"The Data Diva" Talks Privacy Podcast

The Data Diva E56 - Peter Barbosa and Debbie Reynolds

November 30, 2021 Season 2 Episode 56


Debbie Reynolds, “The Data Diva,” talks to Peter Barbosa, CEO of Opsware Data. We discuss the importance of digital Data Mapping, data flows in cross-functional uses, regulatory fines for data privacy breaches and misunderstandings, the importance of having a data retention plan to mitigate risk, the challenges of rapidly increasing third-party risk, the dangers of third parties who are granted excess access, how GDPR and other data protection regulations attempt to outline shared responsibility for third-party data transfer, Covid-19 vaccine passports and the New York State Excelsior Pass in the US, the challenge of the digital divide and people without means having less data agency, businesses' lack of adoption of devices to check vaccine status using the Excelsior Pass, and his hopes for Data Privacy in the future.

42:19

SUMMARY KEYWORDS

data, privacy, people, companies, business, organization, vaccine, happening, big, individual, third party, passport, speaking, understand, canada, tool, digital, building, customer, smartphones

SPEAKERS

Debbie Reynolds, Peter Barbosa


Debbie Reynolds  00:00

Personal views and opinions expressed by our podcast guests are their own, and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds, "The Data Diva Talks Privacy" podcast where we discuss Data Privacy issues with industry leaders around the world with information they need to know right now. Today, I have a special guest on the show, Peter Barbosa. He is the CEO of Opsware Data. He's a Canadian. I like Canadians; maybe people heard me say that a lot. And I'm really happy to have you on the show.


Peter Barbosa  00:42

Thanks for having me, Debbie. Really happy to be here as well.


Debbie Reynolds  00:46

Yeah, so I always like to tell a little backstory about how I met people. So Peter actually contacted me on LinkedIn. And we started having kind of early discussions about, you know, his tool and the things they were doing. And so we always try to touch base every couple months, right? For a while now, find out that how things are doing, you know, what's happening on your roadmap, looking at your tool and stuff like that. And I've been really impressed with how you're really thinking about the problem of data, and how people have to deal with it and privacy. So I guess, part of it to me is like, Okay, people know that these regulations are coming up. And they have to respond to that. But then also, just as kind of a housekeeping thing, they just need to get more of a better handle on what they have and be able to take action on it. So give me and some of the folks an overview of Opsware Data and what you're doing.


Peter Barbosa  01:48

Yeah, absolutely. Prior to, you know, a few weeks ago, we were known as a tool called Privacy Request. And we actually originally went to market our tool earlier this year. And we quickly found out and, you know, we even spoke with you as well, prior, Debbie, and you know, you and a lot of other folks who we connect with over LinkedIn, we're pretty integral with helping structure the roadmap, and helping prioritize what we're building next. And like who our customer focus really is. And that's one thing, you know, we benefited a lot from, initially early days. But even when we went to market, you know, our name was Private Request. But we kind of knew already that like the future of what we're focusing on. And the bigger issue a lot of companies are facing that we were speaking with, which are a lot of B to B fact companies, we managed to kind of break down certain characteristics, we look for them as well, but we quickly realize the bigger issue. And if you really want to have an effective, data-centric request program or policy behind your business, it really starts with understanding your data and where it is, and why you collect data and what data you can keep and what you can't what data you can throw away if you kind of minimize. And that's really how we kind of started this is, you know, first we'll start with the customer, let's figure out what is the highest urgency to them? What do they need to be effective, and to have proper governance of, you know, their Data, and their privacy program as well? And that's really how we started this. So we originally launched with, you know, with a deep specialization in Data Set Requests, and also the Data Mapping, as well. And we kind of quickly as soon as we got to market kind of use a lot of early stage feedback. 
There's a lot of piloting happening, we really kind of focus a lot on the roadmap around Data Mapping, understanding what days within there, we realized that a lot of privacy teams or professionals, they didn't have the right resources and tools in place to actually capture what was happening downstream, or what's happening within the business. And that's really what we started working on is building a really strong workflow to help scale your Privacy Operations. And that's one thing we do really well is we help companies scale speed automate their primary operations within a single workflow. And that's really been what standing up.


