E266 - Matthew Kay, Group Data Protection Officer at Shawbrook
[00:00] Debbie Reynolds: The personal views expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.
[00:13] Hello, my name is Debbie Reynolds. They call me the Data Diva. This is the Data Diva Talks Privacy podcast where we discuss data privacy issues with industry leaders around the world with information that businesses need to know.
[00:25] Now I have a very special guest on the show all the way from the United Kingdom,
[00:30] Matthew Kay. He is the group Data Protection Officer at Shawbrook. Welcome.
[00:36] Matthew Kay: Thank you.
[00:38] Debbie Reynolds: Well, I'm happy to have you here.
[00:41] We've been connected on LinkedIn for quite some time.
[00:44] As always,
[00:46] I always look to people who have very interesting backgrounds and also they do a lot of good comments and put a lot of good information out there on LinkedIn and so called you up and like, hey, you want to be on the podcast?
[01:01] You said yes, so I'm really happy about that.
[01:04] Why don't you tell me a bit about yourself and your journey and how you became the group Data Protection Officer at Shawbrook.
[01:14] Matthew Kay: Sure.
[01:16] So I've worked in data privacy for about 13 years now and I started my career with the UK regulator, so the Information Commissioner's Office. That was advising organizations across the board on data privacy and then I moved into their audit department.
[01:36] So I used to lead teams auditing data protection compliance.
[01:41] Also sort of model a best practice,
[01:44] middle of the road and worst case scenario.
[01:47] And then that experience has sort of informed my knowledge base, if you like, in terms of how I've advised organizations to date, really. So after sort of approximately three years with the UK regulator, I moved into a role with local government.
[02:07] So I was a DPO for a borough council in London.
[02:11] And then after sort of setting their program up, sort of GDPR readiness program,
[02:17] I opted to move into the private sector.
[02:20] So that's where I've spent the last few years,
[02:23] worked across a variety of industries,
[02:26] sort of construction,
[02:28] media and tech.
[02:29] And then latterly I've spent my career in financial services.
[02:35] So I've worked for two challenger banks. So I was DPO for Metro Bank, led a lot of team of individuals and respected our data protection gumbs.
[02:47] And then I've been with Shawbrook approximately, just almost sort of 18 months now.
[02:52] Debbie Reynolds: That's really cool.
[02:54] Tell me a little bit about being right now you're in the private sector, but just being at a regulator and how that's very different for you.
[03:05] Matthew Kay: Yeah.
[03:05] So I think when you work for the regulator and I guess collectively you're seen as the model of best practice, you're there to sort of provide guidance. I guess both in an informal and formal capacity, they have the mechanism to sort of email in or call up the helpline.
[03:27] I think latterly they've had that chat service. And then I guess more formally in terms of their audit function, they'd make sort of listed recommendations to organizations and hold them to account after seeing data privacy processes.
[03:45] So ultimately to make them improve and handle people's personal information better.
[03:51] And then I guess as a last resort, if organizations don't step up after those kind of interventions,
[03:58] you can obviously see the enforcement arm of the regulator. So you might see fines or enforcement notice issued where organizations have failed to comply.
[04:08] I think when you move over to sort of the other side of the fence, whether it be public or private sector,
[04:14] each organization has kind of, I guess their pinch points in terms of what information they hold. So I think, you know, for a borough council,
[04:24] you know, they'll process a lot of special categories of information in respect to say like social services records, which, you know, provides a high degree of risk.
[04:33] And then I guess,
[04:35] you know, in say like financial services, where I've spent latterly, you know, you've got a lot of financial information, customer information,
[04:42] so there's sort of a big reputational impact. And in the UK, I think what's interesting with the financial services sector is it's dual regulated. So as well as the ICO,
[04:54] you've also got the Financial Conduct Authority.
[04:58] So you will see the FCA sometimes taking enforcement action in respect of where there's been personal data issues as well as the ICO. And that can be quite hard hitting in terms of the action they take.
[05:11] So I think it makes organizations really sort of sit up,
[05:15] take note and make sure they're taking handling people's information seriously. So I think the key differentiator between working for the regulator and working on the other side of the fence is that when you're a data protection professional within an organization,
[05:34] you have to take a risk based approach in terms of ensuring the organization can operate effectively in terms of their business processes. So I guess you have to sort of take note that the guidance that the regulator is distilling out and how you interpret that and what that means for your organization.
