Discussing Stupid
May 9, 2018

Being a HERO with your customer’s data (and understanding what you have) | Liam Cleary, SharePlicity & Rencore

Since Virgil knew you couldn’t get enough about good data practice regulations, he decided to do another episode on GDPR . . . yay! Where Episode 2 dealt with the collection of private data, this Episode focuses on how you handle your customer’s private data after you collect it. To assist him in telling this exciting story, Virgil recruited his long-time friend Liam Cleary. Liam is a well-respected data security expert. Liam applies his expertise in both his own consultancy, SharePlicity, and as the Security Product Owner for Rencore. Liam also spends a significant amount of time in the world of hacking . . . teaching people how to protect their own data from being hacked (wink, wink).

During this enlightening discussion, Virgil and Liam discuss the bigger problem in the way we handle customer data, that is, do we actually know where it goes? According to Liam, "One of the key things to focus on regarding GDPR is to make sure you understand how the data moves around and really how it integrates in other applications and systems that you might utilize it in." Take a customer's email as one example; you can forward it in an email, add it to a CRM, put it in an order tracking system, or add it to your email subscription list. But, can you find all of that customer's data and know how to remove it if you receive a request to do so? Virgil and Liam also discuss the importance of good processes and procedures and some of the realities around the effort it takes to be compliant.

If you care about your customer's private data once you have it, then you might want to give a listen.

Resources discussed:

Transcript

Intro (00:00):
Note: this podcast does not discuss nor endorse the idea of discussing stupid ideas, because we all know there are no stupid ideas.

Intro (00:14):
Hello and welcome to discussing stupid, the podcast where we will tackle everything digitally stupid from stupid users and the crazy things they do to stupid practices and the people who use them. We'll explore the stupid things we all do and maybe even come up with a few ideas on how to do things better. And now that I got your attention, let's start discussing stupid.

Virgil Carroll (00:41):
Hello everybody and welcome back to the broadcast of the podcast. I'm Virgil Carroll, the principal human solutions architect at High Monkey and your host. So with GDPR starting right around the corner, I figured we would continue on with that theme as we did in episode two and talk about it from a little bit different perspective. For those of you that have not had a chance to listen to episode two, we talked about it from the perspective of how you actually do things on your website and some of the things you need to think of from the customer-facing side. Now we're going to talk a little bit more about GDPR and how you handle that data once you receive it, and some of the things you need to do in the practices behind the scenes, because there are a lot of requirements out there in the GDPR and it's very important for you to understand that, because if you don't, that's probably where you're going to get nailed first: your mishandling of this personal data. So today, joining me is Liam Cleary. He's the associate director and solution architect at Protiviti and probably one of the foremost experts I know in the world of cybersecurity. So I thought I'd bring Liam along and we could have a little chat about GDPR and really your data.

Virgil Carroll (01:55):
Hi Liam. Thanks for joining us. Why don't we start out by introducing yourself, telling us a little bit about who you are and why you actually have any experience in the world of data privacy.

Liam Cleary (02:06):
OK, that's a good question too. So, Liam Cleary, originally from the UK, moved to the US about eight years ago. Originally worked in a large consulting firm, then moved here, took a job at a smaller company and then kind of grew into working at Protiviti now as one of their architects. I kind of focus really on SharePoint and Office 365, but around security more than anything else. That's kind of been one of my areas; that stemmed from me being in the security team and stuff in my last job and kind of working my way through there. Yeah, I blog about security all the time. I work with clients and we talk about things like that. So from the data privacy side, I also like to hack things too, so I kind of have to understand both sides: what should you do, and then what shouldn't you do, and then how do you get around there?

Virgil Carroll (02:48):
Yeah. So like I mentioned in the introduction, I've known you for quite a while, so this is probably the most formal discussion I've ever had.

Liam Cleary (02:56):
I actually feel uncomfortable now.

Virgil Carroll (03:00):
Yeah. You know, the GDPR is literally going to be out in just a couple of weeks, probably, from when this episode broadcasts. You know, I spent some time talking with David Komarek from Kentico Software about, from a public website side, what we need to think of for data privacy from that side and how the GDPR really affects that. I think one of the interesting things I'd really like to talk to you about is looking at the other side, not only our internal data but what happens after. So we've collected all this information about people and their personas and everything about them. What are some of the things that you're seeing, and you're talking to your clients about, from that privacy perspective, that they need to start thinking about?

