Category: Professional Development

Tomorrow’s Jobs Today: Episode 1: Priya Keshav of Merudata Discusses Data Mapping

The inaugural webcast of Tomorrow’s Jobs Today: Wisdom and Career Advice From Thought Leaders in AI, big data, The Internet of Things, Privacy, and more. Host Rafael Moscatel picks the brains of business leaders throughout the world who are pioneering emerging technologies and leadership concepts across a variety of industries in both the public and private sectors to better understand the future of work and the incredible tools being developed to perform that work.

Full Transcript

Rafael Moscatel:

Priya, we’re going to talk a lot about data maps today, and you have a lot to show us there. But before you treat us to kind of the bells and whistles on your product, I do want to talk briefly about why you decided to start this business. You had an excellent position for one of the big four accounting firms, and you were doing some amazing work over there for them. So tell me: Why did you take this leap?

Priya Keshav:

Data is going to be one of the biggest risks for every enterprise in the next decade or so, and that’s broader than just cybersecurity risk. And most gender councils acknowledge this and are looking to build programs in-house to manage this proactively. I felt that most of the programs so far are consultant-driven, and there was a lack of products that supported these programs in a holistic manner. And I felt that there was a gap that perhaps we could address, so we founded Meru, and it’s been an excellent journey so far.

Rafael Moscatel:

So Priya, for some of our viewers that are very new to IT infrastructure and data maps, can you give us a basic definition of what a data map is?

Priya Keshav:

Yeah, it is a bird’s-eye view of all the data within the organization. For somebody who is trying to manage the risk around the data at a very high level, it provides all the details, in terms of the number of systems, where the data originated, how it flows. And you’re able to look at which systems are riskier, versus not. You’re able to understand the security controls that you have in place. So you can bring all of the information into one single place and take a look at it for various decision-making purposes, and that’s what the data map gives you.

Rafael Moscatel:

Now that you’ve told us exactly what a data map is, can you tell us a little bit more about why it’s important in today’s climate, with all of the privacy compliance exercises that companies need to undertake?

Priya Keshav:

The best way to explain this is with an elephant story that actually one of my mentors first told me. A bunch of blind men, who had never seen an elephant before, encountered an elephant. And they were experiencing this elephant in various ways, right? So somebody touched … One person touched the trunk. Somebody else was looking at the tail and obviously had a completely different description of what the elephant was. And somebody else was touching the body and had a very different description of the elephant. That’s true in most organizations. We are siloed.

We have a very good understanding of what we are doing with the data that we see and how we are using the data that we have, but it lacks perspective, and that’s what happens in most organizations. So you have perspectives. None of them are wrong, but the perspectives are limited, from a certain viewpoint. And what data map helps in cross-functional. So it brings collaboration. It helps in establishing true trust in data because now you have a true understanding of what is going on with your data. And it’s not just for compliance, though obviously, it gives you better control over compliance efforts. But it gives you, also, better visibility into your data.

The Worst They Can Say Is No

If my 88-year-old mother ever had a LinkedIn profile, her headline would read something like “Former ingenue, entrepreneur, dreamer, and the rest is none of your business, my dear.” But to those who’ve had the privilege to know her over the decades, her mantra has always been, quite emphatically, to treat everybody with dignity. That was one of the main reasons she was receptive to opportunity.

She began working from an early age and later helped my father through chiropractic school by working long hours as a Hollywood extra during the fifties and sixties. Though never seeking stardom, she knocked on enough doors to get a lot of good work, saved some seed money, and established relationships that would eventually transform her life. Mom leveraged her positive attitude and tough shell to find opportunities, sell her strengths, and laugh off rejection. “It’s no big deal,” she always told me as a kid when the chips were down and she says the same thing to me now.

Most importantly, and by example, Mom taught me that you should never feel afraid to negotiate a deal because the absolute worst “they,” a client, customer, or possible employer can say is… no.