[05:54] So looking at your business processes,
[05:57] identifying the key risks and then how you ultimately address and mitigate those.
[06:02] Debbie Reynolds: I like that you mentioned the risk based approach because I think some people see some of these regulations as somewhat cookie cutter,
[06:13] but it really depends on what your organization is doing and what their appetite for risk is, I feel in some ways. But what's your thoughts?
[06:25] Matthew Kay: Yeah, I think our sort of legislation provides a framework and risk based approach. I mean certainly in terms of a lot of privacy legislation,
[06:36] it's often principle based.
[06:38] So it kind of sets out the key requirements and it's how you then interpret that and what that means for your organization. So there'll be guidance that sits behind it from the regulators.
[06:52] But you yourself, if you're the figurehead of the organization,
[06:57] you've got to look at those requirements and how your organization aligns to them. And I think particularly that can be more complex when you're in a global role like so my organization at the minute is predominantly UK based but we do contract with organizations that are in foreign countries and I have held global roles before that have been sort of region specific.
[07:24] So often you can see sort of conflicts and nuances between the different types of legislations and the different expectations of the regulators. And it's how you kind of dovetail between those to effectively ensure your organization meets its obligations.
[07:42] Debbie Reynolds: Very good.
[07:44] Tell me where do you think organizations either go wrong or misunderstand their obligations?
[07:55] Like for example, when you were with a regulator,
[07:58] where are some of those bigger pain points where organizations maybe they didn't understand the best way to implement the guidance or the principles or it's maybe a common thing that a lot of people misunderstand.
[08:14] Matthew Kay: So I think a natural challenge for sort of privacy professionals and information security professionals is you're often asking organizations to invest in an area which is largely preventative.
[08:32] So you're setting your stall out and trying to highlight the risk to, to your organization.
[08:42] But they may not always have an understanding of what those risks look like in,
[08:48] in, in sort of a real life scenario. So I think recently you, you've seen quite a lot of high profile cyber attacks. So I think that really brings it to life for organizations in terms of the business disruption.
[09:04] It can sort of trying to think of the word contribute, that's the word looking for. So by nature of those attacks, what's then the implication and impact on the organizations and then that can have a direct impact on sort of their profit and business sort of making activities.
[09:22] So there I think is an obvious indicator for organizations as to why they should be investing in infrastructure that helps protect your information and your assets. But I don't always think in the past that's been immediately obvious.
[09:37] So I think sometimes maybe organizations haven't been as alert to the, the risks. I think they're becoming more,
[09:45] more aware now in like, in like these attacks. But I don't always think that has jumped out in front of sort of boards and executive committees as being a real priority.
[09:57] Think on the flip side, you know, the introduction of the GDPR and seeing all the sort of associated legislation come on the back of that is has increased the profile in terms of the level of enforcement action that the regulators can take.
[10:11] So I think that's helped somewhat and I think user awareness has increased as well. I think we've seen the involvement of kind of the Internet,
[10:23] social media, et cetera. I think a lot more individuals have an interest now in terms of their data,
[10:29] what's being done with it, the potential implications.
[10:33] But I think still because it's not a commercial revenue generating sector of the organization,
[10:42] if you don't have senior people who've worked in risk sectors then that can be difficult to get the message across. And I think that's where the real sort of skill and art in a privacy professional and comes is how to get that message across in a simple form.
[11:01] How do you bring it to life?
[11:03] How do you sort of draw on the theory,
[11:06] the legislation and the guidance put out by the regulator and how do you show organizations what the real detriment is? And I guess as well being,
[11:16] being pragmatic, I think often you can see people speak to the legislation. You can see them potentially boil the ocean in terms of what they need to do.
[11:26] I always think of it as kind of like you know, a king settling, setting his soldiers out in a castle. Where, where do you position your, your infantry to effectively defend the castle?
[11:38] You know, you can't have a soldier at every single point. Different organizations will have different resource and infrastructure. How do you position that in such a way that it can fend off the, the attacks in unless I think it's difficult.
[11:52] Debbie Reynolds: I think you're right and that it is incumbent upon the person who's the data protection person to be able to not only champion data protection within the organization but also find a way to communicate it.
[12:11] Like you said, it's not because it's not necessarily revenue generating. You definitely don't want companies definitely don't want to lose money.
[12:20] But how do you from your personal perspective,
[12:24] how do you go about getting the type of buy in that you need not only with senior people within the organization, but just the just everyone within the organization so that they know like what they need to do or how they need to reach out to you or how do you get that message across?
