
We all have days where we feel truly overwhelmed with our GDPR compliance obligations.  We’ve said before, eat the elephant one bite at a time, but how do you decide where to start?  Today on The GDPR Series podcast, our focus is an application (and the creator) that guides you through a logical way to manage your GDPR compliance obligations, and yes, it’s mostly about you, smaller businesses.  Listen up for some nuggets that will save you a lot of time and effort, especially when dealing with pressurised and complex data access requests!

Our guest today is Claude Saulnier, the man behind Bizoneo™.  Claude shares his journey into data protection and the creation of Bizoneo, which highlights his unique approach to inventory as the start of risk and data management.  In the context of a client facing malicious emails sent out of their system, we discuss the absolute necessity of ensuring the applications you use provide you with the information you need in the form of logs and audit trails when you’re dealing with such incidents and data breaches, especially when you need to report back to your supervisory authorities.

If you have the pleasure of getting to know Claude, you’ll become well-acquainted with his unquestionable logic, quick wit, incessant appetite for new information and learning, and his interrogation of typical ‘GAFA’ practices, which, of course, we fully support.  We can only admire Claude’s deep ethical and personal sense of responsibility toward data protection (and privacy) issues that we’re faced with today in business and personally.  Claude’s wisdom includes: prevention is better than cure, input the data once and use it many times in different contexts, and consider the actual cost in time, money and efficiency when you’re using your collection of ‘free’ applications.

If your interest is piqued after listening, please contact us at ProPrivacy for a demo of Bizoneo as you can only benefit from the input of Claude’s complex and layered understanding of integrated systems and data management in the context of data protection.

Learn more about Bizoneo Data Protection & Compliance: https://www.bizoneo.eu/

Find Claude on LinkedIn at: https://www.linkedin.com/in/claudesaulnier/

The GDPR Series: Claude Saulnier of Bizoneo

Philipa Farley:  Hi, and welcome to our podcast called the GDPR Series, where we discuss data protection, privacy and cyber security matters that ordinary people in everyday businesses face. We have a series of really interesting and lovely guests, and we hope you enjoy listening.  Hi Claude, thank you for joining us. It’s fantastic to have you on video instead of just the usual voice chats. I’m looking forward to chatting a bit more about GDPR and your experience with the GDPR, data protection, and your business, that services clients who need – how can I say? risk management in their business. And, you know, data management. I’ve got a screen open I’m going to share here. And while I share it, would you like to say Hi, and tell us a bit about yourself?

Claude Saulnier:  Hi, so my name is Claude Saulnier. And I am French, and I live in Ireland. And, I am the founder of Bizoneo. Bizoneo is a platform to assist SMEs and, you know, businesses, organisations in general, to document their processing activity. And that’s something that’s required under the GDPR. But, even if you put the GDPR aside, the tool is there to assist the governance of any business. In order – you mentioned risk in your opening line – and the only way to manage risk is to know what you actually process. If you don’t know the environment in which you’re operating, you can’t actually assess any risk and therefore, you can’t mitigate it.

Philipa Farley:  Yeah, yeah, no, I absolutely agree with that. I’m going to click through here into the features of the Bizoneo data protection and compliance application that you offer. I’ll just leave it open while we’re chatting, Claude, there is a blog there that we can click into. And, on other chats, we’ve opened up people’s social media. I, I sent you a couple of questions over before we started talking. And, we can kind of use them as a guide, but like, feel free to digress, if you want to. The aim of these chats is to really have an open discussion between professionals in the field of data protection, cyber compliance work, but also with regular business owners. So, you know, you kind of wear both hats here as a business owner, who’s aware of their compliance requirements, as well as a service provider in the industry, whom we all respect greatly. And I mean that because, I’ll say it again, I say it over and over again to people, you know, when we are talking about what applications – what management applications – to use in this space that I have yet to see. And I mean absolutely 100%; I’m not paid to say this at all. But, I have yet to see an application that has been designed from the stance of being risk aware in such a comprehensive, but easy to understand and logical way. It’s the logic of your thought that really captured me into, you know, wanting to learn more about how you did this, and wanting to get to know the application more, and I’ve really enjoyed getting to know it. So, yeah, we appreciate that. Thank you.

Claude Saulnier:  Thank you, Philipa. I’m honoured. On behalf of the team, that’s great.

Philipa Farley:  Okay, so my first question to you, Claude, is: Where did you first come to grips with data protection and the GDPR?