Cover Reveal! Tomorrow’s Jobs Today: Wisdom and Career Advice from Thought Leaders in AI, Big Data, Blockchain, the Internet of Things, Privacy, and More

Next April 30th, JOHN HUNT PUBLISHING LIMITED will release our new book “Tomorrow’s Jobs Today: Wisdom and Career Advice from Thought Leaders in #AI, #BigData, #Blockchain, the #InternetofThings, #Privacy, and More.” Here’s the cover reveal! Tremendous thanks to the many visionary business leaders who contributed to the effort, including Michael Moon; Jones Lukose MBA, PhD; Ashish Gadnis; Katrina Miller Parrish; Anand Rao; Patrick “PC” Sweeney; Peggy Winton, CIP; Seth Williams; Nick Inglis, IGP, CIP, INFO; Ulrich Kampffmeyer; Gregory Steinhauer; John Isaza, Esq., FAI; Andy Watson; Priya Keshav; Kevin Gray; Amb-Dr. Oyedokun Ayodeji Oyewole FIIM, ERMS, RMEM, FIRMS; George Socha; Dux Raymond Sy; Markus Lindelow; April Dmytrenko, FAI, CRM; Douglas C. Williams; Mark Patrick, CIP; and Miguel Mairlot. Most of all to my co-author Abby Moscatel. Learn more about the #book at www.tomorrowsjobstoday.

Secrets of the Scrap Metal King of Albuquerque

The following is an exclusive excerpt from the book “Tomorrow’s Jobs Today: Wisdom and Career Advice from Thought Leaders in AI, Big Data, Blockchain, the Internet of Things, Privacy, and More” available soon from John Hunt Publishing.

The convergence of technology and the rule of law is expected to intensify over the coming years. It’s a paradigm shift that will force organizations of all sizes, private and public, across all verticals, to balance a world ripe with innovation with an evolving universe of risk and regulatory pressure. Employers and their workforces will be inclined to adapt to this dynamic new digital landscape in their personal and professional lives. Like every era before it, the individuals who lead the way will separate themselves from the pack by identifying, engaging in, and fostering the right opportunities wherever they reveal themselves. They understand that identifying gaps is one key to seizing those opportunities.

One of the most amusing success stories exemplifying this point comes from the first part of the twentieth century. It involves a weary soldier returning from World War I. As the story goes, the GI was tired but also thrilled to be alive after countless friends had been killed, and so much of the world he knew destroyed. He was discharged in California and put on a Pullman train packed with other vets traveling from San Francisco to the East Coast. Like his fellow soldiers, the young man enjoyed his share of spirits in the bar car, and by the time they crossed over into New Mexico, most of the train’s passengers were quite drunk. Naturally, overconsumption can lead to brawling, and that’s what occurred by early noon. He held his own for a while, but eventually, he was thrown from the caboose about 15 miles outside of Albuquerque. In those days, that was the middle of nowhere.

If that wasn’t bad enough, he only had enough money to buy himself a bus ticket to finish the last leg of the trip and maybe half a sandwich. Slightly drunk and out of luck, he began walking down the road parallel to the railroad towards town. As he sobered up along the path, he started noticing a lot of broken-down sedans, pickup trucks, and roadsters abandoned along the highway, likely having run out of gas. Remember, this was 1918, before GPS and call boxes, let alone gas stations… in the desert! Well, this young man thought a lot about those beat-up clunkers, and in between each one, as he made his way to civilization, he began thinking about what the vehicles represented. By the time he finally made it to town, he had come up with one hell of an idea.

Despite being parched and stinking to high heaven, he abandoned his plans to purchase a bus ticket and used what was left in his pocket to put a payment down on a tow truck. The next day he filled up the tank and set back along that road he’d traversed the afternoon before. Well, wouldn’t you know it? He picked up every darn one of those lonely jalopies and dragged them back to a lot he’d rented from the same lessor who extended him credit for the tow truck.

Less than a decade later, that GI was the third-largest scrap metal salesman in the Southwest United States. By the time he died, he was about the richest man in Albuquerque. He never quite made it home to Boston, but he did learn first-hand how your journey is often more enjoyable, and profitable, than arriving at your destination.

So, what are your broken-down jalopies? What are the business processes, products, or teams you see broken down and in need of repair or improvement around your organization or community? How can you, like that GI, turn a real crap situation into one that benefits not just you, but ultimately the world around you? Can you identify the gaps in between the stops along the way to your goals? Are you ready to seize the day? Are you thrilled to be alive like that weary soldier the day he was thrown from the train?

Rafael Moscatel, CIPM, CRM, IGP, is the Managing Director of Compliance and Privacy Partners. He has developed large-scale information management, privacy and digital transformation programs for Fortune 500 companies such as Paramount Pictures and Farmers Insurance. Contact him at www.capp-llc.com or follow him on Twitter @rafael_moscatel.

