Play

Today on The GDPR Series podcast, our focus is bringing the GDPR back down to earth.  I chat with a rare woman in cyber (and data) who presents her GDPR message to businesses through the lens of real life cyber security issues.  With a very interesting background in the hotel, travel and leisure industry, we are treated to a discussion with somebody who knows all about taking care of masses of far and fast moving data!  Listen to find out more.

Our guest today is Andrea Manning.  Andrea set up Data Influence with the intent to influence how we think about data. She is on a mission to change some of the negative perceptions and scaremongering that sprung up around GDPR.  An eternal optimist she highlights the benefits of doing GDPR and likens it getting a full health check for your business.  She talks about how we all now have a duty around cyber security and that it should become more user-focused.  A passionate champion for small business which often gets left behind, her focus is on plain speaking and practical solutions.  In her own business, she advocates training for everyone in the organisation and creating a culture of curiosity.  In her words, make your staff part of the solution, not the problem.

It’s clear from listening to Andrea that she also has another agenda.  And this is to attract more women into cyber security and data protection.  A natural mentor and a diverse role model herself, Andrea is keen to highlight how women bring varied backgrounds, mindsets, challenges, world views and family dynamics to the table making them natural problem solvers and an ideal fit for the world of cyber security.

Drawing on an extensive career in Information Systems and Marketing, Andrea brings a fresh approach to Data Protection.

Andrea’s Links:
Read more and contact: https://www.datainfluence.ie
Free training resources: https://www.datainfluence.ie/resources

Interview transcription:

Philipa Farley 0:01
Hi, and welcome to our podcast called The GDPR Series, where we discuss data protection, privacy, and cyber security matters that ordinary people in everyday businesses face. We have a series of really interesting and lovely guests, and we hope you enjoy listening along with us.

Good morning, Andrea. It is fantastic to have you here. Thank you for joining us.

Andrea Manning 0:26
Hi, Philipa. Thank you for having me. Very excited.

Philipa Farley 0:30
Okay, so as you know, we’ve been doing a series called The GDPR Series. In my head, I keep thinking the GDPR issue, which it really is, but anyway, it’s The GDPR Series. And we’re talking to people across business, SME owners, as well as people who work in the industry, and you are actually both. Your focus is not entirely on the GDPR and Data Protection. You have an extended focus. I will leave you to introduce yourself. Okay, while I go over and find your website on a screen, so go for it. Give us your pitch Andrea.

Andrea Manning 1:16
Okay, so I have a very varied background and the best way to describe me is: I am a square peg that does not want to fit into a round hole. I set up life in the hospitality industry, but I’ve always been in marketing and in sales, but I was that child who could programme the video recorder, and I’ve always loved tech. And, with everything I do in life, I always start at the position of “yes!” and then I go and figure out how. And that’s tech, that’s business, that’s everything. So I went back to college and did a degree in Business Information Systems. Same thing, I just said yes, and then kind of figured it out. I had no idea what I was taking on, and the next thing, there I was doing programming and data modeling and financial accounting, thinking: “Oh my god, how did I land up here?” But, somehow, sort of that one step at a time approach, I got to the end, and I finished my degree. And, during my degree, I got to do an internship, which is the most valuable part of the degree, and I would recommend this to anyone. And I landed up at the tech startup, One Page CRM. And, same thing, he looked at me and he was kind of seeing the square peg and couldn’t find a hole for me. And I mentioned that I love anything legal, and, if I’d had a second life, I would have done a legal degree. And then he went: “I’ve got just the job for you!” And it was GDPR, because this was prior to May 2018. And I hated it, but I’m an optimist. So I took it and I kind of consumed GDPR. There was nothing I didn’t know about GDPR and I was determined to find the positive in it. And I did find the positive in it! And that is what I did. So, my job was to kind of map the data, figure it all out, see what the competitors were doing, and then be the communicator back to the company, to explain what GDPR was. And that was another side that I realised I loved, was the training. I mean, they made me do the training for the developers. And I was like: “You can’t make me tell, you know, software engineers about password protection?” Well, you can, because there was one who had their passwords on a post-it – so, everybody needs training! And you must never assume! So it was through that internship, they kind of planted this love for GDPR. And one of the funniest things was – the whole way through – everybody was sending out these re-permissioning emails. So, I was dealing with them at One Page CRM, but I was also dealing with them in my own company. And, every time somebody got one of them, they’d forward it on to me. So, while the average person was getting 10 a day, I was getting a hundred a day. That is my lasting memory of GDPR, and I was seeing them from people, saying: “But, my solicitor sent me this one, so it has to be right!” or “But, my doctor sent me this one, so it has to be like that!” No.

