"The Data Diva" Talks Privacy Podcast

The Data Diva E166 - Emma Butler and Debbie Reynolds

January 09, 2024 Season 4 Episode 166
Debbie Reynolds, “The Data Diva” talks to Emma Butler, Creative Privacy (United Kingdom). We discuss a range of topics related to Data Privacy in an upcoming podcast. Emma shares her unique perspective on issues such as regulation, risk appetite, and the challenges small businesses face. We also discuss the importance of plain English and a people-centered approach to data protection, as well as the challenges of working in the field and the different roles of lawyers and non-lawyers. The role of a DPO in advising organizations is also discussed, emphasizing the importance of communicating what the law requires and working with the organization to achieve the right outcome. Emma stresses the importance of understanding the separation between the company and the data protection officer and that the decision and consequences of taking risks and noncompliance fall on the company. We also discuss professionalism in the privacy community on LinkedIn and the growing polarization in society. We also discuss the importance of maturity level and compliance within organizations, emphasizing the need for a realistic and sustainable approach that matches the organization's risk appetite and priorities. We highlight the importance of regulators and lawmakers adopting a people-centered approach to data protection and developing legislation that works for their context and culture. Overall, the conversation emphasizes the importance of a people-centered approach to data protection, the need for critical thinking and reasoned debate in the industry, and Emma’s wish for Data Privacy in the future.




SUMMARY KEYWORDS

people, data protection, organization, regulator, plain english, risk appetite, linkedin, job, company, data protection officer, data, compliance, privacy, risk, governance framework, ico, role, languages, frankly, ultimately

SPEAKERS

Debbie Reynolds, Emma Butler


Debbie Reynolds  00:00

Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds, they call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. Our very special guest on the show, all the way from the United Kingdom, is Emma Butler. She is with Creative Privacy, her own company in London, England. Welcome.


Emma Butler  00:42

Thank you, Debbie. Thank you for having me.


Debbie Reynolds  00:45

Well, you and I have been connected on LinkedIn for a number of years, we actually collaborated together when you were at Yoti about BIPA actually is pretty interesting, a number of years ago. And I've always loved to see you on LinkedIn, because you bring a lot of pragmatism and common sense to some of the wacky things that we see on LinkedIn. And as a professional, I'd love for you to give your background. I think you're really unique, have that background of working at a regulator like the ICO, working in private companies, and then there's your own independent consultancy, but I would love to talk about how did you get into privacy? How did you get to where you are right now?