Beyond Unicorns: Educating, Classifying, and Certifying Business Data Scientists · Harvard Data Science Review

Abstract

There is increasing recognition that the data scientist ‘unicorn’—one who can master all the necessary skills of data science required by businesses—exists only rarely, if at all. Successful data science teams in business organizations, then, need to assemble people with a variety of different skills. This is only possible at scale with clear classification and certification of skills. While such certifications and classifications are in their early days, some firms are beginning to create them, and they are beginning to emerge in professional associations as well. Ideally, universities and other education providers and certifiers of data science skills would also employ standard skill classifications to communicate the skills they intend to inculcate.

Meeting Evolving Business Needs – A Conversation Between RIM Educators and Thought Leaders

Earlier this month I had the honor and privilege of speaking at the MERv conference with Dr. Gregory S. Hunter, Dr. Tao Jin, Dr. Patricia Franks, Rae Lynn Haliday, Cheryl Pederson, and Wendy McLain on the topic of Meeting Evolving Business Needs – A Conversation Between RIM Educators and Thought Leaders. In response to requests, below are some excerpts from my transcribed remarks.

Session Description: This special, two-part panel discussion facilitated by the ICRM will compare current academic curricula with the existing ICRM exam to identify gaps and areas of improvement for both academia and the ICRM. University Professors will discuss their programs and IG industry leaders will add perspective from the business world.

ON THE QUESTION OF WHAT DO MANY JOB SEEKERS STUDENTS WANT TO KNOW?…

It’s really a surreal time to be having a discussion about meeting evolving business needs, don’t you think? Of course, we’re doing this conference virtually for the first time, and pivoting towards presenting in this fashion is kind of representative of that evolution we’re here to talk about. You know, one thing I think Records and Information Governance professionals excel at, though, is supporting organizations through digital transformation initiatives, and I imagine the reason that so many companies are able to move forward at such an accelerated pace today, despite COVID, is because they’re already experienced in getting their records and information online. And I see more of that demand in the days and years ahead but also see significant risks.

But first I want to start this discussion with a sampling of questions shared with me by Tao Jin at LSU…. And I would assume it’s similar to the questions asked by students at some of the other schools with curriculums like LSU. Because I think part of framing this discussion is, you know, trying to understand what students and job seekers are actually asking as they consider these programs and navigating the job marketplace. And I’m not surprised that a majority of the questions shared here are related to emerging technologies.

I’ve had my own CRM designation about 7 years now and I can tell you the exam, and these University offerings go well beyond my original training which, at the time still focused primarily on micrographics, if you can imagine that. The exam has changed since then to address new technology and innovation. But that’s not entirely the role of the Records and Information Governance professional, is it? There are other important areas of course like management…. And I think the next panel will discuss that… But the one thing I want us ALL to think about today is this…. Are we generalists? Or are we specialists? I think it’s maybe a little bit of both…

And I think whatever direction individuals take, businesses are going to want their candidates to be well versed in emerging technologies as well as core ones, which we’re going to ask you about in just a moment.

ON LATEST TRENDS – INCREASED DIVERSIFICATION AND DEMAND…

We’ve all heard about job losses post-COVID, but I wanted to diverge from that headline for a moment and bring up what I see as some good news. And that is, from a career standpoint we are witnessing professionals with IG skillsets increasingly being tapped to lead technology upgrades, digital transformation projects, and cross-functional teams in a number of sectors. I think we’re seeing this trend for a lot of reasons. I’ve put an image up here from LinkedIn. It’s essentially a snapshot of a job search query. And I encourage you all to do this yourselves so you can see how diverse roles have become in just a short amount of time. It’s not surprising how much of today’s work and technology now requires a solid foundation in good recordkeeping, database, and systems design. And recruiters are looking for that education and experience.

ON LEADERSHIP OPPORTUNITIES AMIDST THE CONVERGENCE OF TECHNOLOGY AND REGULATORY PRESSURES…

Although it’s not yet mainstream in every business, we do know that Big Data, IoT, and other emerging technologies are certainly driving some of the need for IG professionals. But it’s also a desire to find talent that can integrate privacy, data governance, and other best practices into those technologies, isn’t it?

Specifically, with the convergence of technology and regulatory pressures, we are seeing a specialized need for the RIM or IG professional to come in and ensure that operations, risk, and long-range planning value data governance, and that decisions about data protect the organization and prepare it for the next wave of innovation…. That’s how we make the most impact, by tying together stakeholders, prioritizing goals, and helping the corporate culture as a whole recognize the value of these data-driven initiatives and our individual contributions to them. IG reflects the thirty-thousand-foot view of the business with the experience of having been in the weeds with risk, compliance, and internal audit of its moving parts.

