Serious Privacy
The PICCASO award winning Podcast, for those who are interested in the hottest field of human rights and laws on the digital frontier. Whether you are a professional who wants to learn more about privacy and privacy laws, data protection, GDPR or cyber law or someone who just finds this fascinating, we have topics for you from data management to cybersecurity, from social justice to data ethics and AI and digital identity protection. In-depth information on serious privacy topics including interviews with privacy leadership, privacy culture, serious discussions, and more.
This podcast, hosted by Dr. K Royal, Paul Breitbarth and Ralph O'Brien, features open, unscripted discussions with global privacy professionals (those kitchen table or back porch conversations) where you hear the opinions and thoughts of those who are on the front lines working on the newest issues in handling personal data. Real information on your schedule - because the world needs serious privacy.
Follow us on BlueSky (@seriousprivacy.eu) or LinkedIn
Serious Privacy
Pilot - 50 years of Privacy. Why did you get into Privacy?
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
In celebration of Global Data Privacy / Protection Day, TrustArc is launching its Serious Privacy podcast. Real information on your schedule. Tune in to hear our plans, why we got into privacy and what keeps us here.
If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!
From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0. with the voiceover by Tim Foley.
So I'm recording.
KMe too.
PaulOkay. So you know, Kay, I've always I've always liked podcasts since they uh since they came out, since they came into being, what now ten years ago? But I think in the past couple of years, they have really taken off to make sure that uh that that people can be well talking about every single niche there is out there.
KI agree. And uh I actually don't have any favorite podcasts that I listen to, and um I hate that because as a privacy professional, and I'll say this this is where my interest is. As a privacy professional, I'm in my job because I love it, and I think that's true for most privacy people. But one of the things I hate is the commute time. I always think that there has to be a way to get some work done during commute time. And until everybody starts using driverless cars where I can continue to work on my computer, I'm thinking podcasts are the way to work during commute time.
PaulOh, absolutely. Although it's much more dangerous in the Netherlands. My commute is just a 15-minute bike ride, and you don't always want to listen to podcasts while you're on your bike.
KOh, that is awesome. I love it. So I'm actually thinking that it would make perfect sense if we helped all the privacy professionals out there and people who want to be privacy professionals by creating our own podcast.
PaulYou mean just giving them some basics, explaining what it is that that brought us into privacy and explaining some of the core issues privacy professionals are challenged with around the world?
KAbsolutely. Give them something for serious privacy focus.
PaulOh, I like that. I like that. Um while we're at it, then maybe we can also release some of those conference sessions that that only occur once and that nobody ever hears again and that a lot of people miss if they haven't been able to attend the conference or because there were seven other interesting sessions at the same time in the same track.
KAnd the same thing for webinars. If they can't get on the computer and watch a webinar, maybe they could listen to it.
unknownOkay.
PaulOkay, so so what about guests? Do you want to have guests on a webinar on the podcast?
KI think we almost have to have guests, but I don't want it to go like an interview format. I would actually love it if we could just get some good privacy on and just have a conversation. I call it a back porch conversation.
PaulYeah, that would be a kitchen table conversation here in Europe. Back porches are not always a good idea with the cold up north.
KI don't do cold. So I'm thinking this sounds like we have a wonderful idea and a wonderful premise. I say we go for it.
PaulOkay, let's just record a pilot episode and see where we end.
KBeautiful. And I think it should launch on what we call data privacy day.
PaulYou mean data protection day.
KI think across the ocean we we call it different names, but it all means the same thing.
PaulOkay, let's get started.
KAll right, so how about you welcome if we have some listeners out there, Paul? Would you like to welcome everyone to our launch broadcast?
PaulAbsolutely. Welcome everybody. This is the pilot episode of Serious Privacy, a new privacy and data protection podcast from TrustTark. My name is Paul Breckbert.
