00:00 hi everyone welcome to the a16z
00:02 podcast I'm Sonal today's topic is
00:05 something that's top of mind for so many
00:08 or General Data Protection Regulation by
00:11 the EU Parliament which goes into effect
00:14 since this affects so many startups and
00:16 actually companies of all kinds we
00:18 thought we'd share a sort of primer by
00:20 podcast but be sure to also check out
00:23 the show notes for links to some of the
00:24 resources mentioned in this episode our
00:27 special guest is Lisa Hawke who is VP of
00:29 security and compliance at Everlaw an a16z
00:32 portfolio company she started as
00:34 an environmental scientist and lawyer
00:36 but spent most of her career in
00:37 regulatory compliance and joining her to
00:40 host this conversation is a16z
00:42 board partner Steven Sinofsky so I'm
00:45 super excited to have a chance to talk
00:47 about a really complicated topic with a
00:48 great friend and guest to join the
00:51 podcast thanks Steven it's really really
00:53 exciting to be here and especially to
00:56 talk about this great topic on
00:57 everybody's mind lately so we're gonna
00:59 just dive right in to GDPR the
01:01 General Data Protection Regulation
01:04 of the European Union so first off like
01:06 just who is going to be regulated by it
01:09 like a bunch of people like our product
01:11 managers and compliance people and
01:13 engineering and ops are wondering whose
01:14 job it is they're pointing at each other
01:16 so like who is regulated by it
01:18 well in legal terms there's a thing
01:22 called long arm jurisdiction and this is
01:25 probably one of the longest of the long
01:27 arm jurisdictions and what I mean by
01:29 that is a situation where a local court
01:32 can actually assert jurisdiction over
01:35 someone in another state another county
01:37 and in this case from the European Union
01:40 to other countries and companies who
01:43 process personal data of EU data
01:45 subjects so in a nutshell it applies to
01:48 anyone so any company that processes
01:50 personal data of EU data subjects which
01:53 is gonna sort of end up being everybody
01:55 who's listening in one way or another
01:57 they just haven't realized that yet so
01:59 like to put a little scope on this the
02:02 actual GDPR is 260 pages long and
02:06 my favorite is that it has 99
02:08 sections and the preamble 173
02:13 different sort of recitals
02:15 which when you read them they kind of
02:17 look like the EU's tweets about like
02:19 what it should be so it's a pretty
02:21 big document it is and the preamble
02:25 the recitals are really interesting US
02:28 law doesn't necessarily do the same
02:31 thing where they explain via the recitals
02:34 sort of the intent behind the
02:35 regulations so the thing that is
02:37 interesting for me is that the European
02:39 Union by virtue of the long arm
02:42 which it's hard to get the song out of
02:43 my head right now but I won't sing I
02:45 swear one thing that's interesting is
02:46 that they've sort of taken the global
02:48 lead on privacy and that's
02:52 interesting because it puts the US
02:55 companies oddly under this new
02:57 regulatory oversight even though they
02:59 didn't elect the people who sort of
03:02 are passing it so does it sort of make
03:04 it like weird that like Europe is almost
03:06 harder to do business in than the US yeah
03:09 and I think whether or not it's harder
03:12 to do business there depends a little
03:13 bit on your perspective certainly the
03:15 Europeans view it as a way to make it
03:18 easier to do business in the digital
03:20 single market merging all the laws of
03:23 the 28 member states into sort of one
03:25 data protection regime so to speak I
03:28 think for US companies that are working
03:30 towards compliance there are a few
03:31 different there are two different ways
03:32 to look at it you can either adopt the
03:35 stricter standard and look at it as an
03:37 opportunity to do business across Europe
03:39 or you can look at it as a barrier I
03:42 think that's really interesting because
03:43 in a sense you know this actually
03:46 can be a differentiating opportunity for
03:48 a lot of companies yeah I think so and
03:50 especially for startups first of all you
03:53 know it is a big deal I'm not
03:55 saying it's easy to do all the work that
03:58 you need to do to get into compliance
03:59 but startups tend to be more
04:02 nimble you may have fewer resources but
04:04 it's also easier to make changes
04:07 to your infrastructure your org
04:08 structure and if you're willing to put
04:11 the work in and you can do it I think it
04:13 could open up a ton of opportunities yeah
04:15 I really agree with that because like
04:16 when you're at a big company and you're
04:18 hit with GDPR like I know exactly
04:20 how this is gonna work like you've got
04:21 all the subsidiaries and you know I
04:24 well you're paralyzed because you have
04:26 the EU just spent four years pulling
04:28 together 28 member states but you're at