Emma Butler  01:30

Almost, honestly, by accident, which is common for a lot of people, it's the one thing about this profession is that particularly in the UK, maybe less so in the States where it's more lawyer focused. But in the UK, people come from all sorts of backgrounds into this, and a lot of people you talk to have fallen into it by accident. To be honest, my background was languages. I did French and Italian linguistics at university and got a qualification to teach English as a foreign language and went off to Italy for two and a half years to teach English as a foreign language, which was great. Came back to the UK, did some more teaching English, mostly to refugees in the northwest of England, and then got fed up at teaching basically. But that kind of languages linguistics thing continued because in the northwest of England, there is a very particular organization called Plain English Campaign; they essentially edit documents into plain English. I joined them for about a year, which was great and really interesting and really played to my kind of interest in languages and grammar and communicated trying to teach people English I was now communicating and writing and trying to turn people's written nonsense into plain English basically. And I really enjoyed it. But I found just doing that one thing was sort of a bit monotonous. So I started looking around for other options. And the regulator is based in the northwest of England, and the local sort of newspaper, the Manchester Evening News, back in the days when you would buy an actual newspaper and look at job ads in it, which is maybe less common now, there was an advert for the ICO. I'd never heard of them, didn't know who they were. They were advertising at the time for a range of roles across data protection and freedom of information. It just sounded really interesting. I think if I remember correctly, it was something like do you want to come and work in human rights or there was definitely a human rights angle to it.
That always interested me. And I'd always threaded that through other stuff I've done. So I thought, well, that sounds interesting. I'll apply for that. And at the time, I didn't know this, but one of the roles that of the many they were recruiting for was to lead the international team in the policy department. And so because I had languages and so I spoke three languages effectively. And I've got the Plain English background as well. At the time in the ICO, that policy department was the one tasked with writing a lot of the ICO guidance. And the commissioner at the time Richard Thomas had started a big Plain English push, and said our guidance needs to be understandable by everyone. You know, it can't be written in legalese, etc. So it's all sort of coincided really that I interviewed and they felt that she's got the languages and the experience overseas and dealing with people from other countries, as well as the Plain English, this fits nicely into one of the roles we're hiring for. So they offered me that role as head of the international team in their policy department. And I thought, my, sounds interesting. Yes, it was a team of two at the time. And I kind of turned up on my first day and the manager at the time had been a bit lax and hadn't sorted the IT so I turned up to an empty desk, apart from one thing on it, which was a paper copy of the Data Protection Act 1998. And it was like, there you go, get stuck in. What the hell have I done? What is this? What? I don't do anything. And so it was a massive learning curve. But I spent seven years there, grew the team to a team of three and did all the overseas stuff basically at the ICO so all the stuff with other regulators in Europe primarily but bits and pieces of others around the world and it was really, really interesting. And at no point in my career there did anything else come up, you know, promotion wise that felt more interesting than what I was doing.
So I stayed in the position because it always felt to me like the most interesting job in the ICO. And I thought, why would I move into something less interesting, even if it was a step up or whatever. So yeah, so totally by accident. But once I was in it, I thought I quite like this. And I seem to be quite good at it. So I stayed, as I say, and then after seven years, and under two different commissioners, I got to the point where I thought, and I feel like I need something new and a new challenge. My husband also works in the profession, he got a job in London. And that kind of set the path to looking for a job in London, selling our house in the Northwest, moving down. And that's when I went in-house. And we moved to London. And I had various in-house Data Protection Officer roles at different companies, big multinationals, Yoti, as you mentioned, which is a small one, which only had about 100 staff when I joined. So several years doing that, again, I thought, I'm doing the same thing day in day out for an organization. And I'd like a bit more variety. So I've been toying with the idea of going self-employed. And then I finally went for it in 2021. And haven't looked back, really, and it's been great. And it absolutely is that variety that I wanted with clients from all different sectors, mostly small, rather than anyone a decent size has got their own in-house team. But they're quite varied in what they do. It's just been fascinating, basically. And it's been really brilliant to help all these different companies with different aspects of compliance. I kind of decided I wanted to offer more than just data protection. So I also do Plain English editing and training from that bit of my background. And I'm also training to be a life coach, although my interest will be career coaching. So once I get qualified, hopefully next year, then that's something I'll be able to offer as well and have all these different strings to my bow.
And they also often dovetail in interesting ways as well, which can be good. So yeah, that's me basically by accident. But it worked out all right.


Debbie Reynolds  07:01

Well, you're definitely multifaceted. I think people can tell that when they read the things that you post on LinkedIn, I think it's really brilliant, the work that you do. And so I really appreciate the guidance that you give, and always pragmatic. Some people talk more pie in the sky. And I'm like, that's just not real life, you know, so be realistic, it's important.


Emma Butler  07:27

Pragmatism and common sense for me, it's all about people, my entire career, the common thread has been all the different stuff I've done, it's always been about people in some way. And people being at the center. And that really informs my approach now, but you know, not just to the Data Protection stuff, but to the Plain English stuff, and obviously, the coaching stuff. It's ultimately all about people, and putting people at the center. And my take on data protection tends to be people and outcomes. Yes, there's specifics of the law and all the rest of it. But ultimately, if you're focused on people and outcomes, you don't tend to go too far wrong.


Debbie Reynolds  08:04

I agree with that, and I love your Plain English background. I think that's really important. And I think that that definitely shines through to me, in the ICO, their materials over the years. So definitely thank you for that. I think we have a bit of a challenge with Plain English in the US. As you can see, a lot of the privacy policies and notices are very legalistic, they're entirely too long. And that's the challenge that we have now here in the West, and I'm hoping that maybe I can help. I'm working on some things with the government about Plain English, actually.


