SUMMARY KEYWORDS
data, data protection, privacy, assessments, jamaica, data protection officer, business, clients, ensure, data protection act, organizations, work, practitioners, controllers, happening, importance, companies, program, required, regulators
SPEAKERS
Kashta Graham, Debbie Reynolds
Many thanks to the Data Diva Talks Privacy Podcast Privacy Visionary, Smartbox AI, for sponsoring this episode and supporting our podcast. Smartbox.ai, named British AI Company of the Year, provides cutting-edge AI, helps privacy and technology experts uniquely master their Data Request challenges, and makes it easier to comply with Global data protection requirements, FOIA requests, and various US state privacy regulations. Their technology is a game-changer for anyone needing to sift through complex data, find data, and redact sensitive information. With clients across North America and Europe and a major partnership with Xerox, Smartbox.ai is bringing their data expertise right to our doorstep, offering insights into navigating the complex world of global data laws For more information about Smartbox AI, visit their website at https://www.smartbox.ai. Enjoy the show.
Debbie reynolds 00:00
Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds. They call me the data diva. This is the data diva talks privacy podcast where we discuss data privacy issues with industry leaders around the world with information that businesses need to know. Now I have a very special guest all the way from Jamaica, Casta cram. She is the CEO of we manage trust. Welcome.
Kashta Graham 00:39
Thank you, Debbie, it's a pleasure to be here.
Debbie reynolds 00:44
Yeah, I'm glad to have you on the show. You and I have collaborated together do some advisory work with you, and you're delightful. So I'm happy to be able to have you on the show, and you have such really good skills around not just project management, but thinking through the real issues that companies need to grapple with around privacy. So why don't you give me your background and how you got into privacy with we manage trust.
Kashta Graham 01:16
You are so as you had mentioned, I am coming from a project management background so diverse types of projects, including business development. And it was a business development project management assignment with a medical practice that introduced me to privacy and data protection. So I was asked by a doctor to come and help them to streamline their processes and help them to get ready to implement their data protection and data privacy program, because, as you know, Jamaica recently implemented their Data Protection Act officially last year, and so we were working with this medical practice to help them get their systems aligned with the Data Protection Act. And I just fell in love. I fell in love with privacy and data protection as you know, privacy is a fundamental human right, and so I just decided to do a pivot. I got certified ISO 27,001 and have been just doing additional training and working under your guidance and mentorship to serve clients, and it's been a very, very exciting and rewarding journey. I am really happy that I made this transition.
Debbie reynolds 02:51
Well, I think a lot of people will be excited about your story, because I think there are tons of people who are interested in privacy, like you, and they make that pivot. So understanding how you did that, I think, is really, really good before we get into other things. I want you to be able to tell us, for those of us who don't understand, what's happening in Jamaica with data protection, tell us about your Data Protection Act and also what's happening in the Caribbean that we need to know Sure.
Kashta Graham 03:19
So the Data Protection Act, as I mentioned, came into fully effect December of last year. We still have a few nuances to work through, but it was fully enacted in December of last year, 2023 and prior to that, we had a two year transitionary period, and so there has been quite a bit of preparation, but the Data Protection Act is pretty similar to the GDPR, in that the data protection standards are the same age data protection standards that are outlined in the GDPR, and so we have quite a few similarities there. However, in Jamaica, data controllers are required to register with the regulatory authority, which is the Office of the Information Commissioner, and each year, data controllers will have to submit a data protection impact assessment, essentially to update the regulatory authority on any changes that they've made to their systems and processes that will impact their data subjects. So we as practitioners in the field are quite excited. We are sharing the regulatory authority on but as you know, it's good to have the policy, but the enforcement muscle is really what makes the difference. So we are, as I had mentioned, just hoping for the best that the authorities will do what is required to ensure that the data. How controllers are compliant, but it's pretty similar to the GDPR, and so we have found that it is quite easy, especially when we're engaging clients that are in other jurisdictions in the
Debbie reynolds 05:17
EU that is very different where something in GDPR, they may want you to do an assessment, but you may not have to provide it to the regulator on a regular basis. So that's very different. That's important.
