Today on The GDPR Series podcast, we talk generally about life as a DPO and a few of the challenges that can arise, particularly independence and having to give the medicine when it’s needed! Our guest today values relationships and lives his motto – your partner for compliance. Need a DPO or thinking about becoming one? Listen to find out more.
Our guest today is Stuart Anderson the multifaceted and talented man behind XpertDPO! Stuart shares some real life experience around getting to know clients intimately, giving difficult advice and dealing with data subjects exercising rights. We discuss how an expert can save you time and money especially when dealing with subject access requests. Stuart has been instrumental in putting together and delivering Ireland’s first QQI accredited data protection course. We take on board his advice to keep the training budget in as a line item – upskilling and keeping current is so important! Stuart’s services cover data protection (GDPR) and cyber security and he offers practical, tailor-made solutions for your organisation.
If you need a DPO, EU Rep or some consulting or an audit done, give Stuart a call or drop him an email!
Philipa Farley: Hi, and welcome to our podcast called the GDPR Series, where we discuss data protection, privacy and cyber security matters that ordinary people in everyday businesses face. We have a series of really interesting and lovely guests, and we hope you enjoy listening. Thank you so much Stuart Anderson, from XpertDPO, for joining us today for a small chat on GDPR and data protection.
Stuart Anderson: Super, it’s great to be here.
Philipa Farley: I know, it’s fantastic! We met on LinkedIn, and for those of you who don’t know us, we, it’s kind of like, I suppose, we are an unofficial support group, professionally and personally, because this work is not easy. You know, it’s kind of what I was saying yesterday on Twitter, we absorb a lot of what humanity has to offer, and some days can get quite difficult. So, it’s great to have friends in this space. And, I really do consider you to be a good friend at this stage. So, thank you. Yeah, thanks for the chats and the time. Okay, so we have got your website open here, and you go under XpertDPO.com: your data protection partner. You do consultancy and outsourced DPO services. But I do know that you are in-house, in some places, we won’t sort of talk about clients on this chat. We have said to just keep it general. But yeah, do you want to give a brief introduction?
Stuart Anderson: Yeah. So yeah, I’m Stuart. It’s great to be here. And before we get into that, I mean, I think it’s really important the point that you just made, you know, that there’s a few of us that talk in the group chat on LinkedIn. And I think that’s really important because, you know, we’ll go into a little bit about what we do on the outsourced stuff, but I’m in the peculiar position that I do work in-house for some clients, a number of days per month and we also do outsourced things. So, we see both sides of that and really, at this stage, my opinion is that, whether you work internally inside a client or externally, it can be pretty lonely sometimes. And, you know, we don’t always deal with the nice, you know, rose-tinted view of the world. Sometimes, we have to make decisions that aren’t easy. Sometimes, we have to give advice that we know the client isn’t going to like, but we have to do that anyway. We, you know, a big part of being a DPO is always independence, whether internal or external. And, we have to, you know, we have to give them medicine sometimes, that is better to swallow. And, that’s just part of the job, but that doesn’t make it easy. And it’s tough. And it’s really, you know, it’s really great to have that kind of virtual shoulder to cry on, or to moan, or to vent, and it’s all done in a very, you know, we’re all very professional about it. And all that kind of thing. But you know, and again, that using the sounding board because, you know, if you’re in the middle of a situation, and you know that the answer is x. And, you’ve arrived at the answer by using your experience and your knowledge and logic. If you’re in thick of it, you can’t see the wood for the trees and sometimes it’s, you know, “I think it’s that, what do you guys think?” And, to have that is worth its weight in gold. It really is. So yeah, I do consider you a great friend, you know, on a personal and professional level, and it’s just great to have that. But, about us. Yeah. So, I run a digital Data Protection consultancy, I won’t say GDPR consultancy because we’re, we’re past that now. Data Protection existed before GDPR. You know, a lot of the things that people think are new in the GDPR, were already there. What GDPR has done is put it on the radar, it’s the sexy new thing. There is big growth in terms of people requiring Data Protection Officers, which is great. So we do the consultancy bit. We do a lot of gap analyses. We do a lot of internal audits. We do those on behalf of our clients. Our consultants also do some white labeled consultancy for bigger management consultancy firms. And a big and a very much growing part of our business, is the outsourced DPO service that we have. So, that’s how we act. Either one of our guys, or me, will sit at a client number of days per month and work with them in terms of managing their compliance programmes. And listening to any incidents that might happen, you know, on a reactionary basis.