Emma Butler  08:45

Yeah. And also, I think it depends what they're for, there's a lot more, we know that the US has been more of a litigious society, and that a lot of things are not really designed for the end user, really, they're designed to cover the company's backside from a litigation point of view. So you know, my approach is always target your audience, you write for your audience. So who is it that this is supposed to be for and what's going to make the most sense to them, and write it in that way. And whether that's a privacy notice or even you know, if you're in-house and you're having to write stuff internally, and policies and guidance and help out your colleagues, you know, and advise your colleagues and that kind of thing. You're not going to get anywhere if you speak in mumbo jumbo that no one understands. There's a lot of people who are quite insecure, I think, and they rely on making a living by this being some mystical thing that only they know about, or you know, some people believe only lawyers can do it because it's about the law and which I don't believe at all. The ICO was a really good training ground via many other people who've gone on to great things from it, but also because they took that approach of we will teach you about the law. What we need is other skills. And so if you're in the complaints department, there's a particular set of skills to deal with individuals and complaints. If you're in investigations or enforcement or in policy, you know, the international stuff dealing with people from different countries, cultures, languages, data protection is different in other countries, the culture, the legal and societal norms, they lead you to a slightly different place. And that's why all the regulators often have different views in Europe. And they don't necessarily agree, it doesn't mean the same thing, doesn't have the same place in their society. So if you're in that world, you want a certain set of skills to deal with that.
So because the regulator was kind of handed a law in the beginning that the Data Protection Act of 1984, and then over time, was then handed other laws, freedom of information, environmental information regulations, and there's a few others they have to do now as well, like they lose track, to be honest, sometimes, they're constantly being handed different laws to regulate and enforce. And when a new law like when freedom of information came in, nobody was an expert in freedom of information, because it was a new law. So their view was very much okay, anybody can learn the law, anybody can learn what it says and what the requirements are, that actually we need other skills. So whatever law it is, you end up dealing with, we'll teach you that bit, don't worry about that. And their in-house training was really good from that point of view. So yeah, it's very much about anybody can do it, basically. And so if you're able to communicate clearly, that's going to get you to the best place. Having this kind of ivory tower approach where it's so specialized, only certain people can do it, I don't think is very helpful. Yes, it has a lot of technicalities in it. And part of the challenge is how you communicate simply some quite complex notions and aspects of law to people who are not surrounded by it day to day, who have other jobs in the organization. And so it's about understanding, well, what's important for them to know. And whether that's in speaking or in writing, how do I communicate what they need to know in a language they understand. So we all get to where we're trying to get to. And again, we get back to outcomes and people every time.


Debbie Reynolds  11:54

I agree with that. I agree with that completely. You touched on something that I want to talk a bit about, which is people who are in data protection or Data Privacy who are not lawyers, I think for me, as someone who has been doing data type jobs for longer than I like to admit, I think that's the case, definitely in Europe, not maybe as much in the US where a lot of people came to it from some type of data management type of background, right? Or they were put in those roles because they knew how to communicate across different parts of organizations, different types of areas. And I think, to me, that's a very important skill, as you say, people can learn the laws and understand that, but I think we don't have enough people who can talk across different levels of organization, talk in plain language, to people at different levels of organization, whether it be a consumer, be a regulator or be a customer, what are your thoughts about that?


Emma Butler  13:09

I agree, I've always taken that approach, anyone can learn the law and if you want legal advice, and that's a very specific term, you get in a lawyer, clearly. But there's so much about data protection law that is what we call compliance, and if you distinguish kind of compliance, practical on-the-ground compliance, from legal advice, then you don't have to be a lawyer, you can understand what the law requires from an organization. You can read and understand regulator guidance. You can look at what different organizations do, talk to your peers, understand different approaches. And from that toolbox, help whoever it is you're helping from an organization point of view with their compliance. And the difference for me is if you want legal advice or litigation, you have to get the lawyers in and they play a particular role and an important role. And we absolutely need them. Some people misinterpret my comments as lawyer bashing, and they're absolutely not, and they never have been. Many of the people I admire most in privacy have been privacy lawyers, data protection lawyers, they're fantastic. I just think that sometimes they do something different to what a non-lawyer Data Protection Officer something does. That's the point I'm making, that you don't have to be a lawyer to be in that practical compliance role. A lot of the time, if you are advising someone, you're not just saying this is what the law requires, you're part of the business, even as a consultant, you're there to work with them to get them to the right place to get them to the right outcome. So it isn't enough even to just communicate what the law requires. You've got to do what the regulator expects, in some cases where that's where the details filled in. You're there to help them on the journey and get there and so you don't just deliver your advice and disappear. You're very much then as you say, communicating to different people in different roles in the organization.
What's their bit in this because it's rarely just one person who has to do something you know, you often involve different bits of the business and different people have to do different tasks on whatever the topic or project is. So yes, you've communicated, but then you're working with them, because you're there as the subject matter experts. So if you tell them they need to achieve x, and then they go off and say, okay, well, we could do it like this, what do you think would that work? At that point, you can't kind of stand back and say, oh, I've told you what you need to require, you know, what, what the requirements are, what you need to do, you have to get on with it, you know, you have to be more involved than that, you have to kind of give an opinion. And as a consultant, you're a bit of a step removed, because ultimately, all the decisions do have to be made by the organization. And if you're in-house, there's some people who would argue that that's the same, you know, the Data Protection Officer even in-house is only there to advise, this is just not reality, anyone who's worked in-house as a data protection officer knows, you can't be hands off, you're an employee, you're paid by the organization, you're part of the team, you know, you've got to be a team player. And that doesn't necessarily mean that you're making decisions and signing off on things that the business should be. But you're an integral part of working together with people to get to a place where everybody's happy to some degree or another, and you still end up as an in-house DPO in a place where you think, well, I'd rather you did path A but you've chosen path B, fine, that's your decision. But I've told you what the options are, I've informed you of the requirements, I've explained the risk. And ultimately, you've decided to do B instead of A, if it was me, I'd do A but it's not my call.
So you do B, but actually, in doing B, we've got somewhere which was better than where we were, I've done my job in advising you, you've played your role as the organization in making the final call and taking the risk and responsibility, if that turns out not to be good enough, that's just how it works. That's realistic to me. So you have to have a whole range of skills. And very often, a lot of what you do as an in-house DPO is you bring the right people together. It's amazing how much of your job is getting this bit of the organization to talk to that other bit of the organization who were either doing the same thing, and they didn't realize, or who need to be brought together for a project, but they haven't quite realized it yet. Because a lot of silo working in organizations and people in legal compliance, those kind of roles, sometimes Information Security end up being the ones who actually get the right heads around the table, you know, who aren't previously talking to each other to make some progress or to get to the outcome, or whatever it is.