Debbie Reynolds  03:53

Yeah, the thing of privacy-enhancing tech, you know, obviously, it's a newer market, and people are kind of source for sorting themselves out and trying to figure out how to distinguish and position themselves. But I wouldn't say it's two different groups. I think it's more than two groups. But a lot of times people confuse especially the word Data Mapping. So Data Mapping can mean many things. It can mean, I have a napkin, and I jot things down and put charts together and stuff or it can mean that I touch Data. So for me, when I'm thinking about Data Mapping, I ask people, does your application touch Data or not? So you touch Data or you don't touch Data, and the apps that don't touch Data, it's more of kind of a paper exercise. So it was documentation and information about what happens with data kind of explaining that story as opposed to getting the actual tangible insights from what's truly happening within the business with data. What are your thoughts?


Peter Barbosa  05:00

Yeah, 100% I agree, the terminology is like its entity-relationship loosely used, right? I think it depends, you're speaking with this career professional, versus an engineer versus, you know, someone who's more in legal on the legal side of privacy, I think what that output of a data map looks like could be drastically different. Really, kind of, if you break it down, though, and you look at the individual elements, you start to see a lot of commonalities between them. For example, you know, watching the flow of like, from a technical standpoint, you know, a data map could be like a Data Flow Diagram, or it could be something similar to an entity relationship diagram (ERD). But you can even use those diagrams to build out more what I call like the, you know, an Article 30 GDPR, directive processing, or that's what we often refer to as data map as well, in a legal context, you can still kind of extract particular pieces of a Data Flow Diagram, and use that for your actual, you know, record processing (ROP), often what's referred to, but I 100% agree with you, there is a lot of, you know, terminology, it's thrown around, around that word Data Mapping. And really, it can be confusing sometimes around the audience, as far as what type of Data Map they're gonna be getting out of it. We try to sit on both sides of the fences. You know, we really focus on we think privacy can only be accomplished at a business when it's cross-functional, to really the cross-functional paths. So we try to build a tool that's fair and more inclusive of everyone kind of speaks all languages.


Debbie Reynolds  06:24

Yeah, I like the fact that there's talking about it being cross-functional, because data is everywhere, and enterprises, especially when you're thinking about privacy, touch everyone. So having people in place that can help kind of bridge those gaps and sort of, you know, get people out of those silos, or some ways and understand how, you know, what parts that different people play within the organization, and how they can kind of come together to like, achieve a common goal.


Peter Barbosa  06:55

Yeah, absolutely. I think otherwise, there's just a lot of assumptions that are made on either side, which is what we've seen in reality, that, you know, you get these typical questionnaires being sent around, and either the person receiving it doesn't have the right context, or the person sending it knows they're not going to get the right information back. And they tend to assume a lot sometimes. So you really see things got to go both sides. And that was really one of the big issues that we are on the pain points we focus on is, you know, what's like the highest risk, like what's the highest risk when during this process? And can we automate that, and we'll automate as much as we can, but you can't automate everything. And I think that's something that we see a lot of other tools do so they can automate everything. But really, there are still some manual steps involved to get that end result that they're looking for, especially now, I'm speaking context of that, no more than records processing that Legal Data Map that we're speaking of.


Debbie Reynolds  07:50

So, I think, when you're thinking when I think about when I look at, like the fine, so companies that have been fined for Data Privacy things, they're almost always, like, literally not seen one that in this case hasn't been true. They get fined for what they do, and not what they say they do. So understanding operationally, what's happening with your Data is really important. Especially if, let's say, for example, let's say legal say you do one thing, based on kind of what their map is, or record processing is, but the actuality is that the Data was handled in some different way, then it makes you look not great to regulators, because it, you know, in some ways, it makes it seem like you're, you know, not being truthful, when really it can be a deep misunderstanding within organizations, not like something that's intentional, or malicious in any way. What are your thoughts?