Philipa Farley: Yeah. So can I ask you a question here, because I had to do this calculation, like my work could be sort of slightly different to yours. The opposite cliff face as such, you know, doing the actual compliance work more than the management, some advisory. I suppose we cross over there. But, when I go in, people kind of go, “Oh, why should? Why should we pay for this? Why should we do it?” You know, those are the regular questions that come up, and I come from a background in IT management for some part, I’ve got very used to doing cost calculations for people. Like, rather, pay for that service or provide this too, because this is how much time it’s going to save for your employees. You know, and this is actually the cost saving or the profitability in it for you, if you do it this way. So, that’s kind of how we approach GDPR data protection services too. I have my own personal little calculation that I’ve done on time. And, this question to you specifically relates to your services and time, because we know, like not every organisation actually has to appoint a DPO, however, if you don’t appoint a DPO, that work gets farmed out either to one person, or many. And, often there’s confusion, you know as to what’s going on and who should be doing what. So, very, very briefly, have you ever done a time calculation for an organisation where you’ve worked out how much extra time regular employees spend on data protection compliance, vs. you coming in and doing it for them?
Stuart Anderson: Yeah. So in terms of that, we haven’t done any sort of dedicated calculations. But, what we do have is real world experience. Yeah. So, for example, I came across an organisation before Christmas. They’re not a client, but they had to deal with a subject access request. They were a small business, and the cost of dealing with that to them was in and around 10,000 Euros.
Philipa Farley: Yeah. Yeah.
Stuart Anderson: A sizable value, I don’t know how many days but we have, for a client dealt with a particularly contentious subject access request.
Philipa Farley: Yes, yes.
Stuart Anderson: We made certain suggestions to the client, and the client decided to deal with the subject access request. There was a lot of data, there were a lot of redactions. Our estimate is that it cost them, because they had external legal counsel, it cost them in the region of 30 to 40,000 Euros. In terms of redactions, we stopped counting at 100 man hours. So, if you translate that 100 man hours of redaction, there are 8 hours in a day. So, if you’d given this role to somebody internal – and that’s okay! What I would say to people that want to appoint somebody internally is make sure there is sufficient budget to get them some decent training.
Philipa Farley: That’s exactly what I was going to say.
Stuart Anderson: By decent training, I mean, you know, not one of these 5 days, 40 multiple choice answers at the end of it, courses. You need something where you’re going to be challenged. Something like you’re given a task to do, a DPA, for example, and case studies from across the world, because when you are thrown in at the deep end, you just need that really good grounding, where 40 multiple choice questions and, you know, maybe a 35% pass rate is not going to stand you in good stead. So, if you’re being offered to transition into a role or do it part-time, make sure that your employer is gonna put a budget in place for you to go and get some real, really good, training.
Philipa Farley: Yeah, and you know what, Stuart, I’ll back that up as well because, and just so that anybody listening knows, we did not script this or discuss really anything beforehand. I’ll totally back that up, because practically every single client I’ve had where I’ve gone in and there’s been a reactionary situation where we’ve had to get compliance documentation, you know, up to scratch or work on supply chain relationships. Usually, there and, it’s usually a lady, a woman in the position; the stats are kind of skewed in my experience. You know, maybe they just come to a woman for help because they feel more comfortable. I don’t know. You know, stats are fascinating, but anyway, usually it’s a woman, and usually she hasn’t had the kind of training you’re talking about. And, one of the recommendations I would make high upon the list for each of these clients is budget for training, exactly what you’re saying, the exact type of training, you’re saying there. Please send one if not two people on that training, so they have support for each other. And, you have the peace of mind knowing that they’ve got that challenging experience, as you say. And, honestly, the only two courses that I’ve come across that have that depth of experience would be the UCD course. I don’t know exactly which one it is Dennis Kelleher, I’ve worked with the company assistant who has gone through that, yeah. And then, the Maastricht European DPO certification course they have that kind of experience. And those would be the two that I would say to people to have a look at. You know, I don’t know if you’ve got any to add to the list there.
Stuart Anderson: Yeah, I mean, I don’t have any in particular, in terms of, you know, we as you know, Philipa, we worked on Ireland’s QQI course, which I’m going to be delivering, you know. It goes into a lot of detail and there’s going to be a lot of work for those guys to do over the five weeks. But again, you know, in terms of,you know, established courses, the UCD courses, the one I did with Dennis Kelleher, and it was absolutely fantastic. I hadn’t done any real kind of formal education since leaving University, you know, decades ago. And it was, it was a bit of a culture shock, but I, I absolutely loved it. And Dennis is an amazing lecturer to have. It was, it was challenging, you know, you had to think. And, you know, having come from, you know, having done data protection for a while, and coming into that there was something that you could take away from each lecture, that makes you think or that, you know, changed your opinion on something. And the Maastricht course is very good as well. Lots of lots of people do that. So, you know, one thing, one point I want to make about the budget is to make sure that it’s there, year on year, because we’re talking recently about the next steps for each of us. Not what I’m going to do, I’m currently finishing up the King’s Law course. And I chose that, because I wanted to do a more law sort of orientated course, for personal reasons. So, I did that and it’s important that you do keep up that knowledge and keep current because, you know, the, the market in my opinion, both for consultancy and software solutions is still very immature. You know, we’re just under two years into the GDPR. Things are settling down, we’re only – I was having a conversation yesterday where the first GDPR case went through the courts in Dublin. So, we’re only now almost two years down the line seeing the litigation. Once those go through a due process, things will get a little bit clearer every time, and the grey areas will be cleared up. You’ve got to keep current, you’ve got to keep your knowledge current, you’ve got to do a lot of reading. Which is good, which is great, you know, but make sure the budget is there year on year to support your professional development.