Debbie Reynolds  17:20

You made an important point that I want to talk a little bit about. And this is risk appetite within an organization. So I've heard people talk about if a company doesn't do things my way, and then they're wrong or whatever. And that's just not real life. That's not realistic, right. But you as an advisor, you can just as you say, you can say this is what the guidance is, this is what I think you should do, here's what the risks are, but ultimately the company decides. And so you as a data protection or Data Privacy officer, you don't decide for the business, whether you're internal or external, you can give them advice, you can tell them what the risks are, but they have to choose. Companies have to deal with more than data protection. So there's a lot of other things that come into play that they need to think about. And so when I hear people say, I'm not going to work this company, because they didn't do this my way. And he's like, well, that's not your job. You know, that's not what your role is within an organization. What do you think?


Emma Butler  18:23

Yeah, I agree. And I think the thing about risk is that often, too few organizations have actually thought about it properly in the first place. But yeah, the main thing is don't take it personally. I mean, it's not a personal thing. And I know that we have a spectrum of people in data protection from people who aren't, kind of see themselves as advocates for the individual who see themselves as activists, through to people who say, it's just a job and it pays the bills, all those are fine, we need everybody. If you do feel like you take it personally, and you do feel very strongly about a certain outcome, then, really, that sort of should guide maybe where you look for jobs. And you may feel that certain companies or not, or sectors are not right for you, because you know, your values, and theirs don't line up. And that's absolutely fine. You know, everybody should ideally work in a situation that lines up with their values. Otherwise, you know, that's why a lot of people are unhappy in jobs. There's a mismatch between the values and perspectives in the organization. But ultimately, as you say, once in a role or as a consultant, it is personal. It is on the organization. And a lot of people even if they think about risk appetite at all, it's like it's one thing and that's not true as well. There's a different range of risk appetites for different aspects of data protection. And the example I usually use with clients is to say for example, you may say feel that your customer data, whatever that is, is absolutely paramount. And you absolutely have to get it right there and you have to be more towards the you know, belt and braces end of the compliance spectrum for your customer data. And that's absolutely a crucial priority. And so when you're looking at customer data, commercial factors may have slightly less weight than they would with perhaps your employee data, maybe you're willing to tolerate more risk, more so there, on employee data.
Then down the other end of the scale, particularly in the UK, at the moment, a lot of companies really couldn't give a toss about cookie compliance. And, frankly, it's the least of their worries, and there's no enforcement anyway. So why bother wasting time, they're very comfortable with a higher degree of risk, having a non-compliant website with cookies on it. But they would be in no way prepared to take the same levels of risk or be that relaxed about that customer data. So understanding that it's a nuanced thing, and that there isn't a single data protection risk appetite, you've got to look at all the different aspects and whether it's the type of data or the type of activity or whatever it is, understanding where you sit, how you know, where you want to be on the spectrum, from bare legal minimum to gold standard belt and braces, for any individual thing. And once the organization has established that, your job as the data protection person is to advise in line with that risk appetite. So that means if they are very relaxed about cookie compliance, don't spend all your internal capital banging on about that, they're not bothered. You've explained the risks, they're happy to take the risks. They've said, if the regulator comes knocking, we'll change it, until then we're leaving it as it is. You can't take it personally, even if you think well, I don't think that's right, fine. It's not compliant, they're happy with it. But if they've said that their customer data is paramount, and they want to do a new project with data, then you're advising more up towards the gold standard belt and braces. And because you know, that's what they are concerned about. And it isn't the case there that the commercial factors will always trump the data protection, because they place a certain importance on their customer data, and they have less appetite for non-compliance there. So you advise accordingly.
So your advice is slightly different. And that's where you focus your time and energy. So I think it's understanding your role. And understanding the point about risk of risk appetite not being one thing, and basically advising in line with the organization's risk appetite, not seeing it as some kind of personal slight or personal failure if they don't do what you personally would do if you were in charge and not the Data Protection Officer. I think too often, within the profession, these days, people are too quick to judge others on this basis. Everyone who's been in-house knows what it's like to be in-house. And very often the people who haven't been in-house are the people throwing stones. And thinking that the data protection officer must be rubbish, because Company A has done X Y Z. Anyone in-house knows though the data protection officer is probably banging their head on the desk, trying to get some attention and has ultimately done their job and the company's gone a different way. And it's not the data protection officer's fault. That doesn't mean they're rubbish, would have been, so I think they need that separation, the company, the data protection officers are not one and the same thing. They have different roles. Ultimately, as you said, the decision is on the company, the risk, and the acceptance of risk. And any consequences from taking risks and non-compliance fall on the company. Very often the DPO is not necessarily in agreement, but they don't shout about it. They just crack on with their job.