Claude Saulnier:  Well, it goes back to a long time ago. So um, I set up the conference on my background, I ran before I suppose, started, once starting Bizoneo, and Wandsoft, and the other parent company, if you want. I worked, I, actually in fact spent my whole career in using integrated systems. And for, I suppose, the uninitiated, the integrated system is great because you enter the information once and you reuse the information. And I was very fortunate, like, you know, back in ‘91, when I started working, that it’s all I’ve ever known. And, but there was a certain level of frustration in that a lot of those systems, like sometimes you hear about SAP and all that; they’re extremely complex and to implement, and I still not sure why the cost of implementation, I mean, if any management system takes three years to implement, I think there’s something wrong, because after three years, your business is going to be different and it just this is not right. And this is basically the foundation of the initial business, like Wandsoft as well. So, prior to doing that, I also have to mention that I had a career in internal auditing as well; a part of my career also in internal auditing. So, governance has always been at the heart of everything I’ve done really. So when the company started, so initially, we started the software company, to provide integrated systems to the SME market. And I could see at the time, the cloud or I suppose, yeah, the cloud, if you can call it like that, although back in 2001, we weren’t talking too much about the cloud. Then, what I realized very quickly, I thought, well, we have a lot of responsibility in terms of, we’re actually hosting data that doesn’t belong to us. Our clients are paying us for that. And it’s very important to have a very strong, very strong security and really, we’re responsible for that. 
And, if something goes wrong, you know, you can have all the insurance in the world, but if something goes wrong, we could actually go out of business and some clients that actually trusted us could actually go out of business, and that can actually happen very easily. And we’ve actually seen that. So really, we really focused, a lot of work we did was always trying to protect our clients’ data. And, in many cases, prior to the GDPR, there was already some data protection law that existed. And we always tried as much as possible to be aligned with that, you know. And so, when came GDPR, we read the text -the initial part was a moment of panic and thinking, okay, that’s the end of it. We’re a small organisation and there’s a lot of responsibility. You obviously, people talk about the fines,  you only look at the fines. You look at data processing agreements and all that, and think, “My God, that’s the end of it.” And then you actually start stepping back and say: “Okay, well in the length of time we’ve been in business, how many breaches have we suffered?” And you start counting… zero. And then you say: “Well how many data breaches did we actually stop?” And, it’s a lot! And we basically had put in infrastructure, and you have to revisit everything every time somebody strikes. You, basically, have to be vigilant and monitor that. And that’s what any software company and any hosting company should be doing. So, at that stage, we thought, okay, actually, maybe we shouldn’t actually worry too much about that, because we’ve got a very solid infrastructure. And let’s focus more now on the rights and the transparency, and different elements and all that. And I thought, well, actually, we have nothing to hide really in this because our clients trust us. And we kind of really like this transparency. And then we then added a number of tools into what was our CRM and ERP system. 
We added tools so that our clients would have, would be able to fulfill data subject access requests and elements like that. And one thing leading to the rest, Bizoneo, we added a number of modules again to help the clients on the CRM side. And then, we kind of decided, well, there’s probably a market for a tool like that. We looked at the various tools that were available on the market. And they were either very expensive, or we realised very quickly that they were not really addressing, they didn’t actually understand the problem to solve. And going back to the fact, I think, people are actually overcomplicating, GDPR.

Philipa Farley:  Yes. Absolutely.

Claude Saulnier:  And I suppose the order in which you will read the GDPR I think will matter. And people are underestimating Article 30. And, Article 30 being the key I suppose, and what you have on the screen here; to be proactive in terms of, again, your records of processing. If you don’t know what you’re processing, there’s no way you know, you’re going to know whether it’s lawful, if it’s minimised, if it’s secure, etc, etc, etc. So you start by the inventory, and I think that was the true meaning; the rationale behind Article 30 was really to help organisations focus on this, you know, inventory. And then once this is actually sorted, there’s so many things you can actually deal with. Again, we’re talking about data subject access requests. If you don’t know where your data is held, you know, you’ve got 30 days to do that. If you have a data breach, you have got 72 hours. You better actually know where the data is.

Philipa Farley:  On the data breach side of things, if a data subject is involved, it’s immediately. You know, forget the 72 hours if there’s if, sorry, if there’s risk to the data subject involved, you know, you have to inform them immediately. So you have to know what data was taken. You have to know what data was, say a server, an asset is attacked. Data is taken, what was on there, so you’re talking about an inventory, so bring it back to that. If you assess that, there is a real risk to a data subject, you have to inform them immediately. You know, if it’s data that can result in identity theft, or some kind of financial fraud, they should be told immediately, not in 72 hours. And, a lot of people are not getting that message. So, to back your point up of the inventory. Immediately, you can see, and you can make that risk assessment as to whether or not the data subject needs to be told.