Philipa Farley: Yes, Stuart. And, I’ll add to that and say like for people looking to budget for the GDPR because that’s another question I get asked quite often: “How do we budget for compliance in this space?” You know, cyber compliance budgets can go through the roof very quickly, when you look at all the cool tools out there that can help you with your cyber security and management in that space. But data protection is a bit different. Because, you know, we could talk about tools for another 10 hours, I’m sure. And that’s not the point of the discussion here. But you’re going to have to budget something for some kind of software management. And what you use depends on your stance, you know, within an organisation tools have different philosophical starting points. Shall we call it that, to be diplomatic about it, but with the budgets. And I’m not saying this because it’s you on the call, you know, I would say to people, also budget for the external assistance when you need it. And if you’re not going to have somebody regularly, like on a retainer, you know, that’s available to your employees to just pick up the phone or email, you know, budget for once a quarter or once every two months, at the beginning to have somebody come in for a couple of hours in the month, to just do the spot checks on you. You know, you have to have that in your budget.
Stuart Anderson: Yeah, we have a number of clients that are really great to work with actually, they don’t need us there every day. They don’t need us every two weeks, because we’ve worked with them to put in what we believe is a robust privacy programme or compliance programme. And they do things properly. They understand a bit, because, especially one of them, the space they work in is, you know, they have to deal with compliance in other areas of their industry. They’re a regulated industry, so they have to be compliant with all the regulations. So yeah, being GDPR compliant was challenging. They were used to having people audit them. They were used to having to comply with regulations, rather than somebody who’s completely unregulated. I embraced it and those clients are great because they get it. They know they have to do it. It’s just a cost of doing business. Whatever. The same as health and safety, where health and safety applies to people as a cost of doing business. Now, way back when, you know, the European Union brought in this concept of health and safety and everybody out to, you know, everything was brought in. People moan about it, in much the same way as people moan about GDPR. And this is why I’m saying that it’s still an immature market because people haven’t grasped the concept yet that it’s just the cost of doing business. And, you know, our clients that we see quarterly have that budget in place, we’re going to and see them once a quarter, we check everything, we check the Article 30 records, we check all documentation, and have any new processing operations…
Philipa Farley: And you check the logs, the incident management logs, the rights requests logs, you know, things like that, that should be kept up to date.
Stuart Anderson: Yeah. Yeah. Yeah. It’s, we’re in maintenance mode with them and it’s great and they have the satisfaction or the security that, if anything out of the ordinary happens, they can pick up the phone and talk to us and we’ll help them out. Yeah,
Philipa Farley: Yeah. If they’re starting a new project, Stuart, or like doing a bit of research into something and they need to DPIA done, you know, I’m just throwing in the things here that we land up doing because you do the same, you know. And people need to know, kind of, what’s going on out there. People are very sort of tied to their chests about data protection compliance, because it is a reputational thing, too. So we’re well aware of that. But this is what people are spending money on, you know, the professional help to come in and do the sessions and to maintain as you say. And, I do like your tagline ‘your data protection partner’, you know, that’s the message that needs to go out there. Personally, I’ll quickly say, before I start asking you the questions here, otherwise, we’re going to have a super long recording and people are going to fall asleep, I think. So don’t think everybody loves compliance as much as we do. My business mentor says I’m very sad. I love compliance. But anyway, he probably ever forgot what he’s going to say about the partner, or whatever. Anyway, yeah. Should I ask you? Should I? Oh, yes, that’s what I was gonna say no, I’m gonna actually say it. When we came to Ireland, because lots of people might not know we only arrived in September 2017. We’d been planning for quite a long time to come here. A lot of my work would have been being a translator between lawyers and high-end IT departments, particularly in the contract space where substance was, you know, on the table like exactly what services were going on, what data flows, etc, etc, security practices. That was the large part of my work before I came here, and then we arrived here and there was a gap in the market, obviously, and there were skills needed. There still are skills needed in this space because it’s quite a complex set of skills that’s needed to do your job. Particularly IT management does help a huge part. You see, our culture in South Africa is very much based, I suppose, the ,like most people wouldn’t know the drill here is based on Ubuntu, you know. Generally like I’m not going to give you the good translation, but generally like in business, it will kind of translate into “your success is my success.” Yeah. You know, where there is healthy competition, definitely. But we understand that, you know, by putting handouts and pulling each other up, we’re only making better everybody else. So when I came across this phrase of fear mongering, and a lot of people would put online: “Oh, you’re just what scaremongering or fear mongering”. It wasn’t a phrase that I was familiar with, and I’ve watched it from a distance for the last two and a half years now. And honestly, like, this is my personal opinion. That phrase has done nothing for the industry here because, what it did was, it psychologically attached to GDPR. So, anytime people look at GDPR, there’s this message that has gone out, it’s very negative of GDPR. There’s fear or scaremongering attached to it. And actually, I’m just gonna put my hands up in the air and walk away because people are just trying to take my money, you know, for nothing. And we have to break down that stereotype that’s being created in an immature market, and it’s quite difficult sometimes getting the message out that you’re getting here that you’re a positive partner. You save people time, you save people money, and actually in a crisis, you’re the lynchpin of the operation a lot of the time, you know, and you’re keeping everybody stable. That is, that is fact and it’s happening time and time again, you know, I’ll say it for you.