Philipa Farley 4:12
Yeah, I think everybody completely damaged their domain reputation scores during those couple of months, because I think people were just like, deleting, and most of them just landed up in spam anyway.

Andrea Manning 4:25
Oh, gosh. And they just followed like sheep and you know what it reminds me of? I lived in the UK for a long time. And there was this whole thing with Brexit, they kind of analysed why the EU had such a bad name. And it was because the newspapers every day, were printing stupid stories like: “The EU says we must have straight bananas. The EU says this. The EU says this.” And it was actually nonsense, when it was that drip feed, and then people believed that the EU was a bad thing. And, I almost feel like the same thing happened to GDPR – this drip feed of nonsense that wasn’t even true. And now, everybody has this completely wrong perception of GDPR. Which brings me to how I set up Data Influence: I needed to change the perception of GDPR.

Philipa Farley 5:10
Yes, absolutely, Andrea, I’ll add to that. And I think I might have said it to somebody else; it will probably come up in one of the other podcasts. But, if it wasn’t one with Liam, that I was very surprised, coming from South Africa, where our sort of culture, for the most part, has worked together, you know, give somebody a hand up. Because if you succeed, I succeed, you know, and it’s better for everybody instead of just sort of shoving each other down. When I sort of started looking at social media, you know, and talk around data protection and GDPR specifically, this phrase “scare mongering” came up over and over and over again: “Oh, don’t pay attention to that, that person is a scaremonger. Don’t pay attention to that, that is just scare mongering.” And I think that the industry did itself no favours by entrenching that phrase into everyday language and attaching it to GDPR, because we’re now in a space where people’s kind of automatic reaction to you saying: “Have you, you know, how’s your compliance going? How’s your data protection compliance? You know, have you dealt with your GDPR obligations?” They – the triggers – are “Oh, I don’t need to she’s just scare mongering.” And it’s just like this wall up in a lot of people; they don’t want to deal with it. So, I don’t know what you have to say about that. Because, like talking about getting a fine… yeah, I know, it’s extreme to say everybody’s going to get a 4% whatever global annual turnover fine, but talking about it, and saying “That’s the potential.” The potential is also that the Commission comes in and says: “Oh, sorry, you can’t do this” – like they did with Facebook last week and the dating app. “Sorry, you can’t do this. You have to stop while we investigate.” And while we do the correct, you know, compliance assessments, the documentation assessments. Okay, so, is that scare mongering? Or is that actually creating awareness around the reality of what this law has the potential to do?

Andrea Manning 7:27
Well, there’s a lot to unpack there. So, my background has always been in small business, and I understand small business. And I do think the GDPR puts a really unfair burden on the small business. It’s one regulation that Facebook and the man with four employees needs to still, you know, do together. So I just say… I start off and I say people, and they are quite shocked. I mean, you know what, let’s just put GDPR in the bin for now. Let’s just put it over there. And let’s not even talk about it. And let’s just talk about your business, and then, I start just in an almost conversational form, saying: “You know, does everything – when you send your guys out? Do they have all your customer data on their mobile phones?” And, and I know every I always know the answer to this question. I’m like, lawyer, don’t ask a question until you know the answer. I’ll also ask “You got all your passwords on an Excel spreadsheet on your computer?” They’re like, yeah, because everybody does the same thing. But, once I start explaining to them, like, what the repercussions of that are and how easy it would be to gain access to all their passwords, and then imagine if they lost all their customer data, and they kind of woke up in the morning and they came in and he there were no customer records, there was no details, there was nothing, then what do they do? And then, you start to build and you say: “Okay, this is all you know, this is cyber security.” And cyber security is a lot more sexy than GDPR. So we go through this and it’s, it’s real life stuff. We all have millions of apps. You know, the typical small company, and that is Ireland – yes, there’s the big enterprises – but it’s actually small businesses.

Philipa Farley 8:58
250 000 SMEs.

Andrea Manning 9:01
Yep. So you’re using things like Monday.com and using Gmail, and you using, you know, all these little products. You probably don’t even have an IT department.

Philipa Farley 9:11
Nobody does, Andrea.