Employers. Their executives… and their attorneys, they all realize this. And the headlines around ransomware, GDPR fines, they’ve all prompted companies to revisit and invest in the way they tackle their biggest challenges. They know that an additional layer of assurance just makes good business sense and that layer is made possible by the talent that understands and can implement IG, especially around data governance, right?

So, I think those that succeed are those that try in earnest to gain the respect of their IT counterparts. They demonstrate adequate knowledge of the toolsets they’re working with. It’s not that you need to know how to program or code per se, but you do need to know the vocabulary, the big concepts behind what is going on to get buy-in for your portion, and to exchange ideas efficiently.

ON MOVING FROM GATEKEEPER TO CHANGE AGENT…

My colleagues and I are convinced more each day that closely aligned with these new opportunities created by technology is the personnel function of change. And I don’t think that means IG pros give up their methodologies or best practices or risk-averse perspectives, but they do need to embrace the demands thrust upon them. They have to move from defense to offense.

I talk a lot about this in my new book, Tomorrow’s Jobs Today. Take a look at some of the job openings being put out there on LinkedIn, that I referenced earlier. In each job description, although it might not say Records Manager, you can pretty easily identify that recruiters and companies are looking to fill that type of role, or support the function in one way or another. Privacy Manager, Enterprise Project Lead, Risk Analyst, GRC consultant, etc.

And actually, groups like the ICRM, they play a critical role in communicating to employers exactly how their membership and certification programs deliver the competencies they need to drive new projects forward. But they need to understand. Ultimately, our role is no longer gatekeeper. Our role is part diplomat, part subject matter expert, part change agent. And I’d like to see educators start shaping those expectations with students and businesses as well.

Technology is the main driver of our evolving profession. And it’s not simply about document management and enterprise content management infrastructures, but now about AI, Blockchain, IoT. This is a direction that the MER conference has illustrated for years now. So, I think it’s imperative for educators and curriculums to offer primers on what a distributed ledger is, the basics of natural language processing, technical requirements of the GDPR, and similar topics.

Rafael Moscatel, CIPM, CRM, IGP, is the Managing Director of Compliance and Privacy Partners. He has developed large-scale information management, privacy, and digital transformation programs for Fortune 500 companies such as Paramount Pictures and Farmers Insurance. His latest book, Tomorrow’s Jobs Today, is available soon from John Hunt Publishing. Contact him at www.capp-llc.com or follow him on Twitter @rafael_moscatel.

AIIM Conference 2020 Keynote – Tomorrow’s Jobs Today – Rafael Moscatel

Full transcript below

Welcome to the AIIM 2020 Keynote Session Tomorrow’s Jobs Today, thinking beyond information management.

I’m Rafael Moscatel, I’m an AIIM member, and I’ve had the distinct pleasure of attending several of its thought leadership events over the past few years and had the opportunity to meet and become friends with many of you.

There isn’t much that could keep me away from an event like this, and I’m disappointed that I can’t be with you in Dallas, but I just became a father again, and it’s my first few weeks on the job. So I’m kind of afraid to ask for any time off yet!

Luckily, it’s a detail-oriented role, which is perfect because my background is in Compliance and Privacy, and I’ve spent most of my career building data governance programs for recognized brands like Paramount Pictures and Farmers Insurance.

But whether it’s a classic motion picture company or a premier insurance group, I’ve learned that my ultimate goal isn’t just managing risk but rather elevating Information Governance and being an integral part of the “mission” of whatever organization I’m a part of. For a film studio, that’s producing content, and entertaining your audience. For an insurance carrier, the goal is to protect people’s livelihoods and help us get back on our feet after a disaster.

So, whatever our organization’s mission might be, it’s imperative to connect “the what we do” to “the why we do it.” And that’s one of the wisest lessons I’ve learned from colleagues here at AIIM, like Michael Jay Moon, Dux Raymond Sy and some of the other leaders you have on the stage today.

It’s a big reason I wrote the book Tomorrow’s Jobs Today….

I interviewed almost two dozen trailblazing information management leaders in fields like AI, Blockchain, Big Data and Privacy from world-renowned organizations like Price Waterhouse Coopers, the International Criminal Court, and Iron Mountain to understand what their mission was and how they applied their unique skillsets in pursuit of that greater good.

The lessons I picked up in speaking with these folks should resonate with an information management professional. Despite their industry and diverse roles, three things stood out. First, they knew how to recognize an opportunity.