Stuart Anderson: Yeah, I mean, we we, the reason that I chose ‘partner’, is because, when I set the business up, we can talk about that was one of the questions that you sent across. And that was one of the responses about how I arrived at setting up XpertDPO. But when I did, I made a conscious decision that, look, we’ve all come across people that give out bad advice, that give out rotten advice. You know, you know, we’ve walked into potential clients, and we’ve said, “Well, you know, where is all your data?” And they say well, “We had a guy three months ago tell us to shred everything and delete it.” And so, we’ve all come across those people and I made a conscious decision that you know, I really love nurturing relationships, whether it be friendships, whether that be business relationships, because the real value for any organisation is having a trusted advisor, the bit, you know that you can pick up the phone at three in the morning.
Philipa Farley: Exactly.
Stuart Anderson: And they’re going to answer that phone, and they’re going to help you. And yeah, we provide service that we get paid for. Okay? That’s the same as any business, but, and again, and it might sound corny to some people, but I started the business to give out the right advice, all of the time to people that we partner with. And let me tell you, Philipa, we’ve actually walked away from business that I have decided that if we did business with this, this client or that client or whatever, it was too much of a risk to our reputation. Yes, our name, it’s my name over the door. I ultimately make the decisions. And, you know, the reason that I’m saying that is but you know, we’re all in business to do business and make money but sometimes, you have to realise that this might not be good business to do and and that’s because it’s too high risk or they just don’t have they don’t have, they just see it as a box ticking exercise to get papered up or whatever you know that it’s because it doesn’t work like that, it’s a living breathing thing. So, we are really enthusiastic about building relationships with people that we can work with so that both sides, so both sides of the deal are successful. And you know, so that’s why that’s primarily why we chose ‘partner’ because I thought well, you know, you don’t want somebody you’re not, you don’t want and you’re not going to get somebody to hire us that comes in and tells you what to do, and then sends you an invoice and then that’s it, and you never see us again. It doesn’t work like that. You’ve got to build a relationship. And again, because if you’re going in and you’ll notice as well doing the consultancy, and whether it’s cyber security, or its GDPR, data protection. You know, you need to know what that business does. You need an intimate knowledge of how they, where they process data, how they, what their businesses, where our clients, from pharma clients, to health providers, to software clients. So there’s a whole range of people and we have to take that time to get an intimate knowledge of what they do and how they do it. So, you can translate that and build a compliance programme around how they do things.
Philipa Farley: Exactly. That’s that way without friction. I mean, there is a bit of friction obviously and that’s, that’s natural, but it should slide into the daily running of things and become natural for them to do. I think we’re very much on the same page there. I’ll just say one quickly before we go to the questions. Like, a huge thing for me, Stuart, was not socialising with clients but realising that going for a cup of coffee, or if somebody said let’s go for lunch, that it is good to say yes, because they’re trusting you so much, with such absolutely confidential documents, and happenings, and data, that they need to get to know you as a person as well. And working in the space, inherently we’re all very private people, with very little of our lives online, you know, so it’s quite difficult for them to get to know us as well. And it’s quite hard for us sometimes to open up and show them the kinds of people we are, so it’s a two way street as well you know, for them to understand that we are actually there for them, we have their best interests at heart and we are available. You know, it’s and that’s where ‘partner’ comes in because it’s a journey and it’s a road we walked down together. So absolutely, no, you’re not going to invest that kind of time into relationships, to dump an invoice on somebody’s desk, and walk away and be done with it. You know, it’s just as simple as that. It’s ongoing. You know, I’ll get calls, like, more than a year, two years later, sometimes put up a piece quickly, we need, you know, we haven’t seen you in a while, can you come in please? You know, and you do you just do because you do have that kind of relationship with somebody. Okay, I’m aware of the fact that it’s half an hour in and you’re very valuable with your time so quickly, quickly, Stuart. I sent some questions over. And the first one is: where did you first come to grips with data protection? We don’t even say that GDPR, but data protection, like where did it first dawn on you that this mattered?