Claude Saulnier:  And the benefit as well is this, because I would tend to work more on the prevention than the cure. Because I think sometimes, I mean, I’m not saying like, you know, breaches don’t occur, they do occur and sometimes they are, it’s not exactly the way you would expect certain you know, breaches, you know, would actually occur. There’s probably more risk of an accidental, yeah, human error that could actually lead to that. But again then, if you don’t have anything to back up and know, okay, what measures did we take ahead of that, to secure the data, then that’s where you’re in trouble. And again, your inventory allows you to mitigate all of this. And, yeah, and then the policy, I suppose elements. Yeah, the risk assessment is obviously, you know, the next stage as well. And with that as well, so people, I mean, risk management, people, again, tend to think, well, this is this, this is complicated, like, you know, what are the risks? And one of the things I’ve actually done, you know, in the platform is, as you actually start entering assets, there’s different types of risk in GDPR. And ultimately, you’ve got the risks on, I suppose, you know, the rights and freedom of the individual, but different things in terms of assets can actually have an impact. Even a supplier can actually have an impact because if your supplier doesn’t do what they have to do to protect the data, there are risks. So you have to actually look at those three pillars there. So, what we did, we actually built in a number of preset risks, and a very, very exhaustive list, you know, following like some what some, you know, security standards would recommend. And businesses, organisations using the system have the ability to add their own risk as well, and maybe remove some that may not be relevant. But the key thing is to get your organisation to think of what they have.
And, if you start putting that sometimes you start bringing a few pieces of the jigsaw and the organisation concerned says, “Oh, actually, we hadn’t thought of this”. And then they find something else that – and that’s all you want. Ultimately, you know, you want organisations to think: “What are we processing? What are the risks?”

Philipa Farley:  Ask the questions and be a bit curious about it. You know, I was talking to the students this morning and just chatting about natural curiosity. Ask questions. Why, you know, the thing; ask why five times, and you’ll find out why. Why are we doing this? What do we need this for? What is this for? Ask questions and ask the hard questions. We have to do that. So basically, we can sew it up, Claude, and say that you’ve got a very rich history in this space, and an incredible understanding of systems, you know. And, it’s very valuable for people to have access to that knowledge. I was saying to one of the guys I was chatting with, you know, if you go and get a job, or if I go and take a job, or if you go and take a job, Claude, access to your amazing bank of knowledge is lost to businesses. So, you know, we really appreciate independent consultants, vendors like you, staying in the market. So that SMEs and smaller businesses, you know, sole traders, individuals have access to that expertise. And I would like to get that message out to people. Okay, the second question I had here was, and this is really personal. I’ve been asking everybody this question: the impact on you personally. Has the GDPR impacted on you personally? I get asked the question when I’m interviewed sometimes: do I think the GDPR is good or bad? And my response is always I come from, you know, a jurisdiction in law where privacy and dignity are paramount, like in our constitutional foundational principles, and everything else comes out of that. So absolutely, yes, I do believe the GDPR is very important. Coming from the history of privacy, through to data protection being recognised as a right, and the GDPR kind of really landing down, boom, on people. You can’t ignore it. 
You know, we had data protection law before here, and I’ve lived in other spaces where there’s been some form of privacy law or cyber law, electronic law that protects people’s rights, but not in the way that the GDPR does. So, personally for you, has it had an impact on you? You know, have you enjoyed your rights?

Claude Saulnier:  It certainly has a huge impact. And in many, in many ways, I suppose where, prior to that, prior to the GDPR, where we focused solely on security, certainly trying to minimise data, you know, as much and being very conscious of this, maybe we didn’t actually, you know, minimise data, you know, as much as maybe we should have added maybe some of our clients there. And maybe, certain elements of privacy is not something we had fully considered. And I have to, I have to admit, see, I have to admit to that. And when, again, because we didn’t actually have to worry about the security elements. And then, I certainly focused far more on the, I suppose, the privacy, the fundamental rights of people, and to actually understand and I think we’re very fortunate in Europe in terms of its data protection, regulation. Not just privacy, it goes beyond that, it goes beyond just privacy. And I think, yeah, we’re fortunate from that point of view. And, I’ve done a lot of research as a result of that. In terms of: What is the true meaning of personal data? How far does it go, and the consequences it can actually have? And going back, I suppose to, going back to, you know, post World War Two, and that’s the history of that. So, from that point of view, I think, yeah, it certainly has made me think very differently. And then, when you actually start seeing how some organisations that have been, are currently harvesting data, with no legal basis on people’s back, it’s just it’s not very ethical. And so, if nothing else, I think that’s what I appreciate, what certainly well, the GDPR has brought. And, I’ve also met, I suppose, on a separate note as well, some incredible people, like yourself, Philipa, that certainly have a very strong interest in protecting data, and make sure that suppose that processing is fair and transparent.
And there’s some amazing, amazing people, out there in many countries and if nothing else, I suppose the GDPR introduced me to a number of amazing professionals that I would never probably have met otherwise, you know, prior to that, so.

Philipa Farley:  Yeah, absolutely. And going to your point on the amazing people around the world who work in this space. There are some incredible personalities out there who are activists that we, well, I personally would definitely admire. I’m not going to name names here. But I think, just a short little piece on that. We were talking this morning about Cambridge Analytica, and the influence that they exerted on people politically with the Brexit referendum. And, I’m going to say this without any emotion, because it’s fact, it’s out there, it’s known. It’s my personal opinion that that entire referendum should have been canceled on the basis that psychological warfare was waged on the people who voted. It’s that simple. So, you know, if somebody says to me, do you care about GDPR? Yes, absolutely, I do. Because, without it, without these kinds of laws, without these kinds of regulations, it’s open gates, you know. And people don’t understand that that information is going straight into the most private space of all and that is your mind, you know, directly into your mind, without a filter. So, without being mindful, and without being present in your life in this moment, now, you’re absorbing so much and you’re being influenced in ways that you don’t even realise. So yes. Yeah, it’s absolutely vital.