Debbie Reynolds  23:21

I agree, that's so true. And so real to life, I'm sure a lot of people will really be enriched by your perspective there. Let's talk a bit about professionalism and privacy. So, industry has grown so much, there are a lot of newcomers, I will say, a lot of older people, a lot of newcomers, people who are coming at it from different angles. And so as a growing profession, I think there are definitely some growing pains there that we're seeing, as it's definitely maturing, but what's your thoughts on maybe professionalism or lack thereof that you see in the industry?


Emma Butler  24:06

Yeah, sadly, it's more lack thereof at the moment, isn't it? I feel like there's an increasing polarization in the privacy community online, particularly on I mean, LinkedIn is the only social media I'm on frankly, I'm not on any other social media, by choice. So that's the only one I can comment on. But I feel like it's reflecting modern society, frankly, everything's got more combative, generally, people are shouting at each other from extremes and there is a general inability in society today, it feels to me to have any kind of reasoned debate or any nuanced opinion. It's sort of us and them, it's either A or it's B, it's black, or it's white, there's very little middle ground anymore. And people are not either all good or all bad, but that's how we have to box them at the moment. I feel like the privacy community on LinkedIn is sort of really reflecting society in a way which is sad. And the whole point about data protection is it's a principles-based approach broadly in most countries in the world still, context is key. The long standing joke in data protection is you ask a data protection person and the most common answer you get is it depends. It's a joke, but it's a kernel of truth under a joke. Of course it depends, because it depends on the facts. It depends on the context, it depends on the circumstances, you change one of those things, and it could change the requirements, it could change your advice. Ask 10 people, you get 10 different answers. And actually, for me, that's part of the joy of it, is the constant learning and the fact that you're applying what you know to a given situation, and then you're presented with another situation. And even if it's similar, those few differences mean, you maybe come up with a different view. That's kind of the point.
So I find it very sad to see an increase in absolutism on LinkedIn about it, people presenting interpretations and opinions as fact, rather than their interpretation and opinion, a lot of misinformation presented as fact. And I find it slightly ironic that there's a lot of people who have absolutely no truck with anyone who has a different opinion, or who wants to challenge or debate their point of view. Yet, our entire role relies on us challenging and questioning and providing different perspective, we've all got the story of the organization who whether it's a client or your employer who somebody went, I've had an idea, it's going to bring in loads of revenue, and then they proceed to explain one of the most batshit things you can think of and you think, oh, my God, where do I even start with how wrong this is? And how difficult this will be? And you know, this ends up in the paper yourself, that kind of thing. And so you have to challenge, you have to question, you have to present an alternative view, you have to raise risks, you have to bring up the things they haven't thought of. That's our role. And yet there are some people who feel that they themselves are above all that, that you shouldn't dare question or challenge or debate with them or present another point of view. And that's mad to me, and it's a complete opposite of what the job is. And I don't really understand how you can be an effective privacy professional that is required to do all that questioning and challenging and yet absolutely refuse to have anybody question or challenge you, you know that you're somehow above it all, and you're infallible, and that's rubbish. So we end up with this idea of like, I'm right, you're wrong. And there's no critical thinking at all. And not only is it allowed a lot of charlatans to thrive, frankly, it's a bit of bandwagon jumping when GDPR came in. And there was a whole range of people who'd spent five minutes on data protection, who were suddenly experts.
Sadly, not all of those have gone away. But there's also just loads of misinformation and an apparent willingness to just, frankly, and excuse the language but spout absolute shite, based on their personal opinion, their gut feel, what someone else wrote, instead of looking at the source, whether that's the law, the guidance, or whatever it is, and applying their brain, you know, applying their learning, that critical thinking, looking at the facts. Now we end up with this combative approach. And I do worry for people new to the profession, how do you know who to trust? How do you know who to rely on for their view as a sounding board? Maybe a mentoring who you can learn from? How do you sort the wheat from the chaff? It must be really difficult to see all this stuff on LinkedIn, how do you know who the right people are to follow and who's talking rubbish. And I think that I've known people who've left LinkedIn actually, because they felt in from privacy, you've got it's got toxic, there was sort of unnecessary and uncalled for abuse to perfectly reasonable comments and opinions. And