[12:45] The.
[12:46] Matthew Kay: I've got a starting point in terms of I've got that regulatory exposure. So whilst you know the ICO will have evolved and changed since I was there. I have a level of understanding of what the regulator expects.
[13:02] I've worked in a variety of different industries and I try and be very pragmatic and output focused in terms of getting to grips with what the organization wants to do and putting in place suitable mitigation.
[13:19] So data protection isn't seen as a blocker.
[13:23] So I've always thought of kind of like my USP as being someone who can sign off 9 out of 10 processes because I can effectively identify what mitigations you can put in place to ensure a business can thrive.
[13:37] So what, I guess, fundamentally I see myself as an enabler.
[13:42] And what I say is on, on the processes that I won't sign off,
[13:46] the business will hopefully take focus and take note of why they can't do those because it's the exception rather than the norm. So I'd hope there's not appetite for any organizations that I work for to kind of circumvent the process because they can see that privacy is an enabler and a cornerstone and we can use it as a model of best practice and show to our customers that we're taking the handling of their personal information seriously.
[14:16] And I think I always try and be clear and concise in terms of the message that I'm giving as to why we can't do certain processes.
[14:28] I make sure the audience understands the implications associated with what's being proposed.
[14:35] So I actively encourage the people I work with to challenge if, if they're unsure or put forward objections if, if they're not clear or they feel there should be a way to do things.
[14:49] And then I guess as you spoke to you,
[14:52] we've been connected on LinkedIn for a number of years. I have a good network that I don't profess to know everything, but I have sort of levers that I can pull on if I want to get a second opinion, whether it be, you know, in an informal capacity or in an official capacity through external counsel input.
[15:12] Debbie Reynolds: You spoke a bit about pragmatism. And so this is a point I want to talk to you about,
[15:18] which is very important.
[15:19] So I feel like,
[15:23] and I want your thoughts. I feel like some people think about data protection almost religiously.
[15:34] I don't know. I don't know if that's the right word, but I feel like when you're in an organization,
[15:42] you really need to understand how they're using data and figure out what's the best way to be able to do it. Right. So one is, here's the regulation, here are the principles, here's the guidance.
[15:55] But I think like for example, and I want your thoughts.
[15:59] For example, you can't march into an organization and be like, oh, I'm in charge and you're going to change everything about your business process because of data protection. But I want your thoughts.
[16:10] How do you strike that balance between them understanding what the laws, the regulation, the guidance is,
[16:18] and try to do it in a pragmatic way where it's not what you really want people is to, to be able to comply right.
[16:29] With whatever it is you're doing, but without being religious or preachy about it.
[16:37] Matthew Kay: So I kind of think of my approach as a bit like a batter approaching the crease in, in a cricket match. So I think when you see cricketers first approach the crease,
[16:53] certainly say in a test match where it's more conservative over a number of days, that they're very conservative in their approach to start with, they focus on bedding in not getting out.
[17:04] And then I guess as they become more established, they start increasing their shots in, in terms of their risk.
[17:12] And I think it's very similar in terms of how I would go into an organization.
[17:19] So I'm not afraid to kind of challenge or point out failings in a constructive way and show how improvements can be made. But I think timing is key.
[17:30] So I guess if I'm brought into an organization,
[17:33] you've gone through a process in meeting key stakeholders within the business, so you've got their validation through,
[17:40] you know, that sort of interview process if you like. But other than what they've seen in that sort of snapshot of interactions and what's on your CV and experience, they don't really know much about you as a person.
[17:54] So I think that early sort of tenure in, in your organization is really key in terms of building relationships,
[18:05] increasing trust and demonstrating your credentials to get the level of credibility you need to implement and drive change.
[18:16] So I think the early part is usually about meeting key people within the business,
[18:24] understanding the concerns they have,
[18:26] understanding the key gaps.
[18:28] And then I guess I typically look to sort of analyze that against my own frameworks that I've sort of developed over my career. And then I guess you've got the kind of external reference point in the UK now with the ICO's accountability framework and mapping out a clear vision in terms of where the organization is and where you want to take them to.
[18:52] I often observed that when I was sort of working at the ICO, you would go in and you'd audit the organizations, but the actual internal audit function could be a key reference point as well in terms of they may have already identified issues, they may want you to spot them.
