"The Data Diva" Talks Privacy Podcast"
“The Data Diva” Talks Privacy Podcast, hosted by Debbie Reynolds, features strategic conversations with global leaders on the most critical data privacy and emerging technology issues shaping business today. Each episode delivers executive-level insight on regulatory change, artificial intelligence, data ethics, and global privacy risk.
With more than 1 million downloads, listeners in over 160 countries, and reach across 3,594 cities, the podcast connects with a highly targeted audience of senior decision-makers responsible for privacy, cybersecurity, and data strategy.
This is not a general audience podcast. It is a platform designed to reach the people who influence enterprise technology adoption, investment decisions, and regulatory strategy.
Audience
- 34% Data Privacy decision-makers (CXO level)
- 24% Cybersecurity decision-makers (CXO level)
- 19% Privacy Tech and Emerging Technology companies
- 17% Investor groups (Private Equity, Venture Capital)
Rankings and Reach
- Top 2% of 4.6 million podcasts worldwide
- Top 5% globally (ListenNotes, 2024)
- Top 5% weekly downloads (The Podcast Host, 2024)
- Top 50 peak Business and Management (Apple Podcasts, 2024)
Sponsor Impact
- 4 sponsors secured funding within 12 months
- $45 million average funding raised per sponsor
- 3 average enterprise customer sales within 6 months
Sponsors gain direct access to a qualified, global audience actively engaged in privacy, AI, and data governance decisions.
About Debbie Reynolds
Debbie Reynolds, known as “The Data Diva,” is a global advisor on data privacy and data governance. She works with executives, legal teams, and boards to reduce risk, retain value, and increase revenue through effective data strategy.
She is the Founder and Chief Data Privacy Officer of Debbie Reynolds Consulting LLC, Chair of the IEEE Global Trusted Data Architectures Industry Connections Subcommittee, and a former member of the U.S. Department of Commerce Internet of Things Advisory Board.
With more than 20 years of experience, she advises organizations across industries including AdTech, FinTech, EdTech, biometrics, Internet of Things, artificial intelligence, smart manufacturing, and privacy technology.
She is also the host of this podcast, with more than one million downloads and listeners in over 160 countries.
Learn more: https://www.debbiereynoldsconsulting.com/
The Data Diva E289 - Ross Saunders and Debbie Reynolds
Ross Saunders, Head of Ross G. Saunders Consulting
In this episode of The Data Diva Talks Privacy, Debbie Reynolds, The Data Diva, speaks with Ross Saunders, Head of Ross G. Saunders Consulting, about privacy engineering and the challenges organizations face when translating legal requirements into technical implementation. Ross shares his background in infrastructure, DevOps, and software architecture, explaining how his experience working with SaaS environments and data breaches led him to focus on bridging the gap between legal, security, and development teams.
The conversation explores how privacy is often treated as a legal or compliance exercise, while in practice it requires integration into system design and development workflows. Debbie and Ross discuss how developers frequently receive requirements that do not align with legal intent, leading to inconsistencies in implementation and increased risk for organizations.
They examine real-world challenges in applying privacy regulations, including age verification requirements and the classification of IP addresses, where technical realities may conflict with regulatory expectations. The discussion also addresses the limitations of focusing on specific technologies, such as cookies, rather than addressing broader issues related to data sharing and potential harm.
The episode highlights practical examples of risk, including loyalty applications that collect extensive financial transaction data and the potential consequences if that data is exposed or misused. Debbie and Ross emphasize the importance of shifting toward harm-based approaches to privacy and ensuring that organizations understand the real-world impact of their data practices.
The conversation also explores emerging risks associated with agentic AI and autonomous systems, including scenarios where systems are granted excessive access and cause unintended damage or data loss. Organizations must implement governance, oversight, and clear controls to ensure that innovation in AI does not introduce unnecessary risk.
By popular demand, Debbie Reynolds Consulting is now offering executive briefings on emerging data privacy risks and how companies can avoid them. To learn more, visit the Executive briefings page on my website.
Debbie Reynolds Consulting, LLC
[00:00] Debbie Reynolds: The personal views expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.
[00:11] Hello, my name is Debbie Reynolds. They call me the Data Diva. This is the Data Diva Talks Privacy podcast where we discuss data privacy issues with industry leaders around the world with information that businesses need to know.
[00:24] Now,
[00:25] I have a very special guest on the show, Ross Saunders. He is all the way from Canada and he is the head of Ross G. Saunders Consulting. Well, we met a number of years ago.