Peter Barbosa  09:04

Yeah, I mean, again, something I run into a lot. You know, I often start with reading a privacy policy on the website, when speaking with someone. And then you know, when you kind of start to understand downstream what's happening, or we put in our tool, we start to see there are actually some differences with what they're saying they're doing versus what they're actually doing. I think that's a bigger gap we see in the space, you know, everyone wants, everyone wants to say they're transparent, they want to be transparent. But what they're actually doing is often very different. So it's actually verifying what they're doing, which is the biggest gap and my biggest irk that, you know, I'd like to call my big fish I'd like to solve because I have that same hesitation myself as an individual or a data subject as we need being a Data Subject. You know, maybe I lack some trust in some of these random online companies. I find, I always read the privacy policy and ask, is this actually why, you know, are they disclosing all the reasons why they collect or process my Data or all the uses they have with my Data? You know, are there promises to list actually accurate. Are there any other third parties here? I think that's an ongoing issue. And I think having an automated Data Mapping Tool that can actually plug in and tell you that is super beneficial to a lot of companies, especially once you hit a certain size, I mean, certainly, you know, a startup under 100 employees, I think they can, you know, get by, they might be able to get by students and more manual out of Excel, provide a, you know, have some good practices or has a good culture around Data Collection, and Data Minimization. But certainly, I think, you know, once you hit a certain size, and there's a lot of silos happen within the organization, and putting in a tool to actually validate what you're saying you're doing is critical. And again, to your point, I think goes beyond fines and penalties.
You know, we speak with a lot of, we're starting to break down understand companies a bit different than we did in the past, where we're looking at individual characteristics of these companies to understand where they're at with the material privacy, I think that's, that's a big indicator, as far as you know, what's the like, once you understand the maturity of their privacy program, you start to see different drivers, you start to see commonalities amongst them, if they have those characteristics, as far as what their drivers are for pushing for, you know, enhancing a privacy program or implementing privacy programs as well.


Debbie Reynolds  11:10

Yeah, I agree with that. I agree with that. Yeah, your walk and your talk need to match. So that's very important. So don't say you delete stuff every 30 days. And you don't do that, like that's so bad. It's so so bad. Let's talk a little bit about Data Retention. This is a topic that I like to talk about a lot, mostly because it's the most unsexy thing that you can discuss, like, no one was talking about that. So it's like, you know, you think about digital transformation, people love that, because it's like, oh, we have this new thing. And then the new product process, you know, in within organization is, these are the products to get the most attention, because, you know, you put your best people on it, you roll it out, it's kind of the new hot thing, but then let's say, this application ages out, maybe your company has changed in some way that the application doesn't like meet your needs anymore, or you want to go out to marketing something else do you have his data does Legacy Data this sort of lingering around, and a lot of times, you know, it's put on a server in a back room somewhere, and no one really cares about it. So that Data, you know, what I've noticed is that Data that has lagging or lower business value, over time can be the highest risk to organizations and parents with Data Breach and stuff like that they don't get, they don't put that stuff on the best systems, they don't put it on, like the most secure locations, you know, the knowledge about the data leaves the organization over years. So, you know, typically some, you know, Jasper down the hall, he's the only one that knows about this data or something like that. So these are huge risks. And we're seeing big, big Data Breaches happening with organizations where this exactly what happened is like, this is not like high value data to them at this point, because they've used it and done whatever. But it's still sticking around within the organization.
So talk to me a little bit, by your thoughts about kind of that, you know, the afterglow digital transformation, and what happens at the end?


Peter Barbosa  13:24

Yeah, I think, you said a lot of very great points there, there is a cost around holding Legacy Data and retaining it for a long time, right. And more times than not, I think companies are starting to find that they cost a lot more than what the benefit actually is. And I think naturally, you know, I used to be back in my day, I used to be an IT service provider, I still had businesses and help them set up their infrastructure and, you know, their racks of servers, all that kind of stuff, and there's ever back then there is such a, you know, keeping all the emails you can and you know, sometimes you see, you know, these PST email files are like 20 or 30 gigs, and like, it's going years back, you're really wondering why they're really retaining all this data, it's more of a comfort thing, I think that individuals need to get over and kind of, you know, reflect that kind of afford server company. But there is a high cost that, you know, you don't maintain that as much not going to migrate over to a newer platform. And it's probably not going to work at that point. But I strongly believe that companies do need a strong retention policy. But even beyond that, I think, even bigger than just having retention policy is minimizing the places that collect data. Right, like when I think you know, when I think about an important part of that of digital transformation, it is like an important piece that is minimizing data and where you're storing data, and going through and auditing, you know, who that shared with what countries, etc. I think, you know, Data Minimization is often overlooked. For companies, I think that's something that a lot of companies should do before they even start to consider perhaps programs. Because there's been a lot that we run into where, you know, there may be a 200 person business. 
You know, they've grown fast, they have different departments and different silos that are starting to develop, and they kind of let them go free range for a while, and they started bringing in a legal person or someone who has conduct privacy. And there's often a lot of, you know, we'll call it, you know, debt, like a third-party kind of like tech debt, that to go back and fix up. By fine, you know, if you're going to do that if you're trying to be if you're a founder, or you know, you're operating business, it's gonna be a lot easier to have that mindset over the gate of actually, you know, minimizing the data you collect, and they retain as well where you do that. And if you look at Data Breaches to like, you know, all these Data Breaches are not from the company's Data Controller itself, it's almost third party processes. And if you can minimize that rescue, you know, or if you can minimize how many processes there are within your ecosystem, then you're probably gonna minimize your risk overall.