Liam Cleary (03:41):
I think the first thing is I've seen lots of clients where they're really worried about GDPR, but then they're not quite sure what that really means. They're kind of unsure as to how it's going to affect them. Like, what's going to happen? Does the data that I actually have even count? And that's the first thing. One of the first things that we tend to find is these people don't know where the data is. They don't know what they have. They think that their privacy data, their PII data, is in that system over there, but in reality it could be in 27 different places, and so they spend a lot of time focusing on that one application and misunderstanding that the data is copied everywhere. Even your C drive, because people still store stuff there. So they have this data all over the place that they're worried about, but they don't know how to get to it. They don't know what to do, and so most of the time people have sat on webinars, read blog posts about technologies that can fix that, but in reality that doesn't fix that, because they have to understand first where the data is, how it's been classified, how it's been used. Because GDPR requirements dictate that. You need to be able to say, for example, to you: I have your data, Virgil. This is where I have it. This is where it's gone, that's why we use it and that's how we use it. And then, am I okay to use it? It's that kind of process.

Liam Cleary (05:00):
So what kind of data does Protiviti have of mine? Well, I'm not talking on behalf of Protiviti. I may have lots of information about you, but GDPR doesn't cover that.

Virgil Carroll (05:09):
You know, when you say that, it's such a mind-boggling thing when we think about how data is out there. I mean, you know, how many times have you received something about somebody, a client or a person or whatever, and you forwarded it to somebody else, and now that's a data chain. So the big question is, whether you're doing this out in the public world or you're doing this as some type of internal customer process or whatever it is, how do you even start that? You say find where your data is. How do people even do that?

Liam Cleary (05:39):
That's the hardest task. The hardest task is how do you find everything that you've got. And so, will you rely on the fact that the vendors of those applications provide you a mechanism to be able to find data? So you know, if you're using SAP or ServiceNow or something else, you expect that there's a service you can use and say, I need to find everything about Liam, show me where it is. But then the internal processes, that is the much more complicated part, you know. How do you find the data on Liam that was sent, like you said, through emails? How do you find the stuff that's been stored in the shadow IT Dropbox account that no one knows you have? How do you find that? And so there are tools available. It becomes a technology story. It means you're able to use things like data loss prevention tools that you can plug in and say, I want to scan this, this, this, this, and find all that information, because you can't 100 percent comply with any of the GDPR rulings unless you know where it is first. Just pleading ignorance and going, I don't know, it could be anywhere, that won't help you, because in the event of something happening, they will mandate that you have to find that information in the first place.

Virgil Carroll (06:44):
Yeah, I think that's one of the big things I see. I mean, people just in general probably don't know where data is. Now you start taking it up to the business level, and these people just push things all the time and collect and move and all that kind of stuff. What's in our CRM, what's in our, you know, websites, what's in all these different pieces there. And I think that's the real big challenge, and I think that's going to be, in my opinion, if somebody actually gets gone after right away by one of the European Union countries, that's where they're going to fall down. And so let's just say the scenario is that we're not really sure. What are some of the other things that we should do? And one of the things I specifically want to talk about is going forward, because to me, and I realize how it's written, but overall you always have that question of how much can you enforce a law that you put in place for things that happened before that law was in place, and they talk about how everybody needs to get up to speed for the GDPR. So can they really come back and say, well, you did this 10 years ago, we're going to fine you because of something you did 10 years ago, versus going forward? So I think part of this is that next data level, what we're doing going forward. And what are you seeing around a lot of your clients' systems, and how are you helping them prepare to be able to take that step forward, that now we're actually doing things correctly?

