Interview with Karima Saini
Data Protection & Privacy Consultant at Lionheart Squared Ltd
TechConnectr is a marketplace of best of breed ABM and other lead gen solutions, helping marketers deliver highly-targeted “quality” leads for their sales teams.
hi this is Bob Samuels founder of TechConnectr TechConnectr is a
transparent marketplace and campaign
management platform of Best of Breed
account based marketing and lead
generation solutions we help marketers
deliver highly qualified leads for their
sales teams in the name of sharing best
practices wisdom regarding data privacy
and compliance we’re interviewing
various data regulation experts to that
end I’d like to introduce you to Karima
Saini from Lionheart Squared Karima
has great experience regarding GDPR
privacy rules Karima it’s a pleasure to
speak with you how are you today yeah
really great thanks Bob it’s a beautiful
day I’m here in southern California and so can you
tell me a little bit about tell our
audience a little bit about yourself
your background in GDPR where you’ve been
in over the past probably three or four
years or ten years how long you’ve been
around in the GDPR space and both from
GDPR really just started in 2016
although some people really go way back
to 2012 when we were working on the
actual draft Europe that’s not me but I
could say that 15 years ago when I was
working as a paralegal negotiating IT
and SaaS contracts right it really
mattered to the fortune 500 companies
that were negotiating these seven-figure
deals for hosted software solutions that
the that the services had information
security and privacy in mind and so it
was about 2007 I started my journey with
a my first certification in privacy at
the time I was recipient number 700 and
I thought that was a big deal
but today there are 30,000 I don’t know
if they’re all certified but they’re 30
thousand members in that Association OMA
and and since then since the in fact
International Association of Privacy
Professionals has been in business for
20 years that you’re celebrating the
20th year now and then
thirty thousand members they’ve also got
a whole sort of different types of
certifications so I just recently passed
the CIPT which is privacy technology
which obviously makes a big difference
congratulations thank you very much
because it’s about data protection isn’t
it it’s not just privacy rights and all
the other stuff that we’ll be talking
about in a few minutes and then I want
to make a quick start with what happened
during the financial crisis or right
around that time of 2008-2009 so so the
world kind of stopped in at least in
California for me and tech was a little
bit
well there was struggling so I was
helping some mates with their IPTV
streaming video company and that’s where
I was able to really put pry all the
stuff that I’ve learned in for the IAPP
into practice with the privacy by design
concept so really we came to loggerheads
with the engineers because some of them
came from Yahoo and they were all about
you know data gathering and super
collection and personalizing everything
and I was all about well we should tell
these people were doing that and how
does that affect and do we give them any
choices so it didn’t manage to convert
them but if fortunately the company ran
out of steam and the engineers left most
of them went over to Netflix so what do
you know well I you know I appreciate
your helping put in perspective that you
know I’m kind of using GDPR as shorthand
for data protection and data privacy and
so forth but that’s a that’s a valid
point that you know these these laws and
challenges started way before GDPR
but GDPR has gotten things more
codified and and very more serious than
maybe the CAN-SPAM Act that we can
follow him for years before yeah you
know Kent I really enjoyed learning
about CAN-SPAM Act that’s actually why I
had to take my certification because I
was working for ESP in California and
there they were also doing what’s called
the safe harbor at that time because
they had clients from all over some of
these multi-million dollar deals were
for that service
but you know we talked about at the time
people really didn’t care they like
getting personalized emails so you like
getting all the stuff that was so cool
because it wasn’t diapers or you know a
car or a band if they weren’t really
interested in a sports car or yeah just
depending on where they were at in life
and so the stuff became meaning the
emails became significant to them and
nobody complained about that well you
know I was going to mention that well
was in that exciting area of Technology
I took a little detour and I went to
banks became a VP of privacy compliance
and I could tell you it’s intense but
it’s so predictable so boring and and
this is all before GDPR
and all this stuff started and so three
years ago my partner and I decided that
you know what it’s time to move to
Europe so this is why you’re talking to
