Serious Privacy

Simply Irresistible programs (with Ryan Boos)

Dr. K Royal, Paul Breitbarth & Ralph O'Brien Season 7 Episode 20


Welcome to the Serious Privacy podcast, where Ralph O'Brien and Dr. K Royal, while Paul Breitbarth is out, meet with Ryan Boos of TrustArc. What's on the mic? Simplification of privacy programs. Ryan comes to this with the experience to back up his knowledge - he has fought in the data trenches and flown through the danger zone! Okay... he has major chops.

If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!

From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0, with the voiceover by Tim Foley.

Tim

You're listening to the award-winning Serious Privacy Podcast sponsored by TrustArc. Please welcome your hosts, Paul Breitbarth, Ralph O'Brien, and Dr. K Royal.

Ralph

Hello everybody and welcome to another edition of the Serious Privacy Podcast. We've got a good one today. I know we've got a good one today, because the wonderful people at TrustArc who very kindly sponsor the Serious Privacy Podcast have sent one of their own with us. It's our pleasure today to have on the podcast Ryan Boos, who's a legal strategist at TrustArc and has spent quite an interesting career actually looking at the legal side of things, and I'll put aside privacy versus practitioners and lawyers versus practitioners. But looking at the school of law and a career in aerospace followed by a tech provider. So we do have a lot of varied experience to draw upon today. And also, we've got a special one because it is just K and I today. Paul is actually away at a conference. My name is Ralph O'Brien.

K

And I'm K Royal, and welcome to Serious Privacy. Ryan, thank you for joining us. Absolutely loved meeting you last week when we set this up. I think it's awesome. We kept missing each other by phone because I was traveling or he was traveling or we were in conferences and it was just crazy. Y'all know how that goes. So thank you, Ryan. This is the first time you've been on our podcast officially recognizing TrustArc as our sponsor or not. So we loved having you here. Thank you for being here.

Speaker 2

Yeah, thanks for having me. This is not only my first podcast with you, but my first podcast ever.

K

Props to Ryan. I don't know what it is with me and the props and the hand raises today. This is why we're not on YouTube with video. So that being said, Ryan, are you ready for the unexpected question?

Ryan

I believe so.

K

They all think they are. Okay. Your friend is leaning out the window asking you to toss him a donut. How many stories up could your friend be in order for you to still be confident in his ability to be on target with the donut?

Ryan

Am I catching it in my mouth or am I catching it with my hands? That's the question.

K

Oh, you're tossing him a donut.

Ryan

Oh, I'm tossing him a donut. Is he catching it with his mouth or his hands?

K

Doesn't say it just says be on target. I guess you could just whop them broadsided, but that is a very critical point.

Ryan

Are we doing like little bits or are we taking a whole donut here?

K

A whole donut. Not a donut hole, full-size, regular, not a little miniature Debbie donut, an American donut.

Ryan

So I think if I was doing like a frisbee toss or like a discus, I might be able to get it like three stories.

K

Oh, I like that. That's picturing him on the other side of the street and you're like Exactly. Like it, okay, three stories. If you were dropping it into an open mouth. I have to ask these because you're the one that brought it up. If you're dropping the donut and he has to catch it in his mouth, how many stories?

Ryan

It that's like the European versus African swallow question, right? Like now it's wind and it's blowing. Well Robin's up in my estimation.

K

Like I dispersed throw three stories. Ralph, what do you got?

Ralph

Ryan's got up in my estimation for the Holy Grail reference already. So uh we're gonna get on like a house on fire.

K

We may talk about what Ryan is doing.

Ralph

This is true. So yeah, yeah, I've got to counter like Ryan and say it depends on the friend, right? I've got friends that I could throw I could literally put it in their hand from half a meter away and then still drop it. So I I have friends I'd have no faith of catching it even a single storm.

K

Let's be honest, that that would be me. I'm the friend.

Ralph

Yeah. I'm gonna give the typical data protection answer of it depends.

K

Oh, you stink. I have a very simple answer. I can't. I can't throw a discus throw, I can't drop it. Although you would like to think that if you drop it in a perfectly straight line, it does not matter whether or not you're one, two, five, fifteen, or thirty stories up. Gravity should take it down with no alteration of the trajectory whatsoever. However, I have zero faith in my ability to have a perfect draw.

Ralph

Drop it like it's hot, okay.