Claude Saulnier:  And when you’ve got, certainly, like, you know, people like, like, Mark Zuckerberg and his vision of the world. I think it’s very, it should be very worrying. I mean, I find that I find him scary, really? And it’s, like, like his little toy.

Philipa Farley:  Yeah. I think like, what, what is the next generation. This is the start of their war, you know? It’s frightening. But yeah, so that’s the personal effect. And that’s, I think it gives us a reason to kind of wake up in the morning and carry on doing what we do. Because, you know, like any type of business, I suppose, there’s days where you kind of ask yourself: Why, why am I doing this? You know, you could revert back to your tech background, I could easily revert back to my tech background, and kind of go, “Okay, well, you know, if nobody else cares about it, why should I?” But yeah, we really do. I really do.

Claude Saulnier:  Well, you see, I think one thing that’s important to me, and certainly in terms of the processing we do, is that I sleep at night. When I see what certain providers of services would be doing and sometimes, through clients, we come across, you know, different types of enterprises, that I wonder how some people can actually sleep at night, given how careless they are. And so, I think from that point of view, it might be, you know, giving trouble sometimes in terms of, yeah, we might be, people might just say, we will be too strict about certain things and data protection, but I don’t think we are ever too strict. I think again, I sleep at night and I think that’s important. So yeah.

Philipa Farley:  I think…I think…I win the prize for being reported to the Data Protection Commission for being over the top about telling people how to conduct their marketing activities in a compliant manner. One marketing company, in a town that shall remain unnamed, because this country’s very small, actually picked up the telephone and reported me to the Data Protection Commission. So, yeah, I do sleep at night. You know, I, if people want to say it’s over the top, that’s that’s grand, you know, it’s, it’s not. Okay so, you touched on this a little bit where have you seen opportunities for your own business in the context of GDPR? I think you explained it a little bit there, you kind of, your business evolved and grew in a really lovely way, you know, alongside the understanding that you found.

Claude Saulnier:  Yeah, so I suppose, now we’ve got that, kind of, for us, it’s like we started a new product range, I suppose, from what the traditional, you know, CRM. Initially, again, we didn’t actually intend to do this. We actually spoke to, even some people in the markets and some organisations that are now our competitors, and said: “Well, you know, with your CRM, you said, you were too small for us.” You know, we just want to deal with all organisations and all that so yeah, which we haven’t enjoyed access to, you know, massive US corporations. So, you have a, you know, a system that could respect, you know, data protection, all that, and they said “No, no.” You know, so, as a result of that, I suppose we created our own product line. And it’s interesting again, as well, you know, I suppose in the market, we’re a software company. We’ve got a lot of experience in that. And there were many well, competitors, if you can call them like that, that actually, don’t actually have the experience of software development. And, you know, there are a number of things, I suppose, we are very glad that we have many, many years…

Philipa Farley:  I think I’m going to speak specifically now, Claude, and we can cut anything out that you don’t want on here. I’ll try not to be too specific. But, I’m going to say it, because your background in development and understanding of systems and internal auditing has given you a fantastic appreciation of the need for audit trails within the software and logging of actions within the software. Because, when we come from the other side, and we get a phone call: “I think I’ve got a data breach going on”. You know, the first thing that we say is: “Okay, what vendors, etc, etc.” Let’s get the vendors on, you’ve got to your personal contact there, we’ve got to contain this as fast as possible. The next step is looking at the logs, you know, and the amount of applications that people are using that cannot provide them with that vital information is actually frightening.

Claude Saulnier:  It’s interesting, back in 2005 or 2006, on our application, one of our one clients that at the time rang, or emailed us, I can’t really remember, and said: “Claude, Hi. Somebody hacked into your system and sent a nasty email to all our members, all our clients or whatever they are, and all that.” And I said: “Well, this is a very grave accusation….” And they said, well, now let’s, let’s go and investigate. So the first thing we did was getting our logs and saying, well, first of all, this is the list of everyone who logged in your back office. Us, I can guarantee for my system, it’s not us, as only looking at the data and all that, they could see that any way. I said: “Look, we have certainly extremely strict procedures and internal policies. And, you know, we could find out straight away if something wasn’t if it wasn’t, you know, meant to be.” And then, it turned out that, and then we looked at the file with the information that was actually sent, we did a bit of forensic of their own thing, of their own their own data and then said: “Well, actually, that email, in fact, wasn’t actually sent from our system. And now you need to conduct a different line of investigation.” So again, the fact we had those logs, we had that and again, way, way before the GDPR; we’ve always been a data processor. If you can’t, you know, get the, I suppose, the basics, you know, things right, I think, you know, there’s a problem. And it turned out that they had, in the organisation in question, I can’t say too much there, but they had…there was a room with computers with no security whatsoever and they were Excel spreadsheets with all the clients and members and all that…it was actually a sports organisation. And everybody could actually go there, retrieve the files and do whatever they wanted. And that that was the issue they had, it was an internal problem, nothing to do with us.
And I’m so glad again, that having all these audit trails and and, and I’ve seen, actually some of our competitors, you know, and on the fields that can’t even manage access rights properly. And it’s good for us, I suppose, because we’ve actually managed rights, the right access rights, I suppose for forever. And having logs when certain things are happening, different user levels may change and all that. It’s just so important to be able to actually trace what could have gone wrong, you know, in all of this so, yeah.