Andrea Manning 9:13
Yeah. So who’s managing these? Who’s making sure that they’re all secure? Who’s making sure that who’s got access to them or like the interns left and now she’s got all the passwords to everything? They don’t have an IT department. So I’m their IT department. I’m coming in. I’m saying: “Okay, let’s draw a picture of what’s happening, what you’ve got, where it’s going.” And then they’re sorted out – let’s just make it a little bit safer. And, if I explained how easy it is to crack a password with a great story? And, by the time I’m finished, they’re like “Okay, how do I sign up for a password manager? Then, moving on to the next stage and I just say it’s just about getting your GDPR ducks in a row, document everything, just have all the paperwork to prove what you’re doing. And then your GDPR is done, but you’re also in a great position that your company is not going to fold, because with like, ransomware, they say that if a small company is hit with ransomware, within six months, they fold.

Philipa Farley 10:08
Yeah, yeah, no, we got those figures at the breakfast briefing I was at last week. And, for some companies, it’s as soon as three months Andrea, it does not even extend to six months. Like it’s done.

Andrea Manning 10:28
Just before Christmas; and it really kind of sticks with me. They were based in Arkansas and they were a tech marketing company, and they were doing so well, that they were giving away a cruise, as like a prize to their top employee. And they were hit with ransomware and, this was just before Christmas. Second of January, they had to let the 300 staff go and that was a family firm that had been in business for years and that; it honestly it just breaks my heart. So, when I want to help people that is it is truly from that position that you’re a small company. And if you just had a little bit of GDPR, which is just some housekeeping, that company would have been fine. They would have been able to recover, they would have had a backup, they would have had a plan. You know, it’s just prevention.

Philipa Farley 11:13
Yeah, yeah. But, having said that, it’s just prevention. Do you not think that most people just don’t think about this stuff? It doesn’t cross their mind to think about ransomware and the effect on their business?

Andrea Manning 11:31
Do you know what? There are two parts: first of all, a lot of people just don’t care. Like, they don’t even get to the point where they want to find out whether they should think about it. But, a lot of people, we live in our filter bubble so we’re we’re on Twitter in that community. We’re on LinkedIn in that community

Philipa Farley 11:47
And on that note, before you carry on, I’m so aware of that because it’s like if you get into a group think state and you create blind spots.

Andrea Manning 11:55
Look, I know what malware is, but there’s people who don’t know what malware is. I know that you should – like we were talking about this yesterday – you know how many people, they go to a web developer they give their website is built on WordPress, web developer signs off, who does the update? Nobody.

Philipa Farley 12:14
And they don’t even know how to log in, Andrea. Most people don’t know how to log in to those websites. And so, here we see like a bit of a sort of a conundrum coming in, where, like, you would have a lawyer saying that kind of oversight should be built into law, and then translated into systems. So by oversight, I mean, web developers are kind of an unregulated, profession, right? Anybody can put up a website. Anybody can put up a website and just be a web developer. Okay, but in all seriousness, like they obviously have a skill set that is sorely needed and they are very much appreciated. This is nuts, you know, condemning web developers by any means. We’ve all done it in our past, I suppose, as a bit of our jobs. I’m sure you have made websites for people at one stage. But like, is there a code of conduct? Is there a standard way of handing over a site? Is there, you know, a recognised checklist of security measures? And here we go into data protection by design and default. They’re bound by these things as well. And I think that they don’t even realise, Andrea, that they’re bound by them as service providers to people, you know.

Andrea Manning 13:37
That’s it. And, I mean, sometimes their contract is just to hand over a website, and there’s no further contact. And then, somebody in marketing looks after the website, but then they leave. And, whose job is it to do the updates? And that’s why I’ve just where it’s always said it’s like, if you go to the GP once a year and have your sort of NCT, have all your bloods taken, have the whole thing, you probably never need to see them again until the following year. And you could just do it for every company, go in and have a 24 point check or probably a few more points than that, and just go through all these things and do a check for their sort of health. But that’s what GDPR is, and people need that, so you’re getting a free health check where your company,

Philipa Farley 14:19
Yeah, and you know what, most of the time, I would say, nearly every single one of my clients has discovered some kind of cost saving along the way. You know, so they might be spending money on your consulting or your you know, your implementation of a system to manage data and manage their compliance. But, if you do the cost analysis over even a year or two, they’ll land up saving money somewhere, be it in subscription fees for software, they didn’t need, be it in time saving, be it in whatever. So we see those positives, you know, and trying to get the message out, is a challenge. But that’s why exactly why we’re we’re here talking, very obviously.

Andrea Manning 15:06
Hopefully, it will get there. Like you, automatically now, you bring an accountant in for that same reason: just pay a professional that knows their stuff. And actually, you know that they’ll save you time and then, more than likely, save you money. And you put money in your budget and you pay for a professional. And I just think that the data privacy person, or the GDPR person, or whatever you want to call them, is going to become that professional. That’s what we have to set ourselves up as, within that suite of professionals that . We have to set ourselves up at is that that in your your your suite of professionals that you get in when you need to do stuff.