04:30 a big company you're gonna spend two
04:32 years pulling together the 400 different
04:34 groups each with their own data sets and
04:36 their own vendors and their own policies
04:38 and their own EULAs right right and so
04:41 startups do have a real advantage
04:42 okay so let's dive into the
04:44 main body of the GDPR so the
04:47 first thing is it comes out
04:49 it just defines like two kinds of main
04:51 roles in the company and they're
04:54 awesomely named that seem roughly
04:56 synonymous controllers and processors
04:58 and I guess this is important because
05:00 you sort of want to know which one
05:02 am I or what do they mean
05:03 because they define everything else
05:05 relative to being a controller or
05:06 processor and it is really important to
05:08 figure out where you fall in that and if
05:11 you're processing personal data there's
05:13 also a really solid chance that you're
05:15 both so the terms controller and
05:17 processor actually aren't any different
05:19 from the 1995 directive but the
05:22 obligations of a controller and a
05:24 processor have changed under GDPR
05:26 so there are definitely some things to
05:28 be aware of in terms of what the
05:31 obligations are so what's a controller
05:33 so the data controller is the company
05:36 that decides how and why the personal
05:40 data is going to be processed and the
05:43 processor is processing that data on
05:46 behalf of the controller and the reason
05:48 I say that there is a good chance that
05:50 you will actually fall into both of
05:53 those categories is because let's say
05:55 you're a company with a website in
05:57 Europe and you have a contact form on
05:59 that website so folks are inputting
06:01 their name email and phone number to go
06:05 into a database at your company that you
06:07 might use for marketing later then you
06:10 may also have customers so if you're
06:12 collecting that data through the website
06:15 you're a controller of that data and
06:16 then you may have a product where you're
06:18 processing other personal data on behalf
06:20 of your clients your customers you may
06:22 be a processor for that data but a
06:24 controller for the other information you
06:26 collected and so just to be clear
06:28 inserting a vendor or a third party in
06:31 there doesn't change any of this
06:33 no and that's something that sometimes
06:35 in US law you think otherwise the third
06:36 party and liability is insulating but
06:38 you can't just hire a
06:40 contractor and GDPR goes away no in fact if
06:42 you do that they are probably the third
06:45 term which is the sub-processor so then
06:48 you've brought a sub-processor into the
06:49 mix which is just another processor but
06:53 you'll have to ensure that they are
06:55 meeting their requirements and sort of
06:57 the chain of obligations and
06:58 responsibilities yeah and I think
07:00 that's sort of the key theme about
07:03 GDPR is difficult and as big as it all
07:05 seems they've done a lot of work to sort
07:07 of make it hard to find loopholes or
07:09 excuses and there's not like an easy out
07:11 so to speak no certainly not and with
07:15 the data protection principles under
07:17 GDPR the one that I've heard the
07:19 regulators focusing on the most is
07:21 transparency so they are putting a huge
07:24 amount of work into making sure
07:26 individual citizens in Europe understand
07:29 that they have the right to know what
07:32 the data controllers and processors are
07:34 doing with their information and who
07:35 they're giving it to that's probably
07:37 important because ultimately I think
07:39 what's gonna happen is that when it
07:41 comes time for there to be complaints or
07:43 problems what I think the EU regulators
07:45 are sort of counting on is that there'll
07:47 be a bottom-up view and like people will
07:50 sort of police this on behalf of them
07:52 because there's not a giant enforcement
07:54 arm for these and so it's likely that
07:56 you as a company will see the first
07:59 complaints coming from individuals who
08:01 can simultaneously raise this to the
08:03 regulators and that's just another
08:05 reason to go back to what is your role
07:35they're giving it to that's probably
07:37important because ultimately I think
07:39what's gonna happen is that when it
07:41comes time for there to be complaints or
07:43problems what I think the EU regulators
07:45are sort of counting on is that there'll
07:47be a bottom-up view and like people will
07:50sort of police this on behalf of them
07:52because there's not a giant enforcement
07:54arm for these and so it's likely that
07:56you as a company will see the first
07:59complaints coming from individuals who
08:01can simultaneously raise this to the
08:03regulators and that's just another
08:05reason to go back to what is your role
08:08here are you a controller are you a
08:10processor because when it comes to
08:12responding to data subject rights there
08:15are some differences and the controllers