[00:39] I think we collaborated together on some projects up in Canada.
[00:44] Ross Saunders: I think I was in South Africa at the time.
[00:46] Debbie Reynolds: I think you were transitioning, right? You were in South Africa.
[00:48] Ross Saunders: I was about to move over to Canada.
[00:50] Debbie Reynolds: Yeah,
[00:51] exactly. So you were in South Africa and then you came to Canada. So we were kind of in that little bridge school,
[00:57] so. That is so cool.
[00:58] Oh, that's so cool.
[01:00] Well, you're incredibly smart. I love the fact that you bridge your technology knowledge with privacy.
[01:09] And so I feel like that's a lens that we don't get to talk through a lot. And so to me, it's very fascinating because I'm a data person, I'm a geek, I'm a data geek person.
[01:19] So I always love to talk to other data people about their perspectives or privacy. But to tell me, so how did you get from South Africa to here?
[01:29] How did you decide to get into this field of privacy and technology?
[01:34] Ross Saunders: Yeah, so it's been an interesting journey. I started out straight out of school into call desks and help desks.
[01:42] So working for various companies in the tech support space. When I was in high school, I did tech support for local businesses and things like that,
[01:51] some extra pocket money and moved into networking, infrastructure architecture, that side of things. Decided I wanted a little bit more. Studied programming,
[02:02] did programming in college. Loved it. Did it in practice, absolutely hated it. It was really not for me in practice,
[02:09] but that kind of opened the doors to getting involved with things like DevOps and working in sort of that bridge between code and technical.
[02:18] And I moved into managing teams for that, managing the full architecture of products and things like that over the years. And part of that being in software as a service and being in those industries was really working between the law firms that we were engaged with for privacy and getting those technical requirements that were coming from the law firms and the information security committee into the actual technical implementation.
[02:43] How did we build it into the tools? How did we build it into the software? How did we get the tech support desk working with this? How did we get the actual systems aligned with what the law was requiring for security safeguards.
[02:56] So that's kind of the space I got into. They were,
[02:59] during the course of my career, lived through a couple of breaches, which got me very interested in the space as well.
[03:06] And then, yeah, started consulting after I left corporate, like a good 10, 12 years ago, I guess. 10 years ago,
[03:13] consulting on my own for software as a service. I was working in SA at the time, then kind of was working with some companies in Canada,
[03:21] working with Bamboo in Canada. Sharon, who's been a guest of yours as well,
[03:25] and we were kind of collaborating in a lot of spaces. I eventually joined the consultancy there, came over to Canada, and I've since wanted to specialize and focus a little bit more in the dev space and really working in the privacy engineering scope.
[03:39] So that's what I've been doing now for the last almost a year now.
[03:43] Debbie Reynolds: I do want to talk about, since you decided to specialize in this space,
[03:47] tell me, what does that encompass that people may not understand? It's so different than. Maybe because I feel like.
[03:55] I don't know what you think, but I feel like privacy has so many different areas or domains that people practice in. And for people who don't understand that, maybe they think everybody does the same thing.
[04:07] So what is your specific specialty and how is it different than what people imagine in other parts of privacy?
[04:15] Ross Saunders: Yeah, I think that's something that comes through a lot, and people think privacy is just the privacy office and that's kind of where it sits, and it's maybe lumped in legal and compliance and that's the end of it.
[04:24] But I think, as you've said, over the last few years, we've seen privacy kind of bridging into different sub genres of privacy within it. If you look at cybersecurity,
[04:35] what cybersecurity was like 15 years ago is now completely different. And you've got so many different ranges inside cybersecurity, so many entrance points and things like that. I think the same is privacy.
[04:47] So from my side, I think having been in that technical space of working with dev, being in the code,
[04:54] I call myself the nerd with trust issues. I mean, I'm absolutely a nerd. I've got servers running in my house, like behind the camera here that you can't see.
[05:03] And I'm always tinkering with that.
[05:05] But part of that is seeing the amount of data that just gets used, even in hobbying and having worked with software companies and things like that, I think there's the business side of privacy where we are concerned about the privacy programs, we are concerned about the policies, the notices,
[05:21] the consent side of things, the public facing side of things. But then you get into dev,
[05:27] where there are features that need to be delivered. Dev gets a spec that is removed from what's happening on the client facing side.
[05:37] It's a feature to be developed, deliver a tested, put it out there.