they just left LinkedIn completely. And that's not where we want to get to, you know, data protection is about people at the end of the day, and yet, why are we alienating each other? And I figure what's the worst that can happen? Right? Someone presents a different perspective. You listen to it, you consider it and ultimately, you remain convinced of your own view. Fine. Or perhaps you learn something, perhaps through this, you make a connection, maybe even you make a friend. So win-win, you know, it's like, there is no losing there. For me, the best privacy professionals are the ones who are very happy to openly say, You know what, I don't know everything. And I'm still learning because that's real. And that's true. And that's authentic. You know, the people who claim to know everything are absolutely telling porky pies.
Harmony lies in understanding and accepting differences. The world is full of different people with different views and perspectives. They don't think like you, they don't see the world as you do, their values are different, their priorities are different, and their life experiences are different. So why so judging? It feels like an insecurity, I have a different perspective on a data protection of point to you, does that really negatively impact your life? Does that stop you having your own opinions? No, of course it doesn't. Why waste time and energy on that approach? It takes way more effort to be angry and annoyed. Frankly, it's not good for your health. And you end up with people who I worry, you know, because they end up with no credibility, their apparent willingness to alienate other people in the profession, by the way they are. I fear for their work, careers and their potential because they're people who other people will openly, well, I've never hired them, I never recommend them for a job, well, I wouldn't work with them. And I do also worry actually, on a taking a slightly different note that perhaps for some people, they're not just being an asshole, frankly, that just their behavior might be a symptom that all is not well in their particular kingdom, and I worry for them. And I also worry for the fact that the people behind the scenes are quick to pour scorn on these people, but actually, they're just as bad if you know what I mean, like, who knows what people are going through, and this kind of modern society's sort of approach of just jumping on people and shouting and judging people. And I'm right, you're wrong. And there's this refusal to see the human, it all comes back to the human, we're all human beings see the human think about the human. And it struck me the other day, I was thinking about this. And I thought, we have a lot of sayings in the English language that have existed for forever. A lot of things that persist, they exist for a reason. 
And they persist, because there's a truth there. Some of them, I think, have religious origins. I'm not religious myself, I don't quite get it right. But stuff about people in glass houses, not throwing stones, the one about not judging the book by its cover, treating others as you wish to be treated. The other one was, if you've got nothing nice to say, say nothing at all. And why do these exist? Because there's a truism behind them. There's a lot of great people in our profession, and one of them Rowena Fielding, has a great almost catchphrase, dare I say it that's associated with her kind of thing, her sum it up in one sentence, when she's looking at compliance and what people are doing, and if it's the right approach, and it's don't be a git (creep), which is fantastic, and very short. And I often think a lot more of us should perhaps take a pause before we hit the keyboard and go, am I beating the get here might be needed here. And again, it's see the human think about the human, we're all on the same side here. You know, there's so much opportunity for learning and development and growing, we have all these different types of people, as I mentioned, people who see themselves as activists, as Policy Advocates, who are there to enable the business people who say it just pays the bills. But you know what, that's fine, we need all these people. And we have to accept that not everyone is like you, your values, your priorities, they're not necessarily the same as everybody else's. And because data protection is so context dependent, is so much about the individual circumstances, of course, you're never gonna get two people with exactly the same view because they themselves are different. So to me, it just, that's how the obviously how the profession is, and this kind of slide into lack of professionalism with this absolutism, and, and all the rest of it, I've mentioned is really quite sad. 
And I really feel for those new to the profession, you know, and I would say to people out there, you know, understand who you are, and what kind of privacy professional you are, and accept that not everyone is going to come to the same conclusion. And they're not going to be the same type. Because you if you're an activist, great, don't expect everyone to be it for you. It's a job that just pays the bills. Great. But don't expect that to be the case for everyone. You got one shot one life on this planet, how do you want to spend your time being an annoying as hell on LinkedIn or cracking on or doing a good job? People? Don't mean your path is unique. It's you who walks it? Why do we think that everybody else is walking the same path? We're not.