08:18are likely going to be the entities that
08:20are receiving these complaints so it is
08:22important to know where you fall in that
08:25spectrum and what your obligations are
08:26in terms of responding to those kind of
08:28complaints so when it comes to these
08:30parties what is the data that we're
08:32talking about like how narrow or how
08:34broad is personal information or the
08:38privacy requirement what does it cover
08:39well it is very broad and there's a bit
08:43of a history lesson as to why it's so
08:45broad which is that the European
08:47Convention on Human Rights talks about
08:49respect for private and family life as a
08:53the definition is broad and the
08:56definition really hasn't changed that
08:58much from the 1995 directive there's a
09:00few important updates one of those
09:02important updates is the inclusion of an
09:05identifier including online identifiers
09:08like location data so the original
09:12definition says that personal data is
09:14any information that relates to an
09:16identified or an identifiable living
09:18individual so add on to that things like
09:21the online identifier and genetic
09:24information those are the two key
09:25updates to the definition but it was
09:28meant to be very broad and it was meant
09:30to apply to a large swath of information
09:34and and I think that the the key thing
09:37is is that they're very aware of taking
09:39one piece of data like your genetic
09:41information like a the equivalent of a
09:43social security number driver's license
09:45number a tax number and then a whole
09:48bunch of other data that might be
09:49innocuous but triangulating it into one
09:53giant thing and so the list of like
09:55things that are other types of data that
09:58matter is very long it just doesn't stop
10:00as far as I can tell yeah and I'm glad
10:02you pointed that out because in addition
10:04to the things that are listed and as
10:06examples there is a statement in there
10:08that says different pieces of
10:09information which collected together can
10:12lead to the identification of a
10:13particular person counts so certainly
10:15the triangulation of different
10:17information which you might not think
10:18actually would identify a person but
10:22taken together or taken in parts and
10:25pieces can that certainly would qualify
10:28you know people in in startups they want
10:30to look for like okay is there a
10:32scalable technology solution such that
10:34it can like reduce my overall sort of
10:37surface area that I have to worry and so
10:38one question is like what if a startup
10:40from the very beginning has a clear uh
10:43gnana mised identify our mechanism and
10:45then and then encrypts and anonymizes
10:49somehow all of this other kinds of data
10:51where does encryption and an anonymous
10:54ation fit into all of this it's really
10:55important because there is one escape
10:59route from gdpr which is the provision
11:03in the regulation which is also the same
11:0695 directive which says that data that
11:09are fully anonymized meaning that no
11:11individuals can be identified are
11:13outside outside the scope of GDP our so
11:16if you if a company is start-up can
11:18truly anonymize data then that data
11:20wouldn't be subject to the regulation
11:22but I have to say I I think that the
11:25concept of anonymization will be tested
11:28sort of what actually qualifies and I
11:30know there's a lot of security
11:31 enthusiasts and mathematics enthusiasts
11:34 out there thinking about you know
11:36 what this is gonna look like when
11:38 applied what is a big research topic
11:40 over whether or not you can truly
11:41 anonymize anything because the ability
11:43 for machine learning to triangulate and
11:46 find patterns that you can't readily see
11:49 is so extreme and even when Apple
11:52 announced that that's the kind of thing
11:53 that they do there was a lot of pushback
11:54 saying well it's not really proven and
11:57 six degrees of separation or whatever in
11:59 fact that goes way way back to a very
12:01 famous case in the US over a product
12:03 called Lotus Marketplace which came out
12:05 in the early 1990s and it was anonymized
12:07 census data but the problem was it was
12:10 so granular at the city block and
12:12 building level that basically you knew
12:15 how much a person made in salary just
12:17 because they lived in a certain house I
12:19 think there's a stat out there that says
12:21 that over 80 or 85 percent of the US
12:24 population can be identified with three
12:26 pieces of data so it is certainly a
12:29 challenge the regulation also introduced
12:32 another concept pseudonymisation so
12:34 pseudonymisation is when information
12:37 is obscured but there is a key that can
12:40 tie it back to an individual and the
12:42 regulation talks about pseudonymised
12:44 data as a way to meet data protection by
12:48 default and by design but I think your
12:50 non-legal advice is anonymization
12:53 is good but we should probably be aware