KAnd I'm Kay Royal. Together, Paul and I will host this podcast series, as you heard, discussing all kinds of topics as long as they have some sort of a link with privacy and data protection. Uh, we're will release new episodes every week on Tuesday, although it may take us a few weeks to get fully up and running and start hitting our stride for recording.
PaulBut because today is International Data Protection Day, Data Privacy Day, we did not want to hold back on our plans any longer. And you know, Kate, on January 28, 1981, the Convention 108 on the Protection of Individuals with regard to automatic processing of personal data from the Council of Europe, the very first binding instrument on privacy and data protection, opened for signatures. And they thought that was a good reason to celebrate and give some more attention to privacy and data protection all over the world. It was launched in 2006, but by now it has truly gone global. And there is more to celebrate this year. Did you know that in 2020 we are celebrating 50 years of data protection laws around the world? In 1970? Yep. Privacy law is almost as old as as you are, because in 1970, the German federal state of Hessen passed the first data protection law ever, albeit at regional level. And three years later, Sweden followed with their National Data Act, the first national data protection law.
KSo I think it's hilarious that I was born and the world decided they needed some privacy out there.
PaulBut I it was meant to be for you to be in privacy, I'm sure.
KExactly. Create the career for me. But the US was actually not far behind Europe, which surprises most people when they hear about it, because the US had its first privacy law in 1974. And that was the US Privacy Act, which applies to data held by the US government. But unlike Europe, we didn't celebrate our first uh data privacy day until around 2007, I believe it was. Or no, y'all did it in 2007 when you created it in 06. But around 2010-2011, I think our Congress decided to recognize the day. And now it's just a global day on January 28th, which actually happens to be my youngest daughter's birthday, too.
PaulWell, congratulations. But um enough with the history lesson, at least for now. Uh maybe we can we can get back to that in in later episodes. What I would like to know is how you ended up in privacy. I mean, I said it was meant to be uh for you to to go into privacy, but was it really? I mean, we can claim that all of us know a lot about the topic, but maybe we should establish also some of our credentials for the listeners that we have.
KOh, I love it. Um, I'm a square peg in a square hole, and this question actually comes up a lot, especially now with so many people trying to get into privacy as a career. And I always look back over it, and I think a lot of privacy professionals resonate with this that I didn't go into privacy deliberately. I kind of fell into it accidentally. With my uh history, I started out in health regulatory law. I was a registered nurse before I became an attorney. And so I gravitated to health regulatory law and with that took on HIPAA, which is the Health Insurance Portability and Accountability Act in the US. It was passed in 1996. And I happened to be a nurse when HIPAA was actually made a thing. So I grew up with this and grew into doing HIPAA, but that quickly multiplied into global data privacy, doing Europe, Canada, Asia Pacific, Latin America with medical devices and all things related to healthcare, and of course, then grew beyond that. And so I fell into it accidentally, but it was also kind of natural for me given my past career. What about you? Did you go into privacy deliberately, or was it a series of fortunate events?
PaulOh, very much the letter, Kate. Very much the latter. Um, I'm a lawyer by training, I'm a constitutional lawyer. And when I when I applied for my first job, I ended up as a deputy committee clerk at the Senate of the Netherlands, uh, supporting the Sandy Committees on Justice and European affairs. And one of the very first files, if not the very first file, that was thrown on my desk to write an analysis was the discussion on EU data retention. So the record keeping of telecommunications data um for uh uh for for security purposes, so for law enforcement and uh the national security. And uh at the time, this is 2005 that we're talking, this was just after the Al-Qaeda attacks in Madrid and in London. So the EU legislators said we need to make sure that we can safeguard telecoms data for future investigations should something like this happen again. Um so I wrote the analysis for the Senate, and over time there were more and more data protection files that they put on my desk for further analysis, and I liked the topic, so I had good relations with the Dutch Data Protection Authority at the time to also get more acquainted with what was happening in privacy and data protection, gaining understanding of how these laws work. Um, and when it was time to move on to a second job, um I applied to the Dutch EPA, uh, ended up there, spent seven years in their international departments, sat on the so-called Article 29 Working Party, the group of EU DPAs, uh, co-wrote many of their opinions, chaired some subgroups, um, wrote uh a lot about uh surveillance still, about international transfers, um, but also about the data protection reform that led to the GDPR, and later on also the uh the police uh and uh and justice uh directive, um which came in parallel with GDPR. Um and I organized the Amsterdam Privacy Conference in 2015. And then it was time to move on uh again, um, and that's how I ended up when I ended up at Nimity. Uh and as you know, since November uh Nimity is part of Trust Arc. So it was a lot of coincidence. Um when I when I started at the Dutch DPA, I thought, well, maybe maybe two years, this is nice, but I don't want to be the expert of the square circle. Um, but here I am, 10 years later, and I'm still in privacy and loving it.
