about what about it seems they've got on offer on their forecourt. Hey, do you know what I'll say about that? No.

Debbie Reynolds  30:10

Keith Budden  30:11
If it's a garage that I've never had any dealings with in my life suddenly start emailing me about what they've got in their forecourt. Sure enough, yeah, I get upset about that. Because, you know, where did they get my details from? But otherwise? Now if it's what you've been doing and they're a customer of yours? Yeah, well, you can't get too stressed about it. No. And you know, what, if they get upset about it, they don't want it they'll tell you? So just carry on. And I think sometimes I'll tell you how best to describe it. The role is not a, it's not a line in the sand. It's not saying right, everything you forget. And now we start from there. Doesn't work like that.

Debbie Reynolds  30:51
Yeah, I love your common sense approach. I love this. I have heard early on, when GDPR came out, there was a church that they decided that they wouldn't do a prayer class because if they did a prayer and they say someone's name, they thought that they will be infringing upon GDPR. I'm like, that's not what this means.

Keith Budden  31:18
I had some information, you know when I'm not quite sure; it's been covered over and over in the States. But obviously, you know, all of our thoughts at the moment, and we're with the poor people in Ukraine and the suffering that they're having. And we're having in the UK, we're having teams with Ukrainian refugees coming to the UK, fair enough. And I was actually talking with a local authority this afternoon. And they said we don't feel that we can release how many Ukrainian refugees that are in each town and city in our state. Because that falls under GDPR. And I know it doesn't. I said, you know if you've got a city of 15,000 people, and you're saying there are 2 Ukrainian refugees now in that town, how is that personally identifiable information? It isn't, you know, I said, is that Ukrainian refugee walking down the street with a billboard saying, you know, I'm a Ukrainian refugee? No, they're not. So where's the issue? Yeah. Yeah. And also, it's a bit of common sense. Yeah, as I said, you know, if you need to notify the local health center, so that person can get health care, that person has arrived in the country and they're a refugee, then it just makes sense to do that as in their right to interest as one of the six conditions of GDPR. You don't need their consent to do that. You're actually helping them by doing that. So just do it. Sure, if you want to put a photograph of them in the local newspaper, yeah, you know, you need consent for that because that's not something they read, and it's very easy to do. But other than that, just download and get on with it; your life is too short. And it's at the end of the day, you know, I mean, I've put it to them this afternoon that I said today, the end of the day, if I'm a refugee, I've arrived from Ukraine, I've got absolutely nothing. Am I bothered that you gave my name to the food bank so that they can give me some food? No, you know, I'm not going to run into the ICO saying, you know, they gave my personally identifiable information away without my recommendation, but hey I got some food.

Debbie Reynolds  33:46
Yeah, that's true. That's true. Well, you touched on consent. So you know, we know that GDPR has these different legal bases, and people have gone kind of consent crazy. I do see other laws in different countries coming up where consent is the only basis right? They don't have other legitimate bases. But the GDPR isn't that way. But I feel like people have maybe this cookie, all the talks about cookies and stuff like that. People have made, people go bananas like they've gone crazy about consent because I mean, I asked the last question, and they're like, oh, someone did this and we need their consent. I'm like, no, you don't need their I mean, you can, you may be able to fit what you're doing within legitimate interests because the legitimate things that you're doing, you need this information to be able to provide a service so then why are you asking them for consent? That make sense.

Keith Budden  34:45
No, I tried to repeat people get too hung up on consent. They really, they really do. Yeah, because yeah, there's all these other legal bases, saying there's just my interest is that is probably most drama. One, if you need that information to perform whatever service that person is asking you to do, then you don't need consent. You just do it. Likewise, you know, the contractual interest, you know, if I'm an employee of a company, my employer doesn't have to ask me, can they post me my information so they can pay me? Yeah, it's just that this is there. And yeah, I think it's true. I mean, but talking about other laws that are, you know, yeah, let's face it. I mean, GDPR, for good or for bad is, in a way, and I suppose so take some pride in this, but it is becoming, if you like the platinum standard for Data Privacy across the day; we see more and more countries basing their laws upon GDPR. I do get worried, though, but I don't know where you've, you've seen it. But there's this new data law, which is emerging in India, where you have a database, you've got six hours to report it. Otherwise, you could actually end up in prison. And, you know, I think imprisonment's going too far for GDPR. To be honest, I mean, I think if I worked in a country where you can be imprisoned for things like that, then I think maybe it's the time I stopped being a GDPR consultant and find something else to do for a living. But I think that is where the timescale has to be realistic. Now, it now is the 72 hours we are bounded by GDPR realistic. Perhaps it sits out realistic? No, I don't think it is. Could I make a reasoned judgment within six hours of the day pitch of whether it needs recording or not? Right. That's a tough call. Yeah.