Stuart Anderson: Yeah. So again, it was around just before 2016, and GDPR was coming onto the radar. So, you know, I was working in a software company. I worked at a software company. I was spending all of my time flying between Ireland, all over Ireland, to Cologne, to Milan, and back. And we had a piece of software that became more of a platform on which people could build workflows. And, you know, the GDPR started to come on the radar. So I read about the GDPR. I’d heard about data protection beforehand, and you know, had had some subject access requests to deal with, as part of working with a software company. And we were going to take that piece of software and build something to handle subject access requests. And that’s when I really started reading. I did the, you know, couple of day courses, and the 40 you know, multiple choice answer questions. Yeah. Yeah. And that’s how I really got into it. It was around 2015, we were going to make this great piece of software, that all kind of fell apart. And that’s how I ended up setting up XpertDPO. But I didn’t stop there. I went to do the UCD course with Dennis. And I’m probably going to do the CIPM later this year. That’s still 50/50 but it was around 2015, 16 when we knew GDPR was coming in, we, you know, anybody that was kind of working in a semi techie or a techie business, knew that this was going to be a game changer. You know, everybody was going to have to comply. It wasn’t just legislation, it was a regulation. So it was going to level the playing field. So, you know, considering myself to be you know, big tech savvy and things like that. I knew that this was going to be a big thing.
Philipa Farley: Yeah. Yeah.
Stuart Anderson: And you know, with hindsight, I made the right decision.
Philipa Farley: Absolutely. Like, when people hear what I studied, you know that the 90s and early 2000s they like, how did you know that is going to happen? And I was like, I didn’t, I just loved it. You know, I’m not some kind of, like, whatever. psychic,
Stuart Anderson: I think as well, you know, I’ve always been into tech. Yeah. Part of that, originally as a musician, but I’d always had a computer when I was a kid.
Philipa Farley: Yeah. And it’s actual curiosity that leads you to this space, you know,
Stuart Anderson: And, you know, having become aware of, you know, you see these things called data breaches. Yeah. Then when you, you realise, well, actually, that’s my data. And now my data is on the dark web.
Philipa Farley: Yeah. You know, that’s my next question. What is the impact on you personally, of the GDPR?
Stuart Anderson: Well, I mean, personally, I mean, I’ve had emails that my email address is on, you know, “you’ve been pwned.” So, I’ve had my data stolen, the LinkedIn breach, Yahoo breach, my data was taken in that. I’ve actually been breached on my, we had an unsuccessful phishing attempt on our corporate email, from a legal firm actually. And that was very sophisticated, but we didn’t fall for it, but we get lots of spam. You know, and we just don’t respond to it. So the impact of that, but the impact of GDPR I mean, my wife, my long suffering wife would tell you that I’m
Philipa Farley: Has she given you her consent to discuss this, Stuart?
Stuart Anderson: Well, I haven’t mentioned her name so we’re not processing under consent. I signed a marriage certificate. So I’d say.
Philipa Farley: Yeah.
Philipa Farley: And I don’t want your newsletter either for special offers, five times a day.
Stuart Anderson: I don’t mind sharing my data. I have an iPhone. I have a Facebook account. I have LinkedIn. Yeah, like the majority of people. But I want to know where my data is being shared. So I use a number of burner emails to see who’s, which organisation is selling my data without being…
Philipa Farley: Exactly, yeah. And this is a great tip for people to hear. So if you want to just quickly explain what a burner email is, and how you use that practice because I would know a couple of other privacy and data protection professionals and I see privacy because privacy advocates that we do this specifically that the people don’t know what you’re talking about.
Stuart Anderson: So I have a number of email accounts that you can use, I personally use protonmail. You can get a free protonmail, encrypted email account. Yes, I have a number of those that I don’t use for anything else. So for example, if I go into a retailer, and I decide that I’m going to get my receipt, emailed to me, I will use one of those burner emails. And I only use a particular burner email for a particular retailer, or group of retailers or for Facebook or for Twitter or ever. And if I start getting spam, into that particular email account or unsolicited emails from people that I’ve never done any business with, then I have a pretty good idea of who is selling my data and to whom they are selling it.
Philipa Farley: Exactly, exactly. So that’s it, that’s a fantastic tip to take out for people to use is to tie, tie your service providers back to that email address to hold them accountable. And this kind of goes to a point that came up in the AIB Network Ireland panel discussion. Last week, there in Dublin, Stuart, where the representative said that it’s really a war between good and evil. You know, that’s how they’ve kind of tried to sort of humanise the cyber security practices. When they explain to people you’ve got to understand it like that. And, and at some point, we have to start fighting back with the small things that we can do, to look after our identities. You know, we don’t have to accept the fact that we’re being profiled, and these things are happening online and there’s nothing we can do. We have to fight back.
Stuart Anderson: Absolutely. And it’s astonishing. The amount of data that we process on a daily basis is astonishing. And lots of people are just unaware of that. And that’s not to be, that’s not to denigrate them or anything like that. It’s because the people are unaware. And it’s, it’s great. I can use a free Gmail account, and that’s great. But have you read the Terms and Conditions?