Kashta Graham 05:30
And we were very, very impressed with the regulatory authorities approach in that regard, because I'm sure you may have found, Debbie, that quite a few data controllers are just doing the bare minimum. IE, they may just draft a privacy policy and a privacy notice without doing the actual assessment to prepare the record of processing activities and the data mapping and vulnerability scams, etcetera. So we are very pleased with the approach that has been taken, and we have been working to do our part, to educate as best as we can and to prepare our clients to ensure that they are compliant.
Debbie reynolds 06:24
Yeah, I want to talk a little bit about assessments. Yeah. I think when people hear privacy, companies hear privacy, the first thing they think is, oh, well, let's make sure we have a policy. Let's make sure we have a notice. And that's the window dressing of everything, because that's public facing stuff. Indeed,
Kashta Graham 06:44
I love that. I love that term,
Debbie reynolds 06:48
but the assessments are of vital importance, and I think in the US, we're just getting accustomed to that. Assessments have been a part of GDPR and even the prior Data directive in the EU for a long time, but we're seeing in the US more laws calling for assessments, and it's a little bit uncomfortable for companies that haven't done that. And so having Jamaica be a jurisdiction where you're not only saying you have to do these assessments, but there actually is a report that has to go to a regulator. So tell me a little bit about the importance of those assessments, and what are your thoughts about that,
Kashta Graham 07:27
right? So the assessments, we emphasize the importance to our clients, just to help them to understand it. It really is a best practice. It's a first step. There is no way for you to really guarantee compliance without doing a gap analysis to determine what your current state is versus your desired state and identifying the risks and the various gaps that need to be filled. So this is what we're most passionate about, going in the weeds with the client, you know, working with the departmental heads and the frontline staff to understand where their data is, what measures they're putting in place to protect the data, ensuring that they Have lawful basis to process the data, etc. So as you know, the record of processing activities is one of the main activities that you would have to conduct to identify the data and just track the data along the cycle. So we spend most of our time either doing records of processing activities and data mapping, or sensitizing the staff, because that's also another key aspect, ensuring that all members of staff are sensitized. And when we are sensitizing Debbie, we sensitize from the chairman of the board straight down to the frontline staff, the technical staff, the cleaning lady, especially in facilities such as medical facilities in Jamaica, we still have quite a few practitioners that are paper based, so they're not utilizing electronic medical records. And so you may find that in instances where patients files go missing, and it may very well end up in a trash can, a rubbish bin, that a cleaning lady may end up having to get rid of or dispose up. And so it's important for every member of staff to understand the role they play in protecting personal data, whether it be personal data of the staff members of the customers or patients or clients that they serve. We really emphasize the people aspect of data privacy. Privacy and data protection when we're working with our clients.
Debbie reynolds 10:05
Yeah, I want your thoughts about something that I hear some companies say. So companies that aren't accustomed to doing this work and data protection, maybe some of the higher ups board level or the C suite folks, they're like, Okay, so when are we going to get compliant? Almost like It's like prep to finish line. It's like, whoo. We're compliant, and we don't have to do anything else. What are your thoughts about that? When you talk to people that way, we
Kashta Graham 10:31
make sure to just help them to understand that it is a journey. Yes, assessment is critical, training is critical, but constant monitoring and evaluation is also very important. And so this is where data governance comes into play. And so what one of the first steps, and as a best practice, we ensure that a Data Governance Committee is established, or at least a team with some small organizations it might not be referred to as a data governance committee, but a team of advocates within the organization that are able to outline the objectives of the data privacy and data protection program put KPIs Key Performance Indicators in place to ensure that they are monitoring and tracking the progress of the program and ensuring that there is ongoing training and sensitization. As businesses evolve, they introduce different systems. So one year you may have CCTV camera, and the next year you may decide to do an upgrade or expand that CCTV camera system, which will have an impact on the data protection and data privacy program, and so we emphasize the importance of putting in measures to monitor the progress and to also help our stakeholders, which are our clients, to appreciate the fact that it really is a journey. It's not just a one and done, as we would say in Jamaica. So the assessment is the first step. Training and ongoing sensitization is also critical. Establishing a Data Governance team or committee to constantly monitor the progress of the data protection and data privacy program are very important, and so we recommend, at least on a quarterly basis that that governance committee report into the board on the progress of the data protection program and data privacy program and provide them with insights and recommendations and so on as it relates to Just the general management of that program.