Philipa Farley:  It’s vitally important when you’re doing your reports into whatever supervisory authority you need to report into, when you’ve uncovered a data breach or an incident, you know, your internal reporting, too. So, from that perspective, I just say, again, you know, it’s an amazing application and your knowledge there is only of huge benefit to people. So, I do hope that people get in touch and ask you for a demo, and have a look through. I am going to ask you the question here. And again, don’t name clients. None of us do, or we don’t expect you to. So where, where have you seen opportunities with the GDPR? And again, I say, Claude, like, I get asked often, why should we bother? It’s too much. It’s over the top. I’m a small business, I don’t need to do this. You know, and you can sit me down in the chair and throw all of this at me. I can very quickly tell you where the opportunities lie in your context, whatever business you are, but where have you seen the opportunities for your clients that do their compliance?

Claude Saulnier:  Well, what’s interesting in this is so I think if you’re, if the organisation has less than 10 staff in just generally speaking, I think you can probably work, you probably don’t have too many systems. And you could probably work with a consultant, work with somebody like yourself, and get a picture of how you will be processing, whether you need tools like ours, how much governance do you need, like as a small business? How much do you need? That’ll depend, again, on the type of business, the type of business you’re in. But, past that stage there, and when you actually start looking at, I suppose, doing these inventories, looking at policies, I mean, the human factor is very, very, very important. And what you would actually see is that, by actually looking at the policies and looking and training people there, and that your business, you might you should actually question well, why are we doing this? Is this a bit of a mess? And let’s try to put things in a more structured way, right? And some people say: “Yeah, but you know, we’re, you know, we’re a small organisation and we don’t need this, whatever.” And then, the accident actually happened, just because people haven’t been following policies and all that. So, even if you’re small and want to grow, I think, having embedded a number of policies, and things and things don’t have to be very, very complicated, you know, initially there are certain elements you can bring to that and, certainly in Bizoneo, we’ve also brought in a number of like, you know, template policies, so that for smaller businesses you can just go click its preset, and you could just adjust for your own needs, I suppose. You know, I’m not necessarily a big fan of templates, but you need a bit of a guideline. Just a starting point. What again, do we need this? Do we not need this? And trying to think of that. And then, you realise then that by putting this governance looking at, okay, who’s doing what, are we? 
When you are looking at procurement, for instance, which is actually key in GDPR, and I’m a bit…I don’t understand why organisations are not necessarily looking at that in enough detail there. Your supply chain is very important. So, by putting certain things in your, at the procurement stage, you will by spending a little bit more time trying to find a supplier that certainly will comply with the GDPR. And, it’s not just “Oh yeah, I will comply”… you kind of need to do a bit of due diligence, you know, on this, you will actually eliminate a problem down the line, because you’ve actually done that piece of work. So, again, for small businesses, I think, you know, there’s a lot to gain in terms of the general organisation. So, you may forget a little bit about the personal data element and the GDPR if you want, but by looking at that, the organisation normally should become you know, better. And we; that’s something we’ve actually experienced ourselves, because although again, with the, I suppose, prior to GDPR we had a number of new policies and a number of procedures in place, even we had that prior to this. But, in the context of GDPR, we actually reviewed some of that. And then we decided then to even like, you know, improve certain elements. And we said, we get beyond that, to the extent now that, when we engage with a new client, we’re usually the ones to say what, like, we’re actually going to send, you know, a nondisclosure agreement before we actually start talking. And many organisations are actually surprised to say, “Well, what’s this?” And that’s us saying: “Well, look, we basically care about, I suppose you, even if you’re not yet a client”. But it’s important and goes to show that, I suppose, from an early stage, we well, we don’t just take things seriously. We actually do things seriously. And it’d be so easy, I think, for smaller organisations to benefit from that.

Philipa Farley:  Yeah. The housekeeping alone, Claude, because, you touched on that, and said, you know, things are a mess and to tidy them up. Like, people say to me, sometimes what do you think happened? My first response is the app, the app era. You know, apps on phones, little apps that do things did nobody any favours, you know, it’s just these sort of disintegrated systems all over the place. But besides that, in business, we’ve lost – and I think I’ve said this to you before – we’ve lost the office manager. You know, the person who was in charge of filing, you know, and sorting and just making sure that systems are in place and systems were adhered to. So, I would personally love to see that position come back into smaller businesses, because I think it would benefit everybody but a real impact that cleaning up the mess has for smaller businesses, and assessing suppliers and vendors is that you actually may very well save yourself a lot of money on unnecessary software subscriptions, that you’ve just sort of let that happen, that you don’t really need so you’ll land up kind of consolidating, like debt review, you know, everything gets well filed.

