September 29, 2021

In the U.S., it’s easy to look at overseas privacy legislation like GDPR and conclude it’s a reaction to worrying data practices from today’s tech giants.

In reality, European privacy legislation can trace its roots back to the nightmarish authoritarian regimes of postwar Europe — and the necessity of securing a future free from repeating these governmental abuses.

That’s just one of the many privacy insights my latest guest, Jason Powell, GRC and Privacy Consultant at Pivot Point Security, opened my eyes to. He joins the show to share more than just the history of privacy — he brings a ton of useful ways you can begin preparing for the future of privacy, too.

In this episode, we discuss:

  • Why GDPR is the granddaddy of privacy legislation
  • What you need to know to handle privacy — whether it’s for compliance or just good business practice
  • Why, despite some overlap, privacy and security are really their own domains and should be (ideally) treated as such 

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Narrator (Intro/Outro) (00:00):

You’re listening to The Virtual Ciso Podcast. A frank discussion, providing the best information, security, advice, and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive. Welcome to the show.

John Verry (00:25):

Hey there and welcome to yet another episode of The Virtual Ciso Podcast. With you as always John Verry, your host. And with me today, Jason Powell. Hey, Jason.

Jason Powell (00:37):

Hey, how’s it going, John?

John Verry (00:39):

Well, hey folks, we’re off to a bad start with this guy. I mean, he’s like I say, hey Jason, and it’s just dead air. All right. So, this is a podcast. You understand that principle behind this? I ask you questions and then you answer them.

Jason Powell (00:51):

I do.

John Verry (00:52):

Okay, good. So, Hey Jason.

Jason Powell (00:53):

I do. Yes. Hey John, how’s it going?

John Verry (00:56):

There you go. Wow. You know what?

Jason Powell (01:00):

A little better already.

John Verry (01:00):

You’re getting better already. So, thanks for coming on today. I’m definitely looking forward to this conversation. I think it’s going to be a fun one. So, to start simple, tell us a little bit about who you are and what it is that you do every day.

Jason Powell (01:15):

Okay. So, I’m a GRC consultant with Pivot Point Security. I’m a fairly new addition. I’m to the point now where I’m not calling it PowerPoint security. So, I think that’s a big accomplishment for a new consultant. I was brought on, as I said to do GRC and I was also brought on to be a privacy SME. And I come from probably a background that’s not dissimilar to many of my peers. I’ve got 28 years on IT and I just hit my 20th year mark being a full-time assurance practitioner. I started out building white box PCs in the 386 days, remember those? And did some desktop and Telco supports. I became a Certified Novell Engineer, remember that? Did some mail administration. [crosstalk 00:02:01].

John Verry (02:02):

Jason, are you looking at this?

Jason Powell (02:04):

Lots and lots of crazy stuff?

John Verry (02:07):

[crosstalk 00:02:07]. Are you’re looking at this? I mean, look at this. I couldn’t be old enough to understand what a Novell Engineering is. Come on.

Jason Powell (02:16):

Lots of old school stuff. I do a large variety of stuff. Mostly, I think, because I was bored all the time. I’d learn one skill and then I want to learn something else. So, I just grabbed on to every new thing that I got exposed to. And at some point around the year 2000, somebody handed me a book like Cliff Stall called the Cuckoo’s Egg. And I read it, but with wrapped attention. It was about a Unix administrator at a university who tracked down a group of German hackers based on a 75 cent time-sharing accounting error. And from then on, it was off to the races with governance and security.

John Verry (02:59):

Cool. Well, this is going to be good. So, before we get down to business, I always ask what’s your drink of choice?

Jason Powell (03:05):

I’m a scotch guy.

John Verry (03:08):

[crosstalk 00:03:08] forget it. Podcasts is over folks.

Jason Powell (03:11):

It’s over, it’s done.

John Verry (03:13):

It’s a good whiskey wasted.

Jason Powell (03:17):

I tried scotch about eight or nine years ago, because I had read a novel where the main character drank Famous Grouse scotch. And I was in the liquor store picking up something else. I forget what it was. But I saw this bottle of Famous Grouse scotch, I’m like, that’s actually a real thing. So, I tried it and that became my drink of choice. Famous Grouse is my go-to blend. But my real passion is for single malt and [Islay 00:03:48]. So, smokey PD stuff. My favorite brand is [inaudible 00:03:53]. So, I’m a former firefighter, paramedic. So, anything that smells like it was recently on fire is right up my alley.

John Verry (04:02):

So, I have bought Laphroaig for people. Because I know that is a very, very well-regarded scotch. That being said, anytime you take a good whiskey and you add peet to it, you’ve totally screwed it up. So, you and I will never drink together, Jason. Just so you know that. All right. So, let’s get down to business.

Jason Powell (04:19):

To further that, my… Good.

John Verry (04:23):

To further that, I’m not going to cut you off.

Jason Powell (04:23):

I was going to say my secret pleasure is Ouzo.

John Verry (04:28):

Oh yeah, Ouzo [crosstalk 00:04:29]-.

Jason Powell (04:29):

You’re really not going to drink with me.

John Verry (04:31):

No, no, no. I actually like … No, I like Ouzo. Ouzo with a couple of coffee beans in it after a meal. I like the bitters. So, I like Ouzo. I like Sambuca. I like Campari. I like Amara. I like Fernet, Bronca. I drink a lot of those digestive bitters for that reason. They’re great after a heavy meal. And Ouzo, my father-in-law is an Ouzo guy. So, it’s a great drink.