me here from London that’s where I’m at
right now and we set up two companies
one in Ireland because of Brexit and the
one in England so so I just want to say
before we started to the Nitty Gritty we
today we serve the normal household
brands typically they’re digital media
and news companies well we had a stint
with a radio a national radio firm we
also do some work with some of the big
four consultancies and again the banks
and software development innovation hub
startups and those you know that’s what
keeps me excited and talking to you and
what you’re doing with TechConnectr really
cool thank you thank you this is gonna
be a nice conversation so so GDPR CAN-SPAM
CCPA is coming around the corner
CASL I put them all in similar buckets
as far as yeah yeah which is lead
generation or online marketing in
particular for b2b for businesses to
businesses which you know I agree
everybody’s everybody’s a person out
there so even the even the everybody’s a
person so what defines personal
information when you’re dealing
was a with a b2b data it seems to be
quite different well certainly using the
well it is in the US but not for
CAN-SPAM right so so there there’s no
distinction the I think CASL
I haven’t revisited that in a while so I
mean just going to stay away from the
opinion on that although I do recall
when they first came with if you were to
update some things from his computer he
did tell him about it was going to cost
you ten million Canadian dollars so you
know a significant impact and got people
to pay attention well and them in the e
privacy where well e privacy meaning
this is or the electronic communications
our government in link and Europe there
is a little bit of distinction with b2b
versus b2c but it depends on any number
of the 27 member states because they I
was going to talk about a little later
about how but I’ll just bring it up now
sure essentially what we’re talking about
is there’s an ePrivacy directive and in
the EU when you have a directive that
means every country who’s a member of
the EU gets to look at it and decide
what they like and what they don’t like
and put it into their own law with
suggestion yeah it’s kind of a
suggestion it’s a strong suggestion
Germany never adopted the the e-privacy
directive they just said oh well what we
have is already good enough so we don’t
need to do anything under that which is
surprising because you know Germany is
like one of the a little bit more one of
the tougher regulators out there and so
with this regulation that’s the promise
regulation of e-privacy that was supposed
to come around that hasn’t actually
happened in fact after three years of
negotiation they decided you know what
we’re just going to drop it and partly
it’s because GDPR has come in and
although GDPR and E privacy work
together if there’s a more privacy
friendly e-privacy context or law
depending on which nation you’re in
that one will prevail over a less
friendly less individual friendly GDPR
clause so it’s all over the map so it’s
all over the map and so you have to
actually have to have a very complex
matrix you can go in fact I think I’m
the one here with flags Austria okay you
have for a B2C opt-in but you can do
an opt-out if you have an established
relationship and it’s the email about
the same thing this is just emailing and
but if it’s b2b it’s also opt-in so the
Austria is pretty strict where’d you go
to Belgium a B2C is opt-in but B2B
is a little bit more of an it’s a looser
opt-out rule but it’s not the same
flavor let’s say as okay as Estonia
Estonian has a clear b2b opt-out but it
goes back to this complexity is that
when we were hoping to get in the
privacy world and I think all businesses
as well they as much as they were
dreading the idea of an e privacy
regulation the regulation gets dropped
in as is and all member states have to
follow it just suck is what we found
with a GDPR there were very accepting
of GDPR but it’s not we’re talking
about here that’s not so it so I like I
like simple and I would hope that there
is a some sort of a set of standards
that maybe covers the the worst cases
without maybe the extremes and not
having to worry too much about a
specific country if I can help yeah yeah
well it is simple but the simple answer
is going to be through case law because
a failure to get the overarching e-privacy
and you’re done the case law and
guidance from the regulators is
essentially saying opt-in opt-in opt-in b2b
or b2c doesn’t matter very few
situations where you can just and I
think this is the biggest challenge for
ABM and aggregators and data brokers is
that you need
a chain chain that links how you got the
consent and who can use it and all that
stuff and all the complications that we
can we can get into detail a little bit
right right so there’s a question up
there on the board you want to ask about
that oh yes let me do that so so looking
at securing personal information so
again for b2b I consider personal