Philipa Farley 15:44
When we think about it, we would like to see and, and again, I said because I’ve said it before, this is not kind of a money making promotion, not at all. It’s really like, very deeply, trying to create that sense of awareness for the need for that check, and the need for that partner, and the need for that expertise. So, we would like to see compliance, cyber security compliance, because it will become that, we’re leading that way. Where we’ll have like a GDPR for cyber, if you want to say it. It’s kind of written in any way: your security measures are needed. But I believe that, very soon, we’ll start seeing the recognised set of regulations for cyber for businesses. The cost is too high at the moment for cyber non-compliance. So, we would see cyber compliance and data protection compliance as a core pillar in the business. You know, compliance should be a core pillar for everybody just like a marketing, your whatever. You know, if you don’t do it, the cost to your business is so high. You know, you can hear I really, like I really battle to process the mindset of a business owner that doesn’t want to have their ducks in a row. That’s just me personally.

Andrea Manning 17:15
But then, there’s another side of it. And we are all guilty of this. I mean, have you ever been to your GP and told them that you Googled your symptoms?

Philipa Farley 17:21
Oh, every single time and I say to him, I know what you’re going to say. Oh, yeah, I know. Because Yeah, exactly.

Andrea Manning 17:29
We’re all kind of gatekeepers of our domain and we’re all guilty of this. We do it, and unfortunately, the cyber community and the privacy community are just the same. And it’s like “Oh, we know so much! Article 99 and Article 17 and Article…” And we’re like: “Listen, you have to have us because we’re, you know, we’re the experts, but we are not prepared to share it.” And I think – where I want to make the difference and I know you make the difference – and it’s a bit like, when you build WordPress websites for them, it was to empower them that when you left them, they could go make their own edits. So, when we go in and do GDPR, if we train them and teach them and said: “Okay, now, you know it!” – knowledge is empowerment. Yeah, and you know this stuff, you can manage this yourself because you haven’t got a huge budget. I’ll just come back in a year’s time and give you another health check and give you another list of to do’s and that way, you know, like an app that tells you what you need to do with the fixes that you can manage your data yourself. We have to, as privacy people, empower everybody and not be the gatekeepers and not use things like Article 17 and Article 19. Because really, who actually knows what that is, other than us?

Philipa Farley 18:37
Yeah, exactly. Andrea. And that was precisely what I said to a couple of the SME owners that we’re chatting to; to please come and talk to me, because they’ve done their data protection compliance, and a couple did it themselves; entirely themselves. And I said to them, I think we speak a different language to what people need to hear. So, part of this discussion is exactly what you’re saying there: that we need to find the middle ground, or we actually need to go as, as professionals in this field, we need to go further than the middle ground, and we need to meet people where they’re at. And it’s quite, not a scary thing. But people battle with this idea of giving knowledge, because then nobody’s ever going to pay you for it. But like, I know, myself, we give so much information out. Like I I’m very aware, you know, as a lawyer, even though I’m not really allowed to say that whatever in Ireland, like, but I’m very aware as a lawyer, that you have to give information responsibly. So I’m not going to chuck out a bunch of templates and policies and whatever and say to people go wild, because there is the potential for error there. If I do say: “Here’s a starting point to do your documentation. You will please refer it back to me to check for you, to make sure you haven’t made A mistake, you know.”

Andrea Manning 20:07
But that’s the perfect solution. So it’s a little bit of DIY. It’s understanding the budget. It’s understanding very limited resources. But it’s also teaching them and empowering them. Yeah. And then they’re not that, you know, the consultant sometimes gets a bad name, you know, come and do this. He has my bill.

Philipa Farley 20:28
I sent you some questions, Andrea, that we are talking about, with everybody who comes on the chat. And we have covered a couple of them. You know, we’ve spoken about opportunities for your own business and opportunities for clients. But, I think what I would like to ask you is: the GDPR personally, okay, because, I say it every time and I say it again to you. I get asked often when I’m interviewed, or if I’m talking to people in management: do you think the GDPR is a good thing or a bad thing? And my response is instantly, it’s definitely a good thing. And these are the reasons why. And I have my reasons. So, when I’m talking to people like you – you know where it’s your life; cyber and data protection is your life, really – we all have our own personal stories to tell. So, has it impacted on you personally, in a positive way? You know, have you had a good experience where the GDPR was kind of central to that good experience?