Debbie Reynolds  36:45
I think to me, I'm concerned about some of these regulations being untethered from technological realities. Right?

Keith Budden  36:55

Debbie Reynolds  36:55
How could you know, in six hours, like how could you even formulate something to tell anyone, within six hours or, you know, we were having these discussions too, in the US where they want to, we have maybe lawmakers that don't understand how the sausage is made in the background, and may not understand what it takes to actually execute on the things that that they're asking and are as a result, we have people creating tools, that say that they do this magical thing that people have asked for, but they really don't. So what are your thoughts?

Keith Budden  37:33
Yeah, I think you're absolutely right. As I say, I think there are sometimes too few plays by the lawmakers on how what is actually happening in the outside world, and what's actually practically possible, you know, I think there's something that worries me here in the UK, where we had the government in the Queen's speech a few weeks ago, and now it's the Data Reform bill, which is going to be looking at GDPR and, and how to make it a lighter touch. And so far, that's all they've said is, you know, we're going to look at it, we're going to look at how we can make the lighter touch, less impact on companies. I'm actually really worried by that. And I'm one of the people who has signed a petition to the government to actually say, don't do it. And for two reasons. One is I mentioned earlier about the fact we've got 75% of companies who've done well aren't registered anyway, and let's concentrate on getting them on board before we start changing things. But the second thing is, and I think it's something which the UK has to be really careful on is, you know, we had this whole thing of when we split away from the EU, and I'm not going to get into the rights and wrongs of Brexit, but we split away. And we needed UK GDPR to be said adequately. And you took until the 11th hour to do that, as I do it, you know, we used to that. But what lots of people ignore is that they put in their day directory statement that said, we can withdraw that added receipts, 24 hours’ notice. And that's the bit that worries me that I think, you know, we start playing around with UK GDPR too much. And the EU suddenly says do you know what? We're not satisfied that that's no secret anymore. We'd say it's not what we're going to put out a policy now was actually put out it was in 24 hours, even though they will say they didn't know they were I mean, that's just for the birds. But I suppose they even said we didn't pull it out in 90 days. Yeah. That I mean to be in a sense short term. It'd be fantastic news for people like myself. I mean, you would be like, pennies from heaven, but more serious now. It would throw the whole UK economy into meltdown. Because, you know, if you suddenly said to every organization that's exporting data to Europe, you've got an add on your standard contractual clauses onto the contract, and you've got to get them signed and everything else. Ain't gonna happen. Yeah. And I think that's the problem. And I think, you know, it's great that we've got GDPR; I think there are little bits of it that could be tweaked. It's not perfect. But I would hate to see it tweaked to the point where the EU said, you know what, we don't regard it as being adequate anymore. Because I think that would give us a very real problem. And that's why I say, I've certainly signed a petition to Parliament to say please don't do it. Because it's, at the end of the day, isn't perfect, but nothing is; life isn't perfect. Let's be honest.

Debbie Reynolds  41:03
No, to me, it's almost like abstinence education. Right. So let's do nothing and let that be our standard. As opposed to let's do something like no, it doesn't work that way. And then, you know, I don't know, I feel almost like the UK is in the middle between Europe and the US, where the EU, UK and the US have very strong ties, especially on the national security stuff. Yeah, so there's some shenanigans going on there. Right? That needs to be watched out for. But I think having the US having, hopefully, less so in the future, more of a laissez-faire, going on with our regulation and the EU and US don't agree on a lot of this stuff, I think almost like the UK wants to try to be a middle ground between and I think it's almost, it's almost impossible to do that, at this point, in my opinion, you have sort of a lack of law, lack of regulation in the US. Nothing to really hold on to at this point, and then you have a lot of regulation. So you're in the middle, where you know, I feel like especially you share and let you know, you're connected, you know?