12:55 that someone is gonna find themselves
12:58 having that tested in front of the
12:59 regulators or in court as to whether or
13:02 not it went far enough and the state of
13:04 the art isn't even clear yet if it's far
13:06 enough and I think the even more
13:08 practical advice is just know what
13:10 personal data you have why you have it
13:12 and what you're doing with it okay so
13:14 this is the European Union so what does
13:17 this have to do with the US well
13:20 you're probably using personal data from
13:23 EU data subjects they could live in the
13:26 US I'm married to one so okay this
13:29 is personal information so let's be
13:30 careful I'm being a little bit facetious
13:32 but you know if you have a
13:35 software product you're
13:37 probably marketing to people in the EU
13:39 just because you have a US website if
13:41 you offer it to the folks in the EU there
13:45 is a good chance that you're collecting
13:46 personal data it's a big place
13:48 so the key is that these
13:50 regulations cover European Union
13:53 citizens no matter where they happen to
13:55 be at a given time regardless of where
13:57 the product resides yeah they are
14:01 covered that's true and so if you
14:03 look at the scope there's two different
14:06 areas of coverage one is offering goods
14:08 and services to the EU and there are
14:11 things like you know even if you have a
14:13 US website do you offer translation do
14:16 you have a contact number in the EU you
14:18 know do you have employees in the EU and
14:20 then there is another aspect which is a
14:22 little bit less clear but around you
14:24 know monitoring and profiling so
14:26 targeted ads are you collecting fitness
14:30 data from people in the EU on a wearable
14:32 device so it's very very broad and
14:36 also can your customers even if they're
14:38 in the US can they bring EU people in in
14:40 a viral networks kind of way yeah maybe
14:43 you have a company that has an office in
14:46 California as your client but they also
14:49 have an office in London and some of
14:51 their London folks want to use your
14:52 product guess what yeah the US just
14:55 chose not to make laws and regulations
14:56 that are nearly as all-encompassing as
14:59 these EU ones but often what happens is
15:01 it's just better to just pick that as
15:04 the standard by which to do because it's
15:06 the higher bar the higher
15:08 threshold yeah that's true I mean right
15:10 now in the US there are some verticals
15:13 that have their own privacy regulations
15:15 typically we think of protected health
15:17 information and HIPAA so certainly there
15:21 in my view there's a benefit to just
15:23 adopting privacy by design and adopting
15:26 the stricter standard because by doing
15:28 so you will sensibly be able to comply with
15:34 more regulations and more jurisdictions
15:36 and so once you in your company
15:39 have this personal data you've identified
15:41 one of the things that I found
15:43 the most interesting in the GDPR is that
15:45 and it's in the very beginning and the
15:47 recitals is that citizens in the EU they
15:50 have like really very clear rights
15:52 about their data like your product just
15:54 has to do these things so why don't we
15:57 just walk through like what these
15:58 rights are sure and like I said before
16:01 it definitely matters what role your
16:04 company is as to how you respond to
16:06 these rights which is why it's really
16:08 important that you start there and
16:09 understand where you fit into GDPR
16:12 what information you have because like
16:14 you pointed out if you have to
16:16 comply with these data subject rights
16:18 you have to be able to do it and you may
16:21 need to build that into the product that
16:23 you're building well let's go through
16:24 them all so first you have to get access
16:26 to your personal data what does that
16:27 mean yes so you have the right to
16:30 request basic information about the
16:33 nature of the processing about you know
16:36 what the company is actually doing with
16:37 your data you have that right to
16:39 information you also have the right to
16:41 access it so then all of this actually
16:44 to me sounds a lot like if you have ever
16:46 like gotten your own credit report yeah
16:48 in the US law they've actually done a
16:50 very similar thing but for this very
16:52 narrow case for credit reports and
16:54 honestly it's kind of adversarial yeah
16:57 and it's not really designed for
16:59 consumers and I think the European
17:00 Union's learned from that because
17:02 they've been iterating since 1995 on
17:04 this so I think they're gonna look at
17:07 the implementation of these as well as
17:09 whether or not you have them yes
17:12 but in fact one of the top regulators
17:14 from Europe was in the Bay Area just a
17:16 Helen Dixon who is the Irish Data
17:19 Protection Authority and she actually
17:23 said that transparency and how companies
17:26 respond to the data subject access