Debbie Reynolds  15:46

Yeah, I think third parties get a little bit of a bad rap, though. People kind of, you know, there is third party risks, right? And so, but it's, it's a handshake thing. So it's, you know, takes two to tango, in my opinion. So it's like, okay, I get this third party this data, you know, what do they do with it, you know, and most of those promises are maintained via contracts, okay, the third party do this, they need to have the security thing or whatever. But, you know, that also means there's a responsibility for the first party data holder as well. So, you know, like, I know, some of the past bigger breaches, you know, the story was, okay, I gave this third party, my data, they had like a login to my system. And then, once they were in the system, they were able to kind of run ragged, and just run all over system, but it's like, in their access was limited to begin with, there'll be limited damage that they can do. So what are your thoughts about that?


Peter Barbosa  16:54

Yeah, absolutely. I think, you know, to your point, like the party first who's initially collecting the data, like they still have an obligation as well, to make sure that that third party is me if the expectation is me in that contract. And I think that's one thing that probably an area where a lot of folks, I wouldn't say they fall short on maybe sort of bandwidth constrained from my understanding within the company itself. And that, you know, that privacy team, where, you know, you should go back and you should review these contracts, you should know, audit your vendors and your third parties to make sure they are holding up to what they say they are. So yeah, I think you're right, it does take two to tango, it is a handshake that has once-a-year on both sides. And also, I don't know if there's really currently a good way of you know, effectively doing that audit other than being a very manual process. And, you know, that's probably what we hear anyways. And we see companies do internal reviews, it's a once a year thing, sometimes. Certainly, they can have a tighter loop between that. But no, I think you're I think you're bang on it does take both, which is, which is a bit of a challenge. I think maybe there's not. Yeah, I think that there's a struggle there currently, that we see with a lot of companies we speak to, right now. Too much of a set it and forget it I think.


Debbie Reynolds  18:07

Yes, too much it's set and forget it. And then, you know, I think what happens a lot of times is that people give third parties too much access. So in order to give, you know, if you give someone granular access, that takes more time than to give them broad access. So if someone is on your case, and they're like, hey, we need this person to have access, this person is really important, and they need to have access right away, maybe that the person was given them access to make it faster, give them you know, a lot of access. They don't spend time making it more granular as it should be. And then if those credentials get out of hand, or someone else, you know, takes a look at it makes it easy for them to get to the organization because you know, didn't really secure your organization in a way to minimize the damage that a third party could do to your operation.


Peter Barbosa  19:08

Yeah, I 100% agree there as well. It does come down to Yes, yeah, like saving time being efficient. And that individual stakeholder, you know, as a privacy officer, or someone who champions privacy in the organization. You know, when you're going off and you put an app up to your team, you know, perhaps someone in DevOps in this case, or someone from security team needs to give access to a firewall, we're have you think a lot of times, it's just like, I'm just gonna complete this task as fast as I can, and move on to the next thing, because you know, we have a million other things going on in my mind. You know, you know, as a security professional, you're focusing you're probably prioritizing your tasks around business value. And you're probably not think about the big picture here. And it comes down to this bigger challenge that we hear all the time, which is like Privacy Awareness, right? The mindset of privacy, the culture of privacy, is often a kind of a good area to start and focus on to actually kind of, you know, build a lot of protection around tasks and ask like this, that someone from privacy might have to the team? Yeah, I think that's, that's another major issue here, a lot of just like privacy, awareness, privacy, I mean, just you don't need necessarily, I don't think training would really enhance that. It's having the mindset of privacy, and the maturity around, like having the mindset of that and like, understanding, I guess, building in that, that that culture across your business of why it's important to collect data, and why it's important to use those safeguards, right. To secure professionals those professionals, those kinds, you probably know, it's better to have more granular controls are an individual to have more granular access versus more proper access.
But time is, but at the time, probably, you know, the individual might be thinking, hey, you know, like, this is a trusted vendor, they've gone through a vetting process, they're held liable. I'm not too concerned this time. I think that changes as the company grows as well, and it becomes more challenging to deploy.