Jason Powell (04:58):

Okay. [crosstalk 00:04:59].

John Verry (05:01):

We can drink together. All right. We can drink together. All right. So, let’s get down to why you’re really here. And I think this should be an interesting conversation because I think Jason and I approach privacy from very different perspectives. Jason is passionate about privacy and for, I think, in protecting people’s freedoms and not only that, but super experienced, super certified practitioner in privacy. I’m not passionate about privacy at all.

John Verry (05:32):

My perspective is very much more pragmatic. I’m more of a business tech, a business approach. I think of privacy as something that we need to do. And I think when I look at it, my approach is always going to be what provides the most significant ROI. So, I think we look at this from very different perspectives. And I think that became apparent after we got off a call with a client recently and you and I chatted about, we thought the project should be done differently. And I wish we would’ve recorded that damn conversation because it was a fantastic conversation. So, let’s see if we can recreate it here. So, I’m going to ask you from a 10,000 foot perspective, just to frame the conversation. There’s a ton of these new privacy laws, GDPR, CCPA, VDPA, all of these laws. What all these privacy laws essentially say, and why did we evolve to this point? Why are all these privacy laws necessary?

Jason Powell (06:24):

Sure. So, I think it’s important to take a peek back a couple of decades and understand where some of these came from. And the primary differences between the US take on privacy and the European take and really the rest of the world as well. So, privacy from a European perspective really had its origins in post World War II, democratic Europe. And following World War II, there were quite a bit of, the authoritarian governments that were associated with Russia, then later the Soviet Union very quickly put together a structure of, there’s no other way to say it, secret police. These people were sent out to spy and track their citizens based on a number of things. Things like racial ethnic origin, political beliefs, labor union membership, or interest in labor unions, religious beliefs and practices, whether you had a mental or physical disability, sex life or sexual orientation, all sorts of things.

Jason Powell (07:26):

And these secret police had entire archives full of information about otherwise law abiding citizens. So, as a result, these people were various and systematically, they were spied upon, they were tracked, they were blackmailed, they were jailed, they were tortured. And in some cases they were murdered. So, the people in free Europe really had an interest in ensuring that nothing like this was going to happen anytime in the near future. So, those free countries in Europe started to put together national laws that forbade the unlawful collection of information, personal information. And eventually those were codified in a 1980 publication from the Organization for Economic Co-operation and Development. You’ll hear in privacy circles, they call this the OECD guidelines. Following that in 1995, there was issued the DPD, The Data Protection Directive, you’ll hear this referred to as the DPD or 95/46/EC, all sorts of names. But it’s the immediate precursor to GDPR.

Jason Powell (08:33):

The Data Protection Directive said, thou shall each of you, pre-European nations and the EU, shall embody these principles into your national law. And they did that. It took a little time. And for the most part, it was effective, but the national laws were administered a little differently from country to country. So, there was a little bit of an issue with consistency. In an effort to bring that into the modern era and to make that more consistent in 2018, we saw the emerge of GDPR, the General Data Protection Directive. I’m sorry, GDPR, General Data Protection Regulation, GDPR. So, that’s how we got to the European style privacy.

John Verry (09:19):

[crosstalk 00:09:19]-

Jason Powell (09:19):

Contrast it with-

John Verry (09:19):

Wait, wait, can we pause one second there? I want to ask you a couple of questions.

Jason Powell (09:23):

Yes.

John Verry (09:23):

So, if I went back to that … So, this is really interesting and it gives me a very interesting perspective that I’ve never had. Because I honestly, I didn’t know any of that. So, it’s interesting to me and now I understand why you’re more passionate than I am about privacy and maybe you’re going to convince me I should be more passionate, is because I looked at GDPR and CCPA as being a natural reaction to the technology companies that we work with doing bad things with our data. Using our data in ways which we did not authorize them to. And what you’re saying is that really the true genesis of this while this law does apply to that. And that’s how a lot of us see it. This goes all the way back. I mean, this is anti discriminatory. This goes back decades and it’s really truly about people’s personal freedoms. It’s not about their personal information. It’s about them not being discriminated against by governmental entities and corporations based on that personal information.

Jason Powell (10:26):

And not only that, but if you were gay in 1949 in Hungary, you might find yourself in a shallow grave on the side of the road with a bullet in the back of your head.

John Verry (10:34):

That’s really interesting.

Jason Powell (10:35):

And that’s how they track these people. That’s how they … Yeah. And so for many people in authoritarian Europe, your privacy was a matter of life and death.

John Verry (10:45):

Very interesting. So, now that we understand, let’s say the derivation, if you will, of GDPR. How did it begin its translation into let’s say APAC and other regions, CCPA in the United States?

Jason Powell (10:57):

Sure. So, I think there’s just becoming more globalized and people doing business all over the world. I think that they started to become a lot more familiarization. People became more familiar with the privacy practices around the world. And you may hear me refer to data protection, which is what they call privacy in Europe. So, it’s not intuitive data protection you would think would mean security. But it’s really privacy. So, I apologize in advance for that confusion. That’s a common term in the privacy world though. I think that there was greater socialization as globalization emerged and other regions in other countries became more and more aware of common privacy practices, especially as the European market opened up to the rest of the world. So, I think that those countries looked at what was happening in Europe and said, this probably is not a bad idea.