Debbie reynolds 13:00
Yeah, I think larger organizations, they know that they have to do this, so even if they have to do it, they may grumble and mumble, but they'll do it. But the small and medium sized companies, I think, is difficult, because a lot of times those companies may not have a dedicated resource to privacy or data protection. There are people wearing a lot of different hats, yeah, people within organizations that may not even be interested in privacy at all. So how do you get that buy in and develop those champions internally in those small and medium businesses for data protection?
Kashta Graham 13:37
That's a very good question. So our target group is actually medium sized to small businesses, particularly those that manage sensitive data, so medical practitioners, micro financing institutions, small insurance brokerage firms, etc, law firms and so on. And as you had mentioned in most instances, is a challenge, because you may find that the operations manager, the general manager, is doing everything from HR to accounting to marketing and sales. It really is difficult to be introducing another responsibility under that person's portfolio. And so one of the services that we offer is the outsource Data Protection Officer service, which is much more suited for those organizations, because in terms of pricing, which is one of the biggest challenges for those organizations, it works out much more cost effective, and because we're able to do flexible pricing to really map out exactly what it is that will be required on a day to day basis or on a monthly basis to maintain the data protection. Production and data privacy program and in a price accordingly, as opposed to them having to go out and engage or recruit a Data Protection Officer. So that is one recommendation that we make, that they outsource the Data Protection Officer surveys and solicit support internally, as we had said, instead of everything landing on one person's desk. So yesterday, I met with a client, and we were just discussing who the members of this data protection and data privacy committee should be. And so it was, the general manager, the finance manager, the compliance officer, and the IT support staff member, as well as a representative on the front line who interfaces with the customers. And so this was important because they're able to share the responsibilities. Because, as you know, once you do the assessment, Debbie, there's a list of recommended changes that the organization has to make, from revising the HR manuals to revising the employment contracts and so on and so forth, and drafting different policies, and so it's very important that they establish a team, as opposed to having all the responsibility land on one person's desk. And also consider doing going the route of outsourcing Data Protection Officer services. If it is that it is an organization that requires the service of a data protection officer. I know that different jurisdictions operate differently, but in Jamaica, similar to the GDPR, entities that handle sensitive personal data, will require the services of a data protection officer. Large scale processors as well will require the services of a data protection officer. And all public authorities. So ministries, departments and agencies of government will require a Data Protection Officer. So these three categories of entities definitely will need a data protection officer, and in most instances, for a small to medium sized and micro enterprise, they will find it more efficient and cost Effective to engage an outsourced Data Protection Officer service.
Debbie reynolds 17:42
So what in the world is happening now that concerns you and the data protection or data privacy arena, like something you see in the news, or something just what's happening in the world that says, Oh, wow, this is going to be an issue we need to really think through.
Kashta Graham 17:58
Yeah, well, I mean, everybody is concerned about AI and deep fake and all of these rapidly evolving technologies, and we as practitioners are trying to grapple with it, because, as you know, the technology changes so rapidly, sometimes it can be a bit intimidating, but I guess you'd really just have to take it one step at a time and try to stay abreast and participate in webinars and conferences and so on to to ensure that we are on the cutting edge and on the front line understanding the changes that will affect the work that we do. But absolutely, Debbie AI is evolving at a pace that is superseding the policy makers, superseding the practitioners, and we know that this is going to definitely be an area that will post significant challenges to manage as it relates to privacy and general data protection, so that for sure is one area of concern. We are pleased to see the progress being made in the US. Um, as you know, the concept of adequacy, or the principle of adequacy is a big conversation amongst practitioners. So when we work with our clients here in Jamaica, there are many service providers that they engage in the US and in the absence of a federal data privacy and data protection law, it believes certain gray areas as it relates to the management and compliance the Data Protection Act here in Jamaica. So we are happy to see that more states are coming on board. We know California had set a very, very good and strong example from a legislative. Standpoint, and there are several other states that are following suit, and so we are just watching as things progress. So there are areas of concern, but there are also other areas that cause us to feel reassured that privacy and data protection is taking on globally and is being prioritized in the various jurisdictions.