[05:41] And sometimes privacy gets kind of lost in the communications in that space. So a lot of what I do is kind of working with those dev teams, making sure that there's education for the dev teams and you know, this is what privacy is.
[05:53] There's a tendency because a lot of companies are security mature to kind of look at data classification and say that, well, we've got the classifications of public, restricted, secret, confidential and internal.
[06:05] Those must be the data classifications that everything runs off.
[06:09] But people don't understand PII or health information,
[06:12] things like that. So bringing in education component for dev and then seeing how those features translate because I think the legalese that can come through as to what's required by an act or a regulation or a guidance or something like that often doesn't relate to what the specification that a developer will look at says.
[06:32] So it's doing that translation and putting it through and also sometimes pushing back on the privacy office.
[06:37] As much as I'm in privacy, there are certain things that are technically very impractical to do and might be better as a manual process even in some cases.
[06:47] So it's a lot of that bridging
[06:48] Debbie Reynolds: the gap between those impractical and sometimes impossible.
[06:52] Right?
[06:54] Yeah, it's so funny because it's like, I think especially people who don't understand technology,
[07:01] when certain laws get passed,
[07:04] it's like, oh, you should just do this, whatever X is.
[07:08] I'll give an example around age verification. So as you can see around the world, different jurisdictions, they're trying to pass all these age regulation,
[07:18] age appropriate or age verification laws,
[07:22] but they don't give a lot of clarity about how to do it. And some of it is like the thing you ask, the thing you want us to do is like it really can't be done in that way.
[07:34] So people are trying to figure out like how to navigate that. But like, what are your thoughts about this? Because I'm sure you see this all the time.
[07:41] Ross Saunders: Yeah, I mean my example that comes to mind is, and I can understand it is around IP addresses. And this is a long held argument that everyone has had and everyone is probably rolling their eyes, listening and thinking at the term IP address coming up again.
[07:55] But there was that case where someone was using Google fonts on their website and they didn't have it in their privacy notice. And because Google got the IP address, it was a sharing of information,
[08:07] et cetera.
[08:08] The thing is that's how the protocol itself works.
[08:12] IP and TCP in particular is that handshake where yes, we have two addresses that link to each other to transfer the data. Therefore we will absolutely have that information.
[08:21] And I think there's a little bit of a. And I don't disagree that the IP address is personal because you can link it to someone, but I think that technical component of well,
[08:31] it's always going to be the case. It's not not going to be the case in any situation. So. So I think yeah, there's a lot of, like I said, impracticalities.
[08:39] I don't like going down the impossibilities route. Sometimes things are impossible and that's normally because it's like blatantly against the law. But there's generally a few ways to do it, which is the approach I like to take.
[08:51] Debbie Reynolds: I want your thoughts about cookies.
[08:53] So this is something I think I've like been shaking my fist at the sky for years about the whole cookie thing. And so to me cookies just really took off obviously because of ePrivacy and then GDPR. In the US we've just gone cookie crazy.
[09:10] So cookies are everything, right?
[09:12] But my issue with cookies is that cookies are, to me, a mode of transportation.
[09:21] It moves something,
[09:22] data from one place to the other,
[09:25] but it doesn't stop what people thought it will stop, which was the data sharing that people weren't aware of.
[09:33] So that data sharing can still happen.
[09:36] Like people thought that was the only way that that data sharing can happen through cookies.
[09:41] And it's like. But no, that's not what the issue is. So people are like, well let's outlaw cookies. And then, then we don't have this data sharing problem. It's like, no, the data sharing problem still exists.
[09:51] It just is going into different ways to do it. So that's one thing that frustrates me about when people try to regulate technology.
[10:00] Cause it's like if you think okay, we'll call this cookies and then, then we'll do fingerprinting on someone's, someone's computer, which is worse.
[10:10] Ross Saunders: There's always another way of doing it.
[10:12] Debbie Reynolds: Right.
[10:13] Ross Saunders: You know, I think that there is a tendency or has been a tendency I think to try and overregulate in some cases or it's regulated to a specific term like cookies.
[10:23] And I think that was a bit of a misnomer. And I think the ICO in the UK is kind of changing that around a little bit. Where it's now cookies, it's always been all related technologies, but now it's.
[10:33] They're more focusing on the related technologies than the word cookie. Because, I mean, in the software space as well, this is something that I see where folks are like, well, our tool doesn't use cookies, but they are using the cache on the phone or something like that for the app.