information to be the name and the email
address and maybe the cell phone number
well maybe you can look at it that way
in California probably not for much
longer or at all anymore on the CCPA but
yeah so someone’s job title is personal
information yeah anything that links
back to a person is personal information
personal data and their phone number
what it’s whether it’s direct or not you
know a phone number in the wild just a
phone number with no name attached not a
big deal and as soon as you start using
the phone number to use it as an ID even
without a name and start adding features
and preferences and whatnot to it then
and create a profile it’s an individual
so the company name is personal
information no the company name is not
personal information the company
location physical address Wow okay so we
want to get into the details really
contextual so you have to take a look at
the full package so once you know
something about in the division think
about a little bit more like geolocation
if you if you know where they are and
they go from their house to work every
day five days a week and you can track
that then you know where they work and
depending on where they work that could
be sensitive information you’re cooking
for government entity it could be for
hospital psych ward who knows right yeah
okay fair enough
so going back to the question looking at
securing personal information how do you
think these marketing CRMs or
marketplaces like Airbnb or b2b market
places like like a TechConnectr should
be GDPR compliant
okay well I mean Airbnb is all of its a
global companies so they will have to
have some components that are GDPR
compliant and the easy answer if you
would like to keep things simple is just
safeguard everybody’s stuff maybe as far
as securing personal information which
is the crux of the question you secure
it how do you secure it well you know
technology changes all the time we into
the details there but you just have to
stay on top of them make sure that what
you think is secure is still secure well
I think if I encrypted it’s secure well
it depends who has the key fair
enough
thank you for sharing that and that’s so
so everybody so so what’s happening now
with as far as marketing goes inside of
inside of Europe how are things changing
how are thing how are things happening
as far as b2b marketers using email
using using telemarketing my
understanding of telemarketing is that’s
outside the scope of the rules of GDPR
yeah okay let’s focus on telemarketing
for a moment that’s a good one
yes it’s outside the scope of GDPR as
far as some things are concerned it’s
actually governed by the e privacy so if
it’s electronic communication in any
shape or form
that’s texting faxing telephoning
yeah we don’t have the old copper stuff
anymore do we it’s all my understanding
is tell you know the phone call the
texts I could see that stage a little
bit the phone call is that really
Considerable yeah well it doesn’t matter
that it’s digital not still the
communication just say that with with
digital we have additional concerns such
as voice over IP that could be inter you
could listen in to VoIP but then again
in the old days you have the operators
you know plugging in one connection to
another household and they could listen
in so I don’t know that telephone was
ever really that secure we have we had
whatsapp and it’s other over the top
kind of communication that’s know but
going back to be chief what would you do
you’d be working in an office you might
have you know with the with the TCPA in
the u.s. oh my god that’s where if you
have it’s not only talked about but I
spent a year and a half doing TCPA stuff
and we’re working the banks and he says
the your system had the capability of
automatically dialing a phone number you
were in scope for TCPA and you had to
make sure that you ran it against the
do-not-call list and so forth so it
depends here in Europe with
country you’re making the calls from and
to so in the UK particularly there’s a
commercial do not call it’s a commercial
TPS telephone preference service so
you’d have to run your your list of
people you want to contact sure through
that right sir Robinson this kind of
concept yeah
I can only gobbed in for instance I mean
you need to make sure your you’re
suppressing them against the do not
call list but but you don’t need it opt
in to be able to contact them it’s it
depends there are if it’s a nuisance
call then you have to have you have to
do that and you can’t I mean people are
getting slammed companies getting
slammed even shut down because of
nuisance calls but they have to be
fairly extreme and unwanted this is more
like Robo calling for insurance
services and whatnot but if you’re doing
a real you think something somebody went
to a webinar and they left their phone
number and they’re expecting to hear
from you because you told me we call
them then you can call them no it’s more
somebody it has a certain title there in
