Today Anthony was joined by Bill Karazsia to discuss Privacy in The New World. Bill is the Assistant General Counsel – Privacy & Data Protection at Fortive.
- What separates the ‘good’ from the ‘great’ in privacy
- Privacy challenges across multiple jurisdictions during lock-down
- Why he bought a ‘Bat-phone’ during lock-down!
Speaker1: [00:00:01] Hello, my name is Anthony Brown. I work at Clermont, perhaps you’ll know that by now. But I’m delighted to bring to you another episode of our Privacy in the New World series. It’s our Privacy and Data Talks series. And I’m delighted today to be joined by Bill Karazsia, at Fortive. As you’ll know by now as well, hopefully if you’ve seen any of the other padcasts, our aim really is to bring you thoughts, insight, opinion, maybe a few interesting stories along the way from some of the world’s leading privacy and data thought leaders. Bill, it’s great to have you on the show on this sunny Friday morning. How are you?
Speaker2: [00:00:47] I’m just great. Thanks, Anthony. It’s an absolute pleasure to be here. This is my second ever podcast and certainly my first one that involves video. So thanks for the good reason to shower and get properly dressed this morning.
Speaker1: [00:01:03] No problem. Now, it’s great to have you on. Bill, I must say as well, set up in the background is one that I perhaps aspire to have with the red phone and the very professional microphone in the front as well. So it’s great to have you on. Obviously, we’ve known each other for a few years now, Bill. I’ve known you since you first pretty much arrived in the UK from the US. And you’ve had a really interesting few years both in the US and in the UK. And I think notably you were at Virgin Media in a senior privacy role there and subsequently you’ve moved on to Fortive who are a Fortune 500 industrial technology conglomerate company where you’re the assistant general counsel for privacy and data protection. Just for anyone who’s listening, Bill, that’s not familiar with Fortive could you just tell us a little bit about it briefly, please?
Speaker2: [00:02:05] Sure. Of course. Fortive Really, you started out bang on Fortive is an industrial technology conglomerate. We are a parent company of about twenty five operating worldwide and about 62 jurisdictions and about 30,000 employees. And our business or our operating companies fall largely into three main segments, industrial technologies, field solutions and health care.
Speaker1: [00:02:37] Wow. So as we know, obviously well, for obvious reasons, health care has been, well, right in the epicenter of the global efforts with the covid-19 pandemic over the last few months. I say it every time and people who have listened to any of these podcasts, I know that I don’t want to dwell at all on the last few months is about looking forward and being positive. But I guess for you, Bill, and in the context of the sort of sector that you work in, it must have been an incredibly busy time for you over the last few months.
Speaker2: [00:03:10] Yeah, that’s definitely true. I have worked longer and probably harder in the last four months than I ever have in the entire course of my career. And I say that as somebody that’s spent about four years in big law. So I think it’s a point of reference that probably speaks volumes. And certainly the health care space has been an important one for us to continue to follow. But the I can say and perhaps representative of a lot of my colleagues and peers throughout the industry, that in a way that I think employees and employee data has not always been the forefront of a privacy professional’s concern, because customer data or third party data has always been an objective matter, received the spotlight, but in a way like never before. Employee data, health and safety, performance of health and safety requirements and getting it right for employees has been a focus like I have never seen before. And it’s been really satisfying and also been an opportunity really to get to know and work under the gun with colleagues that I otherwise wouldn’t have been at a table with a virtual table with. So it’s been a very busy time, but also a time that I’m very grateful to have had so much work to do, because it certainly took your mind off of not being able to resume the lives that we were used to living just four months ago.
Speaker1: [00:04:46] Yeah, indeed. What would you say Bill has been the biggest privacy challenge, you know, in general? And you can be as explicit as you want about your own work, or as a broader spectrum for privacy pros? I mean is there something that leaps out at you?