[10:46] And it's like, oh, there's a little gotcha in there that actually does still apply to you.
[10:52] So I think cookies aren't inherently bad.
[10:57] I think they're there for purpose. They are there for persistence. And I think they've been misused in some cases though.
[11:04] And I do think this is such a big thing to unpack the whole episode.
[11:09] Debbie Reynolds: It is.
[11:10] Ross Saunders: I think it's.
[11:11] Yes, there should be some transparency, there should be some management around it. I think there is so much management around it that it doesn't really mean much anymore because you've got plugins that just blatantly disallow all cookies for any site that you go to and that ends up breaking some of the sites.
[11:26] There are some folks that just are the allow all type all the time because you know what, they're going to track me anyway. So just allow all. I get full functionality and we go.
[11:36] I feel like I'm somewhere on the fence between the two.
[11:40] I'm happy to have performance cookies, I'm happy to have analytics cookies because I support the business understanding what's happening on their website. They should be able to diagnose what's happening.
[11:49] I perhaps just take exception to that last bit of sharing with third parties and marketing and that side of things.
[11:56] But I think somewhere out there between the view of total lack of regulation and just put like a we use cookies, okay,
[12:06] versus the "Do you want any one of these seven different categories of cookies at any time?" And you must configure this before you can see the site. I think somewhere between there we've got a happy medium that would actually work.
[12:18] Debbie Reynolds: I think the thing that concerns me and I think the cookie debate is an exemplar of this. And to me,
[12:28] I think is better to talk about the harm that the data sharing can have as opposed to trying to focus on technology.
[12:40] And so I'm still on the fence about that a little bit.
[12:43] But like, just like cookies, like, I feel like if the whole cookie thing was about unauthorized data sharing.
[12:51] You know, that covers almost every type of way that companies can do it. Right. And so I feel like we're having the same debate in AI now because it's like, oh, let's regulate AI.
[13:03] So what's the next thing,
[13:05] you know, the next technology people get super excited about? It's like, okay, well let's regulate that technology now. It's like, but you're still at the core of it is about managing data.
[13:15] Ross Saunders: But what do you think? Cookies is such a scratch on the surface. You talk about that and the harms. Like I look at other things. I wrote an article recently like loyalty apps and card linked loyalty and things like that.
[13:28] I feel like there's so much more harm that could come from that.
[13:31] And people aren't aware of what is actually happening with these loyalty apps, like getting and not saying that this is the case for all of them. There are ones that do it responsibly, but there are ones that just take your entire bank statement and then filter through it after the fact and keep a copy of the whole thing.
[13:46] So that's a lot of personal transactions in there that have nothing to do with the loyalty app. And that could be so damaging if it gets out.
[13:55] That's far more dangerous, I think. And I think you're absolutely right and I think there's a joint responsibility on implementation, doing that correctly and being transparent. But then also I think there is an ownership component for individuals but it needs to be made clear that they can take ownership of it,
[14:12] which I think gets buried a lot in T's and C's.
[14:15] Debbie Reynolds: I want to talk a little bit about agentic AI and the sprawl of that. So first of all, like I know totally total terror when I heard like OpenClaw had come out and there were people were literally putting agents on their computer and giving it admin access.
[14:36] Like I could have fallen out. I was like, what? Like we knew this was a bad idea like 30 years ago. So everybody like, yeah, let's get this agent. We don't know what it's doing, like access to everything.
[14:46] And we saw that example of the lady, I don't know if she's at Google where she had put this thing on her computer and started like deleting her inbox or something like that.
[14:55] She was trying to stop it or whatever.
[14:57] Ross Saunders: It's like I have a couple of friends who did the YOLO approach with OpenClaw and ended up with their Apple keychain being erased, with their home folder being erased with the AI misbehaving, not following instructions.
[15:13] Yeah.
[15:15] Debbie Reynolds: Yeah.
[15:15] Ross Saunders: I'm very hesitant for the YOLO approach there.
[15:21] Debbie Reynolds: I think people,
[15:23] especially if you have something that you put into your environment and you give it all this access,
[15:30] what people don't understand is that when you give it all this access, it can do whatever it wants to do. Right.
[15:36] Ross Saunders: And it does it quickly.
[15:40] Debbie Reynolds: Right? It does it very quickly. But I think people,
[15:43] they think, okay, well, if I tell it to do this, that's all it's gonna do, or it's all it's gonna look at. It's like, no, it's not thinking about what you told it to do.