Jason Powell (11:57):

We should look into this. Local and national legislation emerged kind of organically. But almost all of it is based primarily on GDPR and the OECD guidelines, and what came before that are really the granddaddy of all privacy legislation. And I think that most of these countries, again, Asia-Pac, Brazils got laws, South Africa’s got laws. I think they looked at GDPR and said, look, not only is this descriptive. It’s fairly prescriptive. It’s very, very well done. It’s very broad. It’s very in depth, because again, they’ve had 40, 50, 60 years of doing this to refine what the rights and freedoms should be and the processes that organizations should take to ensure those rights and freedoms. I think everybody looked at GDPR and said, it’s kind of a no brainer. Let’s model it after this.

John Verry (12:55):

Yep. I think you’re right. And maybe, unfortunately I am like the ugly picture of the American person that all my perspectives are centered around being an American. And so maybe, I do think that a lot of the inclination to bring this into the US, because we didn’t have those same discriminatory practices and we didn’t have the, someone who follows Hoover might disagree with me. But we don’t have the secret police and the special files on people and things of that nature. So, I do think that some of the reaction here was the, I think, exploitation of data by the technology sector. We know from working with some of the companies that we’ve worked with, that some people have done some pretty ugly thing with taking anonymized data, de-anonymization it and using it in ways which are fairly distasteful. So, I do think some of the reaction here is probably to the technology companies using our data in ways, which it wasn’t intended and in which we don’t agree with.

Jason Powell (13:59):

That brings up some central tenants around European style privacy that we don’t see necessarily incorporated into American style privacy. So, there’s this notion that processing of personal data should be lawful fair and transparent. So, if you translate those into common speak, it’s, don’t break the law, don’t be a jerk and don’t be creepy and hide stuff. So, that’s a very, well-known set of things in Europe and by derivative Asia-Pac and South Africa and such. We don’t get that in the United States. There’s data is worth a lot of money. Your data individually, the data about John Verry might be worth a few pennies or a fraction of a penny. But when you combine all that with 15 million other people or a 100,000 other people and offer it to the right people that want that data, that data is very, very valuable. So, it’s become commoditized.

John Verry (15:03):

Have you heard the expression if you’re not paying for the product, you are the product or your data is the product?

Jason Powell (15:11):

Yes, that’s very true. And as a privacy practitioner, people say, well, what do you use for email at home? And I say, I use Gmail. Believe it or not. But this is about risk. I’ve been using Gmail a long time and too many people know my Gmail address. I have nine or 10 years worth of calendar data in Gmail. I know that Google reads my mail. That’s a risk that I accept, because I’m not willing to try and flip it all over to some other platform. Would I use Gmail today knowing what I know now? Maybe not.

John Verry (15:49):

No. You’ll be on Proton. All right. So, let’s talk about for someone who has a passing knowledge of GDPR and CCPA and these types of frameworks, I agree with you completely. I think GDPR being the grandfather of all of them, they all are, I don’t know if you’d agree with me, it’s 90%, 90 plus percent similar to GDPR. So, I think they all have a fundamental four or five steps. The concepts of policy, the concept of data mapping, or records of processing activities, DPIs, things of that nature. Can you just talk someone through it at a very 10,000 foot level? Hey, I need to get from where I am to being GDPR, CCPA compliant. What are the four or five major blocks that they’re going to have to address?

Jason Powell (16:34):

So, I think the resource or thing that you need to think about from the start is often skipped over in lieu of the data mapping and all the other more obvious steps. There’s an old tenant in project management that says the best indicator of project success is key stakeholder involvement. So often we tack privacy onto security. And I think that they’re really two entirely separate disciplines. There’s a portion where they’re joined and they overlap. And it makes sense not to reinvent the wheel. But I’m going to go out and say something that may be very controversial to somebody who was a pure security practitioner. And that is, I believe that 90% of your security requirements can be met without PII specific controls. I also believe that 90% of your EU style privacy requirements can be met without traditional CIA resource involvement. That’s a very controversial thing to say. But I believe wholeheartedly.

John Verry (17:47):

Yeah. Quick question. So, I think what you’re saying right, is that the Venn diagram of privacy and security has a roughly 10 or 15% overlap in the middle. And then there’s things that are privacy oriented that fit outside of that on one side. And there are things that are just inherent in your security that are outside on the other. Yeah?

Jason Powell (18:08):

Yes. And this is sometimes illustrated by, I like to break things down by what’s involved in each at a very, very high level. So, I look at security and I think of security as being about 80% technology and about 20% business. And I think most of my peers would agree that’s probably pretty close. When I look at privacy, I think of privacy as about 10% technology, about 60% business, and about 30% law. That’s a very, very different skillset when you compare the two. I liken them to two very important disciplines that can be adjacent and even share some resources and concerns, but that really require separate and distinct types of program development and separate and distinct key stakeholders.

John Verry (19:09):

Hmm. So, I think I agree with you. I think privacy consumes security. I mean, in order for us to achieve privacy, we need to consume some level of that security. But very often the security practices that are there to support privacy would have been there in some logical context independent of our privacy requirement.

Jason Powell (19:36):

Yes, absolutely.

John Verry (19:37):

Cool. Yeah, that makes sense. So, again though, go through … So, I agree with what you just said. Can we go through what needs to happen in order to get from, hey, oh crap, I got a DPA in the mail and if I can’t say that I’m GDPR compliant, I’m going to lose my customer. Give me that quick journey at a 5,000, 10,000 foot view, whatever level.