[19:10] And I think again,
[19:12] I've seen that in organizations I've worked for, I've tried to view internal audit as the friend rather than the enemy. Yes, they will identify gaps that will hold you to account in terms of what you need to deliver.
[19:24] And ultimately that will often go to the audit and risk committee if you've not hit those obligations. But if you're given that as a reference point and a map as to what you want to deliver and you work with them in a collaborative sense, so the action is reasonable and fair,
[19:40] you can use that as a real lever to drive change within your organization. So I think a lot of it goes back to what I was saying earlier being clear, being concise,
[19:50] and really ensuring the audience you're speaking to, whatever level in the organization you are ensuring they understand your strategy and approach.
[20:02] Debbie Reynolds: Very good. Well, what's happening in the world today that's concerning you as it relates to data protection or technology or regulation? What's happening?
[20:17] Matthew Kay: So I think sort of not giving any secrets away when we've probably seen a very sort of volatile space for a number of years in terms of the geopolitics and I think that has spun up a range of risk.
[20:31] I often hear people reference now that the modern day war would be fought through sort of computer systems and tech rather than visible military attacks. And I think you've seen that at a localized level in terms of disruption to big organizations through cyber attacks that they've devised.
[20:53] And I think at a more localized level, I think there's been, I guess you're looking right back to sort of the recession for a long time and I guess more recently in terms of we've been seeing in terms of interest rates, increases for people due to sort of inflated cost of living.
[21:13] People have found, I guess certainly since on the back of the pandemic, you know, challenges in terms of job security,
[21:20] being able to meet their bills. And I think unfortunately that can bring a level of disenchantment. So I think you have to be alert not only to the threats on the outside, but also the insider threat as well.
[21:35] You know, making sure your culture is strong in terms of your organization and making sure the appropriate checks are in,
[21:45] are in place. And you touched on it earlier, I think, and I didn't sort of speak to it, but where organizations fall down,
[21:54] I've often seen organizations when say they're getting Supplies through the boss when they are going through sort of an onboarding process. In terms of onboarding, a third party supplier, even individuals, I think the checks are really good.
[22:09] But I think sometimes organizations,
[22:12] you know, they, they miss a beat in terms of their ongoing monitoring and checks. So that is where they can sometimes fall down because both in terms of,
[22:22] I guess, management of people and management of tech, if you don't keep on top of it, then things start to slip through the gaps.
[22:29] So I think that is kind of,
[22:33] I guess a key challenge for sort of data privacy professionals and,
[22:38] and infosec professionals as well is keeping at the front of the pack in terms of what's going on, you know, making sure your horizons, kind of making sure you're alert to the risk and making sure you build in the right, the right mitigations.
[22:52] Debbie Reynolds: I think,
[22:53] I feel that organizations are very good at intaking information,
[22:58] but I think that life cycle of data is where they have a challenge.
[23:05] So whether,
[23:07] you know, like I say, a lot of times data and data systems,
[23:11] sometimes organizations lose control of that data and where it goes and who's responsible. Especially like for example, the organization,
[23:20] maybe they don't have a data privacy or data protection officer or maybe some, some of those roles or some of those responsibilities within organizations may be naturally split up right,
[23:34] between different people and different stakeholders.
[23:37] And you have to make sure,
[23:38] let's say for instance,
[23:40] there are certain tasks that a certain person is supposed to do. Like if that person leaves the organization,
[23:46] does that task get transferred to the other person?
[23:49] Or what is your end of life strategy for data? But I want your thoughts.
[23:54] Matthew Kay: Yeah, I think sort of handover and continuity is key and I think you can do that localized level in terms of your own function you oversee. I mean, I think right back to when I worked for the London Borough,
[24:14] my number two at the time, I kind of trained them up so they were in a position to take over from me. When I left, I left the organization.
[24:22] So I take sort of succession planning,
[24:25] development of individuals seriously and then in terms of management of information and a data life cycle,
[24:35] try and map it out in a dotted journey to organizations in terms of once the information has been obtained, how long do you need it for, what are you using it for, how do you ensure individuals are aware of that and then I guess ultimately at the end of the cycle,
[24:52] once there's no longer use, ensuring you're keeping up on your retention policies and making sure information is deleted in a timely fashion. And I think that's a real challenge for Organizations that perhaps are not always on top of that as they should be,
[25:12] particularly when data might not be in a sort of structured or managed fashion.