K

I'm taking the donut. Y'all can throw them. I'm taking the donut. Of course, it has to be a gluten-free one, but there we go. And there aren't any really good gluten-free donuts. Let's just be honest. I'm so happy when I get a gluten-free donut that's edible.

Speaker 2

You're a big fan of emotions.

K

Not a big fan, but a fan. I've had it once and I liked it.

Ralph

Ryan, let's donuts aside.

K

You're gonna have privacy, aren't you?

Ralph

We always have to. I always have to bring us back to topic. I'm sorry, K. And the topic today is actually Ryan. So before I ask the first question, I normally actually just give people a little bit of a chance to tell us about themselves. Our listeners might not know you. You said it's your first podcast, so you haven't been out there a lot. So, Ryan, let's give us the is it the 411?

Ryan

It's wit whichever analogy you want to use.

K

There we go. Segues are getting worse, let's just be honest. He didn't even try anymore. He didn't even try. Hey, shut up. Okay, let's move to the next stop. Anyway, no, tell us a little bit about yourself, Ryan.

Ryan

Yeah, I think if you ask my friends, they'll say I've held pretty much every job imaginable. If you ask, hey Ryan, have you done that? The answer's probably yes.

K

Okay, you're like 22 years old, so I don't want to hear it. Shush.

Ryan

I wish I was 22 years old. My listeners can't see it, but my hair is receding at this point. But yeah, so I started as a tech recruiter where I had to fudge my way through sounding like I knew new technology. But that got me into that translation space. I have to understand developers, I have to understand the sales aspect, the business aspect, that sort of thing. And before I started earning a bunch of money, more than like $25,000 as a young adult, I said I want to go to law school.

K

You know that pretty early on.

Ryan

I was in recruiting for about three, four years, something like that, out of the bachelor's. I also sold cell phones and cars and like a whole bunch of other like miscellaneous jobs in that time.

K

Ooh, like it.

Ryan

I went to law school and I went to UD and University of Dayton in Ohio, and they had a technology program. So I started getting into the technology program there. I got really interested in privacy and data protection at that point.

K

Okay. We're at the point where people are in law school learning about privacy and data protection. All right.

Ryan

Yeah. So we were right next to the Wright-Patterson Air Force Base. So the Air Force was big into really pushing people into cybersecurity in the area. Little did I know I was in the middle of Ohio. So the job prospects for a lawyer in data protection and privacy, not so great.

K

Yeah, they didn't tell you about that part, right?

Ryan

Yeah. So I got out of law school in 2019 and I started looking around. So I worked in one of those shops that did HIPAA breaches and looked in redacting data, that sort of stuff for a bit. And then I it was like right before COVID, I started going around and talking to anyone who would meet me on LinkedIn, essentially. I was like, hey, you want to grab some coffee? Just literally anyone in a company that was large enough to have a privacy program. And I got a meeting with a guy who worked at GE Aerospace, and they said, Hey, there's this thing called GDPR coming up. Never heard of it. What's that? Yeah.

K

Yeah. In 2019, me and Ralph were drowning GDPR. Let's just be honest.

Ryan

And they're like, yeah, this audit came through, and we've got deficiencies. We got to figure this one out. And so I came in to help set up the operational program for GDPR at GE Aerospace. And it was a lean team. I didn't have a manager at that point. There was one data protection officer. And so we really came in and we're like, what even is a robot at this point? So we're working off of IT schematics on what they used to tag PII as all this fun stuff. And so then I spent six years doing that, building it up from within IT, and then switching over to legal and doing it from the legal aspect and working everything from like complex DSARs in the UK tied to employment litigation and then like doing training for people who didn't understand that first name and last name and email is personal information. They still exist.

K

This reminds me that when we spoke last week, we joked about the repermissioning emails.

Ryan

Oh, absolutely.

K

Companies were sending out bo which made no sense whatsoever. From a legal perspective, if you have to get repermission or permission, that means you never had permission or consent or business reason beforehand. So it's a volatile omission of omission, admission of guilt. It's a volatile. And it and it just means volatile because it literally blew up on companies, right? That they did this. And I had one client that we had no intention of doing that. Then the day after the GDPR went live, they went, Oh, by the way, K, we did catch yesterday that we had never done the repermissioning email, so we sent them out last night. And I'm like, now you just lost 95% of your email base.

Ryan

But that was that scary time when everyone was still thinking they needed consent for everything, right? And legitimate interests, like it was like a far-off thought of filling out an LIA.