Jason Powell (20:02):

So, from the ground up and what I was really getting to with that previous discussion was the thing that most people, I think, don’t think about or they don’t start with is you’ve got to have a champion in your organization who is preferably a designated, qualified and dedicated privacy stakeholder. That would mostly be in the form of somebody who is a dedicated chief privacy officer or just privacy officer. So, often that privacy function, especially in a smaller organization, is tossed over to the chief security or chief information security officer, which I think is the wrong way to go. But it happens, because sometimes people have to wear multiple hats. So, that’s the first thing. The second thing is you need to understand what your obligations are. It all comes down to requirements just like a project. So, what are you required to do?

Jason Powell (20:58):

And that can be, what are you required to do under law, as an example. Do you market products or services to people in the European union? If that’s the case, you are obligated to comply with GDPR as law. If you do business in California, you may have obligations under CCPA or Virginia or Colorado, any of these states in the US that have new privacy laws. You’ve got to figure out what you were absolutely required to do under law. The next thing is, what are you required to do as part of your contractual obligations? If you are some mid-sized company that makes widgets and you supply them to a large international company, and they state in their contract with you, we have to be GDPR compliant. You’re going to comply with GDPR as well. If you want that business, you’re going to have to comply.

Jason Powell (21:56):

Then beyond that, what do you, as an organization, feel like you’re obligated to do, whether it’s the CEO or the board of directors or common understanding by senior management, what’s the right thing for our company to do with regard to security and or privacy? That’s where you start. After that, now you have that your obligations are clear, fairly clear hopefully. Now you have an opportunity to look at a framework or law that you have to comply with. ISO 27001 is a great framework if you want to have a good basic privacy program, but you don’t necessarily have legal contractual obligations. You’re doing it because it’s the right thing to do. People expect it, what have you. You have already referenced to start building that program, using an established framework. That’s a great way to do it. If you’re required, for instance, to do business compliant with GDPR, then get GDPR out.

Jason Powell (23:04):

You’re going to have to read. Somebody is going to have to read all 99 articles and preferably all 173 recitals to understand what’s involved. ISO 27001, the clause seven and clause eight specific controls. These are controls that talk about what you have to do if you are a controller, if you determine the means and purposes of processing of personal data. These are the things that you have to do. Clause eight talks about your obligations as a processor if some other organization pays you money to do something special with personal data that they provide, and you send it back to them, or you send onward. So, that’s a total of 49 controls. GDPR has 99 articles. Each of which sometimes have two, three, and four controls in them. So, it’s a much, much bigger lift if you will. So, you need to determine the framework or law that you’re operating under.

Jason Powell (24:03):

And then you need to start by figuring out what you have. So, doing a data mapping exercise. Where do we get our data from that’s personal data? Who do we get it from? How do we receive it? How do we process it? How do we store it? How do we treat it? How do we securely dispose of it? How do we ensure that we, if we are a processor, how do we ensure that we are meeting our obligations to the controller? And that can be a very, even in a small company, that can be a tedious exercise, because you’re collecting data from the website, from prospective customers, from prospective employees. If you have offered white papers about your product, you might require people to provide their personal information. If you have even a single employee, you are by definition a controller, because you hold data about an employee.

Jason Powell (25:05):

It might be yourself if you’re the CEO and sole member of that company, but everybody is a controller. And we typically collect lots more personal data than most people realize. So, we’ve got to find out where that data comes from, the purposes of us processing it. And then we have to figure out, are we processing special category data? In other words, is there data that we collect that’s very, very sensitive, like super, super sensitive that we need to apply an even higher level of control to. So, this would be things like health data, data about sexual orientation. If you collect lots and lots of data that track lots and lots of people like the phone company can tract people using the GPS data in their phones. Tracking people through the use of web technology and advertising technologies. You have to determine, do we do any of that?

Jason Powell (26:07):

If we think we do, then you need to engage in a process called a DPIA or a PIA, depending on the framework. It’s called different things. But it’s a privacy impact assessment. You need to look at what you’re processing, how you’re processing, how you’re protecting it and determine if you, and this will be done on anything that you consider to be data that you’ve collected that sensitive in nature. Again, the health data, sexual orientation, that sort of stuff. And then you need to figure out, can you manage the risks around processing that data. In the European union, if you determine through a PIA that the processing of sensitive data or special category data is what it’s called there is still a high risk. You have to go to a supervisory authority to get the okay to continue processing that data.

Jason Powell (27:00):

So, that’s just, we’re only on step three. That’s a fairly big lift. At some point, you also need to determine what data subject access rights you’re going to afford people who might contact you about their personal data. Under GDPR there’s a long list of data subject access rights and that’s rights like, hey, John, I want to know, do you have any personal data that relates to me? If so, I’d like to know what it is and how you’re using it. Or I might say, I would like to having seen that data or having seen it someplace else, I can say I would like it corrected, because the data that you have about me is not accurate. It could be as simple as you spelled my name wrong. Or something of that sort. I want it redacted. I don’t think you have any reason to have it anymore.

Jason Powell (28:06):

And I want you to remove it from your records. These are all data subject access rights. Under GDPR, again, you have a laundry list of these things that you have to comply with. If you’ve decided to extend those rights to other people outside of the EU, or if you’re a US company and you just want to do the right thing, and you want to follow GDPR, you need to decide which of those rights you’re going to afford your users. And then you need to figure out how you’re going to actually get that done. And that’s an operational issue. Now you have a privacy office with administrators that are doing data subject, access requests, and responses. Now the program is suddenly much bigger. So, those are the initial steps.