[25:20] And I think how you sort of govern that as an organization is key because I think ultimately if you have an incident and a breach and you lose information you shouldn't have had because you've overlapped your retention schedule,
[25:39] then you place yourself in an aggravated position of risk when a regulator's looking at it because they're going to take a dim view of your overall processes. So,
[25:50] yeah,
[25:51] I think that is a real cornerstone in terms of how to effectively govern and manage an organization. And I've seen that when I was sort of at the ICO,
[26:02] you'd see organizations that have pockets of good practice, but they'd often struggle with that oversight piece in terms of making sure the same levels were applied across the organization.
[26:15] Consistency wasn't always as key as it should be.
[26:19] Debbie Reynolds: I agree with that. And I think that especially around data retention or data deletion,
[26:28] I think organizations have traditionally kept as much data as possible.
[26:35] And so when we come in and we say, well,
[26:38] data that's personal data can't have, can't stay around forever, especially we don't have a good reason. And so I think a lot of it is really questioning the organization about what they're doing with data and why they need it.
[26:53] And I think also,
[26:56] you know, going back to the data retention point,
[27:00] and I've had this, this conversation a lot with clients as well,
[27:05] because a lot of times when they think about data retention, they think about this is how long we need to keep X data,
[27:12] where we're saying, you know,
[27:14] based on your purpose, not necessarily, you know, a,
[27:17] not necessarily saying, you know, delete data after three years or five years or seven years,
[27:22] we're saying once your purpose has expired for that data,
[27:27] you need to, it needs to transition to another phase. Right. And so that's, I feel like that's like a huge challenge for organizations because they really never thought of data in that way.
[27:38] Thought. And what's your thoughts?
[27:40] Matthew Kay: Yeah, I mean, it's, I think that's a really good way to look at it, of encouraging that sort of active and conscious thought in terms of the ongoing management of information, rather than letting it turn into a big exercise, which can often seem insurmountable.
[27:59] I mean, I think of it often we will look at sort of big corporate organizations and we think they're very distinct and separate from, from day to day life, but I think the same principles apply
[28:14] at sort of a localized level as they do in big organizations. I mean it's a bit like with your. How if you don't keep, say if you've got a bookcase and you don't keep it in order and then you just keep adding books to it, eventually the book you may want a key time,
[28:33] you can't find it. Whereas if you keep on top of that bookcase and it's well ordered,
[28:40] then you can go to it straight away. And I think it's the same for organizations often particularly I think in modern day we're seeing a lot of startups sort of spin up,
[28:50] grow very quickly beyond what they may expect or anticipate.
[28:55] And I guess you see a very frontier approach in terms of growing the business at all cost. And I guess if you don't build in those sort of privacy by design cornerstones at the outset, it's very, very hard to then get on top of it once the organization is layered and complex as an entity.
[29:14] Debbie Reynolds: That was a good transition.
[29:16] So let's talk about a frontier approach. I like that term. So as you see, so many organizations are either actively implementing artificial intelligence or a lot of the tools that they're using have embedded that technology in.
[29:34] And I think it creates more challenge for organizations around transparency and control of their data and understanding like the flows of that data. But what challenges have you seen with organizations as they're thinking about what's the best way to approach artificial intelligence, especially as it relates to,
[29:55] you know,
[29:56] depending on how they're using it, maybe creating more risk for them.
[30:03] Matthew Kay: It's a nice segue like you said. And I'm glad you've touched on the topic of AI because I meant to reference it earlier as a topic is very much like an emerging threat whilst also seen as a big opportunity for organizations and I think it undoubtedly presents an opportunity for information to be digested and,
[30:27] and processed in a more efficient way, presents scope and opportunity for automation and that obviously appeals massively to organizations because it will present opportunities to drive down cost and drive efficiencies.
[30:44] Think on the flip side like you said, how that is then governed in a privacy sense in terms of how so the data is sort of monitored,
[30:55] captured,
[30:56] used,
[30:57] analyzed, etc, it makes it a lot more challenging. It's something that's loosely been talked about I think for a number of years, decades, but obviously you've seen real prominence in recent time in terms of how it can be used and the evolvement of offerings of different tools for organizations.
[31:21] And I guess because it's been such a new and fast evolving threat. I think it's naturally found its way into the lap of privacy professionals without, I guess, that direct identification, because it obviously probably closely aligns to that area and presents privacy style conundrums for professionals to solve.
[31:45] So it's a completely new element that needs to be sort of understood, governed where appropriate,
[31:51] aligned to the legislation that's in place.