Andrea Manning 21:39
I’m a parent. So I can tell you something: that I read privacy policies for fun, as a parent. And the other thing, that when I was in college – I was with, you know, the sort of 18 to 20 year olds – and I had a whole insight into a different generation, which was so valuable. But, they are the ‘sharing generation’ – they do not care about sharing anything. They are the most risky ones when it comes to sharing passwords. They grew up in a in a world where you share everything: you wake up in the morning and you feeling hung over, you take a selfie…

Philipa Farley 22:16
Yeah, yeah. Their entire life is documented.

Andrea Manning 22:19
So, you know, certainly for me, as a parent, I I look to that privacy policy and, I do, I feel like it’s a little bit of insurance. If something goes wrong, or if I need reassurance, so I want to know that actually, when my daughter is signing up to stuff and doing stuff, that it is regulated, and that if something happens, I have powers that can take things back.

Philipa Farley 22:43
Yeah, that’s a good way of saying it, Andrea, it’s like an insurance policy. You know, it’s not a silver bullet. It definitely is an insurance policy because it’s, it’s that trust. You know, do we live in a constant state of fear over the risk? Or, do we trust, with our insurance policy, and use tools that enrich our life? Because I’d say this again, for us personally, I have a Fitbit on. There we go. There’s, there’s the Fitbit, everybody can see it. And most people would go, what the actual hell are you doing with that thing on your arm? And I say, reminding myself to actually get up off chair during the day. Because without it, you know, I know I can set an alarm, and I can do all sorts of other things to monitor my health and to get moving and to do whatever, but this is everything in one, and I need that right now. You know, so I’m prepared to forego on my absolute, you know, private identity, and hope that they fulfill their data protection obligations in a way that they should.

Andrea Manning 23:52
That’s it I mean, I love tech. I don’t want to go back to the year of the ox wagon.

Philipa Farley 23:56
That’s a South African reference!

Andrea Manning 24:02
Haha, okay, a horse and cart. You know, I love the fact that we’ve got an Alexa in the house. Yes, we’ve turned the camera off, but I love arguing with her. Oh, yeah. And either one like the smart lightbulb. And I like talking to Siri, when I’m driving and arguing with Siri. I love tech, but I also want to be protected by it. And, the GDPR is the best we’ve got at the moment. We need to make it work. There needs to be some more test cases. I’d say my favourite one which I’m following, is the man who wants to leave the Catholic Church and he’s using GDPR.

Philipa Farley 24:35
Yeah, I’d like to read the full report.

Andrea Manning 24:38
You need to look him up. He is Marty Meany, and his website is goose.ie. And, it’s an ongoing story, but you know, it was sent to me by somebody who can’t stand GDPR and I went: “You see, I’ve got you living and loving GDPR.”

Philipa Farley 24:54
Yeah, yeah.

Andrea Manning 24:56
And it’s a good test case. We can see where it’s going to go. We can look at the good and the bad. And, it’s a brilliant one because it’s bringing it into the mainstream and is making people think.

Philipa Farley 25:06
That’s a very, very personal one. That’s a highly personal one, you know? And, it does, It goes to the extremes of private life, really, that case does. So I I’m really interested to see how far it goes, sort of more so than the, you know, like as an immigrant, I don’t have I can’t keep anything to myself. Like, that’s just how it is. My life is an open book. So, when I see like the PSC card cases, you know, the public services card cases, I’m just like: “Hah, well some of us didn’t have a choice, you know, at all like we had to register for those. When we arrived here, there was literally no choice, like, you have to have it whether you like it or not, you know.” So, for me those cases, I kind of, I sit on the sidelines personally and watch it happening for the legal principle. But, this one with the Church must forget me like that’s, you know, that’s like, going right into the soul of this matter.

Andrea Manning 26:09
Well, yesterday, on Twitter, there was a huge debate and all with the, you know, Caroline flack and her suicide. So if you want to be on Twitter, you must give them your passport number, and you must be registered and verified. And, obviously, it came from the heart It came from a really good place, but they didn’t see it from the privacy side. And it was a good debate. It was very respectful, and people were saying: “Hold on a second, will you trust Twitter with your passport number? Does everybody even have a passport number? What about the people that it’s not safe to be visible on social media?”

Philipa Farley 26:43
Exactly. That was gonna be my opinion. Exactly.

Andrea Manning 26:46
Yeah, but it was a great debate because it brought – you didn’t have to use words GDPR – but it brought GDPR into a conversation that affects everybody, and everybody wants the same outcome, which is, you know, better behaviour online.