John Verry (28:51):

Good. All right. That was cool. So, tell me if I captured this right from a simplistic perspective from people like me. So, we need to do what we say and say what we do. So, we need to document what it is that we do, what information we collect, how we collect it. And we need to make sure that we comply with that. That’s that, I think, what you called to be a good guy. Or whatever. Okay, good. That gets documented in a privacy policy, in a cookie policy rights that we communicate to the world. That data mapping, that’s the same thing as a ROPA, a record of processing activity, or it’s a ROPA is the GDPR version of a data map. Is that a fair statement? Over simplified [crosstalk 00:29:28]-

Jason Powell (29:28):

Yes and no.

John Verry (29:28):

Stay in the simple. [crosstalk 00:29:29]. Remember, I try to simplify here. [crosstalk 00:29:34].

Jason Powell (29:36):

This’ll be real simple actually. Under GDPR, a data mapping and a ROPA are actually two separate things, but they’re very closely related. And for discussion purposes, you can more or less think of them as the same blob.

John Verry (29:51):

Okay, cool. So, we build this ROPA, this data map. The data map is, the way I think of it is what personal information are we getting, what processes act on it, where does that data end up? Because that’s going to give us the map, if you will, to deal with these data subject access requests. Somebody calls up and says, hey, what information do you have about me? I can present it. Somebody says, hey, I want you to change this. I can change it. Somebody says, I want you to delete this. I can delete it. That a good summary.

Jason Powell (30:19):

Exactly.

John Verry (30:20):

Cool. All right.

Jason Powell (30:21):

Yeah.

John Verry (30:22):

Excellent. So, you’re educating me here. All right. We’re getting there. All right. So, let’s go to the next thing here. So, and this was really where it got fun in our conversation. So, I think many of the clients that we deal with are either ISO 27,000 … So, most of our clients need to prove they’re secure and compliant to somebody. Many of them do it with 27,001 or SOC 2, or one of these frameworks. In this case, 27001 is the one when we blend in privacy tends to be the more common conversation. So, 27001 is a certifiable means of saying, I have a good information security program. You can trust me. We agree that ISO 27701 is a way of telling people I’ve got a good privacy program. You can trust me. I think what you differentiated, which was interesting. And I agree with this is that I can be ISO 27701 compliant and certified, but not necessarily achieve the requirements of GDPR or CCPA. Agree?

Jason Powell (31:22):

That is absolutely correct. Yes. And I would go so far as to take a wild guess and say that the majority of 27701 certified entities who are not obligated to follow GDPR under law are probably not even close to being GDPR compliant. And that’s because it’s so much more comprehensive. It’s so much more in depth, which is why so many other countries use GDPR as their foundation, for their privacy legislation.

John Verry (31:57):

Okay. So, a good analogy might be, see if you agree with me on this. So, I can be ISO 27001 certified from an information security perspective and not be payment card industry data security standard compliant. So, much like 27001 is a generic framework for information security. And in order for you to be compliant with a specific, more prescriptive regulation, that has to be an input into your implementation of ISO 27001. If I knew that I had to legally comply with GDPR and I wanted to use 27701, not I have to, but I want to. Then I could become both GDPR compliant and 27701 certified if I fed GDPR in those additional requirements in and filtered it through the 27701 framework?

Jason Powell (32:53):

Yes, you could. I’m going to go say, I’m going to go out on a limb and suggest that it’s not necessarily the best idea, depending on the resources you have available to you. If you have a customer who is pursuing 27001, they want to pursue GDPR and 27701 at the same time. And they have a common, largely merged security and privacy program in a single security stakeholder that also oversees privacy. Everything’s going to get muddied, first of all. The terminology between GDPR and 27701 is slightly different, it’s enough to be confusing. And I think that it’s possible in especially in some smaller organizations that the 27701 framework is going to get in the way of getting GDPR done. It’s an extra thing you have to continually distinguish between. Are we talking about GDPR when we talk about this control? We talk about 701, which one are we working on?

Jason Powell (34:01):

And I think for organizations that have a hard requirement to do GDPR, I think the best of both worlds would be, get GDPR compliant, maybe referring to 701 occasionally, if you need a little bit more context of how privacy works. But I think that the best way to do that would be nail GDPR down. And if you want to demonstrate additionally to other people that you are in fact compliant beyond GDPR, you’ve got 98% of what you need to get 701 compliant. This is assuming you’re 27001 certified. It’s just laid over top and go, yeah, we’re like 98% there. Do this, this and this. Get an internal audit. You’re probably there.

John Verry (34:52):

Gotcha. And I agree with you. So, I think we talked about this the other day that there’s probably four or five, call them key decision points. Where you end up with this conversation about, should I align with GDPR? Should I align now? Should I go to CCPA? Excuse me, GDPR and 27701 at the same time. Should I do GDPR first, then go to 27701. Should I do 27701 first, then go to GDPR? And I think you’re coming down to some fundamental stuff. If it’s a legal compliance issue and time to being legally compliant is important, then going straight to GDPR is going to be the most direct path to getting there. If I need, if I-

Jason Powell (35:40):

It’s the best use of your resources.