[31:54] And I think how that is done is probably similar to what I've talked about in terms of other principles of sort of effective management, in terms of ongoing governance, scrutiny,
[32:08] monitoring,
[32:09] you know, if you're going to have certain use cases, how have they been reviewed? How have they been assessed?
[32:16] How's the information been scrutinized in terms of what's being done with it?
[32:20] How transparent are we being to the customers in respect to the usage of that information?
[32:26] I guess the real challenge is because it pulls on that key sort of motivational lever for organizations of dragging down costs and creating efficiencies.
[32:38] The rate organizations potentially want to move in that space compared to what privacy professionals can grapple with, I think is quite a challenge in terms of you often work with very creative entrepreneurial people who will see real opportunity and usage of those tools,
[32:59] and it's about making sure their work is not disrupted in terms of they can meet their objectives,
[33:05] but also ensuring that your organizations are adequately protected.
[33:10] Debbie Reynolds: And I also think that artificial intelligence brings in that harm element.
[33:16] So thinking about that is another reason why organizations really need to think early around data protection, because that can help to mitigate some of those downstream harms or downstream risk.
[33:32] And so for me, I'm very concerned that a lot of people, they try to adopt certain technologies, AI included, where they're like, let's just, let's be creative and let's do all these things and then if bad things happen, then we'll deal with it later.
[33:48] And so I think artificial intelligence is a different animal.
[33:52] And trying to treat it that way, I don't think it'll be successful, especially from a human element, because we let it get too out of control.
[34:02] There will be harms that cannot be mitigated or harms that for which there will be no adequate redress for them. But I want your thoughts.
[34:17] Matthew Kay: Yeah, I think like you say, because it's fast sort of evolving how you sort of pivot and address the issues, the organizations won't stay.
[34:30] There might always be the answer. There might need to be a level of testing or marking out blueprint and then making changes on an ongoing basis.
[34:43] And I don't Always think necessarily there's a problem with that. If it's in sort of a safe space,
[34:48] I think you see regulatory encouragement in respect to that. If it's done in kind of a sandbox setting,
[34:56] it can be okay if it's tested for sort of a small group of individuals. If it's done through test or dummy data,
[35:04] I think you have to allow organizations enough slack to be able to sort of thrive, but be able to rein them in. Because if you don't, like I've sort of suggested and touched on earlier,
[35:19] you can find individuals will start to circumvent the process.
[35:22] What you don't want is a lack of engagement with the privacy function because it's not seen as a pragmatic enabler for the business. Whereas if you get your message across in the right way and you focus on the key risk,
[35:38] I find the business can start to be a force for good. Like you can see people's mindsets change in terms of where they may not have been immediately alert to the potential risks.
[35:50] If they go on a journey with you through a project, through implementation of,
[35:56] of a software or onboarding of a supplier,
[35:59] you can find that when you next come to work on a project with them, they, they will act as an advocate for good because they've seen how you effectively engage with them.
[36:08] They've got a really good understanding with the risk. And you find quickly you have individuals then almost acting as, as an advocate on behalf of the privacy community within your organization.
[36:20] So it builds, it builds your impact and emphasis in terms of what you try to do.
[36:25] Debbie Reynolds: I think that's always an earmark of success for a data protection person.
[36:32] If you have people who really decide voluntarily that they want to champion what you're doing,
[36:40] to me, that's the best that you can ask for because those people will be advocates and they'll help you throughout that journey and that process.
[36:50] But Matthew, if it were the world according to you and we did everything you said, what would be your wish for data privacy, data protection,
[36:59] anywhere in the world, whether that be regulation, human behavior or technology?
[37:05] I think.
[37:08] Matthew Kay: Culture is key.
[37:10] So I think where organizations have a really strong culture in terms of wanting to do the right thing or even like we were talking about in respect to the last question you posed, if you've managed to change an organization's mindset to take an approach to people's information seriously,
[37:35] you've done a good job.
[37:36] I think you have to be respectful to the fact. You're going to get constructive challenge, you're going to get pushback.
[37:45] But I think at least if people afford your function the level of respect that it deserves,
[37:52] then you're operating in a place you want to be in. And I think equally,
[38:00] if you're not guessing that, then you should probably be asking yourself, is it the right organization for you? If you are a privacy professional, do you want to work for an organization that doesn't take privacy seriously,
[38:16] particularly if you're failing to embed the change you want? I mean, I'm lucky and fortunate in terms of I feel all the organizations I've worked for managed to effectively influence change, even if more organizations have been more learned, receptive than others.