Speaker2: [00:05:04] There’s one thing that I think easily leaps out as the biggest challenge in the area of covid and in a really heavily diversified organization like mine and keeping tabs on exactly what a privacy regulator was saying about what could and could not be asked of employees or visitors to a facility at any given time has been something that we wanted to get out ahead of and stay very informed and very current about. And we’ve done that. But it has been a huge challenge in finding the right resourcing and talent to get us the information we need and tracking that talent or that information and then getting it to the right outlets within the company to just give a perspective in quantitative terms. You know, in my experience, just in these last four months, the regulatory market, if there is such a thing, the regulatory market has really settled around about five questions that you can ask an individual in order to screen them for their ability perhaps to enter a facility or to attend a public event or to carry on their work even in the socially distanced way. And those five questions, I think, a proper way to do it, and certainly one in an organization where there’s there’s a great investment in privacy and getting it right, you need to know jurisdiction by jurisdiction, which of those five questions you’re allowed to ask.
Speaker2: [00:06:38] And then in every jurisdiction, for every question, there’s a different analysis we’ve found in whether you can ask an employee or a visitor. So an otherwise unrelated third party. And so if you do the math in these jurisdictions that are most important and most frequently tapped for us, we’ve got about thirty five jurisdictions, five questions and two different audiences you can ask it to. And that for us boils down to tracking 350 data elements twice a week for updates. So and that’s just getting the information in and getting it in the right hands has been, it’s been a mountain of work. That part hasn’t been a challenge for us because, you know, we’re set up pretty well for success there. But getting that information and keeping it current because it changes up to twice a week has been, I think, not just a challenge, but one that I’ve seen us respond very well to.
Speaker1: [00:07:32] Yeah, I mean, it’s an enormous challenge and more so than ever at a time when it’s been more difficult in many ways to, you know, to work in close quarters with your colleagues, you know, it’s an enormous task to pull all that together. I mean, more so than ever everyone’s had to contribute and collaborate to pull all this together and in super quick time as well. You know, this is pushing the boundaries. This is new work. So it’s amazing. My hat’s off to you, Bill, and your peers and other organizations who have had to really pivot very quickly and adapt to the new world.
Speaker2: [00:08:15] All right. For the sake of keeping this banter is right, I. I want to go back to something we mentioned earlier. Can you really see the bat phone?
Speaker1: [00:08:20] I can see the bat phone. It’s fantastic.
Speaker2: [00:08:23] It’s actually a bat phone.
Speaker1: [00:08:24] Is it really.
Speaker2: [00:08:26] Yeah. I wanted one for ages and I wanted one because there’s no dial on it. It’s only a ring phone. And I don’t I really for as long as I can remember, I’ve never liked being on the phone and I find it an absolute opportunity for me to be distracted in the world just for that four or five months ago when calls were simply calls, voice calls, I noticed myself having a real problem even then zoning out so during lockdown. And I spent most of lockdown in the States. Actually, a lot of America went on sale, including the suppliers of bat phones. So I got a discount and brought it back. So I plugged it right in.
Speaker1: [00:09:11] Of the question on everyone’s lips is, has it rung yet Bill?
Speaker2: [00:09:16] Because this is an ancient hardwired phone and nobody has I probably don’t even have the numbers for my for my flat, hard wired, flat telephone line. The answer is no, it hasn’t rung. But when it does, we all should be worried.
Speaker1: [00:09:30] Please let us know and we’ll do a follow up podcast as and when it’s rung. So moving forward, Bill, as well in the new world as it’s coined now, what do you see as a specific privacy challenge on the horizon? And I’m thinking here and I guess for you as an international and US business CCPA or is it what in general is on your mind at the moment?
Speaker2: [00:09:56] Right. So I, I have an answer, an answer to that responds, I think, directly to the question. And I’ll get to that, I think. But I will tell you the thing on my mind. If we can sort of continue the discussion just for a second about the the data points that we’re looking at twice a week. What’s on my mind there is certainly not wanting to get it wrong. But but why are we updating why are we looking at these data points so frequently? Somebody might say we should look at these data point so frequently because if suddenly a regulator changes their mind and doesn’t want you to ask a visitor about their contact with third parties or close contacts who have a suspected case of Covid, that we want to switch that question off in that jurisdiction. And I think there’s something to that right. It makes sense. We don’t want to ask a question we shouldn’t ask. I think companies that have a process set up where they’re looking for that information and getting those updates, even if they get it wrong for a few days, we’ll probably find forgiveness from a regulator who has identified them as having done the right thing and tried their best to switch a question from on to off. Right. So that’s not my worry, my chief worry in maintaining these data elements.