Take Ashish Gadnis of BanQu. Ashish grew up dirt poor on the streets of India, and following a life-changing experience in Africa, he developed a fantastic app that leverages the same technology behind Cryptocurrency, blockchain, to help the most deprived people and farmers in the world. By using his app, even if you’re in the last mile of a supply chain, you can establish your economic identity, better assert your value in society, and escape poverty. He saw the unequal gaps between significant brands, middle-men, and farmers on a supply chain and decided to transform those gaps into opportunities.

The second lesson I learned is also a timeless one but also speaks directly to the challenges of the information age and our digital deluge. It’s Less is More. We learned from pioneers like George Socha of BDO and the EDRM that particular strategy is relevant not merely in disciplines and concepts like eDiscovery, and privacy-by-design, but how you approach your career. To be strategically selective with our words, our actions and our expectations runs contrary to the human nature of a large segment of the workforce and consumers. It’s also what makes you stand out.

Finally, coming full circle, the most important lesson I learned from all of the individuals I interviewed, and that was that Relationships Matter. Enjoying and being enriched by professional relationships is above and beyond the greatest gift you can give your career. Relationship building is, has always been and will always be, the most critical skill and strategy we should practice and master.

Now, I know it’s going to be many years before my youngest enters the workforce, and jobs are going to look a lot different, but I know the valuable lessons and wisdom that have guided me in my career and exemplified by the biographies in my book will still be around.

Because although the set decorations can be changed, and the actors, and the price of insuring your most valuable assets, what stays the same is the power you have over your destiny. I know that statement’s true because I just spent a year documenting the success stories of those who swear by it.

As working professionals in the Information Age, we must strive to recognize and even anticipate emerging technological trends. But seizing upon those opportunities is possible when we choose to partner with change agents who share our vision and can work with us to transform our enterprises. We must reach beyond our teams or spheres of influence and work closely with the legal, regulatory, and ethical communities that study, measure, and moderate the impact of our technology and products on our respective fields. We need to plan and develop ourselves with a deep respect for the world that our products and services impact.

By absorbing the perspectives, challenges, and solutions of those deeply in love with and accomplished in these new careers, we can help ourselves, our friends, and our employees transform anxiety over a job search, job loss, or just the winds of change into hope, understanding, and opportunity.

As you look ahead to your career over the next year, think back to the dreams you had as a kid. And think about how every one of us is in the business of making new dreams and opportunities come true for the next generation. Because if we don’t, they’ll never leave the house.

Thanks to each of you at AIIM for inspiring me in my own career. You can find out more about your colleagues in this book by going to tomorrow’s jobs today dot com where we’ll be publishing excerpts and updates about the book, and now I’ll turn it back to you Peggy and four visionaries who exemplify some of the best qualities our AIIM community has to offer.

Compliance and Privacy Partners and Ethikos to Speak at the 2020 MER Conference in Chicago

The 2020 MER Conference Agenda has been announced and conference registration is now available.

This year’s conference takes place May 4-6th in Chicago and features Information Governance sessions on Privacy, eDiscovery, Data Remediation, emerging technologies, and operational best practices from the industry’s leading experts, along with the experiences of knowledgeable practitioners.

Compliance and Privacy Partners is participating in two sessions this year:

Using Information Governance with a Privacy Compliance Plan as the Fulcrum for Data Privacy and Compliance – Monday, May 4, 2020, 2:10 – 3:00pm

Tackling data privacy and maintaining consumer trust is harder than ever, especially with the sheer amount of information you need to manage and with constantly evolving privacy laws (CCPA, GDPR, etc) moving the goalposts. The usual checkbox compliance, ad-hoc governance, and reactive information security policies will fail, if they haven’t already, and create too much organizational risk. To achieve a state of consistent compliance and minimize corporate risk you must provide three things to your business: transparent governance, frictionless security, and continuous validation. To provide these things, you must build a strong information governance framework and privacy compliance plan to succeed.

Meeting Evolving Business Needs – A Conversation Between RIM Educators and Thought Leaders – Tuesday, May 5, 2020, 11:45am – 12:35pm

This special, two-part panel discussion facilitated by the ICRM will compare current academic curricula with the existing ICRM exam to identify gaps and areas of improvement for both academia and the ICRM. University Professors will discuss their programs and IG industry leaders will add perspective from the business world. There will be ample time for members of the audience to share their thoughts as well. It is time to close any gaps between what is taught at the university level and what is needed in the world of business. More effective preparation of the next generation of IG professionals will benefit all organizations that depend on these practitioners to address the business opportunities and challenges of the future, and it will provide more fulfilling careers for those emerging from school into the world of business.