KWow. I am really, really impressed by that. Um, and I agree, when you said that you're loving it, I think that's the same thing. To me, privacy is a helping profession, which most people don't think of as attorneys, but as privacy, we're out there to protect the data of the average person around the world.
PaulOh, I agree. Everybody sees it as an obstacle, but it is it is so much more than just an administrative burden for organizations to deal with.
KAnd that makes me think, Paul, because you and I have been sitting here talking about how we got into privacy, but I'm pretty sure our audience would also love to hear from others. And Hillary has been patiently waiting, and I'm sure it has to be really difficult to do that when she has so much she can share with others as well. So Hillary is our senior vice president of privacy intelligence and our general counsel. She's been in privacy for a long time. So, Hillary, thank you so much for waiting. Would you mind sharing with us your story of how you got into privacy?
HilaryWell, it is true that had I not been in the pharmaceutical industry, I likely would never have gotten into privacy. It just so happened I was sitting at a dinner with a guy from our legislative affairs department who happened to be working on uh some legislation that had been proposed in New Jersey all the way back in 1997. It was around genetic privacy, and he had a question for me about whether it was going to affect or could affect what I was working on in the lab at the time, which actually happened to be a genetic and cellular toxicology lab. We were actually looking at molecular mechanisms of cancer. Long story short, that particular conversation definitely piqued my interest in my what I was thinking about at the time of my interest in going to law school. And I did go to law school and happened to be in the marketing departments two years later while I was in law school, and the Direct Marketing Association was actually asking many of its member companies to make sure that it had a they had ways to deal with some of the changing regulations at the time. There's much more of a focus by the Federal Trade Commission on internet privacy. There had been some hearings that had happened around that point in time. The Direct Marketing Association was looking for organizations to be able to show that they had some form of privacy policy and the ability to get consent and to process opt-outs. We also were looking at the Children's Online Privacy Protection Act, otherwise known as COPA at the time, too. And my boss said to me, Well, hey Hillary, you're in law school. Why don't you go figure out what we need to do here? So I ended up doing a research project, and I brought that back to my boss, who then asked me to meet with some folks that he had been working with, so some of the members of the legal departments, and that ended up turning into a whole series of activities around developing our first internet privacy policy, and the rest is history. That led about a year or so later to me being asked to join the setup of our Global Privacy Office, otherwise known as the Merc Privacy Office in 2001. And I've been doing privacy ever since.
PaulThat was a really nice mix. Pharmaceutical, law school, marketing, and being at the right dinner next to the right person at the right time. Another story how people end up uh in privacy and data protection by sheer coincidence, by indeed being at the right place at the right time. And thank you very much for sharing that with us, Hilary. I think all of us are still from the generation privacy professionals that entered indeed as a coincidence into the domain. Uh whereas today I see more and more young people, students, uh already choosing privacy as their specialty. And that is, of course, really exciting. But now that we know how you ended up in privacy, Hillary, what I would also like to know is why do you say? What makes that you keep around, that you stick around? What keeps you in privacy?