John Verry (35:43):

Yes, I would agree. I would agree. Now if we’ve got to get to 27001 at the same time, I think you could make the same argument. Getting to 27001 and 27701 will take more time than getting to 27001 and GDPR compliant using just GDPR as your framework, right?

Jason Powell (36:04):

Restate that question again, just so I make sure I understood it correctly.

John Verry (36:08):

Sure. So, a lot of our clients need to get 27001 certified, 27001 certified, not 27701. And they have a choice of, I got to get to 27001, but GDPR or CCPA compliance with the law is a legal requirement for me. It’s quicker if I have to get 27001. It would definitely still be faster to do 27001 plus GDPR or CCPA or both. And then move to 27701 later than it would be to try to do all of those at the same time. I think your argument would be, that’s a heavy lift and it’s a resource consumptive lift. And there’s definitely some danger to doing that in terms of extending timelines and cost structure, right?

Jason Powell (36:46):

Yes. Absolutely. There’s always a, like any project, there’s a balance between budget quality and timeline. So, you’ve got to figure out, if you’re being told for 2022, we’re going to give you a great big budget, but it’s all got to be done in 2022. Then I would say, okay, bite the bullet and do it all at one time, because you’re not going to get money in 2023. If you have an organization that says, look, we want to do this right. We’re willing to take the time. We’ve got to get 27001 certified, GDPR is upcoming, 701 would be nice. And you have the luxury of time and you’ve got the resources. I would say, do them in that order for perhaps 27001 and GDPR concurrently. And as you said, pick up 701 is the icing on the cake.

John Verry (37:42):

Yeah. So, and here’s where it gets really, these conversations get so fun. So, we haven’t talked yet … We talked about cost and the more you add on the more expensive it gets. But it also, the cost structure will change depending upon how you do it. Because if you get 27001 and 27701 at the same time, your initial cost goes up a lot. But your long-term cost over two or three years goes down because if you do 27001 and GDPR, then you come back into 27701 the next year or the year after we have to rework some of the artifacts of the information security management system. So, that dollar and cents thing, I think the way you said it is really good. You’ve got to look at the money that’s available over a multi-year period sometimes to figure out what’s the best way for me to get to where I need to get to from a dollars and cents perspective as well.

Jason Powell (38:35):

Yes. It’s like a three-way balance. It’s pretty easy to balance something when you’ve got a marble on a little wooden track. But if you’ve got a triangular tray and try to keep that marble in the center, that’s a really difficult thing to do. And to do that over a period of three years, try to get it all optimized and on time and the quality that you want. That’s tough in any project.

John Verry (38:59):

Yeah. And now I’m going to add like two more domains. So, this is going to be like, we went from chess to that, you ever play, do you remember the old days where they sold the three-dimensional chess sets and you were playing on the … Yeah.

Jason Powell (39:08):

Yeah, the Star Trek one, yeah.

John Verry (39:12):

But I think we’re about to go there. Because you just talked about focus, speed and cost as being like three, and quality four domains. And I’m going to throw two more domains on there that’ll be interesting to get your perspective on. So, we also have to balance in what is the value of having the attestation. So, I can be, if I build a perfect GDPR compliant privacy system, how do I prove that to somebody? So, having 27701 and I know 27701 is not GDPR compliance. But perception is reality. And when you hand a 27701 certificate to somebody and it says GDPR in the scope statement, they perceive that as being GDPR compliant. So, we have to balance in, is there a marketing value or is there a client acquisition value to getting to 27701?

John Verry (40:04):

And then I think we also have to manage in, and I think this is interesting. I don’t know if you would agree with me or not. But actually you said something really fascinating before. So, I think this is really interesting because you said, and I agree with you, that in a perfect world, you would have a dedicated privacy officer or someone who’s responsible for privacy that’s independent of security. I think we both know in the SMB, SME space, that’s not likely. We don’t see it as often as you would ideally like to see. So, now we have a guy that’s an information security guy that’s trying to manage my privacy system.

John Verry (40:36):

And I think having 27701, what it does is it consolidates my information security management system into an information security privacy management system. And I may build the GDPR compliant program, but if it isn’t operationalized, if I don’t have any way of making sure that we’re doing the things we want, and if I have only an information security guy running it, it might not happen. So, you might also have some value about adding 27701, just because it makes sure that the management system will ensure that people are looking at it, that the risk assessments are being updated. You know what I mean? I think it provides some compliance operationalization value.

Jason Powell (41:16):

I think that the benefit of a 27701 certified personal information management system depends on the organization implementing it. There are some organizations that will implement 27701. And they do it because, well, we need to check the boxes. It’s good for marketing or somebody wanted us to do it. There are also … So, let me give you an example of if you’re a mom and pap auto insurance broker outside of St. Louis, Missouri, I’m not aware of any state privacy laws on the books in Missouri. And you don’t do business in Virginia or Colorado or California. You don’t collect PHI, so you’re not under HIPAA. But you want to give your clients and customers and partners a high degree of assurance that you can manage the personal information that you collect and process, and you go, we’re really going to do this right.

Jason Powell (42:19):

And maybe the junior person, the son of the business owner says, I’ll do it dad. And they dig in and they really learn the real purpose of the framework. And they believe in what the framework is supposed to represent. They’re going to get a lot more value out of that than a company that says, eh, it’s good for marketing. Let’s tick the boxes. Like everything else in this world. It’s what you put into it, right? There’s a very famous quote from Beverly Sills, the well-known singer. And she said, “There are no shortcuts to anywhere worth going.” And I believe that strongly. I think the power of the framework is in the organization that implements it.