LinkedIn and the their information
is found and there’s a variety of
different lists out there and then
they’re called they are taking the chances on that they’re not on the do not
call list but they didn’t they’re not on
any sort of opt-in list either or any
kind of yeah so I think it comes back to
you how you go about it I’m not gonna be
giving you legal advice here but
essentially most people would be
receptive to get a phone call or
disrespectful and you tell them who you
you tell them who you are you do those
faces and it’s relevant it’s relevant
and you tell them why you found out
about them somebody referred you and
then give them a choice to to never be
contacted again and make sure you take
them off your list right make sense so
tell me about about cookies and about
what I consider rip digital advertising
social programmatic and an email but
they’re all in its digital yeah well
what I like to
use that this goes very much to let me
say well I have this saying that I came
up with as I started figuring this out
is that what the GDPR giveth the e
privacy taketh unfortunately
so famously there is an article 47 that
a lot excuse me a recital 47 that’s the
distinction so GDPR has articles 99 of
them they have a hundred and eighty or
so recitals that explaining what the
articles are and the recital forty-seven
the last line says that you can use
personal data for direct marketing
purposes under legitimate interest
lawful vehicles
fantastic right because as long as you
have a legitimate interest as which we
talk about scenarios of the telephone
calls you’re golden unfortunately the e
privacy considers that consent is the
only lawful basis and that’s where you
have this clash so this is where I want
to share an example of we’re going way
from pony and i’m going to cookies and
all the technology that goes with it
is that what’s complex is that the GDPR
says to get a proper consent you have to
have it freely given has to be specific
the individual has to be properly
informed the individual has to indicate
to in unambiguous
fashion that is okay to process of
personal data and what is unambiguous is
you either give a statement or a clear
affirmative action okay so that’s what
the GDPR says in that section but
there’s more
they put conditions on for for how you
get the consent so you know you as the
marketer have to be able to prove that
you obtained that gdpr compliance of
consent that the consent you have to be
able to show a regulator who asks that
it was clearly distinguishable from any
other matter so if you had a contract
and you were collecting a lot of
personal data but you didn’t
actually need it to fulfill the contract
you would fail the freely given test and
the other complexity is that you have to
use clear and plain language has to be
intelligible me just most people don’t
know you use that word easily accessible
using the clear and plain language you
have to be able to withdraw your consent
at any time and you have to make that
withdrawing as easy as it was to give
the consent these are current impossible
things to do so that’s GDPR and I said
it giveth right so I mean if you can do
direct marketing but you have to satisfy
these other conditions so this is why
legitimate interest is just so important
to you companies like yours versus
having to go with consent but now you
throw ePrivacy on top of that and
depending on which of these countries
you’re going to we were using implied
consent so for the last ten years if you
went to that website you know this it
comes up with a cookie banner and you
click it away and you proceed whether
collecting stuff but nowadays we’re
going to see that France is not allowing
it Germany’s not going to allow it the
UK is not allowing that so ePrivacy
is actually saying that the implied
consent cookie banner pre-ticked tick
boxes saying that you agree all that’s
invalid so you can’t you can’t even rely
on that that’s the thing yeah and it’s
really difficult I think for RTB
because you know they’re so deep in the
process how do you how do you actually
say which RTBU which bidder is going to
win and it’s fairly complex but you know
it sounds like it it sounds like it’s
the French cookie laws there’s IAB
efforts
there’s lawsuits and so forth it’s
there’s a lot out there so what one
thing I’m curious about it are there any
I haven’t seen any public executions any
any kind of oh you a time execution you
don’t mean somebody who gets home first
and you okay not anymore now it’s all
electronic now it’s all do you mean for
like a government entity like a public server
I’m no I’m no I’m um surprised there
haven’t been any big fines that have
been issued to by the GDPR governing
body whatever that is to violators of
the rules
oh well making it really public and make
a big show of it well Spain just spent
Vueling an airline December late
November for not having proper cookies
so so there’s that yeah we should
probably say that yeah so this spring