Claude Saulnier:  Yeah, and another thing is well, part of this, and you mentioned about the apps and all that. And one thing that also fascinates me is the number of organisations that will take one, two or three or four pieces of software because they’re free. And they’re creating different problems. And okay, if it’s free, sometimes you again, you have to think, okay, what are the impacts in terms of, you know, how do they leave, and you can’t run a business for free. So, the ads have to be brought into play at some, at some stage. And so you have to think, okay, well, if it’s not essential, is that right? That we actually give this information that could be sometimes sensitive, we actually give all our you know, business life to you know, this third party, what are they going to do about that? This is just not really fair, but on top of that, then the cost of it. So you may have like, no three or four applications that are free, but by again, I’m a big fan of integrated systems, the information enters once, you enter the information once, and then you can actually reuse that, it has loads of benefits. And yes, there’s a cost to that, but you’re actually saving a lot of time, in as far as management and because staff are going to be more efficient. They don’t, you don’t need to hire extra staff to do this because somebody, it’s already in the application. You could reuse that, and you’ll notice that on, I suppose, on the CRM side is the type of things that we do and encourage, you know, organisations to do this. And once again, once it’s integrated, from a data protection point of view, if you’ve got one system and okay, you need to make sure that system is very secure. 
But, there’s a lot less things that can go wrong that you would have if you’ve got, you know, application one talks to application two, with standard data, their application to then send it to application three, there’s two or three, you know, people there in the middle, and suddenly, oops, I sent, you know, the Excel sheet from one export to the other one, I sent that to the wrong person. Suddenly, we’ve got a data breach. So, at least when things actually stay in the system and only export when you really genuinely need it, which is sometimes actually not that often. Then you actually reduce a lot of the risks out of the equation. And certainly, I think integrated systems, I wish smaller organisations looked into that. There may be, I suppose, a slightly higher cost, but in the long run, that actually helps in your governance. It helps in so many ways.

Philipa Farley:  I think what we’re seeing also, Claude, is like the larger players in the marketplace are offering a lower tier for a very reduced subscription rate, because they can. You know, they’ve got enough Bitcoins to sort of support the business model, where SMEs can access applications online. You know, I’m specifically thinking of things like SharePoint, you know, it’s accessible now online, on the cloud. Whereas before, it wasn’t, because it was very expensive to have the server that could handle the install, have the expertise to do the install, the management, the admin, etc. So, yeah, there’s a big, big case to be made for that. Yeah, and going back to what you said, with the tidying up, you know, you keep your, your records correct, you suffer a breach, you suffer an incident, you know, immediately what’s gone. But if you have an access request, you’re saving an immense amount of time, by knowing exactly, you know,

Claude Saulnier:  Exactly, if the information is structured that makes things a lot easier as well, and I suppose, having an inventory, even knowing where to go and retrieve it. Now, not every subject I said, I mean, we’re dealing with clients where frankly, the subject access request is far more complex than retrieving the information from a system. There could be, you know, a lot of redaction that is needed, trying to assess what does the person want, etc, etc. Like, you know, so

Philipa Farley:  Yeah, but at least you’re not wasting your time, your focus on finding it.

Claude Saulnier:  Exactly, yeah.

Philipa Farley:  Yeah. You’re using the time as it should be used. Yeah, yeah, you know, yeah. Okay, share a positive story, Claude. A positive story about the GDPR. A happy one.

Claude Saulnier:  Mmmm, a positive story about the GDPR. Again, I think if something is, even the fact we’re talking today, I think it’s this for your positive story. Again, I think I have not necessarily I haven’t actually met all the people I have been engaging with, I suppose, through you know, since GDPR. But this certainly has been certainly through, you know, conference calls and Skype, or Teams calls and all that. I have met a lot of people who are also very passionate, I suppose, who actually care and who’ve got a sense of ethics. And so, I think that would be a very positive, you know, I’m grateful I suppose to I’ve met those people that I suppose I have brought me again, I can maybe I’ve contributed like, you know, to it like a different way of thinking and, I suppose, it’s very reassuring, so that would be one positive story. Other positive stories? I don’t know, maybe you have to actually cut that and I have to think of something else.

Philipa Farley:  No, I’m not going to cut it. It’s in the evening. And I think we both had a very long day. Yeah, I think just generally, the message that we’re trying to get out is that it’s not all bad. Like, it’s not a huge mountain that has to be climbed. You know, I’ve had people saying to me afterwards, oh, I’m really sad you’re going, because that was a lot of fun. And I don’t know if it’s my wicked and twisted sense of humour as we go along. You know, that makes people laugh. And actually, quite honestly, that was training at law school. I did a year of Legal Aid. And we had an attorney that spent sessions with us, probably once every two weeks. And he taught us to, you know, to laugh about things that were very difficult, not laugh at them or diminish the value of what is going on, but to just lighten, or share the load.