Debbie Reynolds  20:56

Yeah, I agree with that. So I think, you know, I guess I'm throwing it back into third party again. So this is what I'm saying. I feel like there's kind of this way this happening, that people aren't really understanding what's going to happen. So we saw with the GDPR, and they've probably done it best so far, is tried to determine what is the responsibility for a like a Data Controller, who's the company that has the data, the First Party Data, and then the processor is going to do this task on behalf of a company. So I feel like the GDPR did it best so far, in terms of trying to determine what are the obligations of those kind of two groups. So what I'm seeing that people really aren't paying attention to now is, there are a lot of other laws since the GDPR came out that are replicating that framework where they're saying, Okay, first-party data holders, you have this responsibility, Third-Party Data Holders, you have a responsibility. So they can't be decoupled from one another. So it's like, again, this handshake thing where you have to work together. So in the US, what we're having now is the states passing these laws or regulations, and they're putting more onus on third parties, so it can't be this is how things were in the past. Okay, so a company, a First Party Data company, gives data to a third party, and third party like, well, we just did what the company told us to do. And it's like, that's not sufficient. So you still have obligations, even if that data was given to you by the first party. And this is, you know, I talked to developers constantly. So people develop your software, stuff like that. And so this has, in the past been a very prevalent way of thinking, and just like you said, people were thinking about the business, right? They're thinking, Okay, this is the job that I have to do to do the business that I've been asked to do. But now this is extra layer and privacy regulation.
We're like, Okay, you have these other obligations that you maybe didn't know, that you have before. And now we're putting you on notice that you have it.


Peter Barbosa  23:17

Yeah, I mean, like, exactly that, like, most folks that organizations like I've been part of, you know, companies of, you know, very small size, where I'm employee number one, we scale it up, or employs 500 employees, to even 23,000 employees, and it's at every size of business, the constant is we're always trying to move fast and push above our weight. And I think that's part of the challenge. And I feel the same feeling as well being part of startup is that companies are always trying to move fast and push above their weight. Now, there's extra step structure, precautions that need to be considered are taken, those are often overlooked. And you often prioritize that with everything else that you have in motion, currently. But it isn't, I see the United States put more of an onus on you know, but more of a focus, I guess, I should say, on sharing data and how it shared interest of the organization. And I'm very thrilled to see that. I think it's a positive step forward. But I still think it comes down to a mindset and a culture change across businesses, which I feel it's just going to take some time. And again, I think, you know, it'll be at a point where companies where, you know, it might be, maybe it's not so much the regulation that's driving that, and, you know, concerning folks within a business, but perhaps is it's the mindset of the individuals in the business, where they would think, you know, as a consumer, as a user of this business, you know, how would I want my data handled? Or how do I want my data protected? I think that might be the shift, you start to see and that's why you think you see in Europe and I think, you know, the US is starting to follow suit on that. Here in Canada, I think we kind of see a happy medium of both. We're kind of hybrid, I think, you know, for the most part, I would say privacy is a human right over here.
But I still think you know, people's maturity of that is still, you know, least understanding that it is still being still evolving. I think the consumers can are still ahead of the businesses in that regard.


Debbie Reynolds  25:08

I agree. Oh what's happening? Now I know that you keep up with the news stories, and you're very plugged into what's happening around the world of privacy. But what in the Data Privacy universe right now is kind of concerning you about the future, like, what's down the pipe that's concerning.