Philipa Farley 27:02
Yeah. And then I had a listen to Emerald de Leeuw’s TED Talk.

Andrea Manning 27:09
Yes, I did too, yeah.

Philipa Farley 27:10
Yeah, it’s really good. And I’ve kind of been, and if Ems ever listens to this, this is absolutely not a criticism at all. This is like my introspection on the conclusion: where Ems poses a solution to mismanagement of privacy. Now, we’re sort of digressing off the path GDPR a little bit, but it does relate; the mismanagement of our privacy by the solution is to pay for services. And I kind of listened to that. And I was like, yeah, I pay for YouTube premium and I still get tracked. I know that, I still get profiled. I know that. So like, paying for services, to make it worthwhile for service providers to provide a service is actually it’s not, that doesn’t make them behave better. No, it doesn’t make them behave better.

Andrea Manning 28:06
To be honest, the trolls are only feeding off some of the very sort of outspoken public figures and public media. They were just feeding off them, who got loads of money who could be verified, who could pay for a premium service, so it doesn’t solve the problem. I mean, nobody has a solution. But I love the fact that it is bringing GDPR or privacy…

Philipa Farley 28:28
It’s getting people talking about it.

Andrea Manning 28:30
Yeah. And making people think and making them look at all sides of the argument. And I think, you know, that’s where our duty is: to help that informed debate. Yeah, in simple terms to, you know, try and come up with a solution.

Philipa Farley 28:47
Yeah, and you know, what, like, if you do a bit of reading on Systems Theory and complexity and wicked problems, and that, like, there’s a language around what we’re saying, and we possibly need to also all go and dip into that, and be trained in that, because it’s not a solution to the problem, really. And I would say it myself, we need to find a solution to the problem. It’s a problem. It’s a this. It’s not. This is life. This is life, like how we negotiate our way through it is, it’s just a nudge here and an edge there, and we’ll get there. But I think, like really, the short term focus for me, and you can disagree for yourself, is making sure that people stay in business. You know, like that. The bottom line is like, making sure that people stay in business, because without the safeguards that this law, or without respecting safeguards, or without acknowledging, without living the safeguards, that this law is requiring, you’re exposing your business. And, I’m not talking about a 4% fine. I’m talking simply about the non-awareness of the measures that you should have in place over your data, and other people’s data, in your business, over the data you care for. That is going to cost you your business.

Andrea Manning 30:00
But you know what I do when I go into companies? It’s so overwhelming, and I just say to them: “Okay, let’s start with, where are you visible? And where are you vulnerable”? So, where are you visible? You’re visible on the website. You’re visible if you’re sending out a newsletter. You’re visible if you’re running a competition. People are can see what you’re doing. And, if you’re not doing it right with regards to GDPR, they can come after you, because they can see it. Where are you vulnerable? Well, you’re vulnerable if you’re using the same password in lots of different places; if you haven’t got a policy for, you know, movers and leavers, and they’re going to run off with your client list. And you know, just break it down. Where are you visible? Where are you vulnerable? There’s a whole bunch of other stuff you need to do, but just begin there. And it’s a really simple strategy.

Philipa Farley 30:49
Yeah, it’s a good one, Andrea. I really love that, it’s here on your website as well. I’ve been forgetting to scroll through for the video section.

Andrea Manning 30:57
And then I’ve got another one, which is my African roots. Where we have that saying: “How do you eat an elephant?” And, it’s one bite at a time because it’s so overwhelming. Even me, when I started GDPR, I was like: “Oh my god, just take it one bite at a time!” You’re not going to do your GDPR, tick it off, and be fully done. It’s an ongoing thing, maybe five years. If you worked at it every day, and then maybe you could say your GDPR is perfect.

Philipa Farley 31:24
Yeah, but in three to five years.

Andrea Manning 31:24
It’s ongoing.

Philipa Farley 31:26
Yeah, in three years, if you’re absolutely dedicated to it. And, every single time you make a business change – you know, if you decide to introduce a new product or solution, or you going after a new market, you know, a different jurisdiction, you’re exporting whatever – like, as much as people do their tax preparation, they need to do their data protection and preparation for that as well.

Okay. Andrea, I am going to ask you here to share a positive story. One positive story, where somebody had a lightbulb moment, and it really made a real difference to them. Your inputs on data protection.

Andrea Manning 32:13
Oh my god, I had one, now I can’t remember what it is. You might have to edit this out.

Philipa Farley 32:19
That’s fine.