we’re expecting the French CNIL
that’s not gonna say it in French I know
how to say it but I’m not it’s there
anticipated targeted advertising cookies
and tracking devices guideline coming
soon it’s going to replace their 2003 e
privacy rules you know based on the
directive so is there a French diet on
the horizon yep you can have consent
before you can serve the cookies before
you can read the cookies will France ban
cookie walls yep they’re going to you
have to leave oh they’re going to tell
operators that they have to leave open
the possibilities for the users of their
websites to access a service even if
they refuse to consent to cookies other
than the the expressly necessary ones
essential ones and if they do consent
they’re bringing back the fact that they
can withdraw consent as easily as they
did to consent so I think technically
speaking it’s there there’s some
opportunities for those who can build
cookie consent mechanisms that work
there is also competition between the UK
and France
yeah we’re speaking a which so yeah so
what so what’s so GDPR and Brexit how
does that all fit together
yep well GDPR hard Brexit ok so what’s
happened is that the UK already knew
into them were 2016 they were to leave
or at least they thought they knew they
were to leave and it’s confirmed in our
election December 12 so we are actually
needy so what does that mean is that the
EU GDPR gets replaced with a UK GDPR
hooray and it’s going to line up
with a Thailand GDPR and Nigeria GDPR
and Kenya GDPR and so forth
just so you know they’re lots of GDPR
coffee have a UK one but I would
say that though if somebody is doing
business with the EU I’m excuse me UK
individuals is that there’s kind of a
little to do checklist to do before
February or by February 1st of this year
and I would say the first thing they
need to check on is if they’re already
at EU-U.S. Privacy Shield and arrant that
they would need to add some specific
language it says oh and by the way UK
people are included in our Privacy Shield
oh yeah and then there’s another sort of
antiquated something that that’s been
around in the old pre GDPR directive
and as part of the GDPR today is an
article 27 representatives and UK
businesses if you have a UK business and
you do business in the EU without an
office there you may need to have your
own EU GDPR article 27 representative if
you’re not a UK business and you don’t
have a presence in UK so in other words
the rest of the world you may have to
nominate your own UK GDPR article 27
representative and then of course
accordingly update your privacy versus
okay
satellizer everybody so so you might ask
what to eat what’s an article 27
representative what do they do what are
they good for yes yeah it’s it’s a it
can be a person or a company that an
individual has to be unnamed
Virgil and you would you would do that
again as I was explaining if you don’t
have a presence in the EU or the UK and
you have processing activities meaning
processing in there the GDPR means
even smelling it seeing it knowing about
it’s almost processing it so whether
it’s collecting it storing it sharing it
accessing it through a VDI etc you’re
processing it and if you are offering
goods or services to individuals in the
in the UK or the EU even if you
don’t get money for it or you’re
monitoring a person’s behavior which is
very likely in context of profiling if
it takes place within the EU or the UK
then you need to have one of these
article 27 representatives you have them
so that the data protection authorities
can have a local contact or
individuals can have a local contact not
having one not having one is a 10
million euro fine now I don’t know how
they’re going to issue it and we haven’t
seen anything like that yet but you know
what they’re starting to but put it this
way the the ICO in the UK has 200
employees and went from 40 to 200 as of
GDPR so you got a lot of people with
time on their hands of looking for
something to do we also know that all of
the the global data protection
authorities talk to each other they have
like monthly dinner meetings and
different things around the world so
just because one like France is doing
something UK doing something it’s not
isolated all these guys know what
they’re doing Hong Kong knows what the
UK is doing they’re all very good friends so
I just thought I’d throw that in there
you can get out so how does one get it
how does why does one identify or get a
article 27 representative I just tried
to google it it doesn’t really pop up as
anything specific that we found that
there was a shortage of people who do
that there’s a reason why there aren’t
that many article 27 representatives
because for the longest time they
actually take on the liability of their
clients who don’t do the right thing and
there aren’t too many people raising
their hands for that so I thought maybe
I was stupid for setting up that in our
in Ireland and it turns out it’s