17:30 rights when asked is going to be a big
17:32 focus so certainly how companies
17:34 operationalize this will be in okay so
17:36 we you have access to the data you can
17:38 fix it what else do you have to be
17:40 able to do you have to be able to object
17:43 to the use of your information for
17:47 you have to be able to request that your
17:51 data be erased when it's no longer
17:53 needed you can also request a portable
17:57 version of your data request that
17:59 decisions based on algorithms be made by
18:02 humans I think oh I know the one you're
18:04 about is that this really interesting
18:06 one where it's that if they make a
18:08 decision based on your data in
18:10 software like you have this is crazy you
18:13 actually have the right to make humans
18:16 do the same look at your data and make
18:17 the same choice if I read it correctly
18:19 is that what they meant yes now you
18:21 reminded me and there's actually a
18:22 really good there's a few sort of
18:24 dueling journal articles around the
18:26 right to be forgotten and around the
18:28 automated data processing so what your
18:30 algorithms how GDPR will affect data
18:32 science and the types of automated
18:35 decisions you know such as machine
18:37 learning that affect the outcome as it
18:39 relates to an individual so like a
18:41 credit report alone and so forth and the
18:44 right to have a human actually look at
18:48 the output of that algorithm and say and
18:52 explain how the decision was made so wow
18:55 so the GDPR offers up a whole bunch of
18:58 things to worry about like you have to
19:00 support all these features in your
19:02 product you have to do all these things
19:03 but it doesn't really tell you what to
19:07 do one area that it does that
19:10 I think is super interesting is that it
19:12 tells you about privacy by design that
19:15 sounds familiar to me having lived
19:16 through the security world of secure by
19:18 design but privacy by design what does
19:21 that really mean Dr. Ann Cavoukian
19:25privacy by design so the concept has
19:27been around for a while
19:28the gdpr discusses it in the context of
19:32requiring data controllers to meet the
19:35principles of data protection by design
19:37and data protection by default which is
19:39very similar to the privacy by design
19:41and it essentially just boils down to
19:43privacy being taken into account
19:46throughout the whole engineering
19:47development process and it sounds kind
19:50of complicated but it boils down to some
19:52really straightforward concepts like for
19:54example privacy as a default setting
19:56privacy embedded into the design so if
19:59you have a choice to
20:01design a function where you can make it
20:06easier to delete data later down the
20:08road or harder to delete delete data
20:10down the road you want to go down the
20:13road where it will make it easier for
20:14you to delete that personal data
20:16visibility and transparency and keeping
20:19it user centric around privacy it's not
20:22it's not a user design thing necessarily
20:25order it obviously has implications but
20:26this feels much different in terms of
20:29the overall engineering design process
20:30so you've integrated that yourself into
20:33everlaw yeah we've been talking about
20:35security for a long time and certainly
20:38the concept of privacy once you start
20:40talking about how it actually applies in
20:43practice with the engineers it makes a
20:44lot of sense to them and I when we were
20:47talking about this you know the example
20:49I gave just a second ago look we're
20:51gonna design this thing and we can
20:53either do it so that it's easier to
20:54delete data later or it's harder the
20:58privacy by design way is to make it
21:00easier and the lightbulb goes off and
21:02they just get it so certainly if you're
21:05working on implementing this with your
21:08engineering team it may require a little
21:10bit of explanation upfront but it it's
21:13common sense just some people who don't
21:15know whatever law does it happens to be
21:17software for lawyers but that doesn't
21:20the domain doesn't really change
21:21anything they have a massive amount of
21:22very very sensitive information and also
21:26identifying information about attorneys
21:28and what they're working on and it's no
21:30different than any other product for
21:32collaboration and so it's to me it's
21:34been very interesting to watch this
21:36notion of of gdpr get baked into the
21:39engineering cycle but what area that is
21:41just fascinating to me is that as vague
21:44as the GTR might appear to an engineer
21:46in some places it got very specific very
21:48quickly on penalties I think that is
21:51just the huge focus because the numbers
21:53are so large and frankly that's what the
21:56reporters are writing about they're
21:57doing the whole thing look at these
21:59giant fines you know 4% of global
22:02turnover that's right over that's my
22:04favorite I love reading things because