Andrea Manning 32:21
The one I have helped, and I have helped a company now who have twice been hit. They were sending out PDF invoices to clients with big fat deposits like $20,000. And, when the invoice was reaching the client, who were a couple in their 70s, they happily paid the deposit into the bank details they put on the invoice. And, nobody, everybody thinks PDFs are unchangeable. And so, I’m sharing this story far and wide. Because, if I can just get everybody to move over to a system where you’re encrypting your emails or encrypting your PDFs, we’ve saved everybody a lot of money. Because the same thing is – and I keep saying to them, don’t don’t be embarrassed – because a Dutch Museum, an Art Gallery, – the same thing happened to them. And, it’s going to court and who’s liable? Then the guy who’s got the painting, he’s not going to give it up. The museum’s paid the money, but they’ve not got the painting for the money. The guy never got the money. He’s never going to give up the painting. It’s a terrible conundrum. And it’s happening more and more and more.

Philipa Farley 33:30
Yeah. And it’s very, very simple things like that. That, you know, we can write a checklist and email it out to people, but when you’re standing in front of the group of people and training them and telling them these stories, like, the impact on somebody to hear about that is that the information lasts much longer with them, you know

Andrea Manning 33:52
And we put in a simple fix with Mike, with his Rmail. And, he trained everybody and within a week, they were 100% better off. They put in a password manager; they were, I don’t know, I can’t even count the percentage of how much better off they were,because everybody was using simple passwords. Yeah, so do just simple fixes. And, that company now is so much better off.

Philipa Farley 34:16
Yeah. And it reduces the risk immensely. And, that’s what we’re aiming to do. Okay, so we’ve spoken about a lot. And we’ve, kind of, discussed the challenges of working in the field and the challenges that business owners face, people and organisations, I can add to the pool of challenges and say that the stress and anxiety on people in larger organisations, you know, that are tasked with data protection, compliance is huge. So, I think what we want people to know and to understand is that there is help out there, and we do want to share our knowledge. We really do. And, we do online; you post stuff, you write articles, you know, we’re doing a series of podcasts. And, we would encourage people to set aside a small amount of time in their week, even once a month, a couple of hours, to sit and just try and absorb a bit of it, and to start planning for their compliance. And, I am going to say to everybody listening, Andrea is one of our Serity support consultants; we only have a small handful. There are three others, besides myself and Andrea would be the first, that signed on with us to do security audits. And, I would really encourage people to phone you for either an audit, or for training, because if you’re not quite ready to commit to a consulting process, training is definitely a great way to start exploring what your responsibilities are. So, please, everybody just engage with Andrea and what, where can they follow you, Andrea? where’s the best place to find you?

Andrea Manning 36:08
Well, I’m very active on my favorite place, which is Twitter.

Philipa Farley 36:11
Yes. Yeah.

Andrea Manning 36:14
My Twitter is @andrea_data, and my website is datainfluence.ie. Yeah, yeah. And honestly, I’m happy to just have a conversation, everything begins with a conversation, and there’s no cost to a conversation.

Philipa Farley 36:29
Exactly. And I love your word search. There it is. You’re on LinkedIn as well, but I think you chat more in Twitter. Okay, so if you could give one of your potential clients a piece of advice, Andrea, what would that piece of advice be?

Andrea Manning 36:46
I always tell them: do the surprise test. If I buy a new car from you, and you email me a year later and say your car is due for a service, I’m not surprised. If you email me six months later, after buying a car and telling me that you’ve got tyres on special, I’d be like: “Seriously, dude?!” If it doesn’t pass the surprise test, then it fails GDPR – it’s as simple as that.

Philipa Farley 37:12
Yeah, that is a good piece of advice and the surprise test, to be technically correct were the product of your legitimate interest assessment, the three step test. So, if you want to go and Google “legitimate interest assessment”, you will see that Andrea has summed it up very, very well, in the surprise test and I love that.

Andrea Manning 37:30
And, in plain, simple language. You know, I, I’ve made a commitment that I will stay away from jargon as much as I can, because we have to be we have to be relatable. We have to be understandable.

Philipa Farley 37:42
Absolutely. Okay. Is there anything else that you would like to add, Andrea?

Andrea Manning 37:49
Um, no, I just think that, Philipa, these podcasts are wonderful, and I think you’re doing a great service and just getting the word out there, and getting more women into the cyber sphere which we need. And, you know, and the reason I set up my business was the whole thing of “be the change you want to see.” And yes, yeah, that was my, my fundamental reason for setting this up.