Peter Barbosa  25:29

So I'm gonna speak about in Canada, right now, they're talking a lot about digital identification, we have a lot of vaccine passport software rolling out, a lot of it seems to be unorganized off the cuff one-off companies are newer, you know, founders coming in and building this very fast to meet these, you know, timelines being put out by the government as far as when they want this in place. And there's a there's an example up here in Canada, there's a vendor rider that just launched on the App Store. And, you know, they outsource all their developments. You know, there's, there's a lot of development, which, you know, I'm not against any way, but I don't think it was the most, you know, they essentially, they didn't put any proper screening measures in place. And a publisher, or a major news publisher, apparently actually managed to breach all the information on that. And I think that's the big concerning thing to me is, you know, although I, I appreciate the shift to going more digital, you know, I appreciate the shift going more digital. But when we start talking about, you know, implementing driver's license and health IDs, or social security numbers through a digital application, it really concerns me about the amount of Data Collection that's going to be happening more so from the government right? Now, I think more and more people are starting to not trust the government, although we have seen that historically, in certain depending where your base of and we're starting to have more precise, the precise that more across the globe. And that's kind of what comes down to my mind is okay, when does this turn to a social score? And, you know, what's the impact of all this data being collected? And the use of this, and, you know, the accessibility of these of these new tools? 
Well, that really, I find a lot of governments are now trying to push to be more digital, at least in Canada, they are, and I'm scared with the repercussions of that the data collected and how they use and handled and even potentially used against the individuals or the data subjects is my biggest concern. And, and that's what's kind of running through my mind a lot. When I see a lot is privacy using it's not really, I don't think there's a lot of focus. You know, there's a lot of protests, sometimes we see around, you know, folks don't want the vaccine passport. But I think the other reason why it's not one is for privacy is your rights. And being able to consent of you know, if your information if they can collect your information or not. I think, you know, we're seeing that in Canada being whittled away slowly.


Debbie Reynolds  27:47

Yeah. So just to your point, there was an article. But there was an article that was talking about from New York, Excelsior Pass. So that's literally like a vaccine passport where you can say that you had your COVID vaccine. And then they actually have a partnership. I don’t know Excelsior, I think Clear has a partnership with Open Table. So like you book a reservation for a restaurant, they'll say, oh, you know, fine your vaccine passport to this will, you know, we'll let you in. So one thing that was really interesting was that I read the article about the Excelsior Pass that I guess in their contact me IBM did the app, but in their contract, they want to be able to do other things with that data, right? So we know that's going to happen. And if this goes again, back to this kind of third party risk thing, where well actually goes back to kind of consent of how people are using these tools, because it's like, okay, I gave you this data for one purpose, and now you want to use it for some other purpose, you know, because now that the capability exists, you know, it say, Okay, well, we can do this for a lot of stuff we can do, you know, for school lunches, or for your driver's license, or, you know, and then just having that combination of data collected, you know, can can create risk for the individual, especially as the data has been used to gift the person like maybe, maybe you have a risk or something you don't like if you don't get the pet the vaccine or something like that. I don't know. What do you think?


Peter Barbosa  29:30

I'm 100% You know, yeah, it's, I understand the purpose of it and the objective of it and 100% You know, I'm all for safety. So you know, and I'm all for that. No, I would it seems like I prefer there's more of an opt in mechanism you know, if you want to use your paper like in Canada, we have these no paper slips and things that you should be able to use that they do phasing that out for a digital option. But you don't really have much of a choice to access certain things, you know, whether it's, you know, social settings, such as movie theaters or restaurants, you know, you're kind I'm limiting people's rights a lot. They're having to force us. Right. I understand, you know, businesses have the right to protect themselves and protect their employees. People have been vaccinated I'm all for that 100%. But the concept of a digital passport, and that haven't that being mandatory is disconcerting, I think, again, you just don't know where that's going. And, and historically speaking, the government is known for surveillance, and you know, going above, going beyond what they're saying they're doing. And I think that's, that's where a lot of the concern is, I would hope, no protests we're seeing in Canada anyways, I hope that's why they're progressing as well. I haven't looked too deep into it. But you know, in the fastball on that began, they're talking about digital identities here as well, which I think is another interesting concept. You know my father just got an Android phone for the first time four years ago, let alone I'm concerned about him getting having a digital ID pulling that up each time. So just also the accessibility issues, right. Like, it seems kind of odd to me to move away from that, but again, you know, maybe if you're speaking to the, you know, Peter if maybe you're speaking to Peter, 15 years ago, I would have maybe had a different mindset. 
But I think a lot has changed and technology, the amount of Data Collection that technology has now is through the roof so yeah.