Debbie reynolds 20:28
I think so too. And I think the assessments even though, for example, in the US on the state level, we have many, many states now, well, actually not enough, but enough to be annoying states to have their own data privacy law and regulation, and not all of them call for assessments, but enough of them do that, I think it will be incumbent upon businesses to decide, why would I just do an assessment for California or a different State and not for everything. So I think there has to be a lot of business change, and I think some of that will end up getting pushed down, especially from the bigger companies, pressing down to maybe their third party companies to say, hey, we have complied with this. And then I need you to do X what do you think?
Kashta Graham 21:19
I agree it will have a ripple effect, and even if a particular state doesn't have as robust a policy that the mere fact that business happening in across state lines constantly and based on what is happening with globalization, I believe every data control or invariably will have to comply with the fundamental eight data protection standards and observe the rights of the data subject, regardless of what legislation they are directly adhering to and complying with. So that is why, as I had mentioned, we are very encouraged with what we're seeing with us is leader in many instances. So to see the traction picking up is quite, quite encouraging and inspiring.
Debbie reynolds 22:19
Yeah, I think it is. I think what is going to happen, or what is already happening, is that businesses are going to have to change the way that they operate in order to comply with these laws. So I think whenever I hear a new law, comes out, New Jersey or something, I kind of roll my eyes. I'm like, well, that's like another log thrown onto a fire. Yeah, I think businesses need to really think more around what is their business goal and what is their business stance on privacy in general, and try to create a culture where people understand the importance of data privacy, data protection, so that when a new law comes out, maybe there'll be some minor adjustments that they make, but it isn't going to be a major overhaul of everything that they do. What do you think
Kashta Graham 23:14
absolutely when we work with our clients, we when we're looking at third party transfers and international transfers, we do look at the overall legislation for the state that the particular third party is based in, but what we emphasize is that they look mainly At the practices of third party themselves. And so that is of significance, because, yes, you can be in a state like California that has a pretty robust data privacy law, but you can also very much be non compliant, or, as you said, just have the window dressings and not be practicing sound data privacy and data protection principles on a day to day basis in your organization, which is really why we emphasize the importance of assessments and we're coming full circle, because you have to go in the weeds. You really have to. There's no way around it go, you know, really do a deep dive to understand what is happening in your own organization, as well as organizations that you do business with, as a data controller. And so it's going to take a while. It's a culture shift, a paradigm shift, that we are having to work through. One of the things that we do as a business before we send a proposal or start having any conversations around budget and cost, we spend the time there. Be to educate our prospective clients, because if they are not fully grasping the importance of the scope and the technicality and the level of commitment that will be required for the data protection and data privacy programs work, then it really doesn't make much sense to be proceeding with that client at all. And so we reassure them. At the same time, you don't want to be intimidating the client, and, you know, turn them off. We reassure them that this is the work that we do. We come to make your headache go away. As it relates to data privacy and data protection, we are the ones that will be in the weeds and helping to streamline processes to ensure that you achieve compliance, but we have to get that level of commitment and dedication to the program before we decide to proceed with a client, because especially if we are going to be serving as a data protection officer, you want to ensure that the client that you're working with is actually taking their responsibility seriously, and so that's really it, that commitment has to be there in order for success to be realized.
Debbie reynolds 26:20
I think that's true. I've met with people who just didn't understand why it was important data protection, and for them it really wasn't a vital part of the way that they thought they needed to do business. They thought, well, that has great products, people like us, we're gonna just keep doing what we're doing, but not really understanding how the world is changing, how regulators are looking very closely at how companies handle business and how consumers are not happy when their data is being misused, because they take the risk so their data is breached or something, the pain is felt really by The individual. So what are your thoughts about that?