Philipa Farley: What further is happening?
Stuart Anderson: It’s free. You have to understand that it is free for a reason. And the reason is that you are the product, they’re going to take your data and they’re going to slice it and dice it and share it with people and do whatever the hell they want with it.
Philipa Farley: And influence you, turn you into the perfect consumer for their purposes. Turn you into the perfect citizen for their purposes. And it goes very deep because our children, if you don’t have children, the next generation, is growing up in this world that is completely controlled through information that’s going directly into their minds. Yeah, no filter. Yeah.
Stuart Anderson: You know, it’s, it’s, you know, I’m not a conspiracy theorist, but I see people on social media advocating for a fully digital economy. Yeah. And that’s great. But I know people in Milan who do not have a bank account.
Philipa Farley: Yeah, I know.
Stuart Anderson: It is like forcing people into our predetermined pattern of behaviour. The other side of that is that you know, if I have to use a card and have electronic transactions, my bank has a very intimate knowledge of what where I’m spending what I’m spending it on. So if I decide you know if I’m if I’m in the takeaway every evening using my…
Philipa Farley: Your health insurance is going to phone you up and tell you to go to the gym!
Stuart Anderson: Well, and then I’m gonna get a ton of spam saying ‘go to the gym’ and the next time I come to get some health insurance I’m not going to be able to get it because I don’t exercise and I don’t diet. So that’s one of my concerns around this probably political economy and, again, the example I use is I think a while back in London before Christmas, the card machines went down and nobody could use their Oyster cards. So they had to use this thing called cash.
Philipa Farley: It must have been a nightmare in London, must have been a nightmare. Oh, God, no. Yeah. Yeah. Okay, so, let’s see the next question: where have you seen opportunities for your own business in the context of GDPR? We spoke quite a lot about your ‘partner’ there.
Stuart Anderson: So, yeah. I mean, I set up XpertDPO in June 2018. So we would be just after GDPR. But as luck would have it, I finished work with the software company on the 23rd of May 2018. And I was kind of kicking around the house thinking: “What do I do? At this time, our second baby was due. And I actually set up the company on the Xero website, whilst I was sat in Hollis street, and my long suffering wife was in labour. So yeah. I wanted to run a business. I knew I was good enough. I knew that I knew my stuff. I knew that I wanted the principles of the business to be founded on reputation, and being good at what we do, and being reliable and knowing our stuff. And, you know, I met with a couple of people that I used to work with, I have a mentor who is absolutely fantastic. I, you know, if I paid him all the money in the world, it still wouldn’t be enough because he’s just, he’s been brilliant. I have to say, and, and, you know, so GDPR is, as I said earlier, is on the radar now. But, by the time I was up and running, we kind of lost all of the guys that were in it to make a quick buck.
Philipa Farley: Yes, yeah.
Stuart Anderson: And to kind of half ruin organisations. So it really is on the map. I think it was a LinkedIn survey last week. And the Data Protection Officer is the second biggest growth last year.
Philipa Farley: So yeah, I think like, if I can say, that the opportunity for your business in Ireland particularly, and you’ve said this point several times over and it’s a very salient point for people to take home, is that you don’t need you all the time, every day, hour by hour. So a lot of businesses in Ireland particularly don’t need somebody full time. They don’t. It’s an unnecessary expense. And I would say this over and over again to people. Yes, you do need to do it, you need that voice of reason. You need the voice of impartiality. You need to take your medicine as you said, absolutely you do, but you don’t need it every day. So I would see that as a huge opportunity for you in Ireland.
Stuart Anderson: And what we’re saying, and that is the opportunity because what we are seeing, I mean, obviously I keep an eye on the employment market. We saw salaries at the 100,000 plus scale around the time of the GDPR, two years ago, because everybody was panicking. And they’ve realised now that…
Philipa Farley: You’re lucky if you can get 40 now.
Stuart Anderson: Yeah. So, you know, between 40 and 60, I think it is the going rate now. But, people who appointed staff now have this expensive asset, sitting there, doing data protection stuff, one, maybe two, days a week. So they’re not fully utilised. So that’s where the opportunity is for us.
Philipa Farley: Well, some are. Some are overworked.
Stuart Anderson: Yeah, it’s a lot less than employing somebody full time. You don’t have the overheads of, you know, all the HR related costs.
Philipa Farley: Absolutely.
Stuart Anderson: And it’s a formalised arrangement. You know, there are contracts in place. Yes, both parties know from the outset what is expected of them, what is included and what is not included. So it’s a formal arrangement, but they don’t have to take on an extra member of staff. And that allows them to concentrate on what is important to them, like growing their business.