Debbie Reynolds  29:30

I know, we're, we're tech-savvy, and we're very plugged in. But also, I'm concerned that, you know, not everyone has a smartphone. So all these things, presume that you have it. So there are a lot of people who are going to be shut out of these things, especially they're mandatory, if they can't, you know if things are made in such a way that people can't operate and do things in life without smartphones that can be a problem. So like, you know, I think the difference is, let's say Apple, so Apple, they have a thing now, I think in their iOS 15 update, where you can store your vaccine card and that's great, if you want to do that, okay. But they're a private company, or a public company, within the US. And I mean, all over the world. And they can do that for their customer, right. So they're not everybody has iPhone, not everyone is a customer of Apple, but then when you talk about the government, so everybody within your jurisdiction is your customer. So if you're not thinking about solutions, that for people who have smartphones, or people who don't have smartphones, you're gonna leave a lot of people out, because not everybody, I think, the last statistic, I saw that in the world, I think smartphone usage is about 45%. So 45% of the population has smartphones, so the majority of people in the world don't have smartphones.


Peter Barbosa  32:45

Yeah. And then you also like in Canada, the system they've introduced is a QR code. So that QR code needs to be scanned by a smart device. And so those businesses need a mobile phone. I went to the movie theaters a couple of nights ago to watch Dune, which is a great movie, by the way. But you know, they have all these, you know, young kids working and they'll have to have smartphones, what's the cost on that for, you know, a smaller business, you know, movie theaters is it's a different level because you know, you have a bunch of people coming in at once go see a movie, and you know, there's laptops to get in to, you know, get this scanner QR, your QR code. But just the cost of that new for a small mom, pop shop downtown Toronto, where, you know, you probably hardly even had a point of sale system. Right, you might be using an old fashioned cash register till we see them all the time, you know, let alone you have to get, you know, get a smartphone and scan that make sure to interact like it's a bit of a mess in that regards. And I don't think there was a lot of, you know, sometimes I wonder how much thought was put into some of these to some of these in these scenarios that we're seeing kind of come into place. Now.


Debbie Reynolds  33:53

You know, that not to pick on the Excelsior Pass again in New York, I just read this article. But they were saying that they were surprised that very few companies were actually had bought the device to scan the QR code. So they saw a lot of the majority of people, businesses that were using it, if they use it, they just let the person show them that they had it. And that's it. So they didn't spend the money to buy the device to scan the code. Because the way that their system works is when you scan a code it is not only so you can store your vaccine passport on phone, right? But what it's supposed to do is hook up to a database in the state of New York to actually validate whether it's true or not that you had your vaccine. So that is I think that was a very expensive data build into the application. And that's the thing that is not getting really used. So people are really looking at that really closely.


Peter Barbosa  34:56

Yeah, I mean, there are costs involved to building this tech especially You know, when you try to put in such a short period of time, right, you're gonna pay even more. Because you know you're working against time. And that's typically soft vendors tend to do that. But there's also the comfort level of the individual to put their data into the system. You know, I'm certainly not comfortable, you know, inputting my health card information onto a website before I go, and before I go into a restaurant, purely, you know, can be a matter of if you like it, maybe I'm not a Wi-Fi network, I don't trust you know, maybe I didn't read the privacy policy fully time. Just know what's happening with it. Things like that. I think he's just, that's why I feel the most, that's what I feel the worst about is individuals who are purely just not comfortable with this data being collected about them. Even when I went to get my COVID vaccine here, you know, they said, you know, they kind of looked off some of our privacy rights like, hey, well, the kind of list off like very high-level goals, those, privacy notes in person, right? They verbalize it saying, Hey, we're gonna share information we can share with whoever you can send it. And I said, Do I have any other offer? Like, no, you have to a consensus like, well, I guess I got to get this right, like, so it's kind of weird to me sometimes. And understand the reason why. The reason why some of these controls have been put in place and some of these mandates we'll call them. But the human rights aspect being stripped away is significant, and I think more focusing folks on that part of it, versus some of the weird conspiracy theories to hear about online because that's the bigger concern to me with all this.


Debbie Reynolds  36:26

I keep my vaccine card with my passport is basically a passport. Like so if you can call it that.


Peter Barbosa  36:32

Yeah, the actual passport like your national passport. Nice. Bags, passports.


Debbie Reynolds  36:39

Yeah it's literally a passport. So you can't get into places unless you have it. So I keep it with my passport. Yes absolutely.