K

Yeah, exactly. So good. And an interesting thing that I will share that we don't have viewers, we have listeners, but this might throw Ryan. Maybe I'll start putting this in the introduction to their speakers beforehand. I don't always look at the camera when we had guests because my ADHD is so far off the chart, I can only focus if I'm doing something else. Right? So my thing is I file my nails. So there you go. There's a little tidbit about hey, you never needed to know, but now you do.

Ralph

It's not we it's not it's not that she's not listening at all.

K

That's the that's how I do it and listen because the brain's going everywhere, right?

Ryan

That's a fun tidbit for your listeners, though. It's like inside baseball. They can't see you doing any of this. Nobody knows.

K

Oh, we have jokes, we'll start doing the video on YouTube. We'll start first with a static image and thing things, see if people listen, and then maybe we'll go to actually doing recorded on YouTube. Paul says it's my fault we don't because I don't have the makeup and the hair done.

Ryan

And you could do those like VR avatars. You guys could be like bears and pandas, and you can be whatever you want nowadays.

K

I like the way you say online, no one knows if you're a panda.

Ralph

Exactly. On the internet, I want to show we're going back to the New York cartoon again, aren't we?

K

Or I'll get online and nobody knows I'm a human. So, Ryan, tell us about the topic that we events that you wanted to talk about today was the simplification of privacy programs. Now, there's also the simplification of privacy, and we might move into that as well because basically we're starting to distill it down to the key element. But talk to us about the simplification of a privacy program. And this is not a sales tool for TrustArc. We all know that. But should there be a tool that actually leans into that, please don't hesitate to mention it. I'm a raving fan of TrustArc. They wouldn't be our fa sponsor if I wasn't. But let's talk more about the simplification of privacy programs because for the first time ever, I have a team and I love my team, and my team is fabulous. But before this, no. So privacy programs would have to be simple in order to be operational. Again, just stop there. In order to be operational and adequate and functional and just actually doing their job.

Ryan

Yeah, it this is a topic that I a pet project for me, because I think when everybody got the scare in them around 2018, GDPR, they all got audited. And the auditors came by and said, here's your 47 pages of remediations that need to be done, and they need to be done now. And most people who were operationalizing those programs, those audits, really just kind of used them as a checklist and created these massive programs and didn't really do the risk analysis that was required to go, do we really care about this specific piece of the audit? Is if we don't do it, what's the harm? Because you can't do everything. You know, privacy program is ever 100%. You're always striving for better, but you can't let perfect be the enemy of good.

K

Yeah, it's like the AICPA privacy maturity model, which is still one of my absolute favorites. Hardly any companies in the world aim for five optimized, right? You just can't get there. So the best score is usually a four, which, frankly enough, early on is what translated into the what is now privacy central and measuring of a control would only go up to 80%, a four, because unless you have an audit that has proven that control is in place and effective over time, you can't be 100%.

Ralph

Exactly. Ryan's onto something there, actually. When I I've seen a lot of organizations that got those reports from consultants, and they were always like red, amber green. Red amber green. And then their goal at the time was let's get to green by the 25th of May 2018. And then they were like, that's done. The amount of data protection professionals that was on the market during the summer of 2025, sorry, 2025, twelve eighteen, and set themselves up at consultants was incredible, really. But yeah, I'm always a fan. My own personal methodology is to split data protection up into 50 different buckets and do the one-to-five maturity scoring. Because as you say, not everyone wants to be a five. There might be areas where you might be happy being a one. If you've never had a subject access request, why do you need a world-class mature process? So, Ryan, how'd you go about making that determination? How much is good enough? Where do you focus your time?

Ryan

Yeah. So we first took so it started with looking at how I was spending my hours, right?

K

Did you actually document your time for a certain time period of what you were doing in every hour of the day? Because that's brutal.

Ryan

It was pretty brutal at first. Because so where I was working, it was very we were very big into lean methodology, right?

Speaker 4

Okay.