Liam Cleary (08:10):
I mean, the first thing that's going to be interesting to see is, like you said, what happens on that deadline. Like on May the 25th, what's going to happen? Well, nothing. It'll be enforced, but nothing's going to happen. You're not suddenly going to wake up and suddenly get landed with a fine, because how are they going to know? Nobody would ever know. But what's going to happen is there will be some instances where that will happen. Like, for example, my personal opinion is one of the big boys will get hit with something just to show that GDPR can be enforced, but realistically for someone like me and you, as a smaller company, for example, it's not going to happen. But we still need to be prepared for it, for that instance. And it's not that the European Union or any of those commissions would come after you. It would be a regular Joe Bloggs. It would be me. So I'm one of these GDPR people, because I'm not a US citizen. I'm a European Union citizen, so a UK citizen. So GDPR, for me, is to protect my privacy and my data, and so I could, if I wanted to, come and say, you know, in six months' time when GDPR kicks in, I could come back and say, hey Protiviti, I want you to show me everything that you have on me, because that's my right as part of this process. I can ask, and then if it wasn't satisfactory or they couldn't provide me with the information, then I can make that GDPR filing, a complaint. So that's the bit you're not going to be able to cater for, because you don't know what's going to happen. But to cater for it and plan for it, you have to at least, as a minimum, have policies and procedures defined for those things. So Microsoft has done a great job for this. So in the Compliance Manager piece that they've now released for their Office 365 and Azure stack, they have all of the controls that Microsoft have done to become GDPR compliant.
And then you have the section that's your responsibility, because just because you're using somebody else's service doesn't mean you become GDPR compliant, and the Microsoft cloud is one of those things where often people think they just are, but they're not. But when you look at the policies and the controls that are left, they require you to do something. It doesn't necessarily mean you have to buy a new platform or put new security policies in place or whatever else; it means you have to document what's in scope and what's out of scope. So: we require this information legitimately. This is what will happen when somebody requests that information. So in the event of something happening, you have documentation and a policy and procedure to present back to say, we don't have technology in place because we didn't have anything, but we have a policy and procedure that determines that, as a business, this is how we use that data. And that's the key. Policies and procedures of how you handle something is really what's needed. That's the key thing right now. By all means, go and buy all the technology to do whatever you want, but if you don't have a policy and procedure wrapped around that, in the event of something happening, the technology is not going to help you.

Virgil Carroll (11:05):
Yeah, and I think you bring up a good point, because one of the things I see, especially when you look at this from a business side, is really the fact that so many organizations use third-party providers, third-party tools, third-party applications, systems like 365 and that kind of stuff, to provide them some type of something for their business. You know, you look at the traditional marketing world and you look at the Marketos of the world and all these marketing automation systems. You look at more of the content aggregation systems. You look at maybe I'm running my server up inside an Azure VM instance or something like that. You have all these different pieces that go through there, and you look at it and say, well, it's not only about where your data is, it's also who has access to it. Because let's be honest, there is a truth in that, you know, if you have something in Azure, technically anybody in Azure, or anybody who works for the Azure team, could, if they wanted to, gain some level of access to that. But that's kind of the fact. I mean, if you go with a Marketo and you need support from Marketo, they don't give you support by saying, well, we can't see any of your stuff, we can't work with it, the system is just sitting there. They can actually, to a certain extent, gain access. So when you accept their terms of service, you're giving them permission, basically saying, hey, we trust you. But GDPR is actually taking that up another level. When we start working with third-party systems, we actually have to manage them as a data partner and actually make sure that whatever compliance we have, they need to be following as well, or doing better.

Liam Cleary (12:38):
Yeah, that's right. And so that's where it comes into the controller and the processor idea, which is part of GDPR. That, you know, Microsoft, the controller, because they still have the information, but it's still you, but then Microsoft is also the processor. And so especially when you have subcontractors, other vendors in that space too, you have to make sure that you guys have your bit, we have to have our bit, and then you, as the owner of the content, need to know exactly what that other partner, that other vendor, is doing with the data. Because when I request that and say, where's my data gone, you need to be able to prove to me and show me where that went and how that data was used. So you know, the whole idea of somebody buying a mailing list of email addresses and selling it on and selling it on, this will hopefully mitigate some of that, because there's an auditable trail, and there should be an auditable trail of what took place. So I did this, I gave my consent to give that to Virgil, Virgil then passed it on to whatever, and this is what happened. And as long as we have that trail and the audit to go with it and you can prove that this is what happened, then you'll be fine. But it's when you can't, which is right now. Like, now we have no idea. Like I have no idea what stuff's been used, what's not. We have no idea. So that's one of the key things to focus on with GDPR: making sure you understand how that data moves around and really how it integrates in other applications and systems that you might utilize too.