actually okay because there’s not a
ruling but guidance that’s been
clarified by the European data
protection board where they said that
yeah okay we recognize that if you have
nothing to do then it’s really your
clients needs to be taking responsibilities unless you’re
unless you’re not doing what you should
do yeah so we have that if you look for
lionheartsquared.eu then you’ll find a word about that you good good that’s
good to know
so what’s a what’s a PIA a privacy
impact assessment right okay so PIAs
have been done in the u.s. if your
government entity for oh gosh 25 30 40
years for a long time since 1974
essentially what what it does how does
it work with a GDPR how does that come
into play right essentially GDPR now
has baked that into the law so you have
to do data protection impact assessments
what they call it but I prefer using PIA this is where companies can capture
how they looked at the impact to
individuals found ways to minimize any
kind of negative impact of harm to the
individuals and so all that’s recorded
that’s another basic principle of GDPR
it’s called the accountability principle
so if you walk away from this seminar it
would just talk and you don’t remember
anything else
GDPR is about transparency and
accountability those are the two basic
things you could summarize and as part
of that accountability you need to
document a lot of stuff that you’re
respectful of people’s rights and so
forth and this is a really good time to
bring in what privacy by design and by
default is privacy by design is exactly
when it sounds like and by default
there’s also exactly what it sounds like
so
I’ll just give you a quick example so
when you go to a website and
particularly let’s say if you go to ICO
ico.org.uk you will have an example
of the proper kind of European cookie
consent banner where you would take a
look at the essential cookies well okay
that’s going to be always on but they by
default
turn off the preference and the
functionality cookies and you can go and
click them on if you want but privacy by
default is that essentially you ship
your product with the most privacy
available Mechelen you have to design
that in there and and there you go so
just recall that a pre-ticked consent is
not valid fair enough so as far as as
far as protecting the data
I again we talked about how encryption
is good but it goes beyond that you have
to make sure you know who’s got the keys
and protect against things happening to
the data on your watch and so forth
there needs to be some sort of a
certification process it can can
companies self certify or do they need
to bring someone in to bless them that
there’s a proper you know this is this
is part of the good news because of all
those GDPR stuff we’re having having to
take a deeper look and how we do things
and the international standards
organization has just released in August
this year and I should say last year
sorry August 2019 and released what’s
called a privacy equivalent to the ISO
2704 InfoSec so they work together and
if you can implement your the privacy
aspect of it which is a 27701
rather than InfoSec to 7701
they work together and you can
actually get an auditor to come and make
you GDPR compliant if you like so you
really need it
and and is there an official
certification board is that what it is
is that ISO / so I saw that I serve two
seven seven zero one is what you would
get judged against and there are many
companies like in England you can go
with the BSI the BSI has individuals
that are qualified to evaluate you can
get independent auditors you can get one
of the big four firms to do it for you
essentially when you can obviously do
self-assessment to prepare for it but it
wouldn’t be official unless you had a
third party do it for you they have to
bless it so there’s there’s companies
that go that’s what their job is and
they and they they need they need to be
sanctioned I guess by ISO right and the
the other thing is that the well GDPR
hasn’t what’s the article 40 which is
essentially the ability for a number of
certification schemes to be developed
they have to be approved by the board
the European data protection board and
they have or the different countries so
if it’s for E-privacy then because it’s
it’s not yet part of the regulation okay
this still part okay I’m gonna get
myself tripped up here essentially I
have seen France say that you can
certify DPO Data Protection Officer if
you go to these authorized tests and
auditing companies so it really depends
the country you work in and what you’re
looking for so slowly but surely there
are more certification things but coming
back to security you know I think a lot
of people still make a lot of mistakes I
think statistics I saw maybe a couple
years ago sixty percent of data breaches
are human error is the gate open yeah
exactly it’s it’s attaching improper
emails and sending it to their own
people or you know the classic which is