[15:51] It's thinking about what it can do.
[15:53] It has the ability to do beyond what you said.
[15:58] Right?
[15:58] Ross Saunders: Yeah. You need to think about what it shouldn't be doing and give those instructions, too. Yeah, it needs to get its job done.
[16:07] Debbie Reynolds: Exactly. So there was a one. Oh, there was another story about this. It was so funny. So someone else, they had put an agent on their servers or something like that, and I bet they gave the agent, like, a goal or something that they wanted it to do.
[16:24] Right? So they kind of. It was very soft in terms of instruction and thing. It was in a sandbox, and it literally broke out of the sandbox,
[16:33] got into the other environment,
[16:35] and it started mining bitcoin on, like, the extra space on the servers or whatever.
[16:41] Like, what are your thoughts about this in general? Like, the AI agent.
[16:44] Ross Saunders: Oh. Oh, man.
[16:48] You know,
[16:49] I started seeing it, I think,
[16:52] working from the security aspect.
[16:55] So, I mean,
[16:56] privacy and security are intertwined, and I attend a lot of the security events and things like that. And I was at OWASP, one of their events,
[17:04] and we went through a lot of the agentic stuff that can happen, but particularly like agents spawning other agents and trying to reach goals and things like that.
[17:14] And the thing that worries me, I think, the most, is that I feel like if I look at my LinkedIn and what privacy professionals are speaking about, a lot of.
[17:24] We're still kind of sitting in that marketing space, and I feel like folks are worried about using an LLM for marketing copy and don't put client data in it and all of that, which is fine, and that's great.
[17:35] But agentic, I think, has taken us to five years in the future, since November last year,
[17:41] and we now have dev teams who are perhaps removed from these offices that have deployed this and are running with it. And I've been interviewing a few dev teams now as to how they run it.
[17:51] And there's dev developers working during the day and in the evening they have dedicated code machines that are agents that run and they start those when they leave the office, those run through to morning and then they, the devs carry on in the morning with what the output is.
[18:07] And that's a very,
[18:09] I would even say, risk averse way of doing things, even though you're giving it that autonomy in the evening.
[18:15] There are other companies out there that are, that really do have agents spawning agents spawning agents.
[18:22] And there are so many invisible risks that we don't see necessarily as humans with these things operating. And it ties into what you were saying there about it needs to accomplish what it needs to do and it'll go broader than what you've instructed it to go and do.
[18:37] That when you start handing it off to other agents and you've got agents talking to each other,
[18:44] things like your authentication,
[18:47] your credentials to certain things. You might have one agent with access to an API, you have another agent that's got access to a logging system, you've got another agent that's got access to a ticketing system.
[19:00] The three of them start talking together. It's effectively like one individual that suddenly has access to all three, the APIs, the ticketing system and the logs. And suddenly your segregation of duty is gone.
[19:12] So if you're trying to split those things out,
[19:15] suddenly it's disappeared and it's happened in seconds of these things responding to each other.
[19:20] So there's so much to unpack with these things.
[19:24] And I think we're at the space where we're seeing a lot of the risks and we don't necessarily have the answers yet. I mean, that's one of the things I'm researching now is I'm seeing these risks, but I don't have the answers for.
[19:35] Debbie Reynolds: Right. And I think the way agents operate, they're so diametrically opposed to the way that we've set up systems within organizations or the way we thought systems are supposed to be protected.
[19:48] So to me, I liken it a little bit to when companies went from having like servers and things on premise to moving into the cloud and then they thought,
[20:00] oh well, we just protect the stuff on the cloud like we do when it's on premise. It's like, well, no, it's almost like a house with no walls in the cloud.
[20:10] So. Right. So it may have given you an advantage that you didn't have to make a huge capital expense up.
[20:17] But then the disadvantage is that you have to create your own walls in the cloud and try to Find a way to protect it. And I feel like a lot of the risk that people have in that area is because they don't understand the difference.
[20:31] So now we are moving into AI agents where it's like it's not about walls, right?
[20:37] Ross Saunders: Yeah.
[20:38] Debbie Reynolds: Because these agents can get into almost anything. If you give them access to anything, they can go into anything and do all. And take action and do things.
[20:47] Ross Saunders: Yeah, and the action as well. Just while you're talking about that, I see it. I mean, I use Claude Code. I've got stuff that it's doing for me here to like speed up my day.