Jason Powell (43:08):

And that’s true of any framework or legislation. There are probably organizations in Europe that may be technically compliant, but probably don’t do a great job at all the stuff they should be doing. There are probably multinational companies that are based in the US. I’ve done work for one that even though they’re not obligated to extend GDPR rights and processes to all of their worldwide customers and employees, they do it because it’s the right thing to do. It makes it easier for them. And they’ve just said, this is what we’re going to obligate ourselves to. And it’s a really meaningful well-run program.

John Verry (43:49):

Yeah. What you’re saying holds true. And you’re not just a privacy guy. You are an information security guy at the same time. And it’s the same thing with information security. We go into some organizations, an ISO 27001 is a compliance exercise. It’s not a security exercise. And I think what you’re saying is that you can turn GDPR or you can turn ISO 27701 and 27701 is more likely to be turned into a compliance exercise where the purpose is to produce a certificate, not to protect personal information. And so it is about the intent.

Jason Powell (44:23):

Always.

John Verry (44:24):

I agree. So, I think we did a pretty good job here of talking this through. So, I guess we landed as it depends. And isn’t that always the answer in privacy and security.

Jason Powell (44:38):

That’s the legal answer. Yeah. And I would like to throw out a tip, John, for smaller organizations that really want to take a good, meaningful run at a privacy program. You do not need somebody with a JD behind their name. For those that aren’t in the US, that means they’re an attorney. You do not need an attorney to be your privacy officer. In fact, probably a good percentage of my data protection peers in Europe who are literally at the DPO level, the Data Protection Officer level, are not attorneys. They are people who came from, some from technology, many from business who have a passion for this. Or they got handed this and they said, you’re going to do this. And they go, hey, this looks pretty cool. And they dove into it and they did a bang up job.

Jason Powell (45:32):

What you need is somebody that’s got passion and is willing to learn and is willing to try out new things, willing to make connections all around the globe. And in fact, a good place to start if you can’t afford a JD is somebody who’s got paralegal experience. So, lots of opportunities out there to pick up somebody who can do the job, who is passionate, who can learn the job. But it’s really, really hard to turn your average security practitioner into a passionate and effective privacy stakeholder or practitioner. I’ll be the first to admit I’m a weirdo. I’m really the oddball among all of my peers in Europe. This is not the usual path that one takes to become a security practitioner. I happened to be a policy and governance walk by nature. So, privacy suits me really well. But I’m kind of an outlier. But there’s a real opportunity for people that do want to hire somebody that that is, or can be very passionate about this discipline.

John Verry (46:39):

Good. I have to, you just tweaked two questions in my mind here. So, the first is, does an organization, if they don’t have a JD as their DPO, are they well-advised or do they require an external counsel? Because there is a definite legal interpretation component to all of the privacy laws. And then the second question would be, what are your feelings on the concept of a virtual Data Privacy Officer for smaller organizations that can’t afford a privacy officer?

Jason Powell (47:11):

Right. It’s what we call a fractional DPO or our virtual DPO. And that’s very workable. There are organizations probably in the US, but definitely in Europe that that’s what they do. Their virtual DPS. And let me toss an important thing out here about the term DPO or Data Protection Officer. Under GDPR, that is a very, very special protected position. Articles, 37, 38 and 39 of the GDPR talk all about the designation and roles and tasks of the data protection officer. They have to be independent. They have to be able to walk into the C-suite whenever they want, or attend board meetings and represent the, in a conflict free way, the privacy risks and issues of the organization. And really they’re the last stop gap for the rights and freedoms of the data subjects that they represent.

Jason Powell (48:16):

So, in the US if you’re billing a privacy program, and you’re not having to comply with GDPR, do not call yourself a DPO if you were the Chief Privacy Officer. That has a very specific and unique meaning. That said, so there are people that act as fractional DPOs. And there are probably people that act as fractional or virtual, just privacy officers. The more generic flavor of that. So, that’s available. With regard to having a JD. If you are simply complying with 27701, that’s a framework. That’s not law.

John Verry (48:57):

Yeah, I would agree.

Jason Powell (49:00):

I don’t really think it’s terribly important that you have somebody who’s a JD running that program. Be great if you can afford it, or you have somebody. They can wear two hats, but I don’t think it’s required. If you are putting together a program and your intent is to comply with a law, no matter where it is, that requires at least a little bit of legal examination and legal interpretation. I am not an attorney. I don’t play one on TV. I’m married to one, but she doesn’t do privacy. I can, for instance, provide a client or a customer with a reasonable explanation of a control. I can talk to them about how they may or may not be meeting that control.

Jason Powell (49:48):

I cannot tell them whether or not they are compliant with CCPA or GDPR. I can probably tell them when they’re not, because they’re doing really dumb things. But for the most part, I don’t have any standing legally to say, yes, you are complying with GDPR or CCPA, whatever the, UK has their own version of GDPR, or what have you. It’s always good if you want to develop a really robust, capable, and continually improving privacy program to have availability, to reach out to somebody who is an attorney that does understand privacy. Even if it’s not their specialty, if they can look at what you’re trying to comply with, and they can offer a reasonable and legal opinion, that’s important. And I would make sure that a customer has that.