22:05they talk about turnover and I don't
22:06know what that means but it's just
22:07revenue like top-line revenue yeah it's
22:10and I think I think what scares a lot of
22:12people and it scares smaller companies
22:15it's just you know too much of a hot
22:17potato but if you actually read article
22:2083 which is the part in GDP are where
22:22they're talking about I have to say I do
22:27recommend that folks take a look at it
22:29because working backwards from there
22:31they actually tell you what they care
22:34about when they're going to potentially
22:37assess a fine which is you know is their
22:39negligence was it intentional so if
22:42you're worried about mitigating this
22:45kind of risk it helps to see what is
22:48listed in there as the factors are round
22:51around the penalties and also keeping in
22:54mind that the fine is is a bit of the
22:56last resort and they certainly have the
22:58authority to impose a fine but they also
23:00have a whole section in there on
23:02corrective actions so there's a lot of
23:05things that will happen you know in
23:07terms of an investigation you're gonna
23:09hear from them way before a fine is
23:11coming your way they don't just show up
23:12yeah now the reason that this all got
23:16started was the problem of breaches and
23:18 that what was happening was these giant
23:20 data sets were being collected and then
23:22 they were leaking so what does GDPR
23:26 say about breaches well there is some
23:28 specificity there around time frames for
23:31 response and notification so people kind
23:35 of gravitate to the 72-hour language
23:37 which talks about the obligation of data
23:39 controllers notifying the supervisory
23:42 authorities so the regulators within 72
23:45 hours of you know becoming aware of a
23:48 breach and a lot of the discussion has
23:50 been around companies thinking okay
23:53 seventy-two hours is not a lot of time
23:55 what do we how do we respond in that
23:57 timeframe so I think that you know for
24:00 any startup a key thing is there's
24:03 probably a good chance that the
24:05 company has a process around the service
24:08 going down and the reality is they need
24:10 the same kind of checklist process call
24:13 list pagers alerts in case of being
24:17 notified of a breach which might
24:19 actually not be a systems notification
24:21 it might actually just be you know it
24:23 might actually show up on some
24:25 Reddit forum somewhere or it might be
24:28 people sending threatening mail that
24:30 they have the data but they need to have
24:32 like an action plan yeah absolutely and I
24:35 mean it could be something as simple
24:36 as an employee hitting send on an email
24:41 containing some personal data so it
24:43 doesn't have to necessarily be a hack
24:45 but absolutely you need to have a
24:48 process in place with the knowledge that
24:50 nothing is ever going to go as planned
24:52 but you'd still need to have laid out
24:55 some plans even if it's very basic and
24:57 then I also recommend testing those
24:59 plans because testing them and doing
25:02 scenario planning and actually running
25:04 scenarios is the best way to find out
25:07 okay actually I don't have Joe's phone
25:09 number and how do I get it without my
25:12 computer well and I also
25:14 think that part of this gets also to the
25:17 kind of company culture that gets
25:19 created around the information that
25:21 the company has like how many people
25:23 have a password that enables them to see
25:25 it and just even these little things
25:27 right exactly you know culture is so
25:31 important for a lot of reasons but
25:33 around a speak-up culture for everyone
25:35 in the company feeling like hey
25:38 something over here looks weird and
25:40 having the ability to raise that and
25:42 knowing that they will be supported when
25:45 the issue is raised and that it will be
25:47 responded to and that folks on the team
25:49 take it seriously I think from a
25:51 compliance security privacy perspective
25:53 having a culture where it is common and
25:57 it's accepted and it's encouraged to
25:59 bring up issues is where you want to be
26:02 because if something goes wrong and you
26:04 don't have that you're already gonna be
26:06 on the back foot I've been on the
26:08 receiving end of a deferred prosecution
26:10 agreement largely relating to a cultural
26:14 issue around not reporting things and
26:17 sort of being scared to report things
26:20 and I can absolutely say you know
26:22 without reservation that that is not
26:24 where you want to be and anything you
26:25 can do to encourage your team to raise
26:27 issues and be supportive of them when
26:30 they raise them is super important I
26:32 think that's one of the neat things
26:33 about because Everlaw is in the
26:36 regulatory space and the legal space I
26:38 can see it when I visit that they
26:40 view compliance with things like GDPR
26:42 like a weird training exercise glued on
26:46 the side that you have to worry about on