Also, our partners at Ethikos will be coming all the way from Brussels to present on GDPR.

GDPR – Two Years On – Monday, May 4, 2020, 12:50 – 1:40pm

The GDPR will celebrate its second anniversary on 25 May 2020 – a good time for US companies impacted by this regulation to understand what they should expect in the coming months.  In this presentation, Legal professionals working in Europe will discuss how the GDPR has been enforced so far in Europe, what the regulators’ future direction might be, and the key areas US organizations will need to focus on in the coming months. Is there a higher risk of enforcement on the horizon? What is the level of privacy awareness among Internet users, consumers and individuals in Europe? Should US organizations that collect and process personal data of EU data subjects be worried about these regulatory trends?

Meeting Evolving Business Needs: A Conversation Between RIM Educators and Thought Leaders

ICRM will not only conduct their spring Board and Business meetings at the MER Conference next May in Chicago, but will also facilitate a panel discussion  “Meeting Evolving Business Needs: A Conversation Between RIM Educators and Thought Leaders.” 

The panel of experts includes: John Isaza, Esq, FAI, Rafael Moscatel, CRM, IGP, CIPM, and Wendy McLain, MLIS, CRM. The panel of Academic Partners includes: Patricia Franks, Ph.D, CRM, CA, IGP – San Jose State University; Gregory S. Hunter, Ph.D, CA, CRM, FSAA – Long Island University, Palmer School of Library and Information Science; and Tao Jin, Ph.D – Louisiana State University, School of Library and Information Science.

The desired outcome is to expand and nurture an ongoing and productive dialogue between our profession and academic institutions to ensure graduates are well prepared to fill current and future positions in key areas of Records and Information Management (RIM) and Information Governance (IG). If interested in joining us at the MER Conference, go to their website and register for the conference: https://www.merconference.com/

Say Hello To Pika, The Privacy Pup!

Compliance & Privacy Partners provides smart and affordable privacy compliance, data governance and risk-management solutions designed to help organizations build privacy programs, assess, manage and remediate risks and demonstrate defensible compliance. We offer and support a variety of data privacy management platforms which include data subject fulfillment workflows, records and PI inventory management, vendor assessment and policy adherence tools, privacy impact assessments, file analysis projects and records retention enforcement.

Click here to take charge of your data challenges by contacting us today for a free consultation. We offer free 1-hour IG and CCPA workshops for interested companies.

Making The Most Out of A Retention Schedule – A New 7-Minute Master Series from CAPP

A Records Retention Schedule is a TOOL that EMPOWERS organizations to GOVERN and DEFENSIBLY DISPOSE of their information.

Records retention is first and foremost about complying with laws and regulations. However, a retention schedule, when properly developed and utilized, is not simply a tool that tells you how long you must keep (or when to destroy) your records; it is a blueprint that provides powerful insight into the information lifecycle and knowledge management capabilities of your company as a whole. It saves you money on storage and helps shape the way you curate your information enterprise-wide.

OUR RETENTION SCHEDULES:

Serve as a primary tool for ensuring records compliance with federal, state, local laws, regulations and business requirements
Identify business continuity records
Document all records categories, records formats, systems of record, retention requirements and data classifications
Can be updated automatically and integrate with IT infrastructure

Reach out to us today to schedule a free consultation at 323-413-7432

Reflections on IAPP’s Privacy.Security.Risk. Conference 2019

By Rafael Moscatel, Certified Information Privacy Manager (CIPM)

HEY BOSS, LOOKS LIKE PRIVACY IS KIND OF A BIG DEAL NOW

IAPP’s Privacy.Security.Risk. Conference 2019 took place in Las Vegas over four days at the end of September and was attended by more than 2000 attendees hailing from all over the United States as well as a number of countries. The Fortune 500 was well represented, but I also met a number of other astute organizations and took a tour of the industry’s big vendors on the showroom floor. Although I live-tweeted the event, I’d been waiting to share my complete thoughts until after I passed my CIPM exam, which I did just a couple days ago. More on that later…

THE FIELD OF INFORMATION MANAGEMENT CONFERENCES GROWS MORE CROWDED

First, as a Certified Records Manager (CRM) and Information Governance Professional (IGP), I’ve been to and spoken at my share of conferences touching on best practices for information management, privacy, security and content. What made this one different? Well, besides how well the conference was organized and the venue, The Cosmopolitan, almost all of the workshops were just first-rate, chock-full of real, take-home, targeted content and timely. The vast majority of the presenters were seasoned and even the first-timers made the grade. Here we are on the heels of one of the biggest new privacy laws, the California Consumer Privacy Act, and these sessions were speaking directly to its attendees on how to take specific action and plan for additional state directives. The education aspect and sales piece blended well, with technology complementing best practices and not the other way around. And the conference also left me with a lot of questions…

DO WE HAVE THE RIGHT TO BE FORGOTTEN?