Speaker2: [00:11:18] My chief worry is not turning a question from no to yes quickly enough, because I think there you sort of get a false negative or a type two error that is far worse, in my opinion, than asking a question you shouldn’t ask, because if there’s an up code that can benefit from finding out about third party contact or close household contact with a visitor, that doesn’t know they can ask that question and are therefore deprived of the insight from that question and being able to make an entered determination on that information, then I feel like that’s where I’ve really fallen down. So we don’t we don’t monitor it’s not a chief worry for me because we want to find out what we can’t ask. We actually want to find out what we can ask and empower our operating companies or folks who are similarly situated to me to get the information in the hands of the people to whom it matters most. So that’s sort of my day to day chief worry. But in keeping for the spirit and as you introduce the podcast or the padcast and keeping with the spirit of not making this all about covid, even in a world where that’s hard to do, I think the biggest challenge for companies that play in really smart and really fast moving data space is going to be or is already machine learning and artificial intelligence and the regulatory framework around that is, I think, unsettled. I think it’s an area where much like GDPR about four years ago when it was published, has a lot more opinions than actionable intelligence and actual actionable guides. And it is an area that if I can abuse an analogy, that it reminds me a lot of collateralized debt obligations and structured finance tactics from the late 2000, where if the practitioner, if a lawyer, finance lawyer answers honestly, will tell you that during that time there were plenty of client engagements where lawyers simply didn’t know what that documentation meant. Right.
And artificial intelligence as an application and as a business accelerator, I think in the hands of a lot of really smart folks in the world is still one where if you pop up on the bonnet, you’re not quite sure what you’re looking at. So I think it’s a lot for the industry to settle on and perhaps some voluntary undertakings on how data can be crunched through AI. I think if we don’t get that right and we don’t act in the best interest of the data subject there, that we can see a whole wave of regulations come in that we wish we could have avoided.
Speaker1: [00:14:12] Yeah, I mean, there’s no doubt that there’s continued challenges ahead for our lifetime. It’s going to continue to grow, as we know, within the privacy arena. And certainly I know you’ve been involved in the community for many years, Bill, based in the US, the UK, as I mentioned earlier. And I think during that time and obviously I’ve been very much involved as well for many years now in talking to people like myself and obviously advising and helping them with their next steps in their careers. But obviously, it’s become, it’s evolved. It’s become a sexier place to be. More and more graduates, for example, are interested in a career in privacy, quite rightly so. It’s an incredibly diverse and exciting career to carve out. It’s becoming more and more crowded though inevitably, as we know and I know that through your career, you’ve been heavily involved in hiring in businesses that you’ve worked at. I think my perception is and from where we sit, is that there are differentiators between the good and the great in privacy. And I’d really appreciate your take on that, Bill. You know, in terms of I guess the question is, what in your view separates the good from the great in your world as a privacy pro?
Speaker2: [00:15:37] I am actually so glad to be asked that question. Thank you for bringing it up. If you, if you attend a privacy conference or like us, if you’ve been sort of following the industry for greater than a decade, you know that there’s been a vast influx of folks who perhaps have repurposed their skills quite ably into the privacy space, but are fairly new arrivals. And I think actually some of that, if you look and you trace some of the careers that coincidentally, I think that is an outgrowth of the financial crisis of 08, 09. But in any case, the there was no shortage of supply of candidates in the roles that I’ve looked to fill over the years. But there is something, as you put in very descriptive terms, that separates the good from the great. I landed on that just I would say, well, this year and I put a word around it and it’s not an original thought and certainly nothing I invented. But I think it is I think it is one that really hits the nail on the head. And that’s authenticity. Right. And I, I don’t necessarily look for somebody that has X number of years of experience doing a particular thing in privacy, I look for somebody that has an authentic command of the discipline and authentic command of their space. Right. They know their subject code. I tell you what I’m prepared to do, actually, if it’s OK with you, if you think this padcast is the right form for it, I will share I’m prepared to share the one question that I think begins a conversation around whether a candidate has an authentic command of the discipline.