Philipa Farley: Exactly their business, it takes the stress away, saves them time and saves them money. Absolutely. I’ll tell you what my calculation was on time, Stuart, we worked it out on a case study and interesting one, where employees in 2018 2019, were spending 20 to 30% of their day, trying to get to grips with data protection in their space, doing it the right way, do like filling in forms the right way. Re-sorting data, archiving, you know, minimising data mostly took up the time, but 20 to 30% of their day was taken up on data protection related things that they were doing and that’s the last thing: productivity. So, really like having somebody like you around, I deeply believe, really can only benefit an organisation, really, because people would have to do that in their jobs every day, but they would find the most streamlined, efficient way of doing it from you and not waste time. It’s as simple as that. Yeah. Yeah. Okay, sorry.
Stuart Anderson: Our service, it depends on what we agree on in terms of engagement. Whether that’s days per week, or days per month, it really does differ from client to client, based on that. If we’re in there one day, per month, for example, the client knows that anytime they can email us or call us and, and that’s, you know, that’s an important part. And again, that brings us back to the ‘partner’ bit, you know, they know they have that security that we’re going to be there for them if something happens.
Philipa Farley: Yeah, absolutely. Okay. So the opportunities for your business are there and we hope people recognise that. That that you’re there too, to be that partner and that assistance. Just, very briefly, because we can’t really speak about clients’ business, obviously, that’s confidential. But just one small point, Stuart. The opportunities for your clients, like just if you have one small story to share, to show people that this isn’t a waste of expense, and it’s not a waste of time. Yeah, how has it benefited one of your clients?
Philipa Farley: Training Records. Yeah.
Stuart Anderson: Yeah. We got a document that was a copy pasted boilerplate policy. The thing that set alarm bells off for us was it was very good. It had document version control. It was all this kind of stuff. And we looked at it, I was reading it over the weekend. And it said, you know, the author of this document is our Data Protection Officer. And we got further down the document and it said, you know, x organization has analysed deeply the requirements for the GDPR and we have come to the conclusion that we don’t need a Data Protection Officer, so I’m like “Er, who wrote this?” And so we put some of the text in that through a search engine and got about 2000 hits from people using the exact same policy. None of the other policies came forward. So we, you know, had to go back to the client, because the very sensitive nature of the work that they did was with a key supplier. So, you know, they had to have a conversation with that, that we ended up getting a little bit of work out of it as well, which was great, so positive for us. And look, it’s not just about finding problems with people, you know, we never use this as a finger pointing exercise, but we do say, look, you have an issue with one of your suppliers. Generally, it comes around DPAs and the data processing agreements, and, you know, again, being the outsourced person, we can be the piggy in the middle.
Philipa Farley: Yeah, exactly.
Stuart Anderson: We can do the good cop, bad cop. But, you know, that was a risk. That was a huge risk for my client. And we were able to highlight that they were able to resolve it really quickly and get it done. And they actually have a better business relationship now, because we got it out in the open, you know, we just got on with it, we fixed it. And that was that. So, it, you know, you don’t always get stories like that, you get people that won’t play ball with you. But luckily, we were able to resolve it and it was grand. But that business now is able to stand over the fact that they’ve done a full audit of their supply chain, and they have a comfortable level of assurance that people, you know, that they deal with doing things properly.
Philipa Farley: Exactly. And money can’t buy that really. You know, knowing that there’s trust relationships in place. Okay, positive story, that was a positive story. So shall we skip that and just ask for it? I will ask you for one piece of advice to potential clients of yours. Yeah, one piece of it. So?
Stuart Anderson: Ask the hard questions when you are choosing your DPO. So, again, if you’re going to appoint from within, give them a budget, support them. Okay? Let them go and do courses, let them go and get qualified. If you’re going to appoint from outside, ask for references, talk to people who they’ve worked with, and ask what the service includes, ask what it doesn’t include. Anything that’s not included, what is it going to cost me if the roof falls in?
Philipa Farley: Exactly.
Stuart Anderson: You know, DPO, the level of expertise is not defined within the GDPR. The same as the definition of personal data is this great paragraph that it doesn’t list out first name, surname, email address, all this kind of stuff. It’s a catch-all, but, you know, the level of expertise must be proportionate to the sensitivity and complexity and the amount of data that an organisation is processing. Yes. You know, you might have an organisation that processes a million email addresses, but you might have an organisation that processes 50,000 health records.
Philipa Farley: Exactly.
Stuart Anderson: You have to look at it subjectively, you have to know you know, where is the risk in my daily practice and operations? And rate that risk and you know, so, you know, you’ve got to again, your DPO, ask them, you know: Where is their expertise? Do they know about European laws? Do they know about local laws? derogations? Do they understand the GDPR? When I say understand, have they done this role with anyone else? Or have they? Yes. Yeah. So ask, ask questions, probe the unknown. And, look, if they push back, then that tells you everything you need to know. If they’re open with you, and now and they’ll talk to you and, you know, honestly, is, is paramount.
Philipa Farley: It’s just a relationship. Yeah, it’s a trust relationship.