I didn’t attend the training sessions on the first two days but made it to the opening keynote by former Chairman of the FCC, Tom Wheeler, who gave the audience a 30,000-foot view and shared thoughts from his new book, From Gutenberg to Google. It was a great way to set the tone for the conference, and then it was followed up by Janelle Shane, who focused on rudimentary examples of AI but didn’t really connect her topic that well to Privacy. Nonetheless, it was an interesting takeaway. However, my favorite keynote came in the form of a play by Sharyn Rothstein and directed by Seema Sueko entitled The Right To Be Forgotten. The play examined a concept that we find in Europe but which still hasn’t taken hold in the States. It follows the impact of a young man’s juvenile mistakes and how they follow him around as he gets older, impacting his reputation and his life.

IS THERE A PLACE FOR DIGITAL ETHICS?

I know a number of people who have been personally affected by the internet, both by their own doing and also unfairly, and so this was a terrific way of introducing these challenges to the audience. The problem was that the rest of the conference didn’t really touch on this topic because it was more focused on CCPA and the corporate aspects of privacy program implementation. That’s fine but it left me wondering if in the United States we’re really where we need to be on the privacy front. We seem to only be focused on the issue from a data protection standpoint rather than an ethical one, whereas GDPR and other parts of the world take a more holistic view. Yes, we have HIPAA and the Children’s Online Privacy Protection Act (COPPA) but it feels like many of our laws are still really about breaches and liability and not about the value of privacy.

The conundrum seems to be that while we’re moving, as industries, toward a business culture of privacy, our culture as a whole is moving in the opposite direction, away from arm’s-length communication and behavior and towards oversharing and a lack of discrepancy. How do these two worlds exist? We know that hackers are now using personal information voluntarily shared with the world to design more sophisticated phishing attacks and deep fakes. We know that thieves use location and vacation information shared through social media to know when you’re home and plan robberies. And despite all of these controls supposedly put in place around the world, we continue to give more of our personal information away, which ends up being held as ransom against our companies. Yes, we know we have to share this information to enjoy convenience and in many cases now, to simply survive and get daily errands completed, but it still feels like digital Sisyphus. In the age of the personal brand, are there even any private people around anymore? What good is all of this data protection if society as a whole has given up on the ethics of privacy? Besides the play at the conference and some of the discussions around children’s privacy, I didn’t see much of a discussion here, but perhaps it wasn’t the venue. I recently had a discussion with noted Data Privacy Professor Anita Allen, who wrote the first casebook on privacy law, on these ethical aspects of privacy that will soon be available in my book, Tomorrow’s Jobs Today.

THE RISE OF THE MACHINES

So, full disclosure, I work with a few vendors in the privacy space but my thoughts on privacy vendors are not influenced by those relationships. I saw some amazing products at P.S.C.19.  The products seem to be maturing and there is a lot of venture funding going into developing large enterprise scale platforms that do an A to Z job in addressing GDPR and CCPA. There are a couple big players in the business and the industry should be grateful for their sponsorship of conferences like this and generally moving the ball forward in terms of conversations around privacy.

What I’m seeing is a lot of enterprise product that is designed specifically for large organizations and a lot of file analysis, enterprise architecture and other similar companies trying to adapt their solutions to solve the problem. The problem is that the problem is constantly evolving and despite a pretty clear prescription in the CCPA legislation, I just don’t think one size fits all. Especially if you’re looking at a capital investment to check a compliance box that might be covered in a more strategic manner. Let me explain…

I had the pleasure of sitting with a team of folks from a major multinational and a peer and I questioned them about their approach to CCPA. It was pretty impressive. They had half a dozen folks attending the conference from a number of their offices. They had hired an industry leader to implement their program. So lots of investment, lots of buy-in, and it was proportional because their size makes them a natural target for a regulator. One of the more amusing partners in the group casually replied to me after I asked if they were ready by saying, “Yeah, but I’m going to be really pissed if we did all this work and don’t even get one request!” That’s of course what a lot of organizations realized following the GDPR, where the flood of data subject requests turned out to be a trickle. So, despite their aversion to risk and likely thorough, appropriate strategy, I still wonder if it’s right for everybody. What about the companies with a smaller footprint and much smaller budget? Does it make sense to have an omnibus-like enterprise product, with dozens of APIs and infrastructure demands, take over a section of your IT department?