HilarySo I have to laugh at that question because what's kept me in privacy is I think maybe I haven't actually been able to get out, or at least maybe that would have been my response. About a decade or so ago, I actually am still in privacy at this point because I'm truly intrigued by the problem of how to do privacy effectively within organizations. I think there are a few who have figured out how to really embed privacy values into how they operate as a business and have figured out along with that how to embed processes around managing data really effectively into how they design their products, how they manage data across the product development lifecycle and across their business processes, such that they're really truly realizing the value from that data at the same time respecting the rights and interests of individuals. And I think it's a really hard problem given that data is so pervasive within organizations, and it's not one that can be solved by traditional means of doing privacy on paper. And I think technology is really the only way to do it effectively, and the technology that many of us have been working on and trying to build to help solve these problems have enabled progress, but have not truly progressed that technology to the point where it has enabled organizations to embed privacy perhaps as effectively as it could be in the future. So I'm still in it, and what's keep me kept me in it is figuring out the I guess the goal and desire to figure out how we can use technology to truly embed privacy effectively within organizations so that it's done right and well and in a way that is respectful of individuals but actually truly drives value for society as a whole. So that's why I'm still here.
KYeah, that is very nice. Well, I'm glad you're staying in privacy because uh TrustArk is, you know, we're the 800-pound gorilla in the room when it comes to privacy around the world. And as Paul mentioned earlier, the fact that we acquired Nimity is, you know, Nimity was always my favorite. I was a client of Nimity many, many years ago, and I really hated the fact that we were competitors of a sort. We were the two, you know, longest running privacy companies out there, and so I love it. So, Paul, I'm gonna turn the question back to you then. Why are you still in privacy?
PaulWell, of course, because it pays my salary. No, with with without kidding. Um I as I mentioned, I love the topic. It is it is exciting to be working in a field of law that is so new. Um and because I have been been working in it now for about 10 years, just over 10 years, um, I also feel that I have something that I can contribute to the privacy community in the comparison and the understanding of what's going on in Europe and in the United States and in Asia. Um, I love to share uh uh also in in the webinars that I did before for Nimity at conferences. Uh I teach privacy law here in the Netherlands at Maastricht University uh on a regular basis as well. Um and I love sharing the knowledge on privacy and data protection, but at the same time also continue to learn myself and see all the developments. It is going so fast at the moment, um, it's almost impossible to keep track with the dozens and dozens of states in the U in the US keeping uh discussions on whether or not they need privacy legislation. Um and I want to stay on top of that. That so, what about you, Kate? Do you are you going anywhere anytime soon or are you staying soon?
KOh no. Um this square peg is in the square hole of Trust Arc, and uh that's exactly where I intend to stay. But years ago, Angelique with IAPP did uh an interview with me on their podcast when they started. I think I was one of the first ones that they did, and she had asked me a question on there that made me think back to when I was a very young adult, I was working in a state psychiatric hospital. And so at this point I wasn't even a nurse yet. And I noticed that when people would call in to the front office or call into the hospital, there were only three hospitals in Mississippi. Yes, I'm from Mississippi, and I noticed that if people said, Well, uh, is K Royal on your alcoholic ward, the operator would say, I'm sorry, we can't give out patient information. But if they said, Please connect me to K Royal on the alcoholic ward, disclaimer, I've never been on an alcoholic ward. But if they said, please connect me to K Royal on the alcoholic ward, she'd say, Please hold. So if you had an issue going on with someone in your life and there was a lawsuit or you were looking to dig up some dirt on someone, you'd only have to call three hospitals and ask for them if you had your suspicions. And so to me, that violated patient privacy. And so I actually wrote a program of assigning to patients on intake particular code numbers, and they had to share those code numbers with any family or friends that they wanted to talk to while they were hospitalized. Wrote out the processes and the policies for all the different departments, the business office, the medical staff, everything, trained everyone, and I never thought about that actually being perhaps my start into privacy law, that maybe I was actually meant to be here because apparently it was a top-of-mind topic for me. But that highlights why I'm still in privacy. As I touched on earlier, I think privacy is a helping profession, and that's kind of what I've migrated to through my life is helping other people. And being able to stay in a profession where you bring the academic and the scholarly aspect to privacy. I actually love bringing the practical aspect to privacy. So you have to implement or you have to maintain a global privacy program. How do you do that? What are the practical steps that you put in place in order to abide by the dozens of state laws that might be passing or the global laws that you research that may conflict with each other? So, how does a company actually wrap their arms around that and put it into practice for everyday use, not just for the privacy program or the compliance or the legal department, but for the people who are boots on the ground. How do they get them to And that's exactly what we will be discussing? Exactly. That's what this entire podcast is gonna be about. Is not now that you know a little bit about us, but it's it's not gonna be about us, it's gonna be about the listeners. It's gonna be about helping them be able to actually get a hand on some serious privacy.