Virgil Carroll (14:04):
Yeah, and I think one of the things that a lot of people have to consider from that side is not only about knowing the path, but why you would maybe be called up because of the compliance in the first place. And I think you brought it up, you said about one of the big boys, and I realize you didn't want to say any names, but to clarify for everybody listening, you know, we're talking about the Microsofts, the Googles, the Facebooks, the Snapchats, all these ones that are massive content aggregators and have tons of information about us, and that's really what we're talking about. But from that side you look at it: why is somebody, an EU citizen, going to go to their country's GDPR office and file a request for that information, or go to you and file it, and then file a complaint on that? It's probably not because I love you and think you're awesome. It's going to be because I have some kind of issue. And I think Facebook, I'm unbelievably curious to see what happens in May with Facebook.

Liam Cleary (15:03):
They may be the first one.

Virgil Carroll (15:04):
They may be the first one

Liam Cleary (15:05):
Just maybe. We don't know for sure.

Virgil Carroll (15:07):
We've had this big thing, but even from a company standpoint, if you're a company that has a public image, and you're a company that had this customer that's disgruntled or anything like that, you really do have this opportunity where somebody is going to say, hey, I want to see all my data, and what are you going to do from that? And you look at the nature of our world today and frankly, you know, we use technology to get back at other people on a very regular basis. And so one of the things I think is going to also be interesting about the GDPR is how many challenges it gets right up front as well, because people are using it to try and damage the reputation of somebody else. The other thing that I think is very interesting from that, and I'd be curious of your opinion on this, is I feel like the one thing that GDPR does is it does a lot of protections, but it's also taking away anybody's personal responsibility. It's basically saying, do what you want with your own data. Everybody else has to worry about it once you give it to them.

Liam Cleary (16:04):
Yeah, I mean it kind of does do that. I mean, I suppose if you flip it the other way around, the purpose of the GDPR is for the protection of privacy of the individual, so it's you, it's you and me. It's my protection, and that's based on the risk that's associated to that information if it was to be leaked or used in some other way. That's what it comes down to, and it's very specific language around risk, especially if it's children, for example. They have very specific language around content that's children's and the risk that's associated to that. And so when it comes to that, it is really about us. It's not meant to be nice and pleasant to the organizations that have to store that information, because in the past, as we know, I mean just based on the news right now, you can see that the privacy of the individual has always been left as the last thing. That by the very nature of you wanting to use the service, it's: we've got access to everything now, and whether you like it or not, that's what happens. And so you know that from the European Union, and if we take some specific countries in there, so take Germany for example, their policies and procedures and rulings are very, very strict, and so there had to be a change, because no longer do people in Germany just work with people in Germany. They work with countries all over the place, and so now it becomes much more complicated to say, well, if I am storing that information then, you know, you have to make sure it's done. But there's still wiggle room in the GDPR. So for example, I used a real-world example the other day on a webinar that I gave with Fitz (Mike Fitzmaurice, a friend of Liam's) and we talked about GDPR, and I said, think of the logic here. You apply for a credit card. So you call up the bank and you say, I would like a credit card. And they say yes. And they say we need to do a check on you.
And you say no. Where does that leave you? You can't really get a credit card now, and then you're like, well, because you declined your consent, and you're like, well no, that's really silly, because I wanted the credit card. So that consent is no longer yours, because under what's called a legitimate interest in GDPR, I can overrule that as the bank and say, well, in the legitimate interest of our business and for what you wanted, I don't need your consent to do something with that data, which is handed off to the next place, to Experian or whatever else, to get a credit check and then make a decision, because it's the legitimate interest of you and me, as the organization and as the end user. So there's still wiggle room in there to be able to, not necessarily circumvent it, but to make sure that somebody isn't just being a bit of a turd really and saying, no, you can't do anything. I mean, think of the logic: I want to be forgotten, but I still want access. Fundamentally flawed in that logic. So there's still provisions in there for you as a company, as an organization, as a global entity, to have some control over what happens, and you just need to provide a mechanism to say, this is what's going to happen.