Claude Saulnier:  Yeah, again if you look at the GDPR, though, what is actually difficult? Because, first of all again you need to kind of read the GDPR and there will be a podcast soon, I will be giving some tips on that. But again, the GDPR isn’t really bad. The Article 5.1, right in terms of you know, it actually gives you you’ve got like, you know, six principles right? And then, you’ve got your, I suppose, one of the six principles is going to Article 6, and which is how lawful is your processing? And, for most businesses, you would probably find either you know, legal or contractual obligations, and that actually should be fairly straightforward in most cases there. And then you’ve got this Article 30 which says, well, why don’t, you know, well yet before you even do all of that, before you process your Article 5.1 and the lawfulness of processing. For now, let’s do an inventory. What do you actually process there? And, once you’ve actually done that, just you know bounce that against the, you know, the six principles. It’s actually not that complicated, because when you’re going to then start looking at the principles. Some of them very quickly you will realise, you don’t actually have to do too much work, you know, about them. And from that angle, it’s not very complicated and then once this is done, and you kind of know what you’re doing then you can actually write your privacy notice to put on the website and go on. Now, the other thing that should come out of that which is also frustrating is the whole thing about cookies and all that, which is the bit that really annoys me. It’s not just the cookies but, I suppose you know, placing electronic things on an electronic device. And there’s a lot of confusion around this. I suppose, initially, many people in marketing panicked and you know, I suppose mixed things and all of that. There’s an awful lot of processing that shouldn’t be taking place at the moment.

Philipa Farley:  Let’s just call it what it is like, Claude, pure surveillance. You know? Yeah.

Claude Saulnier:  And, marketeers are worried that it’s the end of the world. There’s been an awful lot of unlawful processing for years, that has resulted in monopolies like Google or Facebook. And I think it’s about time that some of that actually stops. So…

Philipa Farley:  Yeah, no, I would hundred percent support that. And say, definitely, yeah. And it’s interesting, Claude, because you kind of come back to like, classic principles of business. Well, how do we measure the success of this campaign? We’re running you know, not I’m not talking about like a paid whatever advertising campaign, in general, within the business marketing campaign. How do we measure the success of that? Well, you know what, like I can tell you, my phone calls have gone up 10 times in volume than what they were 3 months ago. Yes. It’s not hard. You know, for smaller businesses, I’ve yet to measure like that, well, let’s look at the figures. Let’s look at the profitability. Let’s look at our management accounts and see, okay, we put the effort in for the 6 months, look at the return for the next year or 18 months, you know. We need to actually understand that there are other ways of doing things, rather than just relying on statistics by organisations that are actually horribly…what’s the diplomatic way of saying this, Claude? You know, look at your Google Analytics, you’re not getting the actual picture.

Claude Saulnier:  No, I think, we conducted because we were actually working on the one part of the, on the CRM side, we’re actually looking at analytics and we’ve done an advanced prototype. Actually, we’re actually in beta testing, early testing, I suppose with some clients there and we actually compare, so we can actually process statistics, without cookies, in a very lawful manner, with high respect with respect to people’s rights. And that. And all we figure out from this is that Google Analytics, in fact, doesn’t report all the traffic, one of the reasons obviously being that they’re in the business of selling ads, so why should they report the thing? But also technically, the way things are actually embedded cannot work every time. And we’ve actually found some traffic, some sources of traffic that there’s absolutely no way I mean, we were actually surprised initially, but there’s no way Google will ever track them, and yet they could be converting now. Because we have part of the suite, where we’ve got an e-commerce suite. So, we can actually provide very comprehensive information about sales without even naming people and looking at okay, well, are the sales up and down? What products do work well etc, etc? And then also, then bringing statistics where you would have the number of visitors on a particular product, and the actual turnover for that particular product. And that’s, that’s all you need, really, in a small business.

Philipa Farley:  Absolutely, I mean, when where, why target. You’re looking at it from your perspective as a business owner going, “oh, everybody went to look at that, so they’re interested but there’s something wrong with it because they’re not buying, they’re not converting to an actual customer. So how do we change the messaging? How do we change that, even the product photography, what’s going on here?” It’s not hard to work through that one positive thing that I’ve found…

Claude Saulnier:  So even some of the metrics that for instance, Google Analytics would give you are a bit flawed as well because, depending on the type of business you’re in, something like the bounce rate people say, “oh yeah, you know, people come to websites and they leave the website…” Well, if your website is actually like you find, I suppose, the product or whatever you’ve got open, like through a Search Engine, you actually find this page and then use the Contact Us page. Well, it doesn’t really matter if people have actually seen 20 pages or one page, you know, they’ve actually taken an action. And that’s it. And, and again, if you’re shopping, like we’ve got clients that use our shopping facility there, and their brief is, well, we want the minimal amount of clicks between the time they choose a product, buy the tickets and pay. So, from that point of view, then you really want to actually minimise that and make sure that people stay as little as possible on the website. You want them to buy one product and go, and that’s it. So again, so that could be very misleading. In terms of obviously, anybody in marketing will tell you a different story. So

Philipa Farley:  Yeah, the one thing that I’ve seen and I’ve said it to Graeme, time and time again, is this is the first space that I’ve worked in – and I’ve worked across many different spaces – where one subject matter forces everybody in the business to talk to each other. It breaks down silos and people have to start understanding what other people in the business do, which I think is fantastic. You know, it’s great for everybody. Yeah. Okay, last one, because I have now nearly taken up an hour of your time. Thank you so much for that. Please, Claude, can you give us one piece of advice to potential clients of yours?