John Verry (50:44):

Yeah. And it protects them. I mean, there’s that legal term due diligence. If you’ve done that due diligence, that you’ve had a third party, privacy knowledgeable attorney review something in the event it was ever challenged. You’ve done what you needed to do to protect your organization. So, I agree completely with that. Well, this has been fun. So, I always ask the question, what fictional character or real world person do you think would make an amazing or horrible CISO? I’m going to ask you a data privacy officer. Or now I have to be careful. I shouldn’t use DPO generically. I’m going to use privacy officer or chief privacy officers, and I’ll only use DPO when I talk to DPO.

Jason Powell (51:25):

Yeah. I think the person, the fictional person that I think would make a great privacy officer would be Barney Miller from the series Barney Miller, Hal Linden’s character. Very objective, very thoughtful, considers everything, keeps things in perspective. And I think the worst DPO in the world would be Billy blaze Koski, which is Michael Keaton’s character from Night Shift. That’s just off the wall, party dude. Can’t see beyond five minutes from now. I think he’d be the worst.

John Verry (52:00):

So, are you saying that because Barney Miller would not have been discriminatory against either Yamana, Harris or, what was his name? Bojo. [crosstalk 00:52:14].

Jason Powell (52:13):

It was Bojo.

John Verry (52:13):

Yeah. You remember that? [crosstalk 00:52:15]. And, yeah, Fish.

Jason Powell (52:18):

Don’t forget we Chana, right?

John Verry (52:19):

Yeah. Oh, that’s right. That’s right.

Jason Powell (52:21):

We all liked Fish.

John Verry (52:23):

And Fish. I know. I never really thought about that, but they had every potential discriminatory class in that squad room. You had an old guy, you had a, and I’ll be careful to say this right. Because I know that my wife always tells me, I used the wrong term, Asian person. You had a black person and you had a Polish person. So, yeah, that’s kind of interesting. So, you’re basically saying he did a good job of being non-discriminatory. Oh, that’s right. And what was the Latinos guy’s name?

Jason Powell (52:52):

[inaudible 00:52:52].

John Verry (52:53):

What was his name?

Jason Powell (52:53):

Chano Amengual. He was only in the first season.

John Verry (52:58):

I was just going to say I don’t remember him as well- [crosstalk 00:53:00].

Jason Powell (52:59):

Sierra.

John Verry (53:00):

I loved that show. That was one of those shows that I watched with my dad and my father would sit there in his rocking chair with his pipe, just laughing through the entire show. So, yeah, that was a great show.

Jason Powell (53:13):

Well, I’ve got all eight seasons on my Plex server, John. So, if you want to revisit Barney Miller, let me know. I’ll give you a log in.

John Verry (53:22):

I think that’s what Hulu’s for, is access to stuff like that. All right. So, last question, you chat with people every day about privacy. You chat with people every day about information security, any ideas on any interesting topics for future podcasts?

Jason Powell (53:38):

Yeah. There’s two that I think about quite a lot, one we touched on briefly in this podcast is how to ensure that your certifications are meaningful. And the other one would be using governance to garner resources for your programs. The gears are turning, I can see, in your head.

John Verry (54:01):

No. I literally had this conversation with someone the other day exactly about this. And it’s funny you should say that, because as we move more towards some of these governance risk and compliance programs, and you end up with these, I’ll call them task lists, if you will, that are the responsibilities of different roles in the organization. It becomes a logical way to communicate the fact that you don’t have enough resources to do things. And I think you pointed it out today. I would struggle to think of, amongst the hundreds of clients we have, an organization that has a truly, someone who truly meets the criteria of a DPO under the GDPR requirement, because one of those things that you talked about, and I think it’s so important for people to understand. That person enjoys protections against any retaliatory acts by the board or the CXO suite.

Jason Powell (54:59):

You can not be fired for [crosstalk 00:54:59].

John Verry (54:59):

And I didn’t want to say it exactly that way, but yeah. So, you’re completely right. And I do think that we are chronically under-resourced in the information security and privacy domains, which is not a surprise as to why every morning we wake up and there’s a breach somewhere. And until we solve that problem and until we get people to think of things as processes, not products, I think we’ll always have this problem. But I think part of the reason we think of things as products, not processes is because we don’t have enough time to operate and perfect the processes. So, that is a good topic. I already started our … All right. So, let’s just roll into the next one. Here we go. If someone wants to get in touch with you, Jason, how will they get in touch with you? Email?

Jason Powell (55:54):

Email’s fine. [email protected]. And I’m on LinkedIn. There are actually a couple of Jason Powells that do privacy, but if you search for Jason Powell DPO, I will be the only one that will pop up. I am not a DPO. That’s one of my certifications. But that will pop me up as the only results.

John Verry (56:16):

I was going to say, just search for the Jason Powells and pick the best looking one. But that’s just the way I think. All right, man. [crosstalk 00:56:24].

Jason Powell (56:24):

I like your way of thinking, John.

John Verry (56:25):

Yeah. You’re the only one. This has been a lot of fun.

Jason Powell (56:29):

I have really enjoyed this. This has been a great conversation and I’m looking forward to having many more in the future, I hope.

John Verry (56:37):

Yeah. You got it man. Have a great weekend.

Narrator (Intro/Outro) (56:39):

You’ve been listening to The Virtual Ciso Podcast. As you’ve probably figured out, we really enjoy information security. So, if there’s a question we haven’t yet answered, or you need some help, you can reach us at infoatpivotpointsecurity.com and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.