Virgil Carroll (19:00):
Yeah, I just did a report for one of my educational clients, and part of that was about a contact form. So you have a contact form. Somebody fills out that contact form. The purpose for that is so you can contact me, not so that you can market to me, not so that you can do all that other stuff. But one of the things they were concerned about was, well, what happens if that contact turns into a prospective student who actually starts filling out an application and all that kind of stuff? That's when that legitimate business reason comes into play, and as I interpreted it, they're no longer really required by the GDPR to be as responsible per se. But the other thing I think that brought up, too, is, you know, this is an educational institution that's funded by the US government, or by a state government in that particular thing, but it's a US-based government entity being held to task by another government entity in another country, or in the entire European Union. And I think that to me is going to be one of the more interesting scenarios, because I actually did a lot of research and I tried to find one instance of where anybody had ever sued a US-based government entity, and besides maybe some of the things with the federal government, that just doesn't happen. And so where I went to that client, I said, okay, the chances that anybody's ever going to come after you are probably next to none. The chances that the GDPR could actually enforce anything against you, that could just be, in my mind, sheer entertainment to watch, and say, we're going to hold you accountable to our stuff over here, because we have a kid from the Netherlands that decided to apply to school at your college. But at the same time I said, take it as a good practice if you want to show yourself as being a responsible member of society. These are things that you can do to actually help people understand your data. But overall, from that side it is.
To me, I feel like where you're hearing a lot of it, in the US especially, is it's this really significant change that maybe doesn't have a lot of impact on us, but there are a lot of organizations that want to make money off it. Therefore they send you these emails and they have all these webinars where it's like, if you don't get that done, you are doomed. And I get a lot of clients that come and say, are we doomed? Then I say, well, you actually sell only to the state of Minnesota, so no. But if you happen to start selling over there, you're going to have to comply with those. But I also have clients that have headquarters, you know, near me, that have offices all around the world, and that's very different, and I think that's going to be one of the bigger things to see. And one of the more interesting things is when, frankly, some country-based organization actually comes after somebody in another country, to see how that plays out. Because the US obviously doesn't have a lot of data privacy rules, but we do have,

Liam Cleary (21:48):
yeah, privacy. I mean, you have your own. We have our own privacy rules.

Virgil Carroll (21:51):
So it's going to be interesting to see how that all goes from there. But I think, you know, circling back to what you can do about it, we talked about where you start, but once you understand that path, where do you go from there? So now I understand where all this data is, and now I need to set up something where, if somebody wants to be forgotten, I need to forget them, or somebody wants all their data. Again, you've got your scenario of 27 systems, you know, how do you even think about that without needing to hire a team of developers that works for the next six months to do that kind of stuff? Have you found things that can help, that you've been able to help your clients with, saying start thinking of it like this and how to do something about it?

Liam Cleary (22:33):
Yeah, I mean the key here is not necessarily a technology thing. It's more based around a business process, so it's an understanding of business process. It's the integration of systems and applications together, and knowing and saying, well, actually, if we have these 27 systems, which of these are integrated together, and then what can we be notified of when something happens, and then those ones that can't be integrated together, those are the ones that are governed in those manual steps that you write in those associated documents. I mean, I use the example of the Microsoft Compliance Manager, where that has that built in, but it doesn't do anything for you. It just lets you store the documentation and the notes that you put together, and so that's your first step. First step is to work at the process. If somebody says to you, I want to be forgotten and you have to get rid of me, then you have to do two things. You have to determine whether that's in scope for GDPR first. So is this in scope, yes or no? And if it is in scope, how do you provide that mechanism, and can you truly provide the right to be forgotten? So, to give you another example: I come to you and say, I want to be forgotten because I realized that I'd been looking at stuff that I shouldn't have. Maybe I've been dealing stuff, like using electronic services or whatever else provided by a company. I want them to get rid of it. They will say no, because based on that legitimate interest and legal ramifications, they then have the ability to say, well, we can't forget you, because for legal reasons we need to store that information too. So there's still going to be instances where you're not going to win that one, but what needs to happen is, as an organization, I need to provide a couple of things.
The first one is I need to provide the ability for someone to ask, and for me to provide a mechanism of what's happening with the data and where it is. And secondly, you have to provide some mechanism of consent. And now one of the article groups in the European Commission that's running, one of the articles came back and said, even though legitimate interest can be used, it's best practice to offer some kind of consent. Even if it's like a contact us form and it says, just in case you're aware, we capture this information, and if it turns into something else, you give your consent to us using this information. That would be sufficient, along with a policy, to meet the GDPR. So there are still some things that you have to fundamentally do. You don't need teams of devs, but if your applications don't provide consent, that does need to happen. Something that you can provide is a mechanism to say, I consent to you using my data. And don't rely on the legitimate interest. It won't always stand up in court.