Ryan

So we were looking at implementing KPIs and KRIs and all this fun stuff. And that starts with looking at how you spend your time. And so I was looking at it and going, okay, I'm sitting on a lot of calls in our software development lifecycle, going, what data do you have? Why should I care? And what are we doing about it? And so 90% of what we were intaking was first name, last name, email, SSO, those sort of things, which yes, is personal information, but what do I do with that? I don't, I'm not changing my security schema based on that information. The only time we really changed what our schema was when there was sensitive personal information or some huge difference in why we were processing it, right? So we said, okay, we're B2B. We're not really collecting consumer data. I'm spending a lot of time writing PIAs and doing assessments for information that we're really not ever going to have a regulator look at it. And we're never going to change what our posture is on, right? I'm not going to change that it it needs this security package because we have a baseline security package for everything. So that really started the campaign to look at, okay, I'm sitting on all these calls, I'm spending hours a week doing that. Where else could I be spending my time? I know I've got subject access requests that are tied to litigation that I need to action as well. And there's only so much time in the day. So we started looking at that. We looked at a bunch of the different frameworks, and we actually settled on looking at the TrustArc privacy management accountability framework.

K

Every privacy professional in the world, if they were in existence before TrustArc bought Nymity, had the Nymity framework.

Ralph

I've got to say it's good.

Ryan

Yeah. I know your listeners can't see it, but it's the poster on my desk.

K

Yes. Where we matched the Nymity framework to the TrustArc framework, and that way you could either go by the accountability mechanisms or you could go by the controls that they had, but we had to do that because and Ralph and I were both there when TrustArc bought Nymity. And that's where Paul came from, was Nymity. And that's how he and I kicked off the whole podcast was on his trip into TrustArc. He was in Europe, of course, but we brought in most of the Nymity team into TrustArc back when it was acquired. Was it 2019? I think there was like 2019. And he had mentioned to Hillary Wendell, who was our general counsel at the time, that he always wanted to do a podcast. She goes, honey, and uh Kenny's always wanted to do a podcast. Y'all should do a podcast.

Ryan

Yeah, I started with Nymity. What was the Nymity ROPA product? That's where I started my career.

K

I didn't use the ROPA product because I like TrustArc's, even before I worked for TrustArc. What I mainly liked about Nymity was the research and the accountability framework, basically, was how to set up a program. I don't remember what now if Paul was here, Paul would be fussing at us and rolling his eyes. We got it, Paul. We hear you virtually.

Ralph

So Ryan, so you came in with the idea of ROPA and you said you were finding you were finding uh struggling to operationalize it. Is that the right way to say? Were you finding that it was too much too soon?

Ryan

Or so it was not right-sized for our organization. Right. So going back to how it started on the back of that audit that said you need to have this, you need to have X, Y, and Z. But we didn't look at the framework and go, okay, if we cut this piece that doesn't apply to our business, is a regulator going to care? Or are we ever going to see any action from that? So we looked at that framework and basically said, okay, what are this? We came up with six pillars essentially, six areas that we said, this is key. We blended some, we cut out others, we added some, and we said, these items are key to a privacy program. If you don't have them, you're in trouble. And then we went through, and because our privacy program was set up in 2018-2019, we and sorry, Ralph, but we de-GDPRized it.

K

Well, you had to with the CCPA coming out. Yeah, you had to. You couldn't go by GDPR.

Ryan

Yeah. So all of our terms were European focused. And so we tried to come up with new terms that would blanket everything.

K

And then 19 U.S. states passed GDPR terminology.

Ryan

It's all cyclical. It'll all come around one day. But yeah, so that was our basic approach was looking at the risk and looking at where we thought our business was right-sized for what sort of operations we were conducting.

K

Quick question. In the assessment of risk, what factors you you've talked about whether or not your business did it, would you be exposed for this? Would a regulator care? Did you factor in the potential fine?

Ryan

We did look at the fine, and luckily we had been gathering, or I had been gathering enough information that we were actually able to base it on some statistics. So I had going back to 2019, every single PIA that I had conducted thousands of vendor intake and software intake and contracts and all this fun stuff, and looked at where we actually had action, where where I actually had to do something, or where we had actually seen complaints. So I it was, and Ralph, again, sorry, it was all out of the UK. We are troublesome over here.

Ralph

And that's actually a good point. I keep hearing risk to the organization, I keep hearing compliance, I keep hearing risk of regulatory action. What about risk to the individual?

Ryan

So that's where individual rights comes in, right? So that's really our individual rights section. So handling those DSARs, making sure that we're handling them correctly, that we're not handing them off to too many people in the review process, that we're not being too invasive there. But we also built individual rights into the security posture itself, right? Data minimization, that sort of thing, was done at the very beginning of the process. So making sure that HR doesn't have access to security footage because, oh man, they would love access to that. But what do they need access to it for? They could never really tell me. Yeah. Yeah. It's like adding VPS trackers to everyone's phone. Yeah, it would be really great to note that Joe Smith had spent all day at the amusement park, but why? Yeah.