Speaker1: [00:17:25] Please Bill.
Speaker2: [00:17:26] Well, we’ll get there. I’m going to leave everybody in a bit of baited breath. To me in the practical execution, right, if I hire a lawyer, an outside lawyer to help with a project, right. Or go to a firm with an engagement, I might sort of run rules are if I ever receive a reply by email that begins with the words under the laws of England and Wales. Right. Or under New York law, I already know that No. 1 they will be seven more paragraphs that follow the first one, and it’s not going to give me a practical answer. Secondly, I think if somebody begins to tell me if I if a challenge is presented of any sort of variety and the response involves something like suggesting that a DPIA is performed or that a regulatory notification might be required, to me that’s just reciting book knowledge, which, you know, isn’t necessarily easy to grasp. But it’s also certainly not helpful for somebody who’s got their boots on the ground and trying to solve problems for the business. Yeah, but if we could sort of let the cat out of the bag, I will say that the question I ask in interviews now and have done for a year or so is I ask somebody to to put themselves in a scenario where they are advising the marketing department and the marketing department asks whether or not they can launch a particular campaign.
Speaker2: [00:19:07] And I ask the candidate, if they wouldn’t mind, to just share their thinking with me around the legal basis they would use to justify the campaign if I can go forward and to please make sure that they address both consent and legitimate interest and the you drill down. In my opinion, this question allows the candidate to show their stuff if they can drill down and articulate where many folks can’t. Actually, in my experience, they can articulate that indeed there is a legitimate interest in soft opt in possibility. And in fact, probably most marketing cases fall into it to reach out to a customer and engage in particularly electronic direct marketing or direct marketing by electronic means, using legitimate interest and not consent. So that to me, if somebody can give a great answer to that question, then the rest of the interview is what I’m going to be very interested in and hearing more about.
Speaker1: [00:20:16] Very interesting, Bill. Thank you for that insight and I can only imagine as well that in the future, when you’re interviewing people, if somebody seems like they’ve got a ready made answer to that then we know they tuned into this padcast.
Speaker2: [00:20:28] I’ve got to come up with a new question now.
Speaker1: [00:20:32] They’ll get extra points for that anyway, right? Yeah, I mean, that due diligence.
Speaker2: [00:20:38] I have a feeling that every candidate you might send to me in the future will be very prepared for that question.
Speaker1: [00:20:45] Absolutely. Yeah. Noted and I’ll be drilling down on that – just a sort of leftfield question for you. And sorry to put you on the spot with this one. If there was a privacy law or perhaps a specific privacy law that had an element of it that you could change, what do you think that may be?
Speaker2: [00:21:06] You know, I have sat in front of the text of a lot of different privacy laws and certainly understand some of them a lot better than others. But I’ll tell you this, I think the one thing that I can hope one day changes or that I would like to wave a magic wand and change because I just don’t get what the law says now is the CCPA’s treatment of service providers and exempt third parties. I have sat with that section and those articles in the CCPA since gosh had to have been October 2018 on planes, trains and automobiles. And I just conceptually fail to understand the material difference between those two parties and why the contractual obligations that essentially a data controller in California needs to put in front of those two third parties. So that has been a huge challenge for me to understand, one that I have spent not only time but money trying to solve. So I think there’s an opportunity for clarification there, or at least we can identify a development goal for me. And in 2020 and the other thing that I, I wish would change and change in the sense of being set out more clearly one way or the other is the legitimate interest assessment conversation in the GDPR. I spent a lot of time with that article as well. To me it’s I get why a documented and demonstrable assessment needs to be made about legitimate interest, because if you look at all the other legal bases, they have in a way to self executing demonstration or an artifact where consent has the consent and the proof that it was obtained, contracts themselves are living artifacts, a vital interest to something that sort of comes up quite quickly, but that you can usually create organically an artifact that demonstrates how you came out there.