Claude Saulnier:  Blank, haha!

Philipa Farley:  So if somebody is coming along to you, Claude, and they were sort of half convinced that they needed to do something about compliance and the GDPR. And they, they knew that you saw the solution, and they knew a little bit about you, what would be one thing you would like them to take away to think about?

Claude Saulnier:  Maybe that they should consider how they care about their own clients. And what, I think a large element about GDPR is about reputation. Right. So, yeah, I think reputation matters. And that’s, I think, is probably what will happen and not so much necessary because they use our software to do this, but that the action of, I suppose, taking the software to help them in – software itself doesn’t solve every problem, let’s just be clear, right? It actually provides a certain economic guidance and, and the tool to actually support that demonstration to the GDPR but not just demonstrate the GDPR to actually make their business better, right? It makes their business better and then gives a positive, and again, reduces the risk towards their, you know, their reputation. So

Philipa Farley:  And build trust. Yeah, exactly. It helps build the trust. Yeah. Okay, cool. Thank you so much. I have got your contact details up here. But your website is bizoneo.eu. Where can people best find you online? Where do you prefer?

Claude Saulnier:  Well, I’m usually a LinkedIn person ideally. With tweeting about it, it’s nice to think you know, people can find me. Feel free to put the link to the LinkedIn page and people can follow me. I try to put a certain angle of, of wit as well, because I have to admit that for the majority of people data protection could be a bit dull. And it could be dull. So I think we have to put a bit of fun into data protection and that’s what I would try to do, I suppose. When I’m posting on LinkedIn, I hope sometimes I try not to take it like, you know, too seriously. I try to give serious advice, but try to joke about certain things. And, and try to, I suppose, educate people; just trying to actually get people interested in it. I think if we can actually get this, I think there will be an awful lot achieved on that, you know, so yes.

Philipa Farley:  Yeah, Claude, it’s a part of our life now. And it’s not going anywhere. It’s not going anywhere. So, you know, whether we like it or not, we need to absorb it and live it.

Claude Saulnier:  You know, I think we’re very lucky in Europe to actually have such a law and regulation to do this.

Philipa Farley:  Yeah, absolutely. We are. You know, I’ll say time and time again, like, every single person that I’ve worked with, we walk away from the job. And I’m sure that you have the same experience, where they say “thank you.” We actually feel better, so much better when it’s done. You know, I’ve had phone calls from people saying, just a quick phone call, thank you. You’ve changed our life, because now we know what to say. When our customers ask questions. We know how to do our own negotiations, and we can absolutely 100% stand on the information that we’re giving out, you know, the confidence is back there again. So, you know, I know that Bizoneo can help people with that too, and give them that, that confidence and that deep knowledge of what they’re doing is the right thing. Yeah. So,

Claude Saulnier:  Yes, yeah. And again, you see this in terms of: be proactive, to be organised, and be ready, and I think that this helps us sleep better at night.

Philipa Farley:  Okay, thank you, Claude, I’m going to end the recording here.

Claude Saulnier:  Yeah. It’s been great chatting.

Philipa Farley:  Okay, thanks. Bye.

Claude Saulnier: Bye

Philipa Farley:  Hope you enjoyed that episode of The GDPR series. If you do, please subscribe. Find us on social media. We’d love to have a chat!

Written By Philipa Jane Farley

Philipa is the lead consultant and auditor at ProPrivacy.  With clients as far afield as Canada, South Africa, Kenya, Germany, Spain and other such exotic locations, besides Cork and elsewhere in Ireland, Philipa enjoys a broad view of the state of data protection, privacy and cyber security worldwide.  Philipa’s passion is manageable data compliance for SMEs.

Philipa is a qualified teacher, besides holding qualifications in computer science (Bachelor of Science in Artificial Intelligence Programming) and electronic and intellectual property law (LLB). She is trained in constitutional (fundamental) rights litigation and enjoys a good debate.

Philipa has over twenty years of experience working in different-sized organisations and sectors on operational, governance, risk management and compliance matters. She is an analytical and focused person who enjoys a challenge in the workplace. She loves technology, systems and people and has a passion for showing people how technology can make life easier and better. She understands that the world is driven by data today but privacy is paramount. Responsibly developed AI excites Philipa for the future.

ProPrivacy | GDPR Privacy Cyber Security in Cork, Ireland