Ralph

Proportionality, necessity, legal justification, of course. Yeah, it's really interesting. I put out a blog the other week actually about the fact that actually as data protection professionals were employed by the organization in a defensive capacity to generate compliance documentation that will save them for a regulator. But the point of data protection law was actions in the design process, as you just said, to protect the individual. So there is almost a sort of a dichotomy there in the amount of DPIAs I see that really characterize the data processing very well. When it comes to what controls are you putting in to protect people at the end, there's actually very little there. Oh, I've done the DPIA. Let's put it on the shelf in case the regulator wants to look at it. But I always say, when did the means become the end?

Ryan

And I think it depends on who owns your privacy program, right? So if you're talking to IT, they're going to know what those controls are. But if you're talking to legal, hopefully. If you're talking to legal, they're talking from that defensive position. They're talking about the proportionality, they're talking about minimization, they're talking about all that stuff, but they don't really generally understand the data transfer implications or what it means for a server to be in Ireland versus in Tasmania, that sort of thing. So I I think it also is how cross-functional your privacy program is.

K

Which is critical. Your program needs to be cross-functional. Let's just be clear there. It needs to be. Has to take all of this into account. So you're looking at your risk, you're looking at your exposure, you're looking at the individuals whose data you collect, you're looking at the rights and freedoms of are we impacting people, employees as well as consumers, as well as B2B? How did how does that simplify it?

Ryan

So it simplifies it by really just I'm trying to define the right words there. What's that?

K

Focusing?

Ryan

Yeah, it f it focuses it, but it it I hate to use this term again, it right sizes it.

K

No, that's a perfect term to use. A lot of our listeners are not very familiar with actually running a program.

Ralph

Yeah.

K

They've come in as privacy professionals in a very focused area and they haven't had to actually look at the program strategically. So right sizing is a good term to use, right?

Ryan

Yeah. Because you can very easily have a huge, massive privacy program with very little privacy risk. Very little outcome.

K

I'm sorry. That was me scoffing at a really big privacy.

Ryan

Okay. Yeah. If your CEO is also your CPO, you've got that massive privacy.

K

Ah, there you go. That could be. Yes.

Ralph

Yeah, it is blow. I always talk about using a resource wisely and effectively, right? You can't boil the ocean. You've got to look at risk, but you can't do a vendor assessment on every vendor. You can't do a DPIA on everything. You can't do data protection by design on every system. You've only got so many hours in the day. So the key is how do you use risk to focus your time to make sure that you're getting the most impact for the amount you're being paid, right?

Ryan

Yeah.

K

Now to throw in here, we have a good friend, I will not call him out by name, that scoffs at the idea that you should do anything in privacy and data protection on a risk basis. You should do it all. There should be no risk-based approach. Yeah. Okay.

Ralph

If I had a million dollars, that would be great.

K

I don't I know early on I'll I'll tell this little war story. Sorry, and then we'll segue good back. That people would be like, oh, do you have experience running a $420 million privacy program? No, but I've got experience running a very effective global program with zero budget other than my salary. Does that count?

Ryan

That's how many of us are. So part of my new role at TrustArc, rather than as a practitioner, is teaching people how to fish rather than eating the fish themselves.

K

I love it.

Ryan

Right. So a lot of them come to us and they're like, I just don't have resources. I need to do all of these PIAs and I need to do all these vendor assessments and I need to do this and I need to do that. And I say, okay, let's take a step back. What's your risk? What are we looking at here? I can absolutely get you a contractor out there that will do all those things for you, but they're going to be very expensive for filling out forms. Let's get you in a place where your current resources are enough to satisfy what you need. And if they're not enough, let's build a justification for how you get more resources.

K

That and come up with a plan that's reasonable. You're not going to be fully compliant in three months. Let's risk base that as well. If we need to stack them on top of each other, that we're not going to do them all simultaneously. We're going to do them con, you know, what's the word? Not concurrent.

Ryan

Parallel series. Systematically.

K

They don't know what the word is anyway. Anyway, they they you do them one right after the sequentially. There you go. You do them one right after the other rather than all of them concurrently. And usually that means you wind up doing some that overlap, but not everything overlaps if you don't have the budget and the resources and the time and the risk, basically. And then you might have a multi-year plan. You might say, you know what, this isn't a big risk for us, but it might become a risk. So you want to build into your plan the ability to move and shift things based on priorities and resources should the time come, because you might lose half your team. You might have a big enforcement that says you need to triple your team, and your executives understand that and they give you a heck of a lot more resources. So build into your plan the ability to shift and pivot the way you need to do in order to address the ecosystem and the environment as it changes, because trying to do a strategic plan, even for a program more than three years is crazy.