instead of emailing to to blind copy you
email to 50 random people and they can
all see each other email address
I mean silly stuff like that and that’s
a data breach right so put what is
privacy shield framework ah oh the
privacy shield framework is the very
specific EU US and Swiss US framework in
order to to demonstrate that you are a
company that respects the rights of
individuals and the privacy shield
framework was it followed after the fall
of the safe harbor in Saint Potter I
think was around in 2003 maybe but
essentially the Federal Trade Commission
works with a European Data Protection
Board and the Commission in Europe and
they have designed a way to make America
adequate the reason America as a country
the United States as a country can’t
really be adequate because we have 50
states and every all states have
something different as we know with CCPA
so there’s one problem with the privacy
shield is that it’s a little bit shaky
because the its predecessor being the
safe harbor a guy named Max Schrems
maybe some of our audience knows who he
is he started a non-profit company
called
none of your business none of your
business goes around suing because on
day one of GDPR he wanted suit and filed
this complaint that the privacy shield
doesn’t meet the GDPR
requirements and why that a problem it’s
because we have the U.S. CLOUD Act and
that means that even if you have your
AWS or Azure or whatever in Ireland let’s
say it’s a US company and the US
government can reach in and get out
whatever they need from the US company
no matter where they’re located so the
idea that you put your stuff in the
European country but is still with a US
company like Microsoft
for example they have received a lawsuit
that they’re not compliant well you know
what you do because it’s the businesses
don’t have any control over that it’s
the US government wants it go in and
reach so this is what bothers Max Schrems
so we’re always on pins and needles
every October when the review comes out
from the European Commission see if
privacy shield still works okay fair
enough so I I want to I we can’t go on
and I’d like to go on we should have
separate I’ll have we’ll have to have a
separate that series for you of
different topics because I do want to
get into you know that that
data security aspects and the compliance
and the encryption and the hash tags and
or whatever I chose um so let’s do that
another time
well I real quick any where do you see
things going how are things gonna be in
a year in five years you mentioned CCPA
I assume that’s going to be changed in
the landscape as well as at least things
up to the US right right I mean okay so
globally we’re going to see more
problems for companies using data it ran
them and for any reason I think we’re
gonna see a lot more fines some eye-watering
ones I mean something as simple
as data retention where you’re keeping
something too long you wouldn’t think is
a high priority for the authorities well
unfortunately what I’m but I predict
based on what happened in Berlin just
last month is that one hundred and forty
five million euro fine came out because
they kept their data too long so so what
I see is that the data protection
authorities across the world are going
to flex their muscles and they’re going
to do it until a good number of
companies you’re going to go out of
business
I predict and there’s going to predict
that there’s going to be an outcry and
say GDPR just a step too far I’m
gonna have to down the back now that’s
going to take some time then the
pendulum always swings too far to the
right and then too far to the to the
left before it finds a middle ground so
that’s
what I think that’s great and any other
words of wisdom before I let you go yes
you know for RTB friends what I want
to do is get them to sign up for the
free monthly newsletter that the ICO
oh this is the UK ICO ico.org.uk
sign up for the newsletter
December 20th
they wrote we urge I’m going to quote
now we urge all organizations involved
in RTB to review their processes
systems and documentation here are some
practical things you can do there are
three things 1 ensure your senior
management understands that practices
are changing in the industry and
challenge them to review their approach
2 embed privacy by design approach to
your use of RTB we talked about that
there’s you can find out more on their
site and keep engaging with your trade
associations I think they’re really
sending a message that you need to
contact your IAB your NAI and all
that and stake and get you get your
voice heard so that the pendulum doesn’t
swing too far okay beautiful and and we
will place some links on our on the
interview page so everybody can can
find these things easily perfect
there’s been a real pleasure talking to
you Bob Thank You Karima I appreciate your
you’re sharing your wisdom and have a
great day we’ll we’ll be be in touch
again same sounds good
yeah and Happy New Year thank you happy
new year