[20:57] Risk assessments, things like that. It helps,
[21:00] but I watch it working.
[21:02] And you know, the third party risk scares me too because again,
[21:05] like you say, that old lift and shift into the cloud, there's new guardrails that have to be there that we haven't really thought of looking at.
[21:13] Even my little agent running here. And I wanted to go do something. Oh, let me open this package manager, this package manager and this package manager. I'm going to download these libraries.
[21:22] These libraries, these libraries. Grab this open source library here implemented.
[21:27] And that's 20 seconds gone by.
[21:29] But we are now dealing with third parties. And what are those libraries doing? Do we have a bill of materials as to what third parties we're using in our tool all of a sudden?
[21:39] And boom.
[21:41] The sprawl,
[21:42] the word we were using earlier,
[21:44] that's where it comes in.
[21:45] Yeah,
[21:48] Debbie Reynolds: I know.
[21:49] Ross Saunders: So much risk.
[21:50] Debbie Reynolds: So I feel like the way that we dealt with governance needs to change now because of agentic AI. So I felt like we thought governance was a linear process.
[22:03] Right.
[22:04] Especially in a development situation. Right. So when you're developing something, you're looking at the tool or what you're trying to develop in its initial states and they figure out what guardrails you need.
[22:15] And then it's, it's kind of off to the races. You kind of send it out into the company and does what it's supposed to do. But what these agents are doing, maybe that isn't the starting line.
[22:25] Right. So these tools, like you say, agents spawning agents spawning agents,
[22:30] you've gotten out of maybe that linear way of looking at governance where now how do you govern something that creates something new that you didn't look at before?
[22:43] Ross Saunders: Yeah.
[22:44] Debbie Reynolds: What do you think?
[22:45] Ross Saunders: You know, I think for me a lot of it comes into sort of building into the process as well.
[22:51] And if you think of the development life cycle and how that's done, and just as you were speaking, I was thinking back to like, well, this sounds like the next iteration of waterfall to Agile that's now kind of all over the place.
[23:05] But I think if we build into the process and the dev process is defined, the product process is defined, you've got the governance sections of the process, you've got your design phases, your implementation, your operational phases, things like that. These are all defined spots that we can build in some of these checks and balances and guardrails.
[23:26] And maybe it is kind of in my little visual brain, I'm seeing almost like bubbles of compliance that you have,
[23:35] and your AI agents and any agents will work within prompts and things like that. And part of our prompts and projects and perhaps constitutions of projects that are using vibe coding and things like that,
[23:47] build in a governance component to it. So having it for every thing that it calls building out a bit more of a bill of materials for what third parties are in use, or having it that, you know, there is only two handoffs that can happen until a human intervention needs to come in and say,
[24:06] yes, well, this is still on the right track, or no,
[24:08] don't do that, don't respond like that.
[24:11] So I think that there, I think there are ways we can build it into the process.
[24:15] I think there will likely be more risk before there's less in that kind of space where,
[24:22] you know, I think it's just an accelerated version of what we've seen where people overstep their balance and then that's where a policy comes from and we've got to step it back.
[24:30] But maybe it's in a much more accelerated situation now,
[24:35] and perhaps the stakes are higher as well. In some of the cases, if you don't put the better guardrails up front.
[24:41] Debbie Reynolds: I guess it reminds me of like those old movies where, you know, someone,
[24:46] let's say they were a submarine and they didn't want anybody to. To launch a missile, but the.
[24:52] Someone had the key and the buttons were separate and people had to agree and all this other type of stuff. It's like we've like thrown all that out the window by letting agents kind of do everything.
[25:02] But what else is happening in the world right now, this in your world that's concerning you about privacy, either something that's happening now or something that's coming up that you're thinking about, like, oh my gosh, this is going to be bananas.
[25:18] Ross Saunders: You know, I think a lot of it is just these agents. It's a lot that I'm thinking of. And it's something, you know, that as much as I am concerned about it, I think there are folks doing really good work in the space, like looking at banks and financial institutions seem to have like really good guardrails that I think a lot of that can be applied outside.
[25:40] So that's something I'm also looking at is, you know, what are these related practices that can work really well. And I think that's, I'm kind of very interested there. I'm also, you know, interested in how this plays out with things like the AI Act in the EU and,
[25:55] and you know, if there's regulation coming in other spaces,
[26:00] it's just such a big thing right now and so broad and it touches so many things. I think that this is,
[26:07] it's an exciting and terrifying time to be in privacy because it's also this, I think is forcing things to branch out from only privacy.