[38:36] And I enjoy and thrive on that challenge. But I think equally, you know,
[38:41] you read in the papers about certain unethical practices in organizations, and I think those are the ones to sort of watch out for and eradicate. And I think that's often what the regulators will focus on.
[38:53] I think if again, not just being collaborative in your own organization,
[38:57] if you've worked with other privacy communities, both informal and formal, in respect to the regulator, they're not always well respected and. Well, Tom.
[39:06] Debbie Reynolds: Yeah, I love your thought about that and your approach there. I think it makes perfect sense.
[39:12] And I've heard people say that you feel like the culture and culture is very important, right? So I think having the right mindset of right culture and making sure that the organization is a fit for you, that's.
[39:28] That's something comfortable for you is very important.
[39:30] I think that's something a lot of people don't talk about, but I think it's a very important thing in terms of culture and fit and making sure that organizations know that this is a journey.
[39:41] It's not like a sprint, right, where some people feel like, oh, I'm in compliance. Like, they feel like it's almost like at a finish line and they don't have to do anything.
[39:51] But it's a continual.
[39:53] It's on a continuum. And you want to make sure that maturity is always something that organizations are marching toward and making sure that you're aligned with what that organization's ethos is and what they feel is important, and it aligns with your values and your culture.
[40:12] Very good.
[40:14] Matthew Kay: And I think you touched on it earlier in terms of what you were saying about how you get marketing and buy in. I think it's positive to kind of set your stall out.
[40:24] But if an organization's being operating,
[40:30] should say in a particular way,
[40:34] you have to be realistic that you're not necessarily going to change their way of working overnight. Like you say,
[40:42] it's organic, it takes time, and it takes sort of effective management and communication.
[40:48] And I think that's not necessarily a bad thing because a lot of the time, organizations will have good hearts. They just need to be shown the right way and be alert to the risks.
[40:59] And once they're shown a clear direction,
[41:03] then they will hopefully follow that blueprint.
[41:06] Debbie Reynolds: Very good. Well,
[41:08] thank you so much for being here today. I really enjoyed your insights because I think, and I love, I think the word pragmatism comes up for me, and that's something that's a message that a lot of us really need to hear, especially from someone who's had experience at a regulator and also in private organizations.
[41:30] So. Very good, very good. Well, thank you so much, Matthew. I really appreciate you being here today.
[41:35] Matthew Kay: Well, thank you. Thank you for having me. I've enjoyed the opportunity to speak on your podcast. I saw recently. I think you'd hit 250 episodes. So congratulations on that. It's great to be part of the next next challenge.
[41:49] Debbie Reynolds: Thank you. Thank you. Thank you so much. Yeah, this is a labor of love, for sure. And I just love to talk with people like you because you bring so much richness to the profession.
[42:02] And for people all over the world,
[42:04] they love to hear these insights because I think even regardless of the jurisdiction that you're in and what particular laws or regulations are in that jurisdiction, I think we're all grappling with the same issues.
[42:17] And I.
[42:20] Look, it's funny because a lot of people in the US, we don't have the same frameworks and regulations as you do, but we look very closely at the ICO.
[42:31] I love the fact that ICO has a lot of plain language guidance, which I feel like some organizations, they really need to align with. And so we look very closely at what's happening in Europe and the UK with these,
[42:47] with data protection, because it's very instructive for all of us. So thank you for your work with ICO and thank you for being able to share your thoughts with us today.
[42:58] Matthew Kay: Thank you. I think it's,
[42:59] you know, a great opportunity to sort of share best practice. And I think it's, you know, it's understated in its value in terms of, you know, we have our day job and subjects, so your bandwidth can be challenging in terms of what you can do.
[43:16] But I always try and give a level of commitment, sort of external engagements, because I think it's. It's an opportunity to sort of collaborate,
[43:23] learn, and sort of build and you strengthen your networks and help, like you say,
[43:28] influence the sort of community and industry and positively.
[43:32] Debbie Reynolds: Yeah, well, you're doing that. Absolutely. Absolutely. Well, thank you so much. And hopefully we'll be able to find ways we can collaborate together in the future. Yeah.
[43:43] Matthew Kay: Sounds good.
[43:44] Debbie Reynolds: All right. Thank you.
[43:45] Matthew Kay: Have a great day.
[43:46] Debbie Reynolds: Okay. You too.