Debbie Reynolds  33:19

I could not have said it better myself, I think you said it all. One thing I want to talk with you about is maturity, maturity level within organizations. So we know that not every company is at the same level of maturity. And I think part of your role when you're a data protection officer is to really assess where companies are, and then help them along a path of maturity, right? Some companies I've seen, they'll say, well, are we in compliance? Or are we not? Right? They think, okay, if I fill out these forms, and we have these policies, then all of a sudden we're quote, unquote, in compliance, but I have to tell people, compliance is about action. Right? So you just filled out a form or put a policy together, you're not actually doing what the policy says, then you're out of compliance. So the forms and the policies in place whenever people have a title, that doesn't mean that you're walking the walk, they said, so tell me a little bit about maturity level, how you deal with that when you're working with clients.


Emma Butler  34:25

Sure, yeah. And you're absolutely right. And again, it comes down to that sense of absolutism, isn't it? Well, either we're compliant or we're not. No, no, that's not how it works. It's an ongoing thing. It's a journey. No one is ever 100% compliant with everything 100% of the time, that's just an impossibility. It's like that. What's the phrase this one information security, isn't there? Like there's no such thing as 100% security or something, you know, it's exactly the same. So you know, there isn't a kind of one and done. It's ongoing. It's about cycling as you say the stuff you are doing in practice, and very often with my clients who are often charities, they're often startups, SMEs, that if they're any decent size, turnover, they're going to have their own in-house staff. So if you're getting someone like me, and it's because you don't have that in-house expertise, but you recognize that you need to do something or to get your house in order, or whatever it is. So for very small, and as you said before, their focus is on their business, and ultimately private sector businesses that making money, and particularly the startups and the small organizations, they get to a stage when Yeah, the money is crucial, because suddenly the founder, the CEO, is responsible for the salaries of 10 people, those 10 people are using that salaries to pay their mortgage and their bills. So yeah, it's absolutely crucial they make money otherwise, there's 11 people struggling and out of work. If that company goes under, of course, the bottom line is important. The fact that they've got someone in to help with compliance is already a step above the many organizations out there who are not even thinking about it. I think sometimes we can be too hard on companies who are focused on the bottom line, because, again, see the humans behind it, why is it important that they are afloat, and they make a success? And they keep going? 
And at least they're thinking about compliance to some degree. So you've got to sort of approach it with them in mind, and what is going to work for them? Yes, there is a bare minimum level of compliance. Given that you can't be 100% compliant with everything all of the time, and organizations have different risk appetite, all these things come together to basically give you a way forward with the organization and it is that collaborative, it's, you know, what's important to them? What are they able to focus on? What can they give time and resource to effectively? Where do they want to be on the scale? Where are the priorities? Where is the risk appetite, and you come up with a plan. And that plan is often long term. And it eventually deals with lots of different things, but it can't deal with everything right at the start. And so there has to be an acceptance that there's maybe non-compliance or not great practices, or no policy in a certain area yet, we'll get to that it's on the list. But that can't be the priority right now. And the priorities and the risk appetites are different for every organization, the amount of resource they have is different. You know, I've had a couple of clients who have been two-person startups, literally two people, they're doing everything. They are both CEO, marketing, finance, to a certain extent HR, because they were hoping to expand the team. Business Development, they're literally doing everything, because there's two of them, and they're trying to get a business off the ground. They know enough to know they need to get some data protection stuff in. I come in, and they're like, great, what do we need to do? When you've got an organization like that, everybody's very focused, but also everybody's very pragmatic. There's two of those and we were doing everything, we have to get this business off the ground. So it's sort of to the point it's focused, it's where's the priority? 
What's the action plan who needs to do what, but ultimately, you don't just want to be a sticking plaster, you don't just want to go in and go, okay, your immediate focus is how you do marketing compliantly. So we'll look at that. You always try and encourage them to look holistically at what I call their governance framework generally, and say, Okay, if you can put the time and effort into building a good governance framework, that's your foundation going forward. If you're just sticking plaster individual projects, you'll never get anywhere and it'll fall apart at some point. If you can take that step back and create a governance structure that then frames everything you do, you can move forward with government confidence that you're in a reasonable place for compliance purposes. When you've got two people in there doing every other job in the business, how on earth do you give them a data protection governance framework that two people can manage? That is sustainable and scalable, and that's where the ICO does better than a lot of other regulators. The CNIL's not been too bad with a lot of good guidance in both French and English in recent years. But ultimately, I've yet to come across a regulator that really put stuff out that is really actionable and scalable for that type of organization. For a two person startup or a seven person charity, or that kind of thing. There's still an element of what they put out is too much. It's overcomplicated. So the feeling is very much in being able to take what they are, where they are, and what they've got to work with them on risk and priorities and focus, to come up with a realistic action plan and ultimately, to build them a governance framework that is suitable for them and who they are and also scalable and sustainable. When I walk away, is it all just going to be forgotten about? Then it's pointless, what have I achieved? 
So you've got to try and work with them to build something that in the case of the two person startup, these two individuals can also manage and take forward without suddenly becoming data protection subject matter expert themselves. And so a lot of it is about scaling down the stuff that's out there, taking the compliance requirements and going how do we make this work for such a small organization with very limited resource? And so it is often about simplifying things. You don't have fancy tools and software and all the rest of it you work on Word documents, Google Documents and Spreadsheets, you know that that's the reality of it. But if that's how they're doing everything that's going to work for them, you've got to help them can't get to a place where it works for them, you can't impose your own views there on, you know, well, you need to have this really complicated record of processing activity. No, you don't you need a spreadsheet with a few columns in it that I mean, just at least it's something you know, and you'll get there. And it's a journey. And so it is very much about working with them, as I said, to match the governance stuff to who they are and what they've got available. And what's realistic, because if it's not realistic, and it's not sustainable, it's not going to happen.