Ryan

How many you talk to a lot of people in the industry? How many of your privacy programs do you see that are also now AI programs?

Ralph

No, even wider than that. I would say this term information governance or data governance has now kicked off, where we start business continuity, security, data protection, information governance, data taxonomies, data labeling, data sovereignty, data hosting, all thrown in the same bucket as what's our data strategy?

K

Record management, retention, deletion. We all have a retention policy. Do we have a deletion policy? Especially if you're in America. Let's talk about that. No, it is. And the problem is people hear the word privacy. I don't think it's quite as much with data protection, but they hear the word privacy, and what comes to mind is compliance. Compliance, compliance, oh my God, don't talk to me. Now is compliance again. No, think of it as managing personal data. And when you reframe it as managing personal data, then you realize that it comes to all of these other areas. There's probably not hardly any area of the company that doesn't touch personal data at some level, even if it's just the one person in the one area, their name. And the fact that they're in that role and they work for that company and they're based out of this, yeah, it's all a personal data. It might not be personal data you need to protect, but it's all personal data.

Ralph

It's also about getting the benefit as well as the risks, minimizing the harms when you're processing using data for good. Now, Ryan, on that point, we are you talked about being a practitioner. You've now come to TrustArc in that sort of legal strategy. So how's that changed your view? How has that changed your role? What does your job look like now that you've moved into this sort of new role? And how are you changing your approach when you've gone from being a sort of a customer or a practitioner into an advisory role?

Ryan

I really like the advisory role that they've put me in. First of all, I'm not tied to commission or anything, which is great.

K

It would be really nice if you could get commission for the things that clients buy, but it's nice that you don't have a base salary that relies on commission.

Ryan

And I think it it helps the customers to understand that I'm coming from a place of let's help you, right? It doesn't matter if I sell you a so-and-so piece of software. I came from where you are, and I'm here to try to make your program better.

K

And it's very important. I think you just said something that's critical. You've been where they are.

Ryan

Yes.

K

You're not just someone that's come in with no experience and you're just trying to tell them what to do because you work for a company that specializes in this area. You've been where they are. You felt the pain.

Ryan

You see, I think people and generally what I've seen is they come in and everyone's got the same issues, right? It's all lack of resources, not enough time, not enough this, not enough that. But everyone feels like they're alone struggling in that space, right? Yeah. And it really helps to go, no. Every privacy program, no matter where you're at in the maturity scale, has these similar issues. So let's look at what the root causes are and unpack it and see if we can get some efficiency built in there to make your day a little bit better.

Ralph

Every time a group of data protection professionals get together, it's more like a therapy session than it is a group of professionals. They're all commiserating with each other and saying, I'm not alone. Am I the only person to feel this way? Am I the only person that wants to protect people? What's going on around me? And so whenever I get a group of data protection professionals in a room, it's always so lovely that he ends up in that group session. And if you found that right, what's your experience of the community like now that you're at TrustArc and you're telling people you're not on your own? What's your experience of the sort of the community like now that you're out of that internal role?

Ryan

No, I I so I think the community is very interesting. I think every legal community has their own quirks and eccentricities, right? If you go talk to the intellectual property people, they're all very dry.

K

And they think they don't process personal data.

Ryan

Never. Never. Intellectual property doesn't touch it, it's only engineering, right? But they'll tell you a joke about triangles or something like that. Data protection and privacy individuals, I feel, are almost always very grounded. Uh, but they're all very accommodating, right? Because we have to work in this space. Unless you're flexible in privacy or in data protection, you're not going to make it very long. So almost everyone that I talk to is very much just, I'm rolling with the punches. I'm trying to find what I can do to with what I have.

Speaker 4

Yeah.

Ralph

That makes sense. On that note, we'll say thank you to Ryan for joining us today and look forward to the special episode in the future. But until then, it's goodbye from me.

K

Bye, y'all.

Tim

Now that was Serious Privacy. Please subscribe on your favorite podcast app and leave us a review. You can find us on LinkedIn, Instagram, and BlueSky at Serious Privacy. Feel free to drop us a question or a comment. We'd love to hear from you.