Virgil Carroll (25:04):
And don't forget that consent and policy also have to be written in a way that it's easy for people to understand, though if you actually go read the law that says that, it's virtually impossible to understand what they mean by that, which is highly entertaining. But I think one of the things, and the reason I wanted to do two episodes in a row right away about GDPR, besides that GDPR is getting ready to launch, I think this is going to be a litmus test for my audience, because overall I'm targeting people probably more in the marketing space, internal communications, marketing and that kind of stuff. And a lot of those people are very focused on acquisition: acquisition of people, acquisition of information, being able to disseminate it out. And frankly, when I think about it, you even look at the Facebooks, they're going to probably be the biggest violators of all in that, because they have these marketing automation systems, they've got it if this person responds with this, send them these five marketing messages, do all this kind of stuff there. So to me, this is a litmus test. Do they really take it seriously? What they do for their job, is it to just be like, well, how do I get more tweets or how do I get more followers and that kind of stuff? That stuff is very important. But overall this is starting there, and I think even though the US will probably be behind, I think we're going to catch up. I really do, because I think there's going to be a trickle-down effect from Facebook right here, that you're going to see some things go through our federal government and our state governments that are going to start to lock down what they're doing with our data and that kind of stuff. I think it is the future, because the reality is there's too much data out there, and we unfortunately all give it away a lot of times freely. You don't even really think about what you're doing.
My new son, I probably will not have a Facebook account for him for a very, very long time, you know? Yeah. But it's amazing how many people I know that do, and you're basically now allowing a lot of people out there to track the life of your kid besides your friends and family. You don't really think of those kinds of things. So I think that is going to be a very significant thing. So Liam, I thank you very much for joining me, but if you were to leave everybody with one piece of parting advice, you know, maybe we're not the largest organization, maybe we're a smaller organization, but we want to get started somewhere in figuring out our data. Are there, you know, besides, it sounds like Microsoft has some of the compliance stuff, are there other things that you recommend from that starting standpoint to get going, or resources out there that a person can find to help them through this process?

Liam Cleary (27:26):
Yes. I mean, the UK has some pretty good information, so there's a couple of government entities that have documentation, basically checklists that you can run through, and you can look through the articles. So it's the ISC; there's a group, and you can go in and say, I'm looking for, like, the data breach one for example, and I want to know what that means. You can click on that article and then it will give you a checklist of things that you need to look for. So it's a really good resource. The UK has actually done a pretty good job, because obviously GDPR rulings overwrite the existing data protection privacy rules that they have, and so they've done a great job of doing that. So if you want to look at something, that's kind of the place where you would go. I suppose as a parting thing, the most important thing would be to spend some time identifying what your data is. You know, as much as that's a laborious task, that's the first thing to notice, and then understand whether it's in scope or not. Is it truly, truly PII data from other people that you're utilizing? You know, is there a risk? Because the key is, if you look at the language, it's about risk of that data or risk to that individual based on the data that you have from them, and so understanding that. So it takes some time to understand what that means with risk to the individual of the data that you may hold, and then work out a consent option. You're going to have to have it either way, whether it's a form that you send to all your clients and say, this is a new GDPR update. So Microsoft did it, for example. When you get an Office 365 contract now for its cloud service, there's an amendment to the existing contract that has GDPR amendments to it, so if you're an organization that does contracts, maybe it's time to add a GDPR amendment to that contract. So send that to the clients. Say, here's a new GDPR update, this is what we mean by consent.
This is what it means to generate interest, and then get that to those clients or those end users that subscribe. So get ahead of that, because that's the first barrier. Did you ask for consent? Yes or no? And if you didn't, it takes one person to flag it, and you may be the smallest company in the world, but if there's no way for you to prove that you have consent, that might be something they might take on. But outside of that, the last thing to check is whether you have to transfer data between countries, and that's a bit of a problem. So there's rulings in the US for moving data and there's rulings in each individual country, and when you look at GDPR, it spans over all of Europe and everywhere else, but some of those rulings override that, GDPR overrules somewhere else, and then in the US and across the EU we have what's called EU model clauses that allow the transfer of data. But understand that if you have to transfer data from one country to another, what effects does that have on your GDPR compliance? And then I suppose my final, final, final thing for you is just make sure you understand what GDPR is first. Like, actually just understand what it means to your organization, because not everything in there is what you have to worry about. And I think, like you said, you see a webinar, you read a blog post, as you said, the word "doomed". Like, you're not doomed. You just need to make provisions for that. Just understand it and say, oh, this is what I actually have to do. That's all I need to do.