Philipa Farley 38:11
Yeah. And and I’ll add to that, Andrea, and say that, you know, my inbox is always open. And I mean that! I might like schedule you for a week’s time, if I have to, but my inbox is always open to somebody who wants some advice on, you know, where they can fit in, in this space, you know, if they do want to break into cyber work or data protection work. I am always happy, especially girls growing up into the field or women wanting to make a change, or, you know what, even if you’re in the industry and you’re battling, like, please reach out and have a chat, because we all know how difficult and how lonely it can be, sometimes. And you know, there are people, there are support groups, there are shoulders to cry on, and, you know, sounding boards to bounce things off. So, I think that you would be similar, Andrea – I don’t want to offer your time up for nothing.

Andrea Manning 39:02
I am the same – it’s that mentorship, that is something practical. Everybody can talk about diversity. But, you know, inclusion is a verb. Yeah, that’s my other one that I keep saying – what are you going to do? We can all say “Oh, you know, we practice diversity.” But, what are you actually doing? Are you offering mentorship? How are you reaching out to people that maybe don’t fit the mould? Who are the square pegs in a round hole? That’s how you make a difference.

Philipa Farley 39:28
Yeah. That when when I was chatting on the AIB panel, the network Ireland AIB, Network, Dublin AIB panel there, one of the questions they asked, and I wasn’t asked directly this question, but one of the questions put to us was: How do we encourage more girls to enter the field? You know, because it’s, I suppose, it was a network event that it was it was phrased that way, so we can broaden that and say diversity, and it would also boil down to breaking down the stereotypes. You know, I think the South African stereotype of like “cyber people” was somebody in a hoodie, you know, in a dark room, not, you know, in, like mingling with the outside world at all. So, I think when you’re sort of a bright student in high school and you look at that you kind of go like, you know, I don’t want to be that person. So, whatever stereotypes have been created, we need to break those down, and actually show our faces and go, yeah, like, I’m a mom of two kids, and I have too many dogs. And, you know, we grow potatoes in our backyard, and we live out in the country, but I’m pretty damn good at what I do.

Andrea Manning 40:41
But, you know what, that just sums you up. It says you’re resourceful. And there was a thing I read today, the guy who kind of turned Porsche around and he said: “Employ for character, teach for skill.”

Philipa Farley 40:52
Exactly. Exactly. And that’s it. So, you know, I think that’s your journey as well, Andrea, is you’ve found a space where you can shine, and we most certainly need to value your unique skills in absolutely simplifying and making this relatable. Like, if I have to say one thing about you, is you absolutely make this whole space relatable to people, and that’s a huge skill and a huge plus. So thank you for bringing that.

Andrea Manning 41:21
Well, thank you for bringing me into the fold.

Philipa Farley 41:24
No, you did that yourself. You really did that yourself, with a lot of hard work and dedication. Thank you so much for for chatting with with us today, Andrea. It’s been a pleasure. It always is a pleasure to talk to you, and I hope, even though our discussion was somewhat general, there’s there’s some real nuggets inside there. And, there are resources on your website, datainfluence.ie/resources, for people to have a look at their some questionnaires, and a lovely word search and Andrea’s contact details. So, for people not looking on video, you’re listening to the podcast, Andrea’s website again is datainfluence.ie. Go and have a look. And she’s @andrea_data on Twitter. So find her there and have a chat.

Andrea Manning 42:07
Thank you so much, Philipa.

Philipa Farley 42:12
We hope you enjoyed that episode of The GDPR Series. If you do, please subscribe. Find us on social media. We love to have a chat!

Philipa Jane Farley
Written By Philipa Jane Farley

Philipa is the lead consultant and auditor at ProPrivacy.  With clients as far afield as Canada, South Africa, Kenya, Germany, Spain and other such exotic locations, besides Cork and elsewhere in Ireland, Philipa enjoys a broad view of the state of data protection, privacy and cyber security worldwide.  Philipa’s passion is manageable data compliance for SMEs.

Philipa is a qualified teacher besides holding a computer science (Bachelor of Science in Artificial Intelligence Programming) and electronic and intellectual property law (LLB) qualified. She is trained in constitutional (fundamental) rights litigation and enjoys a good debate.

Philipa has over twenty years of experience working in different sized organisations and sectors on operational, governance, risk management and compliance matters. She is an analytical and focused person that enjoys a challenge in the workplace. She loves technology, systems and people and has a passion for showing people how technology can make life easier and better. She understands that the world is driven by data today but privacy is paramount. Responsibly developed AI excites Philipa for the future.