Speaker2: [00:23:29] Legitimate interest is, you know, hugely relied on legal basis. And in my reading of the GDPR, there’s nothing that mandates a legitimate interest assessment be performed. That’s certainly part of the broader conversation around how you justify legitimate interest. There’s not a requirement, a thou shall statement around a legitimate interest assessment. But if you go to a particularly an outside law firm, they advance and promote the notion of a legitimate interest assessment, as you know, frankly, a real thing that needs to be put together and kept. And I don’t think number one, I don’t necessarily think the law is crystal clear in the mandate around a legitimate interest assessment. So if there’s no scope for clarification one way or the other, I think that’s great. And I also think it is certainly something that we do, and it’s certainly something that lands on me as a burden for the business. So if this is not what is actually required by the law and it’s more of a nice to have than a must have, and that would allow us to adjust our processes and procedures and our privacy compliance accordingly. So those are my two.
Speaker1: [00:24:52] Very interesting, Bill. Thank you, I’m sure both of those points you elaborated on, any of your contemporaries and peers will find that very, very interesting. And I’m sure many of them will share your thoughts on that as well.
Speaker2: [00:25:09] You know, I’m actually more as you get this session posted, Anthony, I would actually love to hear more from people who would disagree. And I think these environments are great to sort of advance a point and begin a discussion. But if I’m on a panel or if I’m in an audience, I get much more stimulating experience if people actually disagree. So I would love to know of folks who are listening to this and say he’s wrong. And hear the good reasons why.
Speaker1: [00:25:43] That bat phone might be ringing off the hook!
Speaker2: [00:25:47] I won’t call them, I promise.
Speaker1: [00:25:51] So just to sort of wrap things up, Bill, and I always typically end with the question asking people what they’ve learned about themselves over the last few weeks, often confined to their homes, if I may say, because prior to lockdown, obviously, we’ve seen each other and we know each other that if you don’t mind me saying that I’ve learned about you during lockdown is that you can grow an incredible beard. It’s a thing of beauty. So I don’t hopefully I’m not taking your answer to that out of your mouth. But is there anything you’ve learned over the last few weeks specifically?
Speaker2: [00:26:36] So about myself? Yeah. I mean, the reactions, the spontaneous reactions I get when I’m on camera with somebody for the first time in a long time are really entertaining about my beard. And what I learned about my beard is that at a certain stage quite early on in the growing experience, it stops being a beard and truly becomes whiskers and then grows out more than it grows down. And this was more of a commitment and a bit of fun I was having with my barber. And now that the UK is reopening salons, I’ll get to visit him on Monday. So watch the space.
Speaker1: [00:27:14] Before you carry on what’s your plan moving forward? Is the beard going to be trimmed or is this a thing?
Speaker2: [00:27:20] It’s going to be trimmed and can and maintained in a controlled way. Yes, we’re sort of going back to pre pandemic beard status. Yeah. So, you know, I was I was born for quarantine. I mean, I have soaked in every minute of it. I got to spend four months together with my parents, which wasn’t always easy for them. And every once in while it wasn’t easy for me, but it was an opportunity I absolutely never would have taken. I never would have thought to have if it weren’t for lockdown. And I just returned to the UK two weeks ago to my flat and beginning to do some DIY stuff and decluttering. And I was subject to the self isolation order. And I honestly didn’t miss a beat. And I think that I will take some learnings from that forward when it’s my favorite phrase to use these days when all this is over.
Speaker1: [00:28:22] Yeah, absolutely. Well, that’s all on the tip of our tongue, isn’t it? Hopefully when it’s all over, that’s for sure. But Bill unfortunately, on that note, this padcast is all over. But I just want to thank you so much. It’s been a fantastic chat with you. You’re always so engaging and you clearly know your stuff forwards, backwards, each way around. And I hope our listeners have really taken something away from this. So as is protocol, in a minute, I’m going to do this sort of shuffle with the mouse to close off this video. We’re going to do the wave – Bill, thank you so much. It’s been a pleasure talking, have a great weekend and we will, of course catch up very soon. And thanks for listening, everybody. Another padcast will be coming up very shortly. Thanks, Bill.