Keith Budden  42:30
Absolutely. And I think the problem with that, as you say is, you can't be as much as anyone might want to be. You can't be all things to all men. And so you need to start at the end of the day, the government needs to decide which side of the fence to set, do it. Do we sit with the EU GDPR side? Or do we sit with a lighter touch US side? And I know we decided I'd rather sit and not just because I've written a book about it. But no, I mean, seriously? Yeah. I actually think I had somebody the other day when I was speaking at a conference and taking q&a. And somebody actually said to me, did I think GDPR had achieved its objectives? And I said, if I'm totally honest, I said, it's not perfect. But yes, it has. Yeah, I said, just, if you look back to the situation, pre-21st of May 2018, when we had 27 different sets of laws across 27 different countries, some of which were good, some which are bad, some of which were cited on different things, some of which were very verbose on different things. We've actually managed to take all that and put it into one standard, which we all work to the same standard. And I agree there's still an issue with enforcement that, you know, do we just Spain, and it's the sort of, you know, if forcing every man is dog every minute of the day, against companies, countries like Bulgaria and Romania, who did it, I don't think some of them have issued one fine in order for years that it's been down. But nonetheless, in terms of the law and its understanding, we are, we're all singing from the same hymn sheet. And I think that's got to be a good thing. And so then when you look at India, when you look at Japan, when when you look to South Africa, you look at these other countries that are based their regulations on GDPR. And you're like, well, it must have some fundamentals then, the CCPA come to that. It must have some fundamental set of strong because otherwise why would these other countries be using it as the base of what they're working to? And you know, I mean, I'm sure for you for me for anyone who works in the information security space, manna from heaven. I deal with situations that would If we had one set of rules that covered the whole job because then everybody went on to the same field, and we don't know where we stood. And in fact, it would then become just common knowledge, if you like, everyone would just say, you know what, yeah, I know what I'm doing. I know. That's the way we work. That's what we went to. Right. Now, we're still a long way from that, you know, I recognize there's still a long way from that. The actions of Russia have made that worldwide theme probably met now much less likely than they might have been. But the more touches we can get on board with the same basic concept, the better it has to be for everyone. Will it be tweaked lately for different jurisdictions? Of course, it will; that's bound to happen. But if we can get the core concepts to be the same, then, you know, I actually think that that would be, sounds very profound to say, a better world for everyone. But you know what I mean? It would actually make a much simpler world for everyone.

Debbie Reynolds  46:09
Well, actually, I think you actually answered my question. I'm not sure. So my question always is, if it were the world, according to Keith, and we did everything you said, what would be your wish for privacy anywhere in the world?

Keith Budden  46:24
Yeah, I think I've just said it. Really, I think my wish would be that if everybody adopted a standard, whether it's GDPR or some other standard, everybody adopted a standard methodology across the world, by golly, seems it would be a lot simpler. Now, okay, you could argue, wait a minute, well, that's going to be people like yourself out of business out of the trade, potentially. Yeah, perhaps it would be do you know what I'd like to think a little bit about your manner that and that, and I think that the whole job will be far more difficult. But I think it's well, and I think the other thing that we've had in the last two years is we all had to go through the COVID-19 pandemic, unfortunately touching anything, where do you find that that seems to have sort of now be at least manageable? How much better would that have been? If we analyze is something the US working toward how much better would that have been if we had data standards similar to GDPR, that government medical research status that all the countries around the world could be sharing that data, all working on the solution at the same time, rather than as I suspect probably happened, that you had different labs around the world effectively reinventing the wheel? Because one of them actually found that was the solution, but the others just didn't know it? And I mean to the whole world of IP and pharmaceuticals, and that, yeah, that's for another day. But I think it's, I think, the more commonality we can have, the better it has to be.

Debbie Reynolds  48:10
I agree with that wholeheartedly, I feel like there should be some fundamental things that we should be able to agree on across the board, hopefully, most of the world, right? So let's say theft or theft of someone's data is bad, right? Oh, I can agree with that. And then, you know, build on those principles, somehow, you know, I feel like, you know, a lot of these laws are, they're saying the same thing in different ways. And they may want to be executed in different ways. But I think, you know, and I've talked about the five fundamentals that I see, and like privacy regulation, so a lot of them GDPR is kind of the crown jewel, so it covers all of those fundamentals. But not all laws do that. So maybe some only cover one or two or three or four or five. So obviously, we have differences there and how and how and also how the prescriptive those laws are, right, yeah. But when GDPR is more like, hey, let's do what's reasonable. Do you know find a way to have it fit your company where something like the CCPA California has, like put a button on your website front page that says that? So yeah, there has to be a middle ground in there somewhere. So yeah, yeah. Yeah. Well, this is all great to talk with you. Wow, I could talk to you for hours. This is amazing. But I would love for people to listen to your show. Your show is amazing. Your podcast is the GDPR Weekly podcast. Your book"GDPR Made Simple" is available on Amazon, and I hope we can have time to chat in the future and maybe do some collaborations.

Keith Budden  50:07
That would be brilliant Debbie. Yeah, I mean, yeah, I think let's start this to get things moving and I just think it's long overdue.

Debbie Reynolds  50:19
I agree. I agree. That'd be great. That'd be great. Well, I'll talk to you soon. Thank you, Keith.

Keith Budden  50:25
Thanks, Debbie. I enjoyed that.