[26:16] And the current landscape is, you know, yes, we've got privacy laws and we've got state privacy laws in the US and we've got federal and provincial in Canada and we've got EU,
[26:27] but we're also,
[26:29] I think we're seeing a lot more play of industry-specific guidelines and codes of conduct and things like that coming into things. So it's becoming a very, very exciting space for
[26:39] broadening what we do.
[26:42] I know I'm working with a couple of fintechs and diving much further into kind of fintech regulation, which has been really, really interesting to relate back to the traditional just privacy that I dealt with and I'm really enjoying it.
[26:55] So I think it's exciting, I think it's terrifying and I think I'm going to be using AI to help me learn about it.
[27:02] Debbie Reynolds: I think exciting and terrifying is probably the most apt way to put it.
[27:10] Well,
[27:10] I would like to know.
[27:13] So when you work with. So I work a lot with developer teams and a lot of times for me it's good because a lot of times you can catch or minimize or reduce or mitigate a risk before things go out or before or is more upstream.
[27:36] So I feel like a lot of people, if they aren't hands on the keyboard or they're not working in that space,
[27:44] they can only see the risks after the fact or later down the downstream. But I think that's a benefit to be able to work in those,
[27:55] work with those dev teams and then also,
[27:58] you know, a lot of the dev teams, unless they have you, of course, Ross, may not be very steeped in privacy, may not know the impact. So to me that always comes up because I think the difference now is that to me before I feel like companies, the way they operated,
[28:17] it was like Santa's workshop and everyone had their own little part to do.
[28:21] But because the data now is streaming through the organization,
[28:26] like you can make a change one place and then impact somewhere else. So having those discussions so that they understand the impact of the things that they do is really important.
[28:36] But what do you think?
[28:37] Ross Saunders: And you've hit the nail on the head there. I think when it comes to dev,
[28:42] there needs to be some kind of involvement in there to keep on the pulse of things.
[28:48] Dev moved quickly before this was here,
[28:52] it's now moving even quicker.
[28:55] And you're right, there is a reliance on awareness for folks to catch this. I mean, I love being involved in teams. There are other teams where I'm there, I go in and I train certain members of the team.
[29:07] So the architects or the guys like signing off the code and all of that. We will do practically a privacy officer training for these folks in the dev roles to be able to spot a lot of this stuff.
[29:18] But there's a distinct need for having your finger on the pulse of what's happening in dev and keeping, actually keeping track of feature development and what's coming on the roadmap.
[29:28] Because if you're only reacting after a major release comes out, or something like that, or something's live and in production,
[29:36] the cat's out of the bag in a lot of cases. Whereas if you're looking at a roadmap and working with the product managers, working with the dev teams as to what's coming, have you considered this?
[29:47] Have you done a threat model? Have you done a DPIA?
[29:50] You can get a lot further down the line and know what's coming and prevent a lot of risk from happening at the end of it.
[29:57] Debbie Reynolds: One of the concerns I have,
[29:59] and I want your feedback here, is that I feel like sometimes organizations think about privacy in an aspirational way and not in an operational way. So for me, I'm like, well, what do you actually do?
[30:16] Like, instead of saying, oh, we do these magical,
[30:19] wonderful things and we're perfect in all ways,
[30:22] and that doesn't really move the ball forward in maturity. It may make you feel good to think that you have all this paperwork and stuff, and then if something bad happens, then you see the gaps and you see the cracks.
[30:33] But what do you think?
[30:35] Ross Saunders: I think there's a lot of theater in both the security and privacy side of things,
[30:41] but it has to come down to process and people as well. So I think a lot of companies see privacy and they see policy.
[30:48] And it's not necessarily only policy. It is your processes internally, it is your people. There are registers involved, there are, it's actual work to be done, and I've seen it with a couple of clients where you kind of show what that broader space is and there's this like "oh" moment.
[31:05] This is a little bigger than we anticipated.
[31:09] But yeah, I think the theater thing can only go so far.
[31:12] And relying on, oh, we have a great privacy policy. We've got a trust center that we last updated three years ago.
[31:20] We designed this great marketing material. That's all fine and well until you get looked at, and you know,
[31:27] if you look at consumer organizations, there are now consumer rights organizations that are starting to audit privacy of publicly facing companies.