Stuart Anderson: And somebody who does things properly and who is a true professional, will not mind you asking those questions.
Philipa Farley: Absolutely. Yeah. Because we expect to be asked those questions, Stuart. We expect to be asked for references, or examples more, you know, crisis situations that we’ve dealt with, we expect to be asked how we integrate into an internal team, you know, how we deal with the board? You know, what is our level of expertise there from the ground, right up to the top and to partners even, you know. So get to know, get to know somebody. And I think that’s the point of this as well because like I say, we’re very private online, you know, you might catch us being, I like to think very witty, but probably terribly annoying on Twitter. You know, and you just see kind of on the face of it. You know, I personally have had people meet me at professional events and say, “Oh, we get a very different picture of you online.” And I never say, “Okay, what picture is that?” Because I’m very sensitive, so I don’t want to know, you know, but I think it’s time to sort of chill out a bit more and help the market mature a bit in their decision making. I think that’s really important.
Stuart Anderson: Yeah. Yeah. So that that will be it, you know, talk to people you know, and I would have no problem. I have many clients that are more than willing to provide references.
Philipa Farley: Yes, absolutely.
Stuart Anderson: Answer the phone to people and do that, and one on one. And, you know, I would even encourage it, you know. If we have a client, I would say, you know, you’re a software company, go and talk to this guy. He was customer number one. He’s a great guy. And, you know, in a general sense in terms of running the business and things, it is very lonely, go out there and expand your network. Because, you know, we still get calls from people that we spoke to, or maybe connected with two years ago, when we set the business up. And they’re only coming around now and talking to us, but that’s great. It’s great.
Philipa Farley: It’s long term, Stuart, like it’s pretty much like farming. You know, you sow the seeds, you know, to them, walk away, watch them grow. You know, some making some downs. This is how we cultivate our relationships. And we hope to, to have, you know, many productive ones in the future. But yeah, like, Is there anything else you want to add to what we said?
Stuart Anderson: No, I mean, just share a positive story. Yeah. Okay. So, this is my positive story. And this is to give hope to people that are only just coming into the industry now, or starting a business in general. So when I set the business up, I got a little bit of support from the local Enterprise Office. Yeah. And I had to go on a “start your own business course”. And I trot along…
Philipa Farley: I did too, they were lovely.
Stuart Anderson: Yeah. And the gentleman that ran that course, asked me what I did. And I said, Look, I’m in data protection. This is what I want to do. And, he said, “Oh, well, I have a trading company and we’re trying to get this data protection course off the ground. You know, is it alright if I contact you in a few months or whatever?” And he did contact me. But we were up and running. I’ve since designed the course content for that and we’re about to start the first one, this Friday. Yeah. So, you know, I started this business, I didn’t know anybody. I didn’t know really, I knew what I wanted to do. I didn’t really know how to do it. And it was just this, kind of the stars, aligned. And, you know, I’ve done more business. I’ve done more work with this crowd. They’ve done a bit of work for me. And it’s those relationships that will count if you nurture them.
Philipa Farley: Yes.
Stuart Anderson: That will, you know, be fruitful. So my little positive thing you know, it’s the first QQI certified one in the country.
Philipa Farley: Yeah.
Stuart Anderson: And, it’s astonishing when I look back, you know, the chance meetings or you just, you feel like you don’t want to go to something but you’re doing it. And you end up meeting somebody where you can connect and things like that. The best of the best relationships, I think, because they’re the most fruitful, I think as well.
Philipa Farley: Absolutely. You’ve got to get out there. You have got to talk and you got to tell people what you do. And, you know, don’t don’t fear criticism or negativity. There are fantastic people working in this industry, and they’re huge supporters. You know, I think there’s a lot of us who want to give back a little bit of what we’ve benefited over time, and we’re happy to put up that hand. Give a piece of advice here and there to two people joining.
Stuart Anderson: Absolutely.
Philipa Farley: We hope you enjoyed that episode of the GDPR series. If you do, please subscribe. Find us on social media. We’d love to have a chat.
Philipa is the lead consultant and auditor at ProPrivacy. With clients as far afield as Canada, South Africa, Kenya, Germany, Spain and other such exotic locations, besides Cork and elsewhere in Ireland, Philipa enjoys a broad view of the state of data protection, privacy and cyber security worldwide. Philipa’s passion is manageable data compliance for SMEs.
Philipa is a qualified teacher besides holding a computer science (Bachelor of Science in Artificial Intelligence Programming) and electronic and intellectual property law (LLB) qualified. She is trained in constitutional (fundamental) rights litigation and enjoys a good debate.
Philipa has over twenty years of experience working in different sized organisations and sectors on operational, governance, risk management and compliance matters. She is an analytical and focused person that enjoys a challenge in the workplace. She loves technology, systems and people and has a passion for showing people how technology can make life easier and better. She understands that the world is driven by data today but privacy is paramount. Responsibly developed AI excites Philipa for the future.