Debbie Reynolds  40:43

I agree completely 1,000%. So if it were the world according to you, Emma, and we did everything that you said, what would be your wish for data protection anywhere in the world, whether that be through regulation, human behavior, or technology.


Emma Butler  41:03

Okay, so if I have my wish it would be make it about the people, it always comes down to the people and the outcomes, put people front and center. So if you're an organization, when you're building developing stuff, when you're looking at how you deal with complaints and rights requests, when you partner with and work with other organizations, when you outsource stuff to others, you're a government looking at use of data, if you put the people front and center one, you get to a much better place by default, you're going to end up being compliant with stuff, sort of, you're halfway there. Basically, people will have trust and confidence in you, your employees, your customers, your users, lawmakers would develop local legislation that works for their context and culture if they thought about the people rather than copying things from other jurisdictions that don't quite make sense. Tacking on you see a lot of people copy GDPR tack on some local bits and it's a bit of a dog's breakfast. No, put the people front and center. What do we need here? What does the law need to look like here? If regulators put people from the center, they would focus on where the real harms are, they would do things that make a real difference to the lives of everyday people, putting the people front and center. If all the regulators could be like Emma Martin's post, which was Guernsey, frankly, if all the regulators were like her, we'd be in a much better place. She's been a fantastic regulator. She's very, very people focused. She's very pragmatic, but she takes action when action needs to be taken. But she's very much about the human. She sees the human behind all of this. As long as we put profit before people and we focus on exploiting people in their data. It's never going to happen. But if I had one wish it will be let's turn it around. Let's do people first people front and center. What's the right outcome for the people? Whoever those people are? 
That for me would make a fantastic difference.


Debbie Reynolds  42:51

Oh wow, this has been a tremendous episode. Thank you so much for sharing your wisdom, your expertise; we all need a dose of your pragmatism and common sense, so thank you.


Emma Butler  43:05

You're welcome. Thank you very much for having me.


Debbie Reynolds  43:07

Well, yeah, I'd love to chat further in the future. Maybe find other ways to collaborate together. I think your work is absolutely brilliant.


Emma Butler  43:18

Oh, thank you. That's very nice.


Debbie Reynolds  43:20

We'll talk soon. Thank you so much.


Emma Butler  43:23

No, thank you.