Kashta Graham 27:03
Absolutely. One other reason why I decided to make this transition and go this route is because there were two scenarios, or two situations. I had traveled to the UK on vacation, and my account was compromised, so I just started seeing all these random transactions on my bank statement, and was on vacation, and so clearly it put me in a very vulnerable position. I mean, Thank God my bank responded quickly to resolve the matter, but it really came home. You hear about breaches, you hear about cyber attacks, but it doesn't really hit home until it happens to you. And there was another incident where I participated in a workshop at an event. And the event coordinators had a paper based registration, so they there was a paper going around, and we had to sign the paper, provide or email address, telephone number or date of birth and so much information. Debbie, it was absolutely ridiculous, and I refused. I refused to put my information, and this was before I understood about data protection and data privacy and so on, and I told the event coordinators that I was not going to provide that information in that way, because this paper was going around to every participant, and just one picture with a smartphone would be able to a quick mal actor with all of this goodness. And so I said, these are the things that are happening to people on a day to day basis, and they are becoming customers. Are becoming very vigilant about how they share their information, and are watching very closely to see how it is that businesses data controllers are managing their personal data. So this is also something that we underscore when we are making our presentations to our prospective clients, is to help them to understand that the paradigm has shifted. It has shifted significantly, and so the the customers are becoming more watchful of how businesses handle and protect their personal data, and so from that standpoint, it's good to check the boxes and ensure that you don't get into any issues with the regulators. But rest assured, the customers are becoming more vigilant and will start. To put more demands on businesses to manage their personal data in a very responsible way. So this is also something that impacting the way the data protection and data privacy compliance landscape is being shaped. It's very good, because the world is changing. Technology is affecting every aspect of our lives. There are people who are off the grid, but average person who is doing life, they have to rely very heavily on technology. And so especially with what is happening in AI, with AI, it's it's incumbent on data controllers to steward personal data in such a way that they can really build that trust with their customers, both external and internal.
Debbie reynolds 30:56
I think that there is a growing wave of people who are reconsidering the data that they're being asked to give as they should, because we see, like you say, with breaches identity theft, all that risk comes to the person. So when someone's asking you for your personally identifiable information, you do think you're like, well, first of all, this is necessary, and do I trust this company?
31:22
Absolutely?
Debbie reynolds 31:23
Those are all good questions to ask, and it's not a crime for a company to ask for that, but companies, I think, need to really think through or rethink the type of data that they ask for, and I think it's going to become a huge issue around the world as we see more age verification laws come up, and they're asking for even more identity information. So I think it's going to be really big issue.
Kashta Graham 31:49
I was listening to a podcast online, and the instructor was speaking about just the importance of data minimization, and even in a presentation that I was making yesterday with prospective clients, the issue came up about the importance of minimizing the because the more data you collect is the more responsibility you have to protect the data and to steward it well. And so that will also affect your bottom line, the cost that is associated with just the general maintenance of your data protection and data privacy program. And so it's important I know for sure that I am very, I don't know, I guess, become as a practitioner, because this is something that we do on a daily basis. We are even more aware of the importance of being very careful about how much information you divulge and who you divulge your information to. But absolutely, data minimization is critical, because from a business sustainability and profitability and efficiency standpoint, it affects cost. So it's important to highlight that as well.
Debbie reynolds 33:07
I agree completely. So if it were the world, according to you, Kasha and we did everything you said, What would be your wish for privacy or data protection anywhere in the world, whether that be regulation human behavior or technology.
Kashta Graham 33:24
Human behavior, absolutely human behavior, because privacy is about people. It's about educating people and empowering people so that they can safeguard the information belonging to people. And so I a very big advocate for engaging at all levels to help people to understand really what the principles are and the concepts are, what the rights of the data subject are, and the role that they play in ensuring that those rights are observed. And so that would be my message to everyone, from business leaders to data subjects themselves. People are at the center of data privacy and data protection, and so it's important to prioritize education and employment aspect along those lines.
Debbie reynolds 34:36
Very good, very good. Thank you so much. I'm so happy that we were able to do this session, and I'm sure a lot of people would be very interested in what's happening in Jamaica. I'm sure they'd be afraid if the US ever went to a situation where annual data assessments need to be sent to a regulator. That's scary.
Kashta Graham 34:59
It is quite. It's quite a responsibility for data controllers, but as we know it's it's important to keep data controllers on their toes, especially in light of what is happening on the technology front. So we definitely salute the regulators and encourage other regulators to adopt a similar approach to ensure that compliance is actually being achieved in the organizations.
Debbie reynolds 35:25
Very good well. Thank you so much. It's been a pleasure to have you on the show, and I'm sure we'll talk soon, for sure.
Kashta Graham 35:34
Thanks for having me. Debbie, take care. All right. Thank you.