26:47 one day a year but it is a thing
26:50 that gets baked in sort of how the
26:52 company functions and then when new hires
26:54 show up they don't see it as weird or
26:56 the weird training thing they have to go
26:57 to they just see it as oh this company
26:59 cares a lot about this topic
27:01 yeah and that was how security was you
27:14learn by the way what you work on can
27:16cause the world to end if you don't do a
27:17good job and they're like cool so how do
27:20I fix that I don't want to be the person
27:21who makes the world end yeah I would
27:23just encourage other people to think
27:24about it as a culture not as a not as
27:27compliance as sort of feature design so
27:30we talked about that this applies to
27:33sort of everybody is there anything
27:34unique or special about being cloud or
27:37being on-prem because you know sometimes
27:39people think that like if you're on Prem
27:41then you sort of escape all of the stuff
27:43because it's all just stuck on a server
27:45somewhere but I don't I'm not sure where
27:47does that fit in with with these
27:49regulations well of course I think cloud
27:50is special but when it comes to gdpr I
27:53don't think there's a huge difference
27:54because I just can't imagine how any
27:58company can run a business without
27:59collecting personal data I mean whether
28:02you are a b2b SAS company whether you're
28:06a social media company whether you're
28:08selling on-premise software you're still
28:10billing people you're collecting names
28:12you're collecting emails phone numbers
28:14probably you have user accounts well
28:17telemetry those apps have telemetry in
28:19them going back all this stuff yeah so I
28:21just I'm not sure there's a huge
28:23difference so a good rule of thumb is if
28:25you can sign on to your product then
28:27you're collecting private information
28:29because you have that key and then
28:30everything associated with it is private
28:32so let's assume you want to be GDR
28:35compliant you know is it is it like
28:37getting like FedRAMP certified or FISMA
28:40or HIPAA or any of these other acronyms
28:42that not everybody is clear on there is
28:44an alphabet soup of potential
28:47certifications around privacy and
28:50security certainly GDPR is a regulation
28:54right now there is no certification for
28:57it the regulation does have language
28:59around certification in it but nothing's
29:01actually been developed it's referenced
29:03but it's not developed so there are a
29:05lot of advisors out there consultants
29:07that may you know try to sell you on
29:08some kind of certification but at the
29:11end of the day it's a law so it's your
29:14job as a company to figure out how does
29:16this law apply to me how can I take a
29:18risk-based approach to meeting my
29:20obligations and then how can I document
29:24my rationale and what I've done to
29:26comply if I'm ever asked if my door is
29:28ever the one that it's not that so you
29:30were being super polite I think what
29:32you're really saying is make sure you
29:34don't go pay a consultant a bunch of
29:36money to become GDPR compliant well if
29:39you have money burning a hole in your
29:40wallet I'm gonna tell you not to do that
29:43but I take a little bit of a more
29:45practical approach and that I think that
29:47I think you know startups can do it
29:50themselves I think they have a lot of
29:53smart people there are tools out there
29:55that you can use eventually you will
29:57need a lawyer to draft some contracts
29:58but I do think there are practical
30:00things you can do without engaging a
30:03really expensive consultant when you say
30:05you have to have a lawyer to draft some
30:06language that's because eventually like
30:08GDPR is gonna either be in your sales
30:10contracts or in your EULA in some form
30:14there are controller and processor
30:16obligations which need to be clearly
30:18laid out in a contract and if you
30:21transfer data you will have to have
30:24probably at least right now people that
30:26a lot of companies are using the
30:28standard contractual clauses so in a
30:30nutshell yes so you're now a product
30:32manager on the team trying to figure out
30:34what to do like one of the things you
30:36did was pull together a tool it's it's
30:39just a spreadsheet not just it is a
30:40spreadsheet but it's the way that we
30:42started in security too it's a checklist
30:43of what you have to do for a bunch of
30:45stuff there's a lot of free resources
30:46out there but I couldn't find anything
30:49that was free and that put all of the
30:51information where I wanted it in one
30:53place and yes it's a spreadsheet it's
30:56actually a Google Doc it's really easy
30:57for a lot of people to be in there
30:59working on it at once and what it does
31:01is it lays out all of the things that
31:04you need to document to do your own risk
31:08of what data do you have where is it
31:10what are you doing with it why do you
31:12have it do you really need it how are