WHAT ABOUT STRATEGY?

Here’s the truth about privacy programs and tools. There’s no silver bullet. Dumping a ton of money into an existing IT or Records Management program or hiring a team of half a dozen twenty-six-year-old MBAs from one of the big four to turn your enterprise upside down (yes, I’ve seen that) is not even close to a smart information governance strategy. Unfortunately, this is the first time many organizations have had to take a close look at their information and records management programs. In many cases, especially with regulated industries, information management has played a role in meeting regulatory and audit demands but it wasn’t necessarily center stage the way it is now. Many companies have a retention schedule or policy but were probably over-retaining a lot of their data and not taking action on some of the other aspects of it like data classification until the privacy movement came along.

Data Protection Impact Assessment with CAPP using LogicGate

Privacy-centric records management is basically the ideal Information Governance project or initiative. That’s because to accomplish privacy goals, companies need to not simply revise policies, they need to holistically understand how those policies work with other areas of their business like data security and records management. Fortunately, a lot of the groundwork has already been in place at many organizations, specifically in Finance and Health, in order to integrate a privacy-centric framework. If it has been performed you should also complement it with a DPIA or Privacy Impact Assessment.

That said, how do you get the most value out of the technology you implement? I think you do that by having the types of conversations that allow the best minds in your organization to become stakeholders in the ultimate solution. Before you buy product, you need to survey your landscape. It may be that you need a privacy program and privacy protections for your consumers, employees and vendors but your data subject requests are not so cumbersome that you require an overhaul of your inventory and integrations.

Can you use an Enterprise Architecture and data mapping tool in concert with a separate data subject request tool instead of automating everything? Maybe. Consider the investment and time that might go into continuously monitoring a complicated, heavily API-dependent and seldom-used privacy tool. Might that effort be better put into maintaining an EA tool that not only supports the mapping requirements of data privacy legislation but also supports other areas of the IT business? Don’t we want our organizations to be agile and be able to swap-in and swap-out tools as needed? Do we really want to tie an entire business process to one solution? Haven’t we learned anything from our legacy mainframe days? Remember how hard it was, and is, to untangle ourselves from those.

Mapping Data for GDPR with CAPP in Ardoq

I’m not saying that an enterprise-wide product isn’t right for large organizations with a lot of risk and endpoint exposure. I just believe that companies need to consider the process as a whole and take their time building these programs. Although California may serve as the baseline, we still don’t know what the rest of the States will do or what the future brings.

BEING A NEWLY MINTED CIPM

I can’t comment on the substance of the exam as I’m prohibited from doing so by the agreement I signed. What I can say is that, like most designations, the value I find is not necessarily in the certification as much as the legwork and study necessary to achieve it. The reward is in the knowledge you acquire along the way, not just the medal you get at the finish line. If you check out the publicly available study materials and Body of Knowledge (BOK) available on the IAPP site you’ll see that it looks very much like the protocol of other information management organizations.

My belief though is that this BOK is evolved precisely because it’s privacy-centric. It covers many areas familiar to IG and Data Privacy disciplines but it is much more a holistic model and prescription than I’ve ever seen. It’s one of the reasons I’m so impressed with the IAPP.

THE RACE JOURNEY BEGINS

I came back from meeting with data privacy officials and business people in Brussels in 2018 knowing that Privacy was going to change the world. It’s one of the reasons I decided to engage more fully in it professionally. I’ll be spending more time talking about my journey towards privacy and speaking about the CCPA and related issues over the coming months and in my new book which should be available early next year. The concept of privacy is not just important for data protection and to check a compliance box, it’s important because it affects the lives of our colleagues, our friends, our children, our parents and pretty much everything around us. We need to not only protect our data but we need to value it and teach others to value theirs and that’s what I’m dedicated to.

I’m available for consulting opportunities and interviews and would love to discuss your corporate challenges. Feel free to contact me at rafael@capp-llc.com to schedule a free two-hour workshop or just give me a buzz at 323-413-7432.