PaulThat sounds all good. Um, and and just to be sure, Kay, this is not a podcast about pushing product, right? It is not about selling stuff.
KOh, I don't even think I've Mentioned a single one of our products. Sorry about that. No.
PaulNo, okay, just to make sure that people don't expect sales pitches during these podcasts. That is not what we're trying to do. We really want to make sure that that whether you are a starting privacy professional or somebody with dozens of years of experience, that you are up to date on what is happening in the community, that you know what's coming next and how to deal with it.
KAbsolutely. And I think if we work off with the different things that we've been talking about, so some things what we'll be able to do is help you make some use of that commute time you may have. You're sitting on an airplane or you're sitting in a car, and you want to, you know that there was a webinar that you wanted to take part in, but you missed it, or you didn't take notes on what the people said, and all you have are the slides. We'll actually be turning our webinars into podcasts so you'll be able to use your time. And Paul, you mentioned earlier also at conferences where we're speaking.
PaulYes, that is at least my hope. I mean, that always requires permission from the conference host. But I've I've been at so many conferences where I thought, okay, I can go to this discussion or to the other discussion. I actually want to see both of them. But many conferences don't record anything. So once the discussion is finished, it's gone forever. So yes, that is one of the things that we hope to do.
KI'm sorry, you haven't yet learned how to split yourself into eight different personalities so you can go attend all the conferences.
PaulNo, I don't. But if you know the trick, then uh feel free to teach all of our listeners because I think there is a that would be in high demand.
KAbsolutely. We all need to be about eight different people, don't we? And then I love your idea of the privacy unscripted sections.
PaulMy idea, that was your idea.
KOkay, it was our idea. We're going to have our kitchen table back porch conversations with people in privacy, and these might be names you know. We're going to try to get some big names in here, but it's also going to be with privacy people that are doing exactly what Paul and I are talking about running their programs, their boots on the ground, running their programs with the resources they have available. And we'll talk to them about the best ideas they have, what are some of the challenges they have, and I think that will help inform all of us to be better privacy people.
PaulAbsolutely. Indeed, I'm also looking forward to those uh privacy unscripted sessions. And that will just be chats about relevant, interesting, controversial, inspiring, or exciting topics, just as you might do with friends or in the corridors of a conference or even at one of those lengthy conference dinners. Um of course, suggestions from our listeners are more than welcome. And who knows, maybe we even invite you to be part in our conversations. Why don't you just reach out to us via podcast at truststark.com and let us know what you think we should discuss.
KOh, I absolutely agree. And listeners, please do let us know what you think and what you want to hear discussed. We would love all your suggestions. We'd love to have you uh on our show. We would love to be able to talk about the topics that you want to hear discussed, especially maybe if they're controversial. So thank you for tuning in on what is Global Data Privacy Day. Data Protection Day and for our launch of our truly unscripted, as you could tell, but serious privacy podcast.
PaulThanks, Kate. I'm looking forward to do this.
KMe too, Paul. Take care. Bye, y'all.
PaulBye for now.
KYay, now we play lots of music.
PaulAnd stop the recording.
KLet's see, where is stop?