31:14you securing it so it's it's a one-stop
31:18shop where startup can just document
31:21what they're doing with personal data
31:22that will then allow them to assess
31:24their risk and decide what they need to
31:26do we have to go back and say okay where
31:28do we have a username like where do we
31:30have an address where do we have an
31:31account history where do we have other
31:33and you sort of just systematically have
31:35to go through and do that yes when it
31:37comes to privacy and personal data we're
31:39just used to using information putting
31:41it into productivity tools and doing our
31:43jobs right we're not used to thinking of
31:46how do I rely on personal data to
31:49actually perform my business function so
31:52if you take this sheet and you sit down
31:54with one of your marketing folks and you
31:56say you know what personal data do you
31:58actually use to do your job
32:00the next minute they'll be talking about
32:02okay well inbound lead generation
32:04I need contact information for that and
32:06then the next thing I'll say well what
32:09do you do with that and then I guarantee
32:10you there's at least two software
32:12programs that they put lead contact
32:14information into to actually do their
32:17jobs to generate emails and everything
32:18they pass offs and all sorts of stuff
32:21exactly you're just sitting down with
32:23your colleagues you're saying you know
32:24what do you do with personal data and
32:26going through and it will help you get
32:28all the information you need to figure
32:30out you know how much exposure you have
32:31if there's an action item for a podcast
32:34this is really gonna be it and I think
32:36everybody's gonna be shocked at just how
32:38much potential there is for risk that
32:41they weren't really thinking about so
32:43just two things to wrap up one you
32:45obviously came with all of this
32:47experience and and that focus when you
32:50join the company but like an existing
32:53company might not have the opportunity to
32:54hire somebody like you or the budget or
32:56that's the priority but who is the right
32:58person to focus on this in a company
33:00where do you when you talk to your peers
33:02that are doing this where are they in
33:04the company are they in product and ops
33:05and marketing who is doing this work
33:07well Everlaw it's a bit of all hands on
33:09deck because each of the teams everyone
33:12does something with personal data and so
33:15it's important for all the teams to be
33:16involved but if you're at a smaller
33:18company and you need somebody to lead
33:20your GDPR compliance
33:21project then and you don't have a you
33:24know person in charge of compliance and
33:26my advice is to look for what I think of
33:29as your risk sentinel my life before the
33:32startup life was actually in the oil
33:35industry for about nine years and I've
33:38had a bunch of different roles worn
33:39different hats around regulatory
33:40compliance from an energy trading
33:43perspective and then after that
33:45responding to Deepwater Horizon and
33:48leading environmental restoration for
33:49the company so in my career in
33:51compliance I've had colleagues that came
33:53from trading they came from engineering
33:56they came from risk not everybody in
33:57compliance is a lawyer some come from
33:59audit but you you want the people who
34:02are thinking five steps ahead you want
34:05the people who can triage issues who can
34:08spot issues who can think ahead to what
34:12the challenges might be and how you will
34:14solve them I don't think it necessarily
34:15matters what function but look for the
34:17people who have that detail-oriented
34:20nature and the ones that are just always
34:23thinking ahead awesome so if you could
34:25give people like one reference or one
34:29document that they should go read that
34:30isn't the GDPR regs itself
34:32like what would you recommend I would
34:34recommend certainly the privacy by
34:36design the foundational principles it's
34:39a document you can google it Dr. Ann
34:41Cavoukian and she's the former information
34:43and privacy commissioner from Canada and
34:45that talks about in a very digestible
34:48format the things you can do to
34:50incorporate privacy by design into your
34:52engineering and design process certainly
34:55well thanks a lot I just wanna I want to
34:57wrap up and remind everybody of sort of
34:59these core GDPR principles that I'm just
35:01going to read so that we we end with
35:02these but everything must be based on
35:04consent you can only collect what's
35:06adequate necessary and not excessive in
35:08relation to a specific service the right
35:11to transparency as Lisa was saying that
35:13seems to be where the main emphasis is
35:15you have the right to be forgotten and
35:17you know IP addresses email addresses
35:19genetic information all of those are are
35:22personally identifiable information
35:25thanks a lot Lisa Hawk from Everlaw for
35:28educating us about GDPR thank you