Virgil Carroll (30:44):
Well, that's some great advice, and it sounds simple, easy peasy, just put it in place. But I'll make sure that we add the websites you mentioned in the show notes, and I really appreciate you joining me to talk about GDPR. I think that this is something very significant, especially when you start dealing with customers. If you have customers, which virtually every business or entity in the world has, whether it's internal, external, you have customers, you have people that you need to worry about, and this is something significant. It's going to be really entertaining. I'm thinking that six months from now I'd like to do a follow-up episode that kind of looks at GDPR six months later and sees what happened to our world. Has Facebook changed, is it no more? What really goes down with that. So thank you very much for joining me, Liam, and I really appreciate you taking your time to talk about GDPR with us today.

Liam Cleary (31:29):
So thank you for having us.

Virgil Carroll (31:35):
So on today's Stupid Buzz, I thought I'd talk a little bit about something that maybe isn't necessarily a cliche phrase that irks me, but one that is, I think, very particular to this topic and also one that is very overused, and that's the concept of data mining. And sometimes you hear this concept of big data, and what that really means: big data is really large data sets, and, you know, we had to have some type of really cool way of saying it, so we've said "big data" versus "big data sets". And data mining is really what we do with those big data sets, analyzing them and trying to discover some kind of pattern. A lot of times this is how our marketing automation works, and the way we do things is by using these big sets of data from our customers or from people that are in our target market, or something along those lines, that allow us to understand better how they think and what they're trying to do.

Virgil Carroll (32:31):
Some good examples of this are, you know, when you use an order system to understand buyer patterns or maybe inventory flow. So some companies like Amazon are very good about understanding how to keep just-in-time inventory because of how the patterns go along with the buyers and all this information. There are other aspects like, you know, understanding patterns in medicine around treatment protocols, what's worked and what hasn't, over a really large set of data, or from a marketing perspective, obviously, something like buying a list to market based on specific criteria. So you have all those list generation companies that do that. But there are some cautions we have to be aware of, especially when we start talking about the world of GDPR. I don't think we could get a more appropriate example than what Facebook has been dealing with in their recent scandal and how data mining can really be abused. And if you've ever paid attention to how you can do their targeted ad generation, or if you've done it yourself, you know that you can just do so very much with that, and it's almost crazy how you can really narrow that down. And, you know, the reality is you have companies out there that are somewhat abusing that and using some of those benefits to be able to suck in large amounts of data, and you kind of have to look at that as, you know, the data's great, but you also have to think about that from your social responsibility side. So that's something that you individually as a marketing professional, or as a developer, or as a company, need to determine for yourself. But overall you always want to think about that. And in the world of GDPR in particular, if you're collecting data unnecessarily, obviously in some of the discussions that I've had before this we've talked about consent and what that means, and actually pulling in data or collecting data that you don't need.
So if you're collecting things from, like, a content standpoint and you're asking for email, phone number, and, you know, some other pieces of information, do you really need all those pieces of information to reach out to them? So you want to make sure that you're doing that, and then from a mining standpoint, that you're not using that data to try and mine your own pocketbook, but instead you're using it for the purpose that you stated. And so the big thing is, if you do this, your own pocketbook might just get mined by the European Union itself.

Virgil Carroll (34:56):
So thank you again for joining me on this great podcast. I hope you enjoyed the topic. We're going to start moving on to some other topics, but may come back and revisit GDPR at some point down the road after it's been implemented and kind of look at what's happened from there. If you haven't already, we encourage you to subscribe through such vendors as iTunes, Stitcher, and SoundCloud. Or you can always visit our episodes on our website at discussingstupid.com. If you're interested in interacting with me or sending some comments about the podcast, I always want to hear from people. If you have a topic idea, or maybe you just have some comments or want to have a discussion around something, you can reach me really two different ways. The first is my email address at me@discussingstupid.com, or you can also send me a tweet @discussstupid, which is my Twitter handle. So it's not "discussing stupid", it's @discussstupid. So until our next episode, feel free to discuss stupid on your own.