[31:37] There are lawyers that are kind of diving in now about your opt-out features. Even the regulator or the commissioner in the UK looking at .co.uk websites to make sure things comply and that cookies aren't set before the banner is accepted and things like that.
[31:53] It's active. Theater's only going to go that far until someone says to you, okay, well, we'll prove it, and then you're stuck.
[32:00] So I think it's great. But don't delude yourself that because there are policies in there's not much more to do.
[32:07] You don't have to do everything.
[32:09] Compliance for a massive bank is not the same as compliance for a five-person shop down the road.
[32:16] But you have to do something,
[32:17] get your obligations covered in that space and build it into process, policy, people and process. If you get the three kind of mapping over each other and working well, it kind of self-polices it as well.
[32:28] I worked with a great company where the staff started self-policing privacy throughout the organization. It was like one of the best things to see and something went wrong. Someone picked it up, raised it and it was fixed straight away.
[32:40] Debbie Reynolds: Right? That's the best. I think it has to be part of the companies that do it. The best in my view is part of the ethos of the way that they do things.
[32:49] So if it gets ingrained in the organization,
[32:53] I always tell people it makes it easier downstream as opposed to waiting for the inevitable. So I think when you talk about theater, people think well,
[33:03] let's just pretend like everything is okay and just pray that nothing happens. Like eventually something will happen and you need to deal with it.
[33:11] Trying to help companies to that maturity is very important.
[33:15] But if it were the world according to you Ross, and we did everything you said, what would be your wish for privacy anywhere in the world,
[33:22] whether that be regulation, human behavior, or technology.
[33:26] Ross Saunders: Wow, that is a big question.
[33:31] You know, I think if I could go with a utopian kind of aspect, there's two sides. I would, I think, like companies to actually be cognizant of the rights aspects to things.
[33:45] And, you know,
[33:46] this isn't.
[33:47] Privacy is not just there to kind of stop you doing business or regulate you into the ground. It's more about good business practice. And I think when people see that's great, and I would love it that that was kind of the starting point that folks had, like, oh, well,
[34:02] this is good business practice. We're being accountable, we're being transparent and open.
[34:07] We say what we're using data for. We're not selling your data to other people. Sadly, that's not a very big reality.
[34:14] And that side. And then on the consumer side, I would like.
[34:19] This just comes back to the other, I guess. I would like people to have more hope around privacy and more awareness of their own privacy and, you know, knowing what can happen, what can go wrong,
[34:28] and why there is a lot of this drive towards privacy because you can have horrible things happen to you when privacy goes wrong. I had my identity stolen. That's one of the ways I got into privacy.
[34:41] It's not something I would wish on my worst enemy because it was 18 months of hell just to get my credit rating back and to be able to open an account.
[34:49] And that's a light experience. I didn't have any passports cloned or anything like that.
[34:55] I think in an ideal world, I think there'd be the protection for people coming from the organizations and not having to be regulated into it and people being aware and wanting that protection and being reasonable in their rights for it.
[35:08] Debbie Reynolds: That's a good wish. That's a good one. Yeah.
[35:12] Ross Saunders: Anyone knows a genie.
[35:13] Debbie Reynolds: That's true. Very true. And, you know, I think it's interesting because I have heard a lot of stories of people who've gotten into privacy or they had a personal experience that really underscored for them why it was so important and so vital for other people.
[35:28] So I thank you for your contribution and I'm really happy that you're able to join me today on the show.
[35:34] Ross Saunders: That was wonderful. Thank you for having me.
[35:37] Debbie Reynolds: Very good. Well, I'm sure we'll talk soon, but this is amazing. Thank you so much.
[35:42] Ross Saunders: Thank you. This is great.
[35:45] Debbie Reynolds: All right.
[35:48] I wanted. Well, I'm going to ask you a question.
[35:51] So the question I'm asked, how should people get in touch with you? If they want to work with you.
[35:57] Ross Saunders: The easiest is probably through LinkedIn or through NerdWithTrustIssues.ca or .com.
[36:04] That'll take you through to a link tree, which will give you everything I'm up to. The other side is my website, russgsaunders.com, S-A-U-N-D-E-R-S.
[36:13] Debbie Reynolds: Nerd with trust issues. I love that.
[36:16] Ross Saunders: That's me. Nerd with trust issues.
[36:19] Debbie Reynolds: All right. All right. We'll talk soon. And thank you again for being on the show.
[36:23] Ross Saunders: Pleasure. Thanks for having me.