Peter Barbosa  36:48

Yeah, over here, they start with the slips that they hand out when you get your shots, which you know, is effective. I have myself in my wallet. But more recently started rolling out. I think some come here some private companies that started trying to get ahead of the game and try to be first to market on developing this, even though there's no official government contract. The challenge is that, you know, scattering the population years, I don't know 13 million targets. But the more that actually probably 20 million. The challenge with that is so I share a blank MIT to cut this out. The challenge with that I was talking about the vaccine, passports eating slip, right? The challenge with that is that so you have these companies who went ahead and started building software without any government contract in place, they somehow managed to get press coverage, saying, hey, look, there's something on the app store now and get all the major news outlets, and you have all these individually of all these people going in, they just don't understand. Or they didn't know that this was an official app, it was only new. So it seems official, they put their you know, there. So we'll walk You're still so willing to share their information. And of course, there are 600,000, you know, data subjects on that, that were reached. And you know, all the information that goes around that, including their health care information, which you know, you can log in now to the Ontario website, the you know, province of Ontario website, where I'm based out of and review your Vax status secure password. You see the year you see your first name, last name, postcode, and your health card info. And you can go into your vaccine status. You know, it works really well. But I think there's massive repercussions with that. And I imagine, you know, people know this, and they're going to make these types of systems a big target for them. Right.
I mean, like, look at all the ransomware attacks, we see a lot I see read a lot, but in the US right now. But like, you know, these are great targets for companies for ransomware.


Debbie Reynolds  38:36

Yeah, I think this summer, we're going to be watching this really closely through the years to see how this sort of pans out and what happens with this data after because we know, it could be repurposed for different things. What if it was the world according to Peter, and we had to do everything that you said, Well, be your wish for privacy anywhere in the world, anything, technology people? What are your thoughts?


Peter Barbosa  39:02

Wow, that's a good question. I would say like we were speaking to earlier, right, like any company can publish privacy, you know, as they go hire a counselor do it in-house. But like, I would like to see, like, in a perfect world, there's a way for me to go online and you know, find a company that I don't know yet just found online by like the service I'm intrigued by and one person, you know, I always my first UPS always reveals privacy policies and seeing how my data is handled, where it's located, etc. But being able to actually verify that they are doing what they say they're doing, and, you know, verify how my information is shared, not just going off legal, you know, piece of legal document, you know, going beyond talking the talk and actually will see the walk, I think that'd be huge. I think that's like my one wish. I want to go see the walk, you know, like that's what that's more important to me than talk is like asking the walk, do you just don't know. You just don't know if it's actually if their privacy was actually true to what they're actually doing. And that's my biggest like wish, in the space that and like a big center delete button where I hit delete, and I'm gone online, and all those systems, but I would say, you know, more importantly is definitely you know, being able to see the walk and actually verify that that's what they're seeing.


Debbie Reynolds  40:17

And I love it. I love what you're talking about. And in that way I agree, I think Yeah, because you serve like it's kind of like a paper promise otherwise. So it's like, yeah, we promise we pinky swear that we do this. So we want to know if it's true or not. So being able to validate that I think will be great. It will give a lot of customers a lot more comfort if they're giving their data to people. And I think it will make businesses more profitable. If they have customers that say, Okay, we really trust these people, because they really, you know, they really knit everything together really tightly.


Peter Barbosa  40:53

Yeah, like one thing we hear of all the time in the b2b space, we sell a lot of b2b companies is their customers. Awesome, right? They all of them actually make sure they have everything in place. So I think it'd be something great to have something similar for actual data subjects for actual customers to actually go to audit the business for that to do business with them. However, that tool looks like who knows, maybe we'll get there one day.


Debbie Reynolds  41:15

But yeah, well, this was so much fun. I'm so glad we were able to get this done. This is funny because you and I talk on a pretty regular basis, I will say so. It's nice to be able to do this podcast with you and be able to share kind of our secret conversations with the world.


Peter Barbosa  41:33

Yeah, likewise, thanks so much for having me today. Really a pleasure to be on. You know, I'm a big fan of yours. I love the content you put out. You're doing a great job on these videos, especially I like these short, simple ones. Very insightful I shared with our team. So thank you so much.


Debbie Reynolds  41:49

Thank you. I really appreciate it. All right